© REAK SOFT, OOO REAK SOFT
Blitz Identity Provider authentication server
Say no to the password chaos
Contents: 1) Problem 2) Solution 3) Key customers
Password chaos
Ivanov Vladimir: login ivv, password htgk&5678
Ivanov Vladimir Petrovich: login [email protected], password uhg%6435
Ivanov Vladimir: login [email protected], password dsde$345
A typical employee has at least 3 accounts for the company's applications; some have to remember more than 10 passwords for work accounts (DTI survey 2006)
Weak security of accounts
36% of security experts believe that phishing attacks will be the most significant cyber threat in the next three years (Ponemon Institute Research Report 2015)
Good passwords are hard to remember, and any password can be stolen or brute-forced
Not every application authenticates securely enough: a "bad" application leaks the passwords entered into it and so becomes a threat to every system where the same password is reused
When users access "cloud" or "external" services, their passwords leave the organization
Limited access control and audit capabilities
Applications do not always allow authentication rules to be configured flexibly depending on who is logging in, when, and from where
The administrator has no overall picture of which users log in to which applications, and how often
It is difficult to grant employees of a partner or affiliated organization access to the company's information resources without the risk of unauthorized access
The solution: a Single Sign On service for an organization
28% of organizations in the world have already implemented a single sign-on system. 25% plan to do it within a year (Deloitte security survey 2007)
Blitz Identity Provider
• One account for access to all applications
• Single sign-on (SSO)
• Flexibly configurable two-factor authentication
• Access from any device (PC, Mac, tablet, smartphone)
• Registration, personal profile and password recovery services
Blitz Identity Provider key features
• Security self-services: user registration, user profile and password management, password recovery
• Identity/attribute/credential store
• Web single sign-on
• Identity provider
• Authorization services and API protection
• Consent management
• Access control
• Authentication services: password authentication, social login, domain integration, smart-card and USB tokens, two-factor authentication, browser fingerprinting
• Password brute-force protection
• Security event logging
• Reporting
• User management
User groups served: personnel, consumers, contractors
Applications served: company's web applications, company's mobile applications, cloud services
Authentication methods supported
• Strong authentication (digital signature)
• Multi-factor authentication (second-factor authentication)
• Password authentication
• Social login
• OS-integrated authentication (based on the domain login)
Customizable appearance of the user interface & self-services
Flexible authentication flows
Example rules for the company's applications:
• Chief: log in with a connected digital signature
• Manager: from the local area network, enter a password; from the Internet, two-factor authentication
• Engineer: require a second factor if the employee has set one up himself
• Employee of a subsidiary company: log in using the Blitz Identity Provider of the subsidiary company
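The rules above are a context-aware authentication policy: the required steps depend on the user's role, the source network, whether a second factor is enrolled, and which identity provider owns the account. The block below is an added illustration of how such a policy can be evaluated; it is not Blitz Identity Provider code, and the role names, the LAN address ranges, the step names and the `home_idp` field are assumptions made for the example. It also shows two details the slide leaves implicit: an unparsable client address is treated as Internet (the stricter path), and an unknown role is denied rather than falling back to password-only.

```python
"""Context-aware authentication policy in the spirit of the slide's rules.
Added example, not Blitz Identity Provider code; roles, network ranges
and step names are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumed corporate LAN ranges; a real deployment would load these from config.
LAN_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
)


@dataclass(frozen=True)
class LoginContext:
    username: str
    role: str                      # assumed values: "chief", "manager", "engineer"
    source_ip: str                 # client address as seen by the IdP
    home_idp: str = "corp"         # "corp", or the subsidiary whose own IdP holds the account
    second_factor_enrolled: bool = False


def is_lan(source_ip: str) -> bool:
    """True only for a valid address inside a LAN range.
    Anything unparsable (empty or spoofed header) counts as Internet,
    so a malformed address can never unlock the weaker LAN path."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_RANGES)


def required_steps(ctx: LoginContext) -> tuple[str, ...]:
    """Return the ordered authentication steps this login must complete."""
    if ctx.home_idp != "corp":
        # Subsidiary employee: redirect to that company's identity provider
        # (federation); the local IdP never sees the user's password.
        return ("federated:" + ctx.home_idp,)
    if ctx.role == "chief":
        return ("digital_signature",)
    if ctx.role == "manager":
        if is_lan(ctx.source_ip):
            return ("password",)
        return ("password", "second_factor")
    if ctx.role == "engineer":
        if ctx.second_factor_enrolled:
            return ("password", "second_factor")
        return ("password",)
    # Unknown role: fail closed instead of defaulting to password-only.
    return ("deny",)


def authorize(ctx: LoginContext, completed: set[str]) -> bool:
    """Grant access only if every required step has been completed.
    A 'deny' step can never be satisfied, so unknown roles are rejected."""
    steps = required_steps(ctx)
    return "deny" not in steps and all(step in completed for step in steps)


if __name__ == "__main__":
    # Constructed sample logins, one per rule on the slide.
    samples = [
        LoginContext("chief1", "chief", "203.0.113.5"),
        LoginContext("mgr1", "manager", "10.1.2.3"),
        LoginContext("mgr1", "manager", "203.0.113.5"),
        LoginContext("eng1", "engineer", "10.1.2.3", second_factor_enrolled=True),
        LoginContext("eng2", "engineer", "10.1.2.3"),
        LoginContext("sub1", "engineer", "198.51.100.7", home_idp="subsidiary-a"),
        LoginContext("guest", "intern", "10.1.2.3"),
    ]
    for ctx in samples:
        print(f"{ctx.username:7} {ctx.role:9} {ctx.source_ip:14} -> {required_steps(ctx)}")
```

Note that `authorize` checks the completed steps against the policy evaluated at decision time, so a client cannot downgrade itself by presenting an address that fails to parse or by claiming a role the policy does not know.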
Blitz Identity Provider interaction scheme
Blitz Identity Provider itself consists of the authentication service, the admin console and the self-service (registration, user profile, recovery). It interacts with:
• Users, over HTTPS
• Applications, over SAML 1.0/1.1/2.0, WS-Federation, OpenID Connect 1.0, OAuth 2.0 and the REST API
• User directory (optional), over LDAP or the REST API
• SMTP server and SMS gateway (optional)
• Push-authentication services (optional)
• Certificate authority (optional)
• Social networks and federated accounts (optional)
Blitz Identity Provider deployment scheme
• Users reach the Blitz Identity Provider servers over HTTPS through an NLB / web proxy
• Applications connect over SAML 1.0/1.1/2.0, WS-Federation, OpenID Connect 1.0, OAuth 2.0 and the REST API
• Blitz Identity Provider servers
• Couchbase DB server
• User accounts and password store, reached over LDAP or the REST API
• Admin and log server, used by the administrator
• SMTP server and SMS gateway
Blitz Identity Provider components
Layers: "Web" layer (Bootstrap framework); "Server cache" layer (Memcached); "Business-logic" layer; "Objects" layer; web applications and "Services" layer; "Storage" layer; operating system
Client-side components: Blitz BDK or BlitzSmartCard plugin
Services:
• OAuth 2.0 / OpenID Connect 1.0: OIDC identity provider, OAuth Authorization Endpoint service, OAuth Token Endpoint service, Security Token Service
• SAML 2.0 Identity Provider
• REST API: resource provider (of user information), user registration service, user attribute change service, service to change authorization settings
• Simple Blitz Web Gate
• Identity brokering: federation with Blitz IDP, social login
• Utilities
Web applications: registration, authentication service, user profile, recovery, admin console
Objects: users, attributes, devices, applications, security events, authenticators, permissions
Storage: user accounts storage (LDAP or an external DB); storage of security events and other data
Moscow Government
Access control system for the e-services of Moscow
• 5 million Moscow residents get convenient and secure access to over 50 Moscow sites and mobile applications
• About 100 thousand city employees get daily access to various service systems
• 3 million daily authentications
• 1000 authentications per second in peak
https://mos.ru
Novolipetsk Steel (NLMK)
The authentication system of Novolipetsk Steel provides:
• Single Sign-On to the NLMK corporate portals for 50 thousand employees of 40 affiliate companies
• Convenient login modes (domain login for office employees, password or SMS code for workers)
• Remembering a user when logging in from a personal device
• Self-registration of employees, reconciliation with the SAP HR system
• Assignment of the “confirmed” status to accounts by personnel services staff
https://auth.nlmk.com
Ingosstrakh Insurance Company
The unified authentication system of the Ingosstrakh Insurance Company gives 2 million consumers, 20 thousand agents and 2 thousand employees access to more than 10 web and mobile applications
Users got the following features:
• Social login for customers
• Two-factor authentication for agents
• Domain-integrated login for employees
https://www.ingos.ru/
About us
Kirill Gavrilov, Development Director
Responsible for marketing and operations at REAK SOFT. Manages marketing initiatives for the successful development of REAK SOFT software.
PhD in Sociology, assistant professor at the Higher School of Economics.
Mikhail Vanin, CEO
IAM expert. In 2011-2015 he supervised the development of the Russian e-government authentication system, which is used by 80 million citizens of the Russian Federation to access 1000+ government sites.
In 2014 he founded REAK SOFT, a company that develops authentication solutions.
Senior lecturer at Bauman University, Information Security department.
More questions?
Please contact us:
• Mikhail Vanin, [email protected]
• Kirill Gavrilov, [email protected]
More info on our website: http://identityblitz.com