
Post on 14-Aug-2020


TRANSCRIPT

© REAK SOFT, OOO REAK SOFT

Blitz Identity Provider authentication server

Say no to the password chaos

Contents

1) Problem
2) Solution
3) Key customers

Password chaos

Ivanov Vladimir. Login: ivv. Password: htgk&5678

Ivanov Vladimir Petrovich. Login: vivanov@outlook.com. Password: uhg%6435

Ivanov Vladimir. Login: vivanov@gmail.com. Password: dsde$345

A typical employee has at least 3 accounts for the company's applications. Some also have to remember more than 10 passwords from work accounts (DTI survey 2006)

Weak security of accounts

36% of security experts believe that phishing attacks will be the most significant cyber threat in the next three years (Ponemon Institute Research Report 2015)

Good passwords are hard to remember, passwords can be stolen or brute-forced

Not all authentication mechanisms in different applications are secure enough. A "bad" application compromises passwords and poses a security threat

When accessing "cloud" or "external" services, passwords leave the organization

Limited access control and audit capabilities

Applications do not always allow you to flexibly configure authentication rules depending on who is logging in, when, and from where

The administrator has no overall picture of which users log in to which applications, and how often

It is difficult to grant employees of another or affiliate organization access to the company's information resources without the risk of unauthorized access

Contents

1) Problem
2) Solution
3) Key customers

The solution: a Single Sign On service for an organization

28% of organizations in the world have already implemented a single sign-on system. 25% plan to do it within a year (Deloitte security survey 2007)

Blitz Identity Provider

• One account for access to all applications

• Single sign on (SSO)

• Flexibly configurable two-factor authentication

• Access from any device (PC, Mac, tablet, smartphone)

• Registration, personal profile, password recovery services

Blitz Identity Provider key features

Personnel

• Security self-services: user registration, user profile and password management, password recovery

• Identity/attribute/credential store

• Web Single Sign-On

• Identity provider

• Authorization services and API protection

• Consent management

• Access Control

• Authentication services: password authentication, social login, domain integration, smart-card and USB tokens, two-factor authentication, browser fingerprinting

• Password brute force protection

• Security events logging

• Reporting

• User management

Diagram labels: users (Personnel, Consumers, Contractors) and protected resources (Company's web applications, Company's mobile applications, Cloud services)

Authentication methods support

Strong authentication (digital signature)

Multifactor authentication (2nd factor authentication)

Password authentication

Social login

OS-integrated authentication (authentication based on domain login)

Customizable appearance of the user interface & self-services

Flexible authentication flows

Diagram: access to the company's applications by role

• Chief: connect a digital signature

• Manager: Local Area Network: enter password; Internet: two-factor authentication

• Engineer: require a second factor if the employee has set it up himself

• Employee of a subsidiary company: log in using the Blitz Identity Provider of the subsidiary company
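The role-based rules on this slide are what an authentication policy engine evaluates before it challenges the user. The example below is added here and is not Blitz Identity Provider code; it models the four rules as a small decision function. The role names, the corporate network ranges, the login-context fields and the method identifiers are assumptions made for the example, and the sample login attempts use constructed documentation addresses.

```python
"""Added example: step-up authentication policy modelled on the four slide rules.
Not Blitz Identity Provider code; roles, fields and network ranges are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Assumed corporate LAN ranges (example values); any other source counts as "Internet".
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class LoginContext:
    """What the identity provider knows about a login attempt (fields assumed)."""
    username: str
    role: str                        # "chief", "manager", "engineer" or "subsidiary"
    source_ip: str                   # client address as seen by the IdP
    has_second_factor: bool = False  # the employee enrolled a second factor themselves
    home_idp: Optional[str] = None   # Blitz IdP of the subsidiary, for federated staff


@dataclass
class Decision:
    """Ordered authentication steps the user must complete, or an IdP to delegate to."""
    methods: List[str]
    federate_to: Optional[str] = None


def is_internal(source_ip: str) -> bool:
    """True if the client address lies inside the corporate LAN.

    An unparseable address is treated as external so the policy fails closed.
    """
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETWORKS)


def decide(ctx: LoginContext) -> Decision:
    """Apply the four slide rules to a login attempt."""
    if ctx.role == "subsidiary":
        # Rule 4: staff of a subsidiary log in through that subsidiary's own Blitz IdP.
        if not ctx.home_idp:
            raise ValueError("subsidiary user without a configured home IdP")
        return Decision(methods=[], federate_to=ctx.home_idp)
    if ctx.role == "chief":
        # Rule 1: the chief connects a digital signature (strong authentication).
        return Decision(methods=["digital_signature"])
    if ctx.role == "manager":
        # Rule 2: password on the LAN, password plus a second factor from the Internet.
        if is_internal(ctx.source_ip):
            return Decision(methods=["password"])
        return Decision(methods=["password", "second_factor"])
    if ctx.role == "engineer":
        # Rule 3: require the second factor only if the employee set one up.
        methods = ["password"]
        if ctx.has_second_factor:
            methods.append("second_factor")
        return Decision(methods=methods)
    # Unknown role: fail closed with the strictest interactive policy.
    return Decision(methods=["password", "second_factor"])


if __name__ == "__main__":
    # Constructed sample attempts; the addresses are private and documentation ranges.
    for ctx in (
        LoginContext("chief", "chief", "10.1.2.3"),
        LoginContext("manager", "manager", "203.0.113.5"),
        LoginContext("engineer", "engineer", "10.0.0.9", has_second_factor=True),
        LoginContext("sub", "subsidiary", "10.0.0.9", home_idp="https://idp.subsidiary.example"),
    ):
        print(ctx.username, decide(ctx))
```

The two fail-closed branches (an address that does not parse, a role the policy does not know) are the parts worth keeping when adapting this: a policy engine that silently defaults to the weakest method turns a configuration gap into an authentication bypass.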

Blitz Identity Provider interaction scheme (diagram)

• Blitz Identity Provider: Authentication service, Admin console, Self-service (Registration, User profile, Recovery)

• Users: connect over HTTPS

• Applications: connect over HTTPS using SAML 1.0/1.1/2.0, WS-Federation, OpenID Connect 1.0, OAuth 2.0, REST API

• User directory (optional): LDAP, REST API

• SMTP server, SMS gateway (optional)

• Push-authentication services (optional)

• Certificate authority (optional)

• Social networks, federated accounts (optional)

Blitz Identity Provider deployment scheme (diagram)

• Users: HTTPS through NLB, web-proxy

• Blitz Identity Provider Servers

• Couchbase DB Server

• User accounts and password store: LDAP, REST API

• Admin and log server; SMTP server and SMS gateway

• Administrator

• Applications: SAML 1.0/1.1/2.0, WS-Federation, OpenID Connect 1.0, OAuth 2.0, REST API

Blitz Identity Provider components (layered diagram)

• “Web” layer: Bootstrap framework

• Web applications (“Services” layer): Registration, Authentication service, User profile, Recovery, Admin console

• “Server cache” layer: Memcached

• “Business-logic” layer:
  OAuth 2.0 / OpenID Connect 1.0: OIDC identity provider, OAuth Authorization Endpoint service, OAuth Token Endpoint service, Security Token Service;
  SAML 2.0: Identity Provider;
  REST API: Resource provider (of user information), User registration service, User attribute change service, Service to change authorization settings;
  Simple Blitz Web Gate;
  Identity Brokering: Federation with Blitz IDP, Social Login;
  Utilities

• “Objects” layer: Users, Attributes, Devices, Applications, Security events, Authenticators, Permissions

• “Storage” layer: User accounts storage (LDAP or External DB), Storage of security events and other data

• Operating system

• Blitz BDK or BlitzSmartCard Plugin

Contents

1) Problem
2) Solution
3) Key customers

Moscow Government

The access control system to e-services of Moscow

• 5 million Moscow residents get convenient and secure access to over 50 Moscow sites and mobile applications

• About 100 thousand city employees get daily access to various service systems

• 3 million daily authentications

• 1000 authentications per second in peak

https://mos.ru

Novolipetsk Steel (NLMK)

The authentication system of Novolipetsk Steel provided:

• Single Sign-On to the NLMK corporate portals for 50 thousand employees of 40 affiliate companies

• Convenient login modes (domain login for office employees, password or SMS code for workers)

• Remembering a user when logging in from a personal device

• Self-registration of employees, reconciliation with the SAP HR system

• Assignment of the “confirmed” status to accounts by personnel services staff

https://auth.nlmk.com

Ingosstrakh Insurance Company

The unified authentication system of the Ingosstrakh Insurance Company gives 2 million consumers, 20 thousand agents and 2 thousand employees access to more than 10 web and mobile applications

Users got the following features:

• Social login for customers

• Two-factor authentication for agents

• Domain integrated identification for employees

https://www.ingos.ru/

About us

Kirill Gavrilov, Development Director

Responsible for marketing and operations in REAK SOFT. Manages marketing initiatives for the successful development of REAK SOFT software

PhD in Sociology, assistant professor at the Higher School of Economics

Mikhail Vanin, CEO

IAM expert. In 2011-2015 he supervised the development of the Russian e-government authentication system that is used by 80 million citizens of the Russian Federation to access 1000+ government sites

In 2014 he founded the REAK SOFT company that develops solutions for authentication.

Senior lecturer at Bauman University, the Information security department.

More questions?

Please contact us:

• Mikhail Vanin, mvanin@reaxoft.ru

• Kirill Gavrilov, kgavrilov@reaxoft.ru

More info on our website: http://identityblitz.com
