Identity Provider

Unified Identity and Access Management platform based on the implementation of open, industry standard single sign-on and delegated authorization frameworks. Available as a cloud service or a data centre deployment.

Data Sheet

Product Highlights


Identity Provider

Identity and Access Management

Identity Provider is a unified, flexible, cloud-ready Identity and Access Management (IAM) platform that offers Single Sign-on and Access Control functions for distributed web and mobile applications, regardless of their form factor and deployment model.

The platform provides the server-side implementation of modern authentication and authorization frameworks, including OpenID Connect 1.0 and OAuth 2.0. It also features end-user account management, client application registration, identity bridging and federation, two-factor authentication, security role mapping, UMA 2.0 compliant permission management, security auditing and web-based administration.

Identity Provider integrates seamlessly with a variety of industry-standard authentication and authorization clients, whether the client is an API gateway, an application server, a microservices platform, a web browser or a third-party cloud service.

Product Features


Single Sign-on

Federated Authentication Across Cloud Applications

Single Sign-on implements federated authentication for web applications and cloud services, so that users log in once and a single security context is propagated across multiple systems and data repositories.

  • Offers industry standard, OpenID Connect 1.0 based authentication to online applications (issuing party).
  • Issued end-user tokens are valid across internal enterprise systems and private cloud environments.

Identity Bridging

Delegated Authentication to Social Identity Providers

Identity Bridging delegates login and user credential management to one or more external identity providers. Any required third-party token claims can be mapped onto the unified account type.

  • Reuses popular social identity providers and automatically links their accounts within a security realm.
  • End-user credentials are never exposed outside the original identity provider while access is being granted.

Identity Federation

Account Synchronization with Existing User Directories

Identity Federation delegates user authentication to the existing corporate or virtual directory. It auto-imports user identities upon login, and periodically synchronizes them with the original security store.

  • Supports LDAP v3 and Active Directory based logins, with periodic account synchronization.
  • Account attributes are automatically mapped to a common data model in a security realm.

Two-factor Authentication

One-time Passwords Combined with Standard Credentials

Two-factor Authentication adds a second login factor, such as a user-configured One-time Password (OTP), to the single sign-on process. Access is granted only to users presenting both credential types.

  • Requires the end-user to configure a mobile authenticator and enter a one-time code at login.
  • Supports the industry-standard time-based (TOTP) and HMAC-based (HOTP) OTP algorithms with configurable attributes.
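As an added example (not the product's own code), the two OTP algorithms named above implemented from RFC 4226 and RFC 6238 with Python's standard library, together with the server-side verification step a platform like this needs: a drift window of adjacent time steps, a constant-time comparison, and a replay guard that refuses any counter already accepted. The seeds are the RFCs' published test-vector seeds, used here as constructed demo values.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secrets (not from the page): the ASCII seeds used by the RFC 4226 and
# RFC 6238 test vectors. A real deployment generates a random per-user secret at enrolment.
SEED_SHA1 = b"12345678901234567890"
SEED_SHA256 = b"12345678901234567890123456789012"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HMAC-based OTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, digits: int = 6, period: int = 30, algorithm: str = "sha1") -> str:
    """Time-based OTP (RFC 6238): HOTP whose counter is the number of `period`-second steps since the epoch."""
    return hotp(secret, timestamp // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, last_counter: int = -1, timestamp: int = None,
                digits: int = 6, period: int = 30, algorithm: str = "sha1", window: int = 1):
    """Server-side check: returns the time-step counter the code matched, or None.

    Accepts the current step and `window` neighbours on each side to tolerate clock drift,
    compares in constant time, and refuses any counter at or below `last_counter` so that a
    code captured from the user cannot be replayed. The caller persists the returned counter.
    """
    now = int(time.time()) if timestamp is None else timestamp
    matched = None
    for step in range(-window, window + 1):
        counter = now // period + step
        candidate = hotp(secret, counter, digits, algorithm)
        if hmac.compare_digest(candidate.encode(), code.encode()) and counter > last_counter:
            matched = counter
    return matched
```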

Account Management

User Profile Management Based on Common Data Model

Account Management maintains user profiles based on a common data model and configurable custom attributes. Syntax and lifecycle policies are enforced as part of password management.

  • Lets security administrators set up common user profile attributes and password policies.
  • End-users can browse their profile information and change their security credentials.

Client Registration

Dynamic Client Application Registration and Management

Client Registration supports dynamic self-registration of client applications. An administration web interface is available for managing client application credentials, authorization scopes and role-based access control.

  • Provides service consumers with a secure way of entering client credentials and application endpoints.
  • A web-based UI and a web services API allow new clients to be registered and their security attributes managed.

Session Management

User Session and Token Revocation Policy Management

Session Management is performed through the administration web interface. It allows all sessions and tokens to be revoked quickly in the event of a suspected or actual security breach, or as part of scheduled system maintenance.

  • Gives security administrators the ability to monitor and control active logins and issued tokens.
  • Logged-in users can manage their own sessions as part of the account self-service.

Access Control

Delegated Authorization to Access Protected Resources

Access Control implements delegated authorization for API resources, so that authorization decisions are made by security services external to both the clients and the target servers. This minimizes the exposure of security credentials.

  • Offers industry standard, OAuth 2.0 token-based authorization to invoke online services (issuing party).
  • Issued access tokens are valid across internal enterprise systems and private cloud environments.

Security Realms

Multi-tenant Security Policy Administration Framework

Security Realms segregate multiple areas of security policy administration, each managing an isolated set of security attributes. Realms can be mapped to various cloud environments and client application groups.

  • Improves access control with multiple server credentials, client policies and threat defense models.
  • Segregation of duties prevents fraud, simplifies security management and facilitates compliance.

Role Mapping

Role-based Access Control for Cloud Applications

Role Mapping relates business roles to security realms, client applications, permission scopes and user groups, as required by the nature of the protected resource access process.

  • Reduces the risk of a security breach by limiting service access to pre-defined consumer classes.
  • Roles mapped to identity or access token claims automatically determine end-user access permissions.

Permission Management

Fine-grained Authorization to Access Protected Resources

Permission Management lets fine-grained permissions for access to online resources be configured based on authorization scope or resource location. Permissions can be mapped to roles to simplify access control.

  • Defines industry-standard, UMA 2.0 compliant resource access scopes and policy conditions.
  • Policy evaluation can simulate client requests by supplying identity and access attributes.

Security Auditing

Security Event Management and Real-time Notifications

Security Auditing configures logging and alerting rules for critical security events, enabling regular information security assessments and an effective incident management process.

  • Security event types and their targets, such as a log file, an e-mail address or an event database, are configurable.
  • The security administration web UI lets administrators browse security records by event type, client and time period.

Supported Standards


OpenID

OpenID Connect (OIDC) 1.0 is a simple identity layer on top of the OAuth 2.0 authorization framework. It allows client applications to verify the identity of the end-user and to obtain basic profile information from an Authorization Server.

OAuth

OAuth 2.0 is an authorization framework that enables client applications to obtain limited access to protected web resources, either on behalf of the resource owner, or directly by supplying client credentials to an Authorization Server.

UMA

User-Managed Access (UMA) 2.0 is a family of standards that defines how a client application obtains a permission ticket from a Resource Server and exchanges it at an Authorization Server for an OAuth 2.0 token, which it then uses to access protected web resources.
