
SAML SSO

What is SAML?

Security Assertion Markup Language (SAML) is an open standard describing a framework that allows one computer/application to perform security functions on behalf of one or more computers/applications.

SAML enables identity providers (IdP) to pass on authorization credentials to service providers (SP), thereby making it possible to use a single set of credentials for logging in to different websites and applications - email, customer relationship management (CRM) software, Active Directory, and so on.

SAML transactions utilize XML for standardized communications between the identity provider and service providers. In other words, SAML is the link between the authentication of a user’s identity and the authorization to use a service.

SAML 2.0 was approved in the year 2005 by the OASIS Consortium.

SAML Providers

Primarily, there are two types of SAML providers: identity providers (IdP), which authenticate users and issue assertions, and service providers (SP), which consume those assertions to grant access.

Uses of SAML

SAML facilitates a simplified, federated authentication and authorization process for users, identity providers (IdP), and service providers (SP). In other words, SAML provides a solution through which the identity provider and service providers can exist separately, while centralizing user management.

SAML also acts as a secure means to pass user authentication and authorizations between the identity provider and service providers. Since both the identity provider and the service providers speak the same language, SAML, the user only needs to log in once. The SAML authentication process verifies the user's identity and credentials, and the authorization process informs the service provider what level of access is to be granted to the user.

SAML Assertions

The term ‘SAML Assertion’ refers to the XML document sent by the identity provider to the service provider that contains the user authorization.

SAML Assertions are of three different types: authentication assertions, attribute assertions, and authorization decision assertions.

SAML Functionality

SAML’s main functionality is to pass on information - about users, their logins, and attributes - between the identity provider and service providers.

Here’s how:

This works provided the identity provider and service provider(s) share an exactly matching SAML configuration.

diagram_1

AKKU - SAML Connector

Our custom SAML Connector provides an organization’s users with the ability to access the tools and applications they need to perform their day to day activities.

Technology Stack

Implementation

The Akku-SAML connector has been built on SimpleSAMLphp and enables Akku to act as an Identity Provider (IdP) that authenticates users for SaaS applications supporting SAML. Administrators of the organization can configure Akku by carrying out the following configurations within Service Providers:

With these steps, a trust relationship can be established between Akku and the SPs.

diagram_1

OpenID Connect

What is OpenID Connect?

OpenID Connect (OIDC) is an open authentication protocol framework that builds on existing technologies such as URIs, HTTP and SSL to enable a user-centric digital identity. OpenID Connect is powered by simple JSON-based identity tokens (JWTs), delivered via OAuth 2.0 flows.

Today, OpenID Connect has become a leading standard for single sign-on (SSO) and identity provision, allowing applications/websites and authentication services to exchange security information in a standardized manner. In other words, OIDC allows users to log in once and access multiple, disparate applications or resources.

Published in 2014, OpenID Connect is a fairly new IdP standard, but has emerged into one of the best due to its simplicity and usability.

Benefits of OpenID Connect

OpenID Connect, published in 2014, is not the first identity-provider standard, but it is definitely the best in terms of usability and simplicity, having learned the lessons from past efforts such as SAML and OpenID 1.0 and 2.0.

Versatility

From integration with basic apps to high-end security required for enterprises, OpenID Connect has features that meet every need.

Convenient ID Tokens

The identity information of users is transmitted by OpenID Connect in the form of encoded, secure and easy-to-consume JSON Web Tokens (JWTs). These ID tokens are portable and also support a wide range of signature and encryption algorithms.

Standard OAuth 2.0 Flow

OpenID Connect uses a standard OAuth 2.0 flow to obtain the ID token, which is compatible not only with web applications but also with mobile apps. Moreover, only a single protocol is required for authentication and authorization.

OpenID - The Identity token

The ID tokens come in a standard JWT format signed by the OpenID Provider (OP).

Characteristics of ID Tokens

The ID token claims (statements) are packaged in a simple JSON object, as illustrated below:

{
  "sub"       : "alice",
  "iss"       : "https://openid.c2id.com",
  "aud"       : "client-12345",
  "nonce"     : "n-0S6_WzA2Mj",
  "auth_time" : 1311280969,
  "acr"       : "c2id.loa.hisec",
  "iat"       : 1311280970,
  "exp"       : 1311281970
}

To ensure easy transmission, the ID token header, claims JSON, and signature are each base64url-encoded and joined with dots into a single string, as illustrated below:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRw
Oi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiw
KICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIi
wKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ
1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP9
9Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccM
g4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKP
XfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvR
YLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0
nx7RkKU8NXNHq-rvKMzqg
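As an added example (not code from the page or from Akku), the following Python decodes the token shown above and applies the relying-party checks on its header and claims. The allowed-algorithm list, the expected issuer, client id and nonce, and the clock value passed in are assumptions; signature verification with the OP's public key, which the page does not give, is a separate step that must precede trusting the claims.

```python
import base64
import json
import time

# The ID token shown above, re-joined from the page's ten wrapped lines.
PAGE_ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFlOWdkazcifQ.ewogImlzcyI6ICJodHRw"
    "Oi8vc2VydmVyLmV4YW1wbGUuY29tIiwKICJzdWIiOiAiMjQ4Mjg5NzYxMDAxIiw"
    "KICJhdWQiOiAiczZCaGRSa3F0MyIsCiAibm9uY2UiOiAibi0wUzZfV3pBMk1qIi"
    "wKICJleHAiOiAxMzExMjgxOTcwLAogImlhdCI6IDEzMTEyODA5NzAKfQ.ggW8hZ"
    "1EuVLuxNuuIJKX_V8a_OMXzR0EHR9R6jgdqrOOF4daGU96Sr_P6qJp6IcmD3HP9"
    "9Obi1PRs-cwh3LO-p146waJ8IhehcwL7F09JdijmBqkvPeB2T9CJNqeGpe-gccM"
    "g4vfKjkM8FcGvnzZUN4_KSP0aAp1tOJ1zZwgjxqGByKHiOtX7TpdQyHE5lcMiKP"
    "XfEIQILVq0pc_E2DzL7emopWoaoZTF_m0_N0YzFC6g6EJbOEoRoSK5hoDalrcvR"
    "YLSrQAZZKflyuVCyixEoV9GfNQC3_osjzw2PAithfubEEBLuVVk4XUVrWOLrLl0"
    "nx7RkKU8NXNHq-rvKMzqg"
)
# Assumption: the algorithms this relying party accepts. "none" must never be on the list.
ALLOWED_ALGS = {"RS256", "ES256"}

def b64url_decode(segment):
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def split_id_token(token):
    """Split a compact JWS into (header dict, claims dict, raw signature bytes)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have exactly three dot-separated parts")
    return (json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])),
            b64url_decode(parts[2]))

def validate_id_token(token, issuer, client_id, nonce, now=None, skew=60):
    """Return the claims once header and claims pass the checks, else raise ValueError.
    Signature verification with the OP's key for header['kid'] is done separately."""
    now = int(time.time()) if now is None else now
    header, claims, _signature = split_id_token(token)
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unacceptable alg {header.get('alg')!r}")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")  # a single client id or a list of them
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("audience mismatch: token was not issued to this client")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch: possible replay")
    if now > claims.get("exp", 0) + skew:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + skew:
        raise ValueError("token issued in the future")
    return claims
```

With the real clock the page's token is rejected as expired, since its exp is from 2011; passing a fixed now shows the checks it would pass when fresh.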

Requesting an ID Token

User credentials are checked and authenticated by the identity provider, with the support of a trusted agent such as the web browser. For this purpose, mobile apps on Android or iOS launch a system browser popup.

The request for ID tokens is carried out through the OAuth 2.0 protocol, which provides the following flows (paths) for obtaining them: the authorization code flow, the implicit flow, and the hybrid flow.

The following illustration compares the three flows:

Flow property                  Code    Implicit   Hybrid
Browser redirection step       yes     yes        yes
Backend request step           yes     no         yes
Tokens revealed to browser     no      yes        yes
Client can be authenticated    yes     no         yes

AKKU - OpenID Connector

Our custom OpenID Connector provides an organization’s users with the ability to access the tools and applications they need to perform their day to day activities.

Technology Stack

Implementation

diagram_3

AKKU - Desktop SSO

The Akku-Desktop SSO enables an organization’s users to access different tools and applications by signing in to their Windows network. It provides a secure and enterprise-friendly solution for an Active Directory (AD) environment.

diagram_4

This feature allows Windows AD users to access any web application directly without the need to log in again, once they are logged in to the Windows AD domain controller.

To implement this, Akku has a simple and secure solution that can be used by organizations that want to allow access only to Windows AD domain users.

The steps involved are:

The Akku SAML process then receives the SAML request along with the server variable REMOTE_USER from the IIS reverse proxy and creates a SAML assertion response, which is posted back to the service provider. The service provider validates this SAML response with a pre-configured SSO certificate and extracts the user attributes to match the user data it requested.

For additional security and session management, it is possible to verify active sessions on the reverse proxy server. Akku can also eliminate any spoofing of the reverse proxy server by using a secure SSH tunnel.

diagram_5

AKKU - AD Connector

The Akku-AD Connector enables organizations to use on-prem AD or Azure AD as the authentication data source for Akku. No agents are installed anywhere in the client or AD environment, which ensures transparency and privacy.

Implementation

Direct AD integration is carried out by establishing a secure connection from the Akku LDAP client to the AD LDAP server, with firewall modifications on both ends. User names are synced during the setup. Passwords are neither synced nor stored by Akku.

The following steps are to be implemented for the AD integration:

diagram_6

Akku On-premise App Connector

Akku provides the option to access on-premise applications, through a secure SSH tunnel established with your on-premise app server, from the Akku web server accessible via the Internet.

Technology Stack

Implementation

DNS Filter

The Domain Name System (DNS) is used every time a site is visited on the Internet. When a site name is typed into the browser, DNS is queried for the IP address corresponding to that domain, and the browser then contacts the web server at that address for the content. This conversion of a domain name to an IP address is known as domain-name resolution; DNS, therefore, provides the mapping between a website's name and its IP address.

DNS filtering provides protection by mitigating the risk of web-borne threats such as viruses, malware, ransomware, phishing attacks, and botnets, and it can enforce "safe" modes on search engines. A DNS filtering solution checks each request against its database of whitelists and either allows the web page to be displayed or refuses the request. It also enhances productivity in the workplace by blocking access to sites that employees may use for entertainment.

Akku DNS Filter

Akku’s DNS Filter feature enables organizations to filter all unwanted traffic as well as to enforce safe modes on search engines and YouTube channels.

Technology Stack

Implementation

Implementing a DNS filter is the easiest way to control internet traffic, especially when it comes to invisible background traffic generated by viruses and backdoor apps.

To implement the Akku DNS, follow these steps:

diagram_7

Password Policy Management

Akku's Password Policy Management service helps you define your password policies and then apply them across the organization and all its applications.

Technology Stack

Implementation

The organization’s administrator can simply choose the set of defined rules from a pre-existing template and apply these rules for user passwords, leveraging the flexibility to update the password policy whenever a change is initiated/approved by the Quality Compliance team.

This is implemented using an individual deployable Docker service component that can be consumed by an application.

diagram_8

Application Access Restriction

Akku comes with a built-in access restriction component that can restrict user access based on login location, IP address or device. If an access request comes from a source other than those predefined, the incident is reported to the administrator through a notification, and only if the administrator approves the request can the user access the application.

Technology Stack

Implementation

Location/IP-based Restriction:

Device-based Restriction:

diagram_8

Why - AKKU

Unique Features

Device-based Restriction, Internal Communications, and Content Filtering to name a few, are features unique to Akku IAM.

Cost Effective IAM

Akku comes at a cost far lower than any competing solution, and you can pick and pay only for the features that you actually need.

Emphasis on security & privacy

MFA and PPM are among Akku’s core features, and Akku does not store or maintain any user security information in any form.

24x7 Support

Akku is not a DIY solution - it comes with dedicated, expert support for deployment and operations.

Award-Winning Technology

Akku uses SimpleSAMLphp for SAML processes to act as IdP and SP. This provides high compatibility with other identity protocols and frameworks, and ensures easy scalability, load balancing, and replication using memcache servers.

Robust Platform

Akku runs on a dedicated Linux server for each client, with Apache web server, LDAP, MySQL, with web server level security modules for improved client security.

Dedicated Infrastructure

Akku does not coexist with other client data, and so provides privacy, visibility, and control at an infrastructure level, besides providing audit reports for all types of access.

Direct IP Access

Direct access to the Akku IdP by IP address is possible, to prevent DNS spoofing and manipulation of DNS names, providing an additional layer of security.

Server-Level Policy Control

IP-based, client SSL certificate-based, and location-based restrictions are controlled at the server level by Apache web server, after which the applications also filter these policies.

Proxy Gateway Control

Akku can be set up to be accessible only through the proxy server IP, so that HTTPS interception can be performed to enable personal email filtering.

Case Studies

Industry Segment: Healthcare Industry in USA

Customer Profile: A leading BPO providing process automation to healthcare clients in the USA

Objective: To implement a solution around client data and access to different tools through a single sign-on solution.

Approach: CNW provided AKKU as a single sign-on solution giving access to their intranet as well as to cloud-based SaaS tools. Here we integrated AKKU with their existing on-prem Active Directory as the user authentication data source.

Technology Stack

Solution Highlights

Industry Segment: Manufacturing Industry

Customer Profile: A leading manufacturing company dealing in steering and suspension systems, friction materials, valve train components, occupant safety systems and die-casting products, and providing connected mobility solutions.

Objective: To implement a solution providing restricted internet access to employees, blocking access to personal Gmail, and a single sign-on solution for access to SaaS-based applications (Salesforce CRM, ERP system).

Approach: CNW provided AKKU as a single sign-on solution giving access to the cloud-based SaaS tools.

Provided AKKU - DNS Filter Service to restrict internet access to the employees.

Technology Stack

Solution Highlights

Industry Segment: Manufacturing Industry

Customer Profile: A leading manufacturing company dealing in engineering adhesives and sealants, paints, speciality coatings and other chemical formulations in India for the automobile, aerospace and defence, industrial, energy, construction, marine, railway and vehicle construction industries.

Objective: To implement a solution providing restricted internet access to employees and blocking access to personal Gmail, and to implement organisation-wide password policy management as recommended by their compliance team.

Approach: CNW provided AKKU a solution with the following set of services:

Technology Stack

Solution Highlights