The platform is built on a set of core modules that provide the server infrastructure and the management tools (see Figure 1). These Indeed AM modules are:
Indeed AM authentication and management server. The server is the core of the system: it keeps the whole system running, performs user authentication and implements the solution's business logic. The server is an ASP.NET application. It supports installation in cluster mode, which provides higher performance and fault tolerance irrespective of the deployment scale.
Data storage. All system data is kept in a single storage that only the server can access directly. Data is stored, and transferred to and from the server, in encrypted form. The storage can be located in an Active Directory container (no schema extension is required) or in a SQL database.
Log server. Every settings change and every access grant is written to a single log stored on a dedicated server. The log can be kept in Windows Event Log format or in Indeed AM's own format in a SQL database. Events can also be forwarded to an external log via the syslog protocol.
Administrator console is implemented as a web application used to view and change system parameters and user settings, as well as to view the system log.
Self-service makes it possible for users to register or modify their authentication data (smart cards, one-time password generators, fingerprints, etc.).
Authentication providers let Indeed AM work with user authentication technologies. An authentication provider implements a unified interface through which the system performs the operations a given technology requires: obtaining authentication data for storage and verification, and verifying that data. The Indeed Access Manager supports the following authentication technologies:
- Cryptographic smart cards and USB tokens, such as eToken, IDBridge etc.
- Proximity RFID cards (used as passes in MCDS systems) in EM-Marin, HID iClass, HID Proximity and Mifare formats.
- Hardware and software tokens for one-time password generation using OATH TOTP and HOTP protocols.
- One-time codes sent via SMS or E-mail.
- Biometrics: fingerprint, hand vein pattern, 3D face image.
- Out-of-band authentication using a mobile application and push notifications based on the Indeed AirKey Cloud (Indeed AKC) product.
These technologies can be combined into a single authentication method, thus implementing multi-factor authentication (MFA).
Access policies define the assignment of technologies to systems, as well as the rights of system operators and administrators.
Each integration module is designed to solve a specific access-protection and user-authentication task. Any of these modules can be used independently of the others, and they are also designed to operate in combination. This lets you build any configuration of the authentication system, adapting it to the current needs and information-system structure of the enterprise.
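The OATH one-time password technologies listed above are specified in RFC 4226 (HOTP) and RFC 6238 (TOTP). The following is an added example, not code from Indeed AM, showing how a verifier computes and checks such codes; it also shows the two server-side rules a practitioner cares about, a counter look-ahead window for event-based tokens and a clock-drift window for time-based ones, in both cases advancing the stored state so an accepted code cannot be replayed. The reference secret is the ASCII string used by both RFCs' test vectors.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, code: str, stored_counter: int, look_ahead: int = 10) -> Optional[int]:
    """Check an event-based OTP against the counter the server stores for the token.

    The look-ahead window tolerates button presses that never reached the server.
    Returns the new counter to store (one past the matched value, so the same code
    cannot be replayed), or None if no counter in the window matches.
    """
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, unix_time: Optional[int] = None,
                last_used_step: Optional[int] = None, step: int = 30, skew: int = 1) -> Optional[int]:
    """Check a time-based OTP, allowing +/- `skew` steps of clock drift.

    Returns the matched time step (to be stored as last_used_step) or None.
    A step at or before last_used_step is refused, which blocks replay of a code
    that was already accepted inside the drift window.
    """
    now = int(time.time()) if unix_time is None else unix_time
    current = now // step
    for s in range(current - skew, current + skew + 1):
        if last_used_step is not None and s <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, s), code):
            return s
    return None


if __name__ == "__main__":
    # Reference secret from RFC 4226 appendix D and RFC 6238 appendix B (SHA-1 vectors).
    key = b"12345678901234567890"
    print("HOTP, counter 0:", hotp(key, 0))             # 755224 per RFC 4226
    print("TOTP, t=59, 8 digits:", totp(key, 59, digits=8))  # 94287082 per RFC 6238
```

Two design points: the comparison uses `hmac.compare_digest` so that a wrong code takes the same time as a right one, and both verifiers return the state to persist rather than a bare boolean, because the replay protection lives in that state update, not in the comparison.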
Indeed Access Manager
Indeed AM Windows Logon
The Indeed AM Windows Logon makes it possible to log in to Windows using strong authentication technologies within a Microsoft Active Directory environment. To do so, the Windows Logon agent is installed on user workstations. The agent installer is a standard MSI (Microsoft Windows Installer) package, which allows bulk installation and update with tools such as Active Directory group policies, Microsoft System Center Configuration Manager (SCCM), etc.
Integration with the Windows operating system uses the standard Credential Provider mechanism to implement a custom user authentication interface. This technology allows third-party developers to integrate their own authentication technologies through the Windows interface. It is also possible to perform Windows logon using Indeed AM technologies and then authenticate the user within the OS via Indeed Access Manager, e.g., when accessing domain resources, web applications, etc.
The Windows Logon supports all authentication technologies available within the Indeed Access Manager (smart cards, RFID cards, OTP, biometrics, etc.).
Employee substitution mode
Automatic user identification (kiosk mode)
- Users do not need to enter a username to be identified; they only need to present a smart card. To do so, the kiosk is equipped with a smart card reader.
- The system may require the card to remain on the reader for the entire working session on the PC. When the card is removed from the reader, the current session can be locked or terminated.
- When a new smart card is placed on the reader, the current session can either end or switch to the new employee's session.
- Biometric authentication can be added to the card as additional access protection (for example, contactless palm-pattern biometrics).
Management of Active Directory user passwords
Indeed AM RDP Windows Logon
The Indeed AM RDP Windows Logon module implements two-factor authentication for remote connections over the RDP protocol. The first factor is the domain password and the second is a one-time password (OTP) or logon confirmation via the Indeed AirKey Cloud mobile application. The OTP can be generated on the user side with a smartphone application or an OTP token, or sent to the user via SMS or email.
RDP Windows Logon is installed on the terminal server the user logs in to remotely; no components need to be installed on the user's PC. A configuration with Remote Desktop Gateway is supported as well.
Indeed AM Enterprise Single Sign-On (Enterprise SSO)
The Indeed Enterprise Single Sign-On (Indeed ESSO) implements single sign-on for legacy applications that do not support SSO mechanisms. The system stores user passwords for applications that require credentials centrally and enters them automatically when the application asks for them. The Enterprise SSO technology can be used with any application type (Windows, Java, Web, .NET), irrespective of architecture: single-tier, two-tier, three-tier, thick client or terminal applications.
Enterprise SSO relieves employees from memorizing passwords and keeping them secret, typing them in, and changing them manually in accordance with password security policies.
For this, an Enterprise SSO agent is installed on the user workstation. The agent monitors launched applications and intercepts authentication forms when they appear on the screen. The agent also includes extensions for popular web browsers (Internet Explorer, Google Chrome, Mozilla Firefox), so it can work with web applications as well.
Enterprise SSO integration to target systems
Change of password in a target application
Support of the terminal environment
Indeed AM SAML Identity Provider
The Indeed AM SAML Identity Provider (SAML IDP) module implements multi-factor authentication and single sign-on access to web applications (web single sign-on, WebSSO). Integration with target solutions uses the open international standard SAML 2.0 (Security Assertion Markup Language), which ensures compatibility with a wide range of commercial systems. SAML relieves the user from memorizing many sets of authentication data: only one set of credentials is needed to access all integrated systems. Authentication itself is performed centrally on the SAML Identity Provider (IDP) side. Indeed AM SAML IDP is implemented as a web application and is deployed in the customer's infrastructure. When a user attempts to access the target application, it redirects the user to the IDP page for authentication. On successful authentication the user is redirected back to the target application with an "authenticated" token, and the user session is then started.
Integration via the SAML protocol is done on the server side, so the MFA and WebSSO approach can be used from any device with a browser: PC, smartphone or tablet.
Indeed AM SAML IDP supports any combination of the following user authentication technologies: domain password, OATH TOTP and HOTP one-time passwords, one-time codes sent via SMS or email, and out-of-band authentication with the Indeed AirKey Cloud mobile application.
The WebSSO and MFA perimeter can include both corporate on-premise applications with SAML support (say, SAP or Citrix solutions) and cloud services, such as Office 365, Salesforce, Slack, G Suite (formerly Google Apps) and many others.
Indeed AM ADFS Extension
Web applications hosted on Internet Information Services (IIS) can be integrated with the Indeed AM software suite using the ADFS mechanism and the Indeed AM ADFS Extension component. The latter implements a multi-factor authentication provider for the Microsoft ADFS server, thus adding a second factor to the login process. This approach makes it possible to integrate target applications without modifying them. When logging in to an application, the user is redirected to the ADFS authentication page, where the Indeed AM ADFS Extension requests the second authentication factor. If successful, the user is redirected back to the target application.
ADFS is supported by Microsoft web applications such as Outlook Web Access, SharePoint, Skype for Business, etc.
The Indeed AM ADFS Extension supports the following variants of the second authentication factor: OATH TOTP and HOTP one-time passwords, one-time codes sent via SMS or email, and out-of-band authentication with the Indeed AirKey Cloud mobile application.
Indeed AM IIS Extension
We developed a dedicated integration module, Indeed AM IIS Extension, for authentication in web applications that run on Internet Information Services (IIS) and do not support the ADFS mechanism. The module is installed on the web server where the target application is deployed and provides two-factor authentication without interfering with the application code. It intercepts the authentication procedure: after the username and password are supplied, the user is redirected to a separate page to authenticate with a one-time password.
A single-factor authentication mode is supported as well. This mode is useful for the Exchange ActiveSync (EAS) application, as it allows the domain password to be excluded from the authentication scheme. In this case a separate password, a so-called application password used for EAS only, is used to access EAS. This password is entered into the mobile client to access corporate email.
IIS Extension can be used with any IIS-based web application, such as Outlook Web Access, RD, Exchange ActiveSync, etc.
Indeed AM NPS RADIUS Extension
The Indeed AM NPS RADIUS Extension is an extension module for Microsoft Network Policy Server (NPS). This module implements two-factor authentication for RADIUS-compatible services and web applications. The following is required:
- Deploy an NPS server in the enterprise network. The server provides authentication via the RADIUS protocol using Active Directory user data.
- Configure the target application to authenticate users via the RADIUS protocol against the NPS server.
- Install the Indeed AM NPS RADIUS Extension module on the NPS server. The module processes authentication requests and prompts users for the second authentication factor.
Second-factor authentication is performed on the Indeed Access Manager server. The result is sent to the target application via the NPS server.
The Indeed AM NPS RADIUS Extension supports the following variants of the second authentication factor: OATH TOTP and HOTP one-time passwords, one-time codes sent via SMS or email, and out-of-band authentication with the Indeed AirKey Cloud mobile application.
Authentication via the RADIUS protocol can be used with many VPN and VDI solutions, for example, products from Cisco, Citrix, Check Point, VMware and C-Terra.
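On the wire, the two-factor flow described above is an ordinary RFC 2865 exchange: the VPN or VDI gateway (the RADIUS client, or NAS) sends an Access-Request with the hidden domain password, the server answers Access-Challenge carrying a State attribute and a prompt, the client sends a second Access-Request with the OTP and the same State, and the server replies Access-Accept or Access-Reject. The following added example, which is not Indeed or Microsoft code, implements both sides of that exchange in memory: the User-Password hiding scheme, the Response Authenticator the client must verify, and a toy NPS handler whose password and OTP checks are constructed stand-ins for the Active Directory and Indeed AM server lookups. The shared secret, user and codes are constructed values.

```python
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SHARED_SECRET = b"constructed-shared-secret"     # constructed: NAS <-> NPS shared secret
DOMAIN_PASSWORDS = {b"alice": b"correct horse"}  # constructed stand-in for the AD password check
VALID_OTPS = {b"alice": b"493812"}               # constructed stand-in for the AM server's OTP check


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte chunks with an MD5 chain
    seeded by the Request Authenticator (obfuscation, not encryption)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips padding; passwords ending in NUL are out of scope here


def encode_attrs(attrs):
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret): the client checks this
    so a reply must come from a party holding the shared secret."""
    body = encode_attrs(attrs)
    header = struct.pack(">BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def nps_handle(request_pkt: bytes, secret: bytes, sessions: dict) -> bytes:
    """Toy NPS with a second-factor extension: round 1 checks the domain password and
    challenges for the OTP; round 2 (a request carrying State) checks the OTP."""
    _, ident, req_auth, attrs = parse_packet(request_pkt)
    a = dict(attrs)
    user = a.get(USER_NAME, b"")
    presented = reveal_password(a[USER_PASSWORD], secret, req_auth)
    reply_attrs = []
    if STATE not in a:
        if DOMAIN_PASSWORDS.get(user) == presented:
            state = os.urandom(8)
            sessions[state] = user
            reply = ACCESS_CHALLENGE
            reply_attrs = [(STATE, state), (REPLY_MESSAGE, b"Enter one-time password")]
        else:
            reply = ACCESS_REJECT
    else:
        # State binds round 2 to the user who passed round 1 and is single-use.
        ok = sessions.pop(a[STATE], None) == user and VALID_OTPS.get(user) == presented
        reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    auth = response_authenticator(reply, ident, req_auth, reply_attrs, secret)
    return build_packet(reply, ident, auth, reply_attrs)


def nas_login(user: bytes, password: bytes, otp: bytes, secret: bytes = SHARED_SECRET) -> int:
    """NAS side of the exchange; returns the final RADIUS reply code."""
    sessions = {}
    ra = os.urandom(16)
    req = build_packet(ACCESS_REQUEST, 1, ra,
                       [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, ra))])
    code, ident, auth, attrs = parse_packet(nps_handle(req, secret, sessions))
    if auth != response_authenticator(code, ident, ra, attrs, secret):
        raise ValueError("bad Response Authenticator: reply not from the expected server")
    if code != ACCESS_CHALLENGE:
        return code
    ra2 = os.urandom(16)
    req2 = build_packet(ACCESS_REQUEST, 2, ra2,
                        [(USER_NAME, user), (USER_PASSWORD, hide_password(otp, secret, ra2)),
                         (STATE, dict(attrs)[STATE])])
    code2, ident2, auth2, attrs2 = parse_packet(nps_handle(req2, secret, sessions))
    if auth2 != response_authenticator(code2, ident2, ra2, attrs2, secret):
        raise ValueError("bad Response Authenticator")
    return code2
```

Two things the example makes visible: the second-round OTP travels in the same User-Password attribute as the domain password and is protected only by the MD5-based hiding and the shared secret, which is why RADIUS between the gateway and NPS belongs on a trusted network segment or inside IPsec; and the State value is what ties the OTP round to the password round, so the server must make it unguessable and single-use.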
Indeed AM API
The Indeed AM API is a REST API for integration with third-party systems and applications. It can be used for two purposes:
- Implementing two-factor authentication. If the target application supports none of the authentication standards, two-factor authentication can be added to it by integrating Indeed AM API calls into the application. This approach suits an in-house custom application or a commissioned application that can be customized.
- Integration with incident systems. Such integration allows implementing additional scenarios for automating user account data processing or user access control. Integration with identity management (IDM) systems or MCDS systems are examples of such scenarios.
Integration into Identity Management systems
The integration allows the user access profile for the Indeed AM Enterprise SSO module to be created and filled in automatically. A connector to an IDM system allows automatic synchronization of user account data into the Enterprise SSO database. The credentials are created using IDM connectors to target systems and are immediately stored in the Indeed AM Enterprise SSO subsystem, relieving the employee from memorizing passwords and entering them manually. The integration has the following benefits:
- The company's information security level increases thanks to complete automation of the user password lifecycle: passwords are created, entered and changed automatically, without user or administrator intervention.
- The procedures for granting and gaining access are shortened to a minimum. A user gets password-free access to all the necessary systems immediately after a new user is registered (e.g., in the HR system) and automatic synchronization runs.
Scheme of Indeed AM Enterprise SSO integration to IDM
Let us look at the operating principle more closely using the example of hiring a new employee who authenticates with a USB token to access the desktop. The whole process can be roughly subdivided into five major steps.
- An HR employee registers a new employee record in the HR system.
- The new employee data appears in the IDM database via the connector to HR system.
- Based on that, the IDM performs synchronization, thus creating accounts for the user in all the applications required for the employee position or business role. For this, special IDM connectors are used.
- The same principle is used to implement a connector to the Indeed AM Enterprise SSO system. This connector creates the employee access profile in the Enterprise SSO database by copying the user account data at the final stage of the process.
- When done, the employee has everything he or she needs to perform the duties. After access to the desktop is obtained, the Indeed AM Enterprise SSO agent provides transparent access to all the applications the user needs by automatically filling in application login forms.
Integration to MCDS
Integration with MCDS systems allows Indeed AM to take the employee's location at the moment of authentication into account. This makes scenarios such as the following possible:
- Access is granted only if the employee is within the building perimeter (say, has entered via entrance checkpoint No. 1, 2 or 3);
- Access is granted only in a specific room (say, room No. 5, no matter how the employee got there);
- Access is granted only from a PC in a specific zone (e.g., from any PC on the third floor).
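The three scenarios above all reduce to the same question at logon time: what is the user's last badge event, and is it recent and of the right kind? The following added example, not Indeed AM code and not any real MCDS vendor's API, evaluates each scenario over a constructed badge log and then combines them into one logon decision. It also adds a maximum age for badge events, so that a badge-in from days ago with no badge-out does not keep granting access, and treats any later event (another room, an exit) as leaving the previous location. All users, reader identifiers and workstation names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional, Set


@dataclass(frozen=True)
class BadgeEvent:
    user: str
    time: datetime
    kind: str   # "entry" or "exit"
    point: str  # reader id: a building checkpoint or a room door


# Constructed badge log, in the shape an MCDS system might expose to Indeed AM.
BADGE_LOG = [
    BadgeEvent("alice", datetime(2024, 5, 1, 8, 55), "entry", "checkpoint-1"),
    BadgeEvent("alice", datetime(2024, 5, 1, 9, 10), "entry", "room-5"),
    BadgeEvent("bob", datetime(2024, 5, 1, 8, 50), "entry", "checkpoint-2"),
    BadgeEvent("bob", datetime(2024, 5, 1, 12, 0), "exit", "checkpoint-2"),
    BadgeEvent("carol", datetime(2024, 5, 1, 9, 0), "entry", "checkpoint-9"),  # not a perimeter entrance
]
PERIMETER_CHECKPOINTS = {"checkpoint-1", "checkpoint-2", "checkpoint-3"}
WORKSTATION_ZONE = {"pc-301": "floor-3", "pc-302": "floor-3", "pc-101": "floor-1"}  # constructed
MAX_EVENT_AGE = timedelta(hours=12)


def last_event(log: Iterable[BadgeEvent], user: str, now: datetime,
               points: Optional[Set[str]] = None) -> Optional[BadgeEvent]:
    """Most recent event for the user up to `now`, optionally restricted to certain readers."""
    events = [e for e in log if e.user == user and e.time <= now
              and (points is None or e.point in points)]
    return max(events, key=lambda e: e.time, default=None)


def _recent(e: Optional[BadgeEvent], now: datetime) -> bool:
    return e is not None and now - e.time <= MAX_EVENT_AGE


def inside_perimeter(log, user: str, now: datetime,
                     checkpoints: Set[str] = PERIMETER_CHECKPOINTS) -> bool:
    """Scenario 1: the latest checkpoint event is an entry through an allowed checkpoint."""
    e = last_event(log, user, now, checkpoints)
    return _recent(e, now) and e.kind == "entry"


def in_room(log, user: str, room: str, now: datetime) -> bool:
    """Scenario 2: the latest badge event anywhere is an entry into the given room."""
    e = last_event(log, user, now)
    return _recent(e, now) and e.kind == "entry" and e.point == room


def pc_in_zone(workstation: str, zones: Set[str]) -> bool:
    """Scenario 3: the workstation the logon comes from is in an allowed zone."""
    return WORKSTATION_ZONE.get(workstation) in zones


def logon_allowed(log, user: str, workstation: str, now: datetime) -> bool:
    """Combined policy: inside the perimeter, and either in room 5 or on a third-floor PC."""
    return inside_perimeter(log, user, now) and (
        in_room(log, user, "room-5", now) or pc_in_zone(workstation, {"floor-3"})
    )


if __name__ == "__main__":
    t = datetime(2024, 5, 1, 10, 0)
    for who, pc in [("alice", "pc-101"), ("bob", "pc-301"), ("bob", "pc-101"), ("carol", "pc-301")]:
        print(who, pc, "allowed" if logon_allowed(BADGE_LOG, who, pc, t) else "denied")
```

The decision deliberately fails closed: a user with no badge event, an event older than the limit, or a last event that is an exit is denied, and the workstation-to-zone map is a static inventory rather than something the client reports about itself.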