High usability and simple configuration, or extensive additional functions: the choice between Airlock Login and Airlock IAM is yours!

Airlock Login

When combined with Airlock WAF, Airlock Login facilitates reliable user authentication and authorization. However, optimal security is not the only benefit: Airlock Login also provides high usability and cost-efficiency.

When Airlock Login is enough:
- The authentication characteristics required for users (e.g. passwords and telephone numbers) already exist in directories, databases or on RADIUS servers
- Users are authenticated with a password, RSA SecurID, OTP tokens via RADIUS, MTAN, email OTP or client certificates
- It is used in a domain with a uniform authentication policy
- Cookies, HTTP headers, On-behalf Login, Backside Kerberos or Basic Auth are used for identity propagation

[Diagram: customers, colleagues and users from other domains are authenticated by Airlock IAM (MTAN, phototan, one-time password, identity federation, other authentication methods) before they gain access to applications.]

Airlock IAM

Airlock IAM is the suite's central authentication platform, including enterprise functions. With this product, customers, partners or employees can register just once for secure access to data and applications. Airlock IAM also automates user administration.

When Airlock IAM is required:
- The user profiles are to be supplemented with additional authentication characteristics (e.g. a telephone number for MTAN, allocations of OTP tokens, IAK codes for self-registration) separate from the master data (e.g. in a separate database)
- Authentication methods not included in Airlock Login are used (e.g. VASCO Digipass, Kobil, Mobile ID)
- Several domains with different authentication policies are in use
- User self-services are used and users need to register authentication characteristics themselves (e.g. telephone numbers for MTAN or an initial password letter)
- Authentication logic needs to be integrated into applications directly (via web services)
- Cross-domain SSO (SAML, OAuth, OpenID Connect) is used, e.g. to connect cloud services
- Identities and roles need to be managed (and not just consumed)
- Special additional functions such as Identity Representation or support for HSM modules are required
- There are several clients in one installation
- Customer-specific extensions (plug-ins) are integrated

[Diagram: traffic is filtered by Airlock WAF; users are authenticated by Airlock IAM; identities and roles are assigned to applications; users gain access to applications. Surrounding systems: user directories, public key infrastructure, corporate IT, applications.]

A comparison of Airlock Login and Airlock IAM components

[Diagram: Airlock IAM architecture. Loginapp, RADIUS Server and SOAP/REST Server sit on the Airlock IAM Core, which comprises Authentication Services, Integration Data Layer, and Integration ID Propagation, Federation, SSO.]

Components:
- Web-based login application: This login application interacts with the customer during login and when user self-services are used.
- Web-based administration interface (user administration, configuration, Logviewer): This admin application makes it possible to manage and configure Airlock Login/IAM, which encompasses displaying and managing the user profiles, the Configuration Editor, and displaying the logs.
- Integrated database for user profile metadata: Airlock Login uses existing user profiles stored, for example, in an LDAP/AD directory, a database or on a RADIUS server. Existing user attributes (e.g. a telephone number for MTAN) can be incorporated into the authentication. In more complex scenarios, however, the user master data is often not sufficient to meet the authentication requirements. For instance, there is often no verified telephone number available for sending SMS or using Mobile ID. If OTP tokens are used, the user token assignments must also be saved. For self-service workflows, information about the current status, and often IAK codes, must be saved too. Expanding existing directories or databases for this purpose is often not possible, and not desirable either, because user authentication information is very sensitive. For this reason, Airlock IAM has an integrated database in which status information can be added to existing user profiles.
- Service container for batch jobs and letter generation: Periodic batch jobs, e.g. to support self-service workflows and to synchronize user profiles between different directories and databases, run in the service container. New matrix cards, registration letters for MTAN or initial password letters are printed periodically, for instance. Users are also synchronized periodically between ADs and the integrated database. These use cases are restricted to Airlock IAM.
- RADIUS server component: Airlock IAM contains a RADIUS server component for the connection of network gateways.
- SOAP/XML and REST/JSON service interfaces: Airlock IAM has technical interfaces (web services) that enable the integration of authentication logic and user administration functions into applications. These interfaces make it possible to provide transaction signatures for online banking applications, for instance.

A comparison of the options for authentication with Airlock Login and Airlock IAM

Authentication features compared:
- Simple authentication workflows (one- and two-factor authentication)
- Complex authentication workflows (e.g. step-up, step-down)
- Password (LDAP, MSAD)
- OTP tokens via RADIUS
- RSA SecurID via RADIUS and Agent Host protocol (native)
- MTAN (SMS)
- Client certificates
- Support for a large number of other authentication methods (see Airlock IAM)
- Role-based access control (RBAC)
- Dynamic access control (based on environment attributes)

Airlock Login supports static one- and two-factor authentication workflows. One example:
1. User name and password are checked against an AD directory
2. An SMS challenge is sent and queried in the login application (MTAN)

In addition to the static authentication workflows, Airlock IAM supports the following dynamic workflows:
- Different authentication workflows per user
- Step-up: A user is already logged into the system but needs further authentication (e.g. a second factor) for a protected area, which is only queried when necessary.
- Step-down: A user selectively loses their authorization for a protected area without being logged out of the system.

Airlock Login supports the following authentication methods:
- Password check against a directory (LDAP, MSAD), with password hashes in a database for statically configured users
- RSA SecurID via RADIUS or via the Agent Host protocol (native)
- OTP tokens that can be connected via RADIUS
- MTAN (SMS challenge), if a verified telephone number is available
- Email OTP
- Client certificates

In addition to the methods of Airlock Login, Airlock IAM supports a wide range of other authentication methods and integrates various products and interfaces from third-party manufacturers, such as:
- VASCO Digipass tokens, including token management in Airlock IAM
- CrontoSign (previously phototan)
- KOBIL tokens via integration of the KOBIL AST
- OATH tokens
- Mobile OTP (MOTP), e.g. using Google Authenticator
- Mobile ID: the Swisscom web service interface is connected to Airlock IAM
- Complete matrix card solution including card management and letter generation
- SAML 1.1/2.0 assertions
- OAuth 2 tokens
- Kerberos tickets
- NTLM and Basic Auth credentials

Access to applications is protected via roles (RBAC, role-based access control). Once authentication has been completed, Airlock Login assigns the user their roles, and Airlock WAF enforces the access authorization as the policy enforcement point. Airlock IAM also supports ABAC (attribute-based access control) and can add authentication steps dynamically at runtime using various user and session attributes. One typical example is differing authentication for internal and external access (the decision is based on the source IP address of the request).
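The following is an added example, not code from Ergon or from the Airlock products: a small Python model of the workflows compared above. A salted password hash stands in for the directory lookup, an MTAN challenge is the second factor, a step-up check asks for a missing factor only when the requested protected area needs it, a step-down drops one factor without ending the session, and a single ABAC rule requires the second factor for requests from outside the internal address ranges. The user record, area names, network ranges, hashing parameters and function names are all constructed assumptions.

```python
# Added example (not Airlock code): a minimal model of static two-factor login,
# step-up, step-down, RBAC and a source-IP based ABAC rule. The user store, the
# protected areas, the network ranges and the hashing parameters are assumptions.
import hashlib
import hmac
import ipaddress
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 200_000  # assumption; tune to the deployment's hardware

def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256: the 'password hashes in a database' case."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed user store standing in for an AD/LDAP directory or database.
_salt, _digest = hash_password("correct horse battery")
USERS = {"alice": {"salt": _salt, "hash": _digest,
                   "phone": "+41 79 000 00 00", "roles": {"customer"}}}

# Constructed protected areas: the role that grants access and the factors required.
AREAS = {
    "portal":   {"role": "customer", "factors": {"password"}},
    "payments": {"role": "customer", "factors": {"password", "mtan"}},
    "admin":    {"role": "admin",    "factors": {"password", "mtan"}},
}

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]  # assumption

@dataclass
class Session:
    user: str
    source_ip: str
    roles: set = field(default_factory=set)
    factors: set = field(default_factory=set)   # factors completed so far
    pending_mtan: Optional[str] = None          # outstanding SMS challenge

def login_password(username: str, password: str, source_ip: str) -> Optional[Session]:
    """Step 1 of the static workflow: password check against the user store."""
    rec = USERS.get(username)
    if rec is None:
        hash_password(password, b"\x00" * 16)   # same cost for unknown users
        return None
    _, digest = hash_password(password, rec["salt"])
    if not hmac.compare_digest(digest, rec["hash"]):
        return None
    return Session(username, source_ip, set(rec["roles"]), {"password"})

def send_mtan(session: Session) -> str:
    """Step 2: issue the SMS challenge (returned here instead of being sent)."""
    session.pending_mtan = f"{secrets.randbelow(10**6):06d}"
    return session.pending_mtan

def complete_mtan(session: Session, code: str) -> bool:
    """Consume the challenge exactly once; on success the 'mtan' factor is recorded."""
    expected, session.pending_mtan = session.pending_mtan, None
    ok = expected is not None and hmac.compare_digest(code, expected)
    if ok:
        session.factors.add("mtan")
    return ok

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def required_factors(area: str, source_ip: str) -> set:
    """ABAC rule: external requests always need the second factor, whatever the area."""
    needed = set(AREAS[area]["factors"])
    if not is_internal(source_ip):
        needed.add("mtan")
    return needed

def authorize(session: Session, area: str):
    """RBAC first, then step-up: ('allow', None), ('deny', None) or ('step-up', [missing])."""
    if AREAS[area]["role"] not in session.roles:
        return ("deny", None)
    missing = required_factors(area, session.source_ip) - session.factors
    if missing:
        return ("step-up", sorted(missing))
    return ("allow", None)

def step_down(session: Session, factor: str) -> None:
    """Drop one factor selectively; the session itself stays logged in."""
    session.factors.discard(factor)
```

The decision function returns the factors that are still missing rather than a bare refusal, so a login application can prompt only for those; the session stays valid throughout, which is what distinguishes step-up and step-down from a fresh login. In the split the page describes, this decision is the job of the authentication platform, while enforcing the result on each request remains with the WAF as policy enforcement point.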

A comparison of the login application functions in Airlock Login and Airlock IAM

Login application functions compared:
- Password change (voluntary or forced)
- Password reset via email
- Portal function
- User self-services
- Representation, T&Cs, maintenance messages and various other functions

Airlock Login and IAM support password change workflows. A forced password change takes place if it is required, for example by an AD because the password has expired. The password change is classed as unforced if it is initiated by the user.

Airlock Login and IAM support a password reset function that communicates with the user via email. The user receives a link that enables them to enter a new password.

Airlock Login and IAM include a portal that provides an overview of the applications available and access to user self-services (Airlock IAM only).

Airlock IAM incorporates a wide range of self-services designed for the users themselves and for the authentication methods supported:
- Change and reset the password
- Lock and unlock the user's account
- Edit the user's data (home address, email address, telephone number etc.)
- Register a telephone number for MTAN/Mobile ID
- Token migration (e.g. replace an expired token or switch to a new type of token)
- Various self-services for specific authentication methods (e.g. client certificates, CrontoSign, matrix cards, VASCO Digipass, OAuth 2)

The Airlock IAM login application supports various additional functions, such as:
- Representation (one user can represent another)
- Read and agree to T&Cs
- Activate maintenance messages

Options available for identity federation and single sign-on (SSO)

SSO/identity federation features compared:
- Simple SSO (cookies, HTTP header, On-behalf Form Login, Backside Kerberos etc.)
- Complex SSO and identity federation
- SAML 2.0 (IDP and SP)
- OAuth 2.0 / OpenID Connect

Airlock Login and IAM support various mechanisms for identity propagation, i.e. transferring the user name, roles and additional attributes to the applications:
- Cookies
- HTTP header
- On-behalf Form Login
- Backside Kerberos
- Basic Auth
- Airlock assertions

Alongside the simple SSO mechanisms, Airlock IAM also supports other mechanisms for identity propagation such as NTLM or the conditional transfer of identities depending on user data. The SAML and OAuth/OpenID Connect standards for cross-domain SSO are also supported. Airlock IAM supports the SAML protocol (versions 1.1 and 2.0) and can be configured as IDP and as SP. Airlock IAM supports OAuth 2.0 and OpenID Connect.
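As an added example, not Airlock code and not the format of Airlock assertions (which the page does not describe), the following Python shows the gateway-side and backend-side halves of three of the propagation mechanisms listed above: a plain HTTP header, Basic Auth, and an HMAC-signed assertion header. The header names, the assertion layout and the shared key are constructed assumptions.

```python
# Added example (not Airlock code): identity propagation from a gateway to a
# backend via a plain header, Basic Auth and a signed assertion, plus the checks
# each side should perform. Header names, assertion format and key are assumptions.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_KEY = b"constructed-demo-key-do-not-reuse"   # assumption: gateway/backend secret
IDENTITY_HEADERS = ("X-Remote-User", "X-Remote-Roles", "X-Identity-Assertion")

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(user, roles, key=SHARED_KEY, ttl=300, now=None) -> str:
    """payload.signature: user, sorted roles and expiry; HMAC-SHA256 over the payload."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = json.dumps({"sub": user, "roles": sorted(roles), "exp": exp},
                         separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(hmac.new(key, payload, hashlib.sha256).digest())

def strip_client_identity_headers(request_headers: dict) -> dict:
    """Gateway side: never forward identity headers that the client itself supplied."""
    return {k: v for k, v in request_headers.items() if k not in IDENTITY_HEADERS}

def gateway_headers(user, roles, mechanism, password=None, key=SHARED_KEY, now=None) -> dict:
    """Headers the gateway adds after authentication, per propagation mechanism."""
    if mechanism == "header":     # plain header: only as trustworthy as the network path
        return {"X-Remote-User": user, "X-Remote-Roles": ",".join(sorted(roles))}
    if mechanism == "basic":      # Basic Auth towards a backend that already understands it
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        return {"Authorization": "Basic " + token}
    if mechanism == "assertion":  # signed assertion: backend can check integrity and freshness
        return {"X-Identity-Assertion": make_assertion(user, roles, key, now=now)}
    raise ValueError(f"unknown mechanism {mechanism!r}")

def verify_assertion(value: str, key=SHARED_KEY, now=None) -> Optional[dict]:
    """Backend side: constant-time signature check, then expiry; None on any failure."""
    try:
        payload_b64, sig_b64 = value.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] < (time.time() if now is None else now):
        return None
    return claims

def backend_identity(headers: dict, key=SHARED_KEY, now=None) -> Optional[dict]:
    """A backend that accepts only the signed assertion; a bare X-Remote-User is not trusted."""
    value = headers.get("X-Identity-Assertion")
    return verify_assertion(value, key, now) if value else None
```

The plain header and Basic Auth variants carry no proof of origin, so a backend may accept them only when it is reachable solely through the gateway, and the gateway must drop any copies of these headers that arrive from the client, which is what strip_client_identity_headers does before the gateway adds its own. The signed assertion lets the backend verify integrity and freshness itself, which is the property a cross-domain mechanism such as SAML or OpenID Connect provides with asymmetric signatures instead of a shared key.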

User administration with Airlock Login and Airlock IAM

Identity management features compared:
- User search and display
- Manage, aggregate and provision identity and role information

Search for and display users in connected directories or databases.

Search for, display and edit users:
- Create new users
- Edit user data
- Check status information for self-service workflows
- Individual assignment and selective activation of authentication methods for each user
- Manage and aggregate role information for users
- Provision user identities into external directories

The installation and administration options available with Airlock Login and Airlock IAM

Deployment options compared:
- Integration into Airlock WAF
- Installation on separate hardware
- Multi-client capability

Airlock Login can be installed on Airlock WAF directly. In simple set-ups, this avoids the need for an additional server and simplifies administration.

Airlock Login and Airlock IAM can both be installed on separate hardware (or virtually). This is required in particular when managing sensitive authentication characteristics that cannot be kept in the DMZ. Separate hardware may also be required when a failover cluster that is not dependent on Airlock WAF is needed for Airlock Login/IAM.

Airlock IAM has an Instance Manager that makes it possible to manage an independent installation for each client. Separate configuration, user directories, administrator accounts, log files and release versions are all possible.

About Ergon Informatik AG and Airlock Suite

Founded in 1984, Ergon Informatik AG is a leading developer of bespoke software solutions and products. The cornerstone of our success: 255 highly qualified IT specialists who are committed to creating value for the client, anticipating technological trends and designing solutions that generate competitive advantage. Ergon focuses on implementing major B2B projects.

Airlock Suite deals with the issues of filtering and authentication in one complete and coordinated solution, setting standards for usability and services. Airlock, our security product, was launched on the market in 2002 and is now used by 350 customers around the globe.

Ergon, the Ergon logo, «smart people smart software» and Airlock are registered trademarks of Ergon Informatik AG.

Ergon Informatik AG, Merkurstrasse 43, CH-8032 Zürich, +41 (0)44 268 89 00, www.airlock.com, twitter.com/ergonairlock