High usability and simple configuration, or extensive additional functions: the choice between Airlock Login and Airlock IAM is yours!

[Figure: Airlock Login and Airlock IAM]

Airlock Login

When combined with Airlock WAF, Airlock Login facilitates reliable user authentication and authorization. However, optimal security is not the only benefit: Airlock Login also provides high usability and cost-efficiency.

When Airlock Login is enough
- The authentication characteristics required for users (e.g. passwords and telephone numbers) already exist in directories, databases or on RADIUS servers
- Authentication is performed with a password, RSA SecurID, OTP tokens via RADIUS, MTAN, email OTP or client certificates
- It is used in a domain with a uniform authentication policy
- Cookies, HTTP headers, On-behalf Login, Backside Kerberos or Basic Auth are used for identity propagation

[Figure: Users are authenticated by Airlock IAM before they gain access to applications. Labels: Customers, Colleagues, Other domains; MTAN, phototan, one-time password, identity federation, other authentication methods; Authentication.]

Airlock IAM

Airlock IAM is the suite's central authentication platform, including enterprise functions. With this product, customers, partners or employees can register just once for secure access to data and applications. Airlock IAM also automates user administration.

When Airlock IAM is required
- The user profiles are to be supplemented with additional authentication characteristics (e.g. a telephone number for MTAN, allocations of OTP tokens, IAK codes for self-registration) separate from the master data (e.g. in a separate database)
- Authentication methods not included in Airlock Login are used (e.g. VASCO Digipass, Kobil, Mobile ID)
- Several domains with different authentication policies are in use
- User self-services are used and users need to register authentication characteristics themselves (e.g. telephone numbers for MTAN or an initial password letter)
- An authentication logic needs to be integrated into applications directly (via web services)
- Cross-domain SSO (SAML, OAuth, OpenID Connect) is used, e.g. to connect cloud services
- Identities and roles need to be managed (and not just consumed)
- Special additional functions such as identity representation or support for HSM modules are required
- There are several clients in one installation
- Customer-specific extensions (plug-ins) are integrated

[Figure: Traffic is filtered by Airlock WAF. Users are authenticated by Airlock IAM. Identities and roles are assigned to applications. Users gain access to applications. Labels: User directories, Public Key Infrastructure, Corporate IT, Applications.]
A comparison of Airlock Login and Airlock IAM components

[Figure: Airlock IAM architecture. Labels: Loginapp, RADIUS Server, SOAP/REST Server, Airlock IAM Core, Authentication Services, Integration, Data Layer Integration, ID Propagation, Federation, SSO.]

Components
- Web-based login application
- Web-based administration interface (user administration, configuration, Logviewer)
- Integrated database for user profile metadata
- Service container for batch jobs and letter generation
- RADIUS server component
- SOAP/XML service interface
- REST/JSON service interface

The login application interacts with the customer during login and when user self-services are used.

The admin application makes it possible to manage and configure Airlock Login/IAM, which encompasses displaying and managing the user profiles, the Configuration Editor, and displaying the logs.

Airlock Login uses existing user profiles saved, for example, in an LDAP/AD directory, a database or on a RADIUS server. Existing user attributes (e.g. a telephone number for MTAN) can be incorporated into the authentication. In more complex scenarios, however, the user master data is often not sufficient to meet the authentication requirements. For instance, there is often no verified telephone number available for sending SMS or using Mobile ID. If OTP tokens are used, the user-token assignments must also be saved. For self-service workflows, information about the current status, and often IAK codes too, must be saved. Expanding existing directories or databases for this purpose is often not possible, and not desirable either, because user authentication information is very sensitive. For this reason, Airlock IAM has an integrated database in which status information can be added to existing user profiles.

Periodic batch jobs, e.g. to support self-service workflows and synchronize user profiles between different directories and databases, run in the service container. New matrix cards, registration letters for MTAN or initial password letters are printed periodically, for instance. Users are also synchronized periodically between ADs and the integrated database. These use cases are restricted to Airlock IAM.

Airlock IAM contains a RADIUS server component for connecting network gateways.

Airlock IAM has technical interfaces (web services) that enable the integration of authentication logic and user administration functions into applications. These interfaces make it possible to provide transaction signatures for online banking applications, for instance.
A comparison of the options for authentication with Airlock Login and Airlock IAM

Authentication
- Simple authentication workflows (one- and two-factor authentication)
- Complex authentication workflows (e.g. step-up, step-down)
- Password (LDAP, MSAD)
- OTP tokens via RADIUS
- RSA SecurID via RADIUS and Agent Host protocol (native)
- MTAN (SMS)
- Client certificates
- Support for a large number of other authentication methods (see Airlock IAM)
- Role-based access control (RBAC)
- Dynamic access control (based on environment attributes)

Airlock Login supports static one- and two-factor authentication workflows. One example is as follows:
1. User name and password are checked against an AD directory
2. An SMS challenge is sent and queried in the login application (MTAN)

In addition to the static authentication workflows, Airlock IAM supports the following dynamic workflows:
- Different authentication workflows per user
- Step-up: a user is already logged into the system but needs further authentication (e.g. a second factor) for a protected area, which is only queried when necessary.
- Step-down: a user loses their authorization for a protected area selectively, without being logged out of the system.

Airlock Login supports the following authentication methods:
- Password check against a directory (LDAP, MSAD), with password hashes in a database for statically configured users
- RSA SecurID via RADIUS or via the Agent Host protocol (native)
- OTP tokens that can be connected via RADIUS
- MTAN (SMS challenge), if a verified telephone number is available
- Email OTP
- Client certificates

In addition to the methods in Airlock Login, Airlock IAM supports a wide range of other authentication methods and integrates various third-party products and interfaces, such as:
- VASCO Digipass tokens, including token management in Airlock IAM
- CrontoSign (previously phototan)
- KOBIL tokens via integration of the KOBIL AST
- OATH tokens
- Mobile OTP (MOTP), e.g. using Google Authenticator
- Mobile ID: the Swisscom web service interface is connected to Airlock IAM
- Complete matrix card solution, including card management and letter generation
- SAML 1.1/2.0 assertions
- OAuth 2 tokens
- Kerberos tickets
- NTLM and Basic Auth credentials

Access to applications is protected via roles (RBAC, role-based access control). Once authentication has been completed, Airlock Login assigns the user their roles, and Airlock WAF enforces the access authorization as the policy enforcement point.

Airlock IAM also supports ABAC (attribute-based access control) and can select authentication steps dynamically at runtime using various user and session attributes. A typical example is the differing authentication of internal and external access (decision based on the source IP address of the request).
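The step-up and step-down workflows and the RBAC/ABAC decision described above, shown as policy logic in an added example that is not Airlock code: the protected areas, the internal address ranges, the factor names and the policy table are constructed assumptions, chosen only to make the decision path visible.

```python
"""
Policy enforcement logic combining RBAC (which roles may enter an area) with
an ABAC decision (internal vs. external source IP decides which factors the
area requires), plus step-up and step-down on a live session.
Constructed example; not Airlock code. All names below are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Set

# Constructed: address ranges treated as "internal" for the ABAC decision.
INTERNAL_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed: the primary login factor that keeps the session alive.
PRIMARY_FACTOR = "password"

# Constructed policy: roles allowed per protected area, and the factors
# required depending on whether the request comes from inside or outside.
AREA_POLICY = {
    "portal":   {"roles": {"user", "admin"}, "internal": {"password"},         "external": {"password"}},
    "payments": {"roles": {"user", "admin"}, "internal": {"password"},         "external": {"password", "mtan"}},
    "admin":    {"roles": {"admin"},         "internal": {"password", "mtan"}, "external": {"password", "mtan"}},
}


@dataclass
class Session:
    user: str
    roles: Set[str]
    factors: Set[str] = field(default_factory=set)   # factors completed so far
    granted: Set[str] = field(default_factory=set)   # areas currently authorized


def is_internal(source_ip: str) -> bool:
    ip = ip_address(source_ip)
    return any(ip in net for net in INTERNAL_NETWORKS)


def required_factors(area: str, source_ip: str) -> Set[str]:
    """ABAC part: the environment attribute (source IP) selects the factor set."""
    policy = AREA_POLICY[area]
    return policy["internal"] if is_internal(source_ip) else policy["external"]


def authorize(session: Session, area: str, source_ip: str) -> str:
    """Return 'granted', 'step-up:<missing factors>' or 'denied'."""
    policy = AREA_POLICY.get(area)
    if policy is None or not (session.roles & policy["roles"]):
        return "denied"  # RBAC part: no role of the user permits this area
    missing = required_factors(area, source_ip) - session.factors
    if missing:
        # Step-up: the session survives, but the missing factor is queried first.
        return "step-up:" + ",".join(sorted(missing))
    session.granted.add(area)
    return "granted"


def complete_factor(session: Session, factor: str) -> None:
    """Record a successfully completed authentication step (e.g. an MTAN)."""
    session.factors.add(factor)


def step_down(session: Session, area: str, source_ip: str) -> None:
    """Revoke one area's authorization without ending the session.

    Factors that only this area needed are dropped as well, so a later
    request for the area triggers step-up again; the primary factor stays.
    """
    session.granted.discard(area)
    still_needed: Set[str] = set()
    for other in session.granted:
        still_needed |= required_factors(other, source_ip)
    session.factors = (session.factors & still_needed) | {PRIMARY_FACTOR}


if __name__ == "__main__":
    s = Session(user="alice", roles={"user"}, factors={"password"})
    print(authorize(s, "payments", "10.1.2.3"))      # internal: granted
    print(authorize(s, "payments", "203.0.113.5"))   # external: step-up:mtan
    complete_factor(s, "mtan")
    print(authorize(s, "payments", "203.0.113.5"))   # granted
    step_down(s, "payments", "203.0.113.5")
    print(authorize(s, "payments", "203.0.113.5"))   # step-up:mtan again
```

The same session object carries both the completed factors and the granted areas, which is what lets step-down revoke a single area while the user stays logged in; the source IP is evaluated per request rather than stored, so a session that moves from an internal to an external address is re-evaluated on its next request.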
A comparison of the login application functions in Airlock Login and Airlock IAM

Login application functions
- Password change (voluntary or forced)
- Password reset via email
- Portal function
- User self-services
- Representation, T&Cs, maintenance messages and various other functions

Airlock Login and IAM support password change workflows. A forced password change takes place if this is required, for example by an AD because the password has expired. The password change is classed as unforced if it is initiated by the user.

Airlock Login and IAM support a password reset function that communicates with the user via email. The user receives a link that enables them to enter a new password.

Airlock Login and IAM include a portal that provides an overview of the available applications and access to user self-services (Airlock IAM only).

Airlock IAM incorporates a wide range of self-services designed for the users themselves and for the authentication methods supported:
- Change and reset the password
- Lock and unlock the user's account
- Edit the user's data (home address, email address, telephone number etc.)
- Register a telephone number for MTAN/Mobile ID
- Token migration (e.g. replace an expired token or switch to a new type of token)
- Various self-services for specific authentication methods (e.g. client certificates, CrontoSign, matrix cards, VASCO Digipass, OAuth 2)

The Airlock IAM login application supports various additional functions, such as:
- Representation (one user can represent another)
- Read and agree to T&Cs
- Activate maintenance messages

Options available for identity federation and single sign-on (SSO)

SSO/identity federation
- Simple SSO (cookies, HTTP header, On-behalf Form Login, Backside Kerberos etc.)
- Complex SSO and identity federation
- SAML 2.0 (IdP and SP)
- OAuth 2.0 / OpenID Connect

Airlock Login and IAM support various mechanisms for identity propagation, i.e. transferring the user name, roles and additional attributes to the applications:
- Cookies
- HTTP header
- On-behalf Form Login
- Backside Kerberos
- Basic Auth
- Airlock assertions

Alongside the simple SSO mechanisms, Airlock IAM also supports other mechanisms for identity propagation, such as NTLM or the conditional transfer of identities depending on user data. The standards SAML and OAuth/OpenID Connect for cross-domain SSO are also supported.

Airlock IAM supports the SAML protocol (versions 1.1 and 2.0) and can be configured as IdP and as SP. Airlock IAM supports OAuth 2.0 and OpenID Connect.
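Header-based identity propagation, the "HTTP header" mechanism listed above, as an added example that is not Airlock code: the policy enforcement point in front of the application removes any identity headers the client sent and sets them from the authenticated session, so the backend only ever sees values the proxy chose. The header names, the session layout and the sample request are constructed assumptions.

```python
"""
Identity propagation via HTTP headers between a reverse proxy (the policy
enforcement point) and a backend application. Constructed example, not
Airlock code; the header names and session layout are assumptions.
"""
from typing import Dict, Optional, Set

# Assumed header names carrying the propagated identity to the backend.
IDENTITY_HEADERS = ("X-Auth-User", "X-Auth-Roles")
_IDENTITY_LOWER = {h.lower() for h in IDENTITY_HEADERS}


def propagate_identity(request_headers: Dict[str, str],
                       session: Optional[Dict]) -> Dict[str, str]:
    """Build the header set forwarded to the backend.

    Every inbound identity header is dropped first (case-insensitively):
    a backend that trusts these headers must never see client-chosen values.
    The proxy then sets them from the authenticated session, if any.
    """
    cleaned = {k: v for k, v in request_headers.items()
               if k.lower() not in _IDENTITY_LOWER}
    if session is not None:
        cleaned["X-Auth-User"] = session["user"]
        cleaned["X-Auth-Roles"] = ",".join(sorted(session["roles"]))
    return cleaned


def backend_roles(headers: Dict[str, str], from_trusted_proxy: bool) -> Set[str]:
    """What the application derives from the propagated identity.

    The headers carry meaning only on the hop from the proxy; a request that
    reached the backend by any other path yields no roles at all.
    """
    if not from_trusted_proxy:
        return set()
    roles = headers.get("X-Auth-Roles", "")
    return {r for r in roles.split(",") if r}


# Constructed sample: a client request that already carries identity headers.
SPOOFED_REQUEST = {
    "Host": "app.example.test",
    "x-auth-user": "admin",
    "X-Auth-Roles": "admin",
}

if __name__ == "__main__":
    session = {"user": "alice", "roles": {"user"}}
    forwarded = propagate_identity(SPOOFED_REQUEST, session)
    print(forwarded)
    print(backend_roles(forwarded, from_trusted_proxy=True))
    print(backend_roles(SPOOFED_REQUEST, from_trusted_proxy=False))
```

The backend's trust in these headers rests entirely on network topology: it must be reachable only through the proxy that performs the stripping, which is the reason the deployment section below discusses where Airlock Login/IAM and the protected applications are placed relative to Airlock WAF.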
User administration with Airlock Login and Airlock IAM

Identity management
- User search and display
- Manage, aggregate and provision identity and role information

Search for and display users in connected directories or databases.

Search for, display and edit users:
- Create new users
- Edit user data
- Check status information for self-service workflows
- Individual assignment and selective activation of authentication methods for each user
- Manage and aggregate role information for users
- Provision user identities into external directories

The installation and administration options available with Airlock Login and Airlock IAM

Deployment
- Integration into Airlock WAF
- Installation on separate hardware
- Multi-client capability

Airlock Login can be installed directly on Airlock WAF. In simple set-ups, this avoids the need for an additional server and simplifies administration.

Airlock Login and Airlock IAM can both be installed on separate hardware (or virtually). This is required in particular when managing sensitive authentication characteristics that cannot be kept in the DMZ. Separate hardware may also be required when a failover cluster that is not dependent on Airlock WAF is needed for Airlock Login/IAM.

Airlock IAM has an Instance Manager that makes it possible to manage an independent installation for each client. Separate configuration, user directories, administrator accounts, log files and release versions are all possible.

About Ergon Informatik AG and Airlock Suite

Founded in 1984, Ergon Informatik AG is a leading developer of bespoke software solutions and products. The cornerstone of our success: 255 highly qualified IT specialists who are committed to creating value for the client, anticipating technological trends and designing solutions that generate competitive advantage. Ergon focuses on implementing major B2B projects. Airlock Suite deals with the issues of filtering and authentication in one complete and coordinated solution, setting standards for usability and services. Airlock, our security product, was launched on the market in 2002 and is now used by 350 customers around the globe.

Ergon, the Ergon logo, «smart people smart software» and Airlock are registered trademarks of Ergon Informatik AG.

Ergon Informatik AG
Merkurstrasse 43
CH-8032 Zürich
+41 (0)44 268 89 00
www.airlock.com
twitter.com/ergonairlock