Posts

Single Sign-on with privacyIDEA

Companies more and more rely on cloud services. As a result, the number of accounts and the amount of login data are growing rapidly. However, if the number of user names and passwords continues to climb, interfaces and security risks will increase. Single sign-on with privacyIDEA therefore offers the option of centrally managing an identity in order to ensure enhanced security and flexibility.

Single sign-on (SSO) is often misunderstood: The attribution “single” does not necessarily imply that the user only has to remember a single password – this is only partially true. In fact, SSO means that a user only has to log in once, but then still has access to several (cloud) applications at the same workstation – without further “logins”.

This is one of the reasons why companies like to use SSO for their own web services. The crucial factor, however, is not the reduction to one password – a central LDAP server would be sufficient for this – but the fact that users only login once. With SSO, companies offer their employees a central point of contact, whereby they can access all ERP, web or cloud applications they need for their (everyday) work with a single “login”.

According to Bitkom, 44% of all applications and work processes now run cloud-based (83% for large companies) and more and more cloud services are being used, so the need for single sign-on solutions is becoming more and more important. So here’s an overview, not just of the benefits of SSO, but also of what companies have to consider, if they want to use SSO securely and efficiently for their organization.

What is Single Sign-on (SSO)?

In particular, the growing demand for cloud applications is leading to an increased use of SSO. The reason for this is an obvious one: more applications (in the cloud) also mean more passwords or login data for different accounts. Single sign-on offers exactly this option: you only have to log on once, but then you are logged on to several applications.

How can a company benefit from SSO?

A single sign-on system, for example, reduces the proliferation of different accounts and passwords, which significantly increases ease of use for employees. They will most certainly prefer to remember one “master access” rather than many individual accesses.

In addition, too many accounts demonstrably worsen password hygiene, i.e. too many users often use the same passwords for different portals, which cannot benefit IT security.

Scattered “account silos” across multiple solutions – companies want to avoid this, not only because it is simply impractical, but also because it is insecure. With SSO, IT departments can easily create new user accounts centrally and even manage individual permissions. And if an employee leaves the company, “offboarding processes” can also be administered remotely.

Exactly this reduction to one credential – e.g. password and user name – minimizes the risk that access data is lost or consists of easily guessable passwords. On the contrary, if used correctly, SSO increases productivity, facilitates effective IT monitoring, and ultimately provides more control and security – while employees are granted or denied access to multiple systems, platforms, and other business-related resources with a single login.

How can SSO be used in the company?

However, in order to work properly, single sign-on services must access specific protocols. There are quite a few of these – for example SAML2, which is used intensively by Salesforce, or OpenID Connect (OIDC), which is also used by Google, for example.

SAML protocol

With a SAML protocol, the user receives an encrypted session cookie with which the user can authenticate to certain (cloud) services over a specified period of time. The big advantage is that the external service does not have to establish a connection to the internal authentication service (Identity Provider – IdP) – the connection to the user’s browser is all it takes.

OAuth2 with OpenID Connect

The OAuth2 protocol is used to authorize Google services such as Gmail or Google Drive. OpenID Connect is a further development of common protocols such as OpenID or SAML. Since it is generally regarded as simple and secure, OAuth2 with OpenID Connect is increasingly becoming the standard for authorizing API access on the web (and also for apps).

Users receive a unique access key which, in combination with the OAuth2 protocol, enables them to login. Information about the identity of the user as well as the authentication provided is returned to a client via an OpenID-specific token, also known as an ID token. The login then only applies to this one client.

Individual authorization processes – with Keycloak

However, since companies often have to meet different IT security and compliance requirements, they use so-called identity or access management systems – such as the open source solution Keycloak, which uses the two protocols mentioned above and is developed by JBoss under the direction of RedHat. So if role-based authorization does not meet internal needs, Keycloak offers adjustable authorization services.

This way, organizations can manage permissions for all their services through the Keycloak management console and have the ability to define exactly the policies they need.

The security issue – opportunity and hurdle at the same time

The fact that single sign-on systems fundamentally increase security is undisputed: they reduce the password jungle, prevent the creation of (account) silos, increase productivity and facilitate offboarding processes. But a large residual risk remains: A successful attack would always result in several applications being affected in one fell swoop.

But this hurdle can be overcome by additionally integrating a 2-factor authentication solution for SSO. With privacyIDEA as authproc filter (in simpleSAMLphp), for example, users can extend and individualize the authentication process in various ways. The first factor is authenticated against the authentication source (e.g. LDAP) and the second against privacyIDEA.

Functions, that Keycloak and privacyIDEA offer

With Keycloak you can log in with a second factor of privacyIDEA. The following functions allow a secure and user-friendly login:

Secure login with SSO

Exclusion of certain groups

Automatic token enrollment (if a user does not yet have a token)

Since privacyIDEA 3.0: Support of pushtokens

No input necessary: User confirmation via smartphone

Conclusion

The Single Sign-on concept has always been a big issue in many organizations. If companies today use common software and cloud solutions such as Office 365, Box or Slack, this does not mean that they need or want different passwords and login data for these services.

Especially in view of cultural subjects such as Bring your own device (BYOD) or the increasing number of decentralized workstations that can no longer be controlled by internal IT, the use of SSO is increasingly becoming a basic necessity in order to make traceable authentication processes secure and flexible.

/by

Safely into the MFA future by privacyIDEA 3.0

, ,

We are proud to announce the release of privacyIDEA 3.0 today.

With privacyIDEA 3.0, we are setting the course for a stable future. While many users quickly lose themselves in tempting MFA SaaS offers, we want to continue to give our customers the opportunity to carry out their secure multi-factor authentication with a trustworthy system under their own control, on Premise. To keep it that way in the future, we have worked on several points over the past months. On the surface, they don’t seem to have a wow effect at first, but they give you as a corporate customer what counts for you: Long-term stability!

Python 3

privacyIDEA is written in Python. The Python version 2.7 will not be further developed after 2020. We have written the privacyIDEA 3.0 code to run on both Python 2.7 and Python 3.x. This gives you the confidence that you can switch from Python 2.7 to Python 3 without migration projects and that you can use privacyIDEA relaxed even after 2020. privacyIDEA 3.0 PIP installations can be run on Python 3. However, the Enterprise packages will still be delivered with Python 2.7 and will be changed to Python 3 in the coming months. For you there is nothing else to do except a normal update.

Crypto functions

Under the hood we also exchanged crypto libraries. The old library pycrypto had to give way to the de facto cryptography standard. Signatures and encrypted data now also have their own versioning, so that we are future-proof here if we want to change the way we sign or encrypt data.

Database Schema

We have broken with a design legacy that goes back to the first versions in 2009. Previously, the assignment of a token to the user in the database was stored in the token table itself. This was simple, but not flexible. The assignment is now stored in a separate table. This way we have already prepared the database so that several users can have the same token. This will make it easier for us to develop completely new token types in the future.

Installation variants

We have decided to deliver all installation variants as so-called Python virtualenv. This means in a dedicated directory privacyIDEA brings along all dependencies it needs. Thus in a given version of privacyIDEA always the complete same code will run. No matter if privacyIDEA runs on a Debian, Ubuntu, RHEL or SLES and was installed via pip, apt or yum. This helps to exclude side effects from underlying dependencies. The installations will become more homogeneous and stable. But you can still easily install and update using apt/aptitude or yum.

We will no longer build Ubuntu 14.04LTS packages of privacyIDEA 3.0 and later. But starting with version 3.0 we offer packages for Ubuntu 18.04LTS and 16.04LTS. The packages for Ubuntu can no longer be published in the PPA Launchpad repositories. Rather, we now publish them in a separate repository.

Installation of the new version privacyIDEA 3.0

privacyIDEA 3.0 is the Community Edition, which is available on the Python Package Index and in repositories for Ubuntu 16.04LTS and 18.04LTS.

The Enterprise Edition for enterprise customers will follow in a few weeks as version 3.0.1.

You can read more details on the privacyIDEA project page.

Before installation or update please read the online documentation and the READ_BEFORE_UPDATE.

/by

Once again privacyIDEA 2.23 improves process workflows

,

Today on August, 29th 2018 privacyIDEA 2.23 is released. Packages are available in the public Launchpad-Repositories for Ubuntu 14.04LTS and 16.04LTS. The Multi-Factor Authentication System privacyIDEA can also be installed via the Python Package Index on any other Distributionen.

Automated processes

Event Handlers were already added to privacyIDEA in Version 2.12. They enable the administrator, to connect any event to new actions like user notification, token management or any arbitrary script. If such an event occurrs, the defined action is triggered.

With version 2.23 these actions can now be triggered, before the originial event is processed. We distinguish Post-Event-Handling and Pre-Event-Handling. E.g. the administrator can define, that a user, who has no token assigned and tries to authenticate, gets a new token enrolled. And this newly enrolled token will be directly used during this authentication request. The logon experience for the user is totally transparent. There is no additional effort for the administrator.

This way a lot of tasks, which would otherwise be done manually or called by a script, will be executed automatically just at the right moment within privacyIDEA. This way the administrator can cope with unforeseen scenarios and can automate actions accordingly.

The Pre-Event-Handler ernolls a token for the user, if the user has no token, yet. This token is used in the very same authentication request.

Periodic tasks

In version 2.23 the administrator can define periodic, recurring tasks. Besides these can be used, to gather information about or from the privacyIDEA system. Several modules (“Event Counter”, “Simple Statistics”) are used to define, what should happen periodically.

E.g. using the Statistics Module the administrator can monitor the number of the available (not assigned) hardware tokens. This is often important, so that the administrator know, when he needs to reorder new hardware tokens.

The Event Counter module records how often a certain event has occurred. A simple scenario is to record the numter of failed authentication requests.

privacyIDEA saves all this information to time series. Using tools like Grafana you can plot this to relevant graphs.

Events – like authentication requests – can be recorded and view graphically in a timeline.

 

2FA for the masses

Two-Factor-Authentication is widely spread. A lot of services offer 2FA to their end users. But it is not always possible to use hardware devices. Not every user has a smartphone. Sometimes users to not want to pass their mobile number for SMS tokens – due to privacy concerns. There is not one solution for all. This is the strength of privacyIDEA, you can mix and match a lot of different token types.

With version 2.23 you also get the TAN token. The administrator now can import existing TAN lists into privacyIDEA. This way you can easily add authentication to a huge number of users and you can smoothly migrate from an existing TAN solution to privacyIDEA.

More at Github

You can find the complete Changelog at Github.

In a few weeks the NetKnights GmbH will release privacyIDEA Enterprise Edition 2.23.1. In addition it will be available for RHEL/CentOS 7 and the Univention Corporate Server.

/by

NetKnights presents 2FA system privacyIDEA at it-sa

, ,

NetKnights GmbH will attend the business fair and conference it-sa this year in October. Being a partner at the stand of ownCloud in Hall 10.0-428, NetKnights places its core competence of Multi Factor Authentication just at the right spot. Keeping your own data under your control is the job of ownCloud. Securing the access to that data is the job of NetKnights and the privacyIDEA ownCloud App. It allows a flexible, enterprise grade two factor authentication at the File Sync And Share solution from ownCloud.

New features in privacyIDEA

Within the privacyIDEA Authentication Server there are a lot of interesting new features.

We will present the upcoming version 2.23 of privacyIDEA. Two of the innovative new features are the Pre-Event-Handler and Monitoring and Statistics.

The administrator can use the Pre-Event-Handler to add additional task before e.g. an authentication request is processed. These tasks and the conditions can be configured completely flexible. The administrator could configure privacyIDEA this way, that before authenticating a user, this very user gets an Email token enrollend and assigned – without user or admin interaction. This is only one possible scenario to use the Pre-Event-Handler.

The Monitoring and Statsitics module can use data from the Event Counter and use periodic tasks to gather any possible metrics. Within a blink of an eye the administrator can define, which data he wants to collect and e.g. create a metric of failed authentication requests. External tools like Grafana can then be used to create graphs.

We continue to strive making privacyIDEA one of the most flexible Multi Factor Authentication systems in the market.

Check it out! Get your own personal date at the it-sa!

 

/by

Two factor authentication for thousands of users

,

If a company or an organization wants to provide two factor authentication for thousands of users they are faced with totally new challenges.

Users will not come to the administrators desk. The administrator will not enroll a hardware token or initialize the user’s smartphone with the Google Authenticator on a per user basis. There are so many users, that the administrators or helpdesk users do not even know all the end users anymore. There must be a solution, that the enrollment process itself hands the authentication object to the user and ensures the identity of the user – preferably automatically!

Users might be spread over cities, countries – worldwide. They are ordinary end users and often not computer savvy. The rollout and the usage of two factor authentication should bother neither the end user nor the IT department too much.

Read more

/by

privacyIDEA Enterprise Edition 2.21.1

,

Today we released the stable version 2.21.1 of the privacyIDEA Enterprise Edition.

The Enterprise Edition as version 2.X.1 is released a few weeks after the corresponding major public release and contains necessary bug fixes. You can read about the features of version 2.21 like the secure smartphone enrollment in our previous blog post.

Version 2.21.1 fixes the following bug:

  • The LDAPS connection to the user directory like OpenLDAP or Active Directory only used TLS1.0. The administrator can now configure the user resolver to also use TLS1.1 or TLS1.2.

About the Enterprise Edition

The Enterprise Edition of the Multi-Factor-Authentication system privacyIDEA is ment for enterprises and organizations, which need a reliable update process. It is available for Ubuntu 16.04LTS, CentOS7, RHEL7 and the Univention Corporate Server. In addition the enterprise edition contains an appliance that helps you quickly and easily set up a high available master-master replication.

Please contact us if you have further questions, if you want to test the enterprise edtion or want to book a workshop.

/by

Transaction signature and federated authentication with privacyIDEA4UCS 2.20.1

,

The privacyIDEA Enterprise Edition version 2.20.1 is now available for Univention Corporate Server. You can install or update privacyIDEA 2.20.1 on the UCS easily from the Univention App Center.

Please note that the subscription handling was changed in privacyIDEA4UCS. You now no longer need a special license file but the common subscription file, which is used with the common privacyIDEA Enterprise Edition. Existing clients already received the new subscription file. If you are running tests in a demo environment, you can create your own demo subscription file for privacyIDEA4UCS.

OCRA, Display-TAN and Federation in privacyIDEA 2.20.1

We already posted about the common release of privacyIDEA version 2.20.1. Now also customers running privacyIDEA on UCS can use the awesome new features:

New token types OCRA token and the Display-TAN card are not supported. In contrast to classic authentication scenarios the OCRA token also allows the signing of transaction data. Using an OCRA token the user can testify, that the data set he is sending is correct. The recepient can cryptographically verify, that the received data is still valid and unmodified. This can be used in banking scenarios and other applications, where data must not be modified.

A second main feature is the federation handler. This allows to forward special authentication requests to other, subordinate privacyIDEA systems. This is interesting for federated organizations and infrastructures. Departments may run their own privacyIDEA systems. A central privacyIDEA system in the orgnization can then forward the authentication requests to the corresponding departments.

A complete changelog can be found here.

Get your personal subscription file for privacyIDEA4UCS!

We are happy to answer any of your questions!

 

/by

Federated authentication with privacyIDEA 2.20

,

Today we released privacyIDEA 2.20. Packages are publically available in the Laundpad repositories for Ubuntu 14.04LTS and 16.04LTS. You can also install the new version via the Python Package Index on any other distribution.

New Features in privacyIDEA

Federation-Handler

The new federation handler allows to forward authentication requests to sibling privacyIDEA instances.

This way you can setup network structures, where brances of an enterprise or sub organizations can run their own privacyIDEA instance under their own control. Authentication requests will be handled by a central privacyIDEA instance and forwarded to the corresponding instance, where the user and the user’s tokens are managed.

This way business devisions, departments or sub contractors can manage the tokens of their own employees.

The federation handler also offers new possibilities and business models for service providers.

New token type OCRA and DisplayTAN

In version 2.20 we also added the basic token type OCRA and the special type DisplayTAN. The DisplayTAN is a hardware card, which can communitcate with a smartphone via Bluetooth LE. This way the OCRA challenge is sent to the card, the user can check the challenge data and the card will generate an OTP value as response.

OCRA is specified in RFC 6287. A common use case is signing bank transactions. This way a TAN (OTP value) can be generated in hardware, and this TAN totally depends on the transaction information. Thus privacyIDEA can be perfectly used to manage authentication and signing devices for banking scenarios. We already talked about this in a previous blog post.

Login with different login names

The LDAP resolver now allows that a user can login with different LDAP attributes. The administrator can specify the list of attributes, which may be used as login names. This way an user can choose if he will login with the sAMAccountNAme, the email address or a telephone number.

Authentication cache

The administrator can now define if and how long succesful authentication should be cached. This way it is possible for a certain amount of time to authenticate with the very same OTP value again. Yes, this is not the original idea of OTP. But certain specific applications may need such a functionality. This behaviour is specified in an authentication policy, which can also depend on time and client IP.

More functions

Many policies now allow to use resolvers in the policy definition. This way the administrator can define the behaviour of privacyIDEA depending on user groups in detail.

During the rollout process of smartphone tokens, privacyIDEA display a QR-Code to the user. If the user is in doubt, that the QR-Code may be also seen by an attacker, he can now immediately regenerate the QR-Code.

All event handler definitions can now be ordered to your needs. This way the administrator can precisely define the behaviour and reaction of privacyIDEA.

The conditions of event handlers may now contain times and time deltas.

Challenge Response tokens can now be used to unlock the UI.

While installing Ubuntu packages, a PGP key pair is generated. The public PGP key can be easily used to encrypt the seed files before importing tokens.

You can find a complete changelog at Github.

Enterprise Edition and Consultancy

NetKnights provides consulting and support with the privacyIDEA Enterprise Edition. Using Open Source you optimize your total cost of ownership this way, that there are no external limitations which dictate how long or short your may use the software. Getting the privacyIDEA Enterprise Edition including an SLA you get the warranty and thus operating safety.

You want to stay tuned? Please subscribe to our newsletter!

You want to know more? Get in touch!

 

/by

World Wide Web Consortium is enrolling 2FA using privacyIDEA

,

Kassel, September, 26th 2017. The World Wide Web Consortium (W3C) is implementing privacyIDEA for securing access to their infrastructure with a second factor. The privacyIDEA Authentication System was chosen due to its flexible nature and the possibility to allow a single sign on experience for the users.

The services and especially the users are distributed world wide. Shipping authentication devices centrally is not efficient. Allowing only one type of authentication object is not an option. For W3C this is a big advantage that privacyIDEA can manage many different token type of different vendors at the same time. The lean REST API allows easy integration into their own user portal. W3C connected privacyIDEA to their existing user management. Users will be able to choose if they want to self-enroll Smartphone-Applications or U2F devices. Depending on the device type users gain access to resources of different security levels.

“Working with NetKnights is very effective. They provide just the right amount of consultancy for us to be able to implement the open source software privacyIDEA into our network and in our workflows.” said Ted Guild, Head of W3C Systems. Cornelius Kölbel, CEO at NetKnights, added: “W3C stands for Web standards. So we are very happy that W3C chose privacyIDEA, as this is an open solution, which complies to an open development workflow and open standards.”

About the World Wide Web Consortium (W3C)

The mission of the World Wide Web Consortium (W3C) is to lead the Web to its full potential by creating technical standards and guidelines to ensure that the Web remains open, accessible, and interoperable for everyone around the globe. W3C standards HTML5 and CSS are the foundational technologies upon which all Web sites are built. For its work to make online videos more accessible with captions and subtitles, W3C received a 2016 Emmy Award.

W3C’s vision for “One Web” brings together thousands of dedicated technologists representing more than 400 member organizations and dozens of industry sectors. Organizationally, W3C is jointly run by the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) in the United States, the European Research Consortium for Informatics and Mathematics (ERCIM) headquartered in France, Keio University in Japan and Beihang University in China.

For more information see www.w3.org.

About NetKnights and privacyIDEA

NetKnights GmbH is located in Kassel, Germany. It is an independent IT Security firm, providing services and products in the fields of strong authentication, identity management and encryption. NetKnights employs the core developers of the modular authentication system privacyIDEA.

privacyIDEA is open source software and thus has not vendor defined end of life. Customers can own their privacyIDEA installation and use it without restrictions. NetKnights provides different subscription and support levels of privacyIDEA Enterprise Edition to meet the requirements of companies.

From October 10th-12th NetKnights presents privacyIDEA at the IT security fair it-sa in Nuremberg, Germany, at stand 10.1-208.

/by

privacyIDEA 2.19.1 on Univention Corporate Server

,

The Enterprise Version 2.19.1 of privacyIDEA is now available on the Univention Corporate Server. With version 2.19.1 privacyIDEA is now available on the Univention Corporate Server 4.2. Customers can easily upgrade from UCS 4.1 with privacyIDEA 2.18.1 to UCS 4.2 with privaccyIDEA 2.19.1.

Besides the improvements in Univention Corporate Server 4.2 privacyIDEA 2.19.1 also comes with interesting improvements. These are the generic user cache, which can reduce the authentication time dramatically. Using policies the administrator can define which U2F devices may be registered and used by the users. A Token Janitor allows the administrator to find orphaned tokens and either disable or delete these. We already blogged about the complete new features in privacyIDEA 2.19.

Service Level Agreement and Subscription

privacyIDEA4UCS can be installed on the Univention Corporate Server quickly and easily via the Univention App Center. You can find further details on privacyIDEA4UCS on the product page and also get a test subscription. The normal service level agreement for privacyIDEA also entitles the customer to use privacyIDEA on the Univention Corporate Server.

/by