Avanpost FAM (Federated Access Manager)

Product
Developers: Avanpost (Outpost)
Date of the premiere of the system: 2020/06/16
Last Release Date: 2024/04/10
Technology: Information Security - Authentication

2024

NGFW Continent 4 compatibility

On April 10, 2024, Avanpost announced that, together with Security Code, it had successfully tested the compatibility of products - NGFW Continent 4 and the Avanpost FAM/MFA + multifactor authentication system.

The diagram shows the possible interactions of the Avanpost FAM Server component with other system components

According to the company, the products were integrated using the Avanpost FAM LDAP Proxy component, which solves the problem of two-factor domain authentication for supported applications.

The Continent 4 multifunctional firewall from Security Code is a key component of the perimeter protection system. In turn, Avanpost's MFA +/FAM solution provides technology-based two-factor authentication methods to ensure security at workplaces both within the local network and on remote devices. Remote access to corporate resources uses the Continent AP or Continent ZTN client software: when a client connects to the Continent 4 access server, Avanpost FAM/MFA + requests a second authentication factor through push methods, which practically eliminates unauthorized access attempts to corporate data. The joint solution provides a comprehensive security tool: encryption of confidential information, enhanced authentication and control of the devices connected to the system.

Now, when using two solutions together, users, both remote and local, are able to use the convenient Avanpost Authenticator mobile application or Telegram client and choose the second security factor based on their own convenience.

The authentication scenario for Avanpost FAM LDAP Proxy is as follows:

  • The user is authenticated by entering a login and password into the authentication interface Continent AP or Continent ZTN client;
  • The user receives the second factor according to one of the methods chosen by the administrator (either push in Avanpost Authenticator or push in Telegram);
  • After successful verification of the second factor, the login and password are checked against the LDAP directory connected to the LDAP Proxy;
  • If the password is successfully verified, the response from the LDAP directory is returned to the target application.
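The ordering in the scenario above is the security-relevant point: the second factor is requested and verified before the proxy ever binds to the directory, so a password alone never reaches LDAP. The following is an added example that simulates that flow; it is not Avanpost code, and the directory, the push-approval hook and the client are all constructed stand-ins.

```python
"""Added example: an MFA-gated LDAP proxy flow in the order the scenario lists.
Not Avanpost code; the directory, push decision and clients are all simulated."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Outcome(Enum):
    UNKNOWN_USER = "unknown_user"          # no push is sent for unknown logins
    SECOND_FACTOR_DENIED = "second_factor_denied"
    BAD_PASSWORD = "bad_password"
    SUCCESS = "success"


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class FakeLdapDirectory:
    """Stand-in for the LDAP directory behind the proxy (constructed sample data)."""

    def __init__(self, users: Dict[str, str]):
        self._entries: Dict[str, Tuple[bytes, bytes]] = {}
        for login, password in users.items():
            salt = secrets.token_bytes(16)
            self._entries[login] = (salt, _derive(password, salt))
        self.bind_attempts: List[str] = []  # every simple bind the directory saw

    def exists(self, login: str) -> bool:
        return login in self._entries

    def bind(self, login: str, password: str) -> bool:
        """Simulated simple bind: True only when the password matches."""
        self.bind_attempts.append(login)
        entry = self._entries.get(login)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(digest, _derive(password, salt))


@dataclass
class LdapProxy:
    """Sits between the VPN client (Continent AP / ZTN in the text) and the directory."""
    directory: FakeLdapDirectory
    # Hypothetical second-factor hook: returns True when the user approved the push
    # (Avanpost Authenticator or Telegram in the text).
    push_approved: Callable[[str], bool]
    audit: List[str] = field(default_factory=list)

    def authenticate(self, login: str, password: str) -> Outcome:
        # 1. Login and password arrive from the client.
        if not self.directory.exists(login):
            self.audit.append(f"{login}: unknown user, no push sent")
            return Outcome.UNKNOWN_USER
        # 2./3. The second factor is requested and verified BEFORE any directory bind,
        #       so a stolen password alone never reaches the LDAP directory.
        if not self.push_approved(login):
            self.audit.append(f"{login}: push denied or timed out, bind skipped")
            return Outcome.SECOND_FACTOR_DENIED
        # 4. Only now is the password checked against the connected directory.
        if not self.directory.bind(login, password):
            self.audit.append(f"{login}: second factor ok, password rejected")
            return Outcome.BAD_PASSWORD
        # 5. The directory's answer is relayed to the target application.
        self.audit.append(f"{login}: authenticated, response relayed")
        return Outcome.SUCCESS


if __name__ == "__main__":
    directory = FakeLdapDirectory({"alice": "correct-horse-battery"})
    proxy = LdapProxy(directory, push_approved=lambda login: login == "alice")
    print(proxy.authenticate("alice", "correct-horse-battery").value)  # success
    print(proxy.authenticate("alice", "wrong").value)                  # bad_password
    print(directory.bind_attempts)
```

The `bind_attempts` list is the check worth keeping in a real deployment: when the push is denied, the directory must show no bind for that login, which is also what an account-lockout policy on the directory side relies on.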

When using NGFW Continent 4 and Avanpost FAM/MFA + together, users can confirm authentication in the Avanpost Authenticator mobile application using push notifications, including in conditions of limited Internet access.

Avanpost FAM LDAP Proxy is designed specifically for applications that support user authentication only through the LDAP protocol. The Avanpost FAM LDAP Proxy component allows you to add an additional authentication factor to applications, thereby emphasizing the versatility of the Avanpost FAM platform, which provides users with uniform login rules and the use of the same credentials in the corporate infrastructure.

Avanpost FAM is a unified employee authentication system in the organization's corporate resources. Avanpost MFA + is based on the Avanpost FAM system, which includes a lightweight set of functions and is designed for rapid deployment for typical tasks.

A joint solution from Avanpost and Security Code minimizes the risk of unauthorized access to accounts at no additional cost.

"With the Avanpost FAM LDAP Proxy component, we have expanded the list of supported applications by adding those that support authentication only through the LDAP directory. This allowed us to optimize system life and make our solutions universal in terms of application integration," commented Dmitry Grudinin, owner of the Avanpost FAM/MFA + product line.

"As noted by many research companies that analyze cyber incidents, password hacking is one of the main methods hackers use to penetrate the enterprise network. Multi-factor authentication complicates this process for attackers. Therefore, the result of our joint integration is a decrease in the likelihood of information security incidents associated with intruders entering the corporate network through remote users," noted Dmitry Lebedev, leading expert at Security Code.

Avanpost MFA +/FAM Linux Logon 1.9 Compatibility with Astra Linux Special Edition 1.7

The compatibility of the Astra Linux 1.7 OS and the Avanpost MFA +/FAM Linux Logon 1.9 software has been confirmed. The vendor's experts conducted comprehensive testing and made sure that the software stack works correctly. Users of the secure platform can use the joint solution without limitation to ensure secure authentication in their information systems. This was announced on March 18, 2024 by Astra Group.

Avanpost MFA +/FAM Linux Logon 1.9 is a client component of Avanpost MFA + and FAM products. It supports all authentication methods implemented in them in Astra Linux Special Edition 1.7 and other Linux-like operating systems, including electronic signature authentication on removable key media.

Avanpost MFA + is provider-based authentication with support for all its modern methods and the ability to flexibly configure factors in a convenient administrator interface.

Avanpost FAM is a modern unified center for managing multi-factor employee authentication in enterprise applications with support for identity federation.

The successful completion of the Avanpost MFA +/FAM Linux Logon 1.9 compatibility tests with Astra Linux means that users can be sure that the product works correctly on a secure platform, and using the software stack, they can build a reliable personnel authentication system and increase the level of data security and infrastructure.

"The updated version of the Avanpost Linux Logon component made it possible to use an extensive range of methods for user authentication on Linux systems, including electronic signature authentication on smart cards. Cooperation with Astra Group is aimed at expanding the capabilities of Russian software users, including authentication in the most security-demanding infrastructures of both state and large commercial corporations. The compatibility of our component with Astra Linux allows you to ensure the fastest, seamless transition to multifactor authentication in the operating system," said Dmitry Grudinin, owner of the Avanpost MFA +/FAM product line.

"The IT industry is developing very rapidly, and there are more and more high-quality and reliable technologies that can fully replace foreign counterparts in a variety of niches. Such rapid growth became possible due to the fact that vendors are united by a common goal: to saturate the market as soon as possible with products that allow organizations to maintain their performance and create conditions for further economic development. The fact that the Avanpost developers, creating a new version of the software, implemented in it the functionality necessary for correct operation under Astra Linux, once again confirms: we have really formed a unified understanding of the needs of customers," said Alexey Trubochev, director of the support department of Astra Group.

2022

Ability to combine complex IT infrastructures into a single authentication system

On December 14, 2022, Avanpost presented an updated version of the Avanpost FAM centralized corporate authentication system. The updated product features enable multi-domain support and enable complex IT infrastructures to be integrated into a single authentication system.

The ability to combine complex IT infrastructures into a single authentication system. Illustration: vo.plus.rbc.ru.

According to the company, Avanpost FAM has a number of functions designed to integrate user domains and directories into a single corporate identification and authentication system. Holding structures and organizations with complex domain infrastructure often have the problem of having disparate user directories. Building a single LDAP directory from several disparate domains is technically difficult and resource-intensive. Combining user directories using Avanpost FAM does not require rebuilding the existing LDAP infrastructure and allows you to take into account the needs and features of each existing domain.

Also, the updated version of Avanpost FAM has added the functionality of identifying users from various domains during authentication to corporate information systems. In large-scale domain infrastructures, various approaches to the formation of domain prefixes are used, while sometimes users in different domains intersect by logins, which complicates the construction of a single user directory. In addition, the specific operation of one specific application connected to an LDAP directory may require a review of approaches to maintaining user data in the LDAP directory itself. Avanpost FAM allows you to take into account the specifics of user domain identification and definition for each enterprise application without the need to make changes to the existing LDAP infrastructure.

Another additional feature is the identification of users by phone number. Together with other factors, for example, SMS, it allows you to use the authentication system for freelance employees or specialists without a domain account. As a result, employees of production departments who do not need to create separate accounts in LDAP can use web applications and services allowed by the administrator and connected to Avanpost FAM, using a mobile phone number for access.

The updated version adds support for multi-domain when using Kerberos authentication. Avanpost FAM allows you to register several keytab files for different, including unrelated, domains. Employees from various domains can be authenticated to access any corporate information system - both web applications and desktop ones. The authentication process will be completely transparent. Thus, Avanpost FAM eliminates the need for administrators to combine unrelated domains with LDAP infrastructure.

In addition, user passwords can be set and changed centrally across domains. Often, tools not intended for this purpose are used to solve this problem: Microsoft Exchange Outlook Web Access with its password-change feature, or the Windows OS itself, which limits user password management scenarios. Avanpost FAM optimizes this operation for employees and administrators.

The updated version of Avanpost FAM has redesigned and expanded the functionality of password policies. Now the system allows you to set an unlimited number of password policies and bind them to different user groups. In this case, the administrator can track which password policy is applied to a particular user.

The system also extends the password recovery functionality. Now in Avanpost FAM you can specify for which groups of users password recovery will be prohibited. For example, note that the password recovery ban is relevant for administrative and technological accounts maintained in the system. Also, for each user group, you can define a list of factors that can be used to confirm the desire to change the password.

For RADIUS applications, the updated version of Avanpost FAM has added the functionality of providing information as part of SAML Response via VSA (RADIUS Vendor-Specific Attributes). This allows you to support authorization scenarios and configuration of RADIUS clients, for example, VPN and VDI solutions connected over RADIUS. At the same time, it remains possible to configure arbitrary VSA dictionaries, which are provided by various infrastructure service vendors and equipment providers, without restrictions.
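Returning attributes to a RADIUS client depends on the Vendor-Specific Attribute layout from RFC 2865 (type 26, a 4-octet vendor id, then vendor sub-attributes), and on the client's dictionary to give them names. The following added example encodes and decodes that layout and shows how an arbitrary vendor dictionary plugs in; it is not Avanpost code, the Cisco-AVPair entry is taken from common RADIUS dictionaries, and the vendor id 65000, the "Example-Role" attribute and the attribute values are constructed placeholders.

```python
"""Added example: encoding and decoding RADIUS Vendor-Specific Attributes (type 26)
in the RFC 2865 sub-attribute layout. Not Avanpost code; values are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

VENDOR_SPECIFIC = 26          # RFC 2865 attribute type
MAX_ATTR_LEN = 255            # the length octet is a single byte

# Minimal dictionary, as a RADIUS server loads from vendor dictionary files.
# Cisco (vendor id 9) Cisco-AVPair is widely published; the second entry is a
# made-up vendor used only to show how arbitrary dictionaries plug in.
DICTIONARY: Dict[Tuple[int, int], str] = {
    (9, 1): "Cisco-AVPair",
    (65000, 7): "Example-Role",   # placeholder vendor id / type, not a real assignment
}


@dataclass(frozen=True)
class Vsa:
    vendor_id: int
    vendor_type: int
    value: bytes

    @property
    def name(self) -> str:
        return DICTIONARY.get((self.vendor_id, self.vendor_type),
                              f"Vendor-{self.vendor_id}-Attr-{self.vendor_type}")


def encode_vsa(vsa: Vsa) -> bytes:
    """Type(26) | Length | Vendor-Id (4 octets) | Vendor-Type | Vendor-Length | data."""
    # 2 (outer header) + 4 (vendor id) + 2 (sub header) + value must fit in 255
    if len(vsa.value) > MAX_ATTR_LEN - 8:
        raise ValueError("value too long; split it across several VSAs")
    sub = struct.pack("!BB", vsa.vendor_type, 2 + len(vsa.value)) + vsa.value
    body = struct.pack("!I", vsa.vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_plain(attr_type: int, value: bytes) -> bytes:
    """Ordinary attribute: Type | Length | value."""
    if len(value) > MAX_ATTR_LEN - 2:
        raise ValueError("value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def _decode_vsa(value: bytes) -> List[Vsa]:
    """A single type-26 attribute may carry several vendor sub-attributes."""
    if len(value) < 6:
        raise ValueError("VSA shorter than vendor id plus one sub-attribute header")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs: List[Vsa] = []
    pos = 4
    while pos < len(value):
        if len(value) - pos < 2:
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length")
        subs.append(Vsa(vendor_id, vtype, value[pos + 2:pos + vlen]))
        pos += vlen
    return subs


def decode_attributes(data: bytes) -> List[Tuple[int, Union[bytes, Vsa]]]:
    """Walk an attribute list; reject truncated or inconsistent lengths instead of
    reading past them, which is the classic RADIUS parser mistake."""
    out: List[Tuple[int, Union[bytes, Vsa]]] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        value = data[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC:
            out.extend((atype, v) for v in _decode_vsa(value))
        else:
            out.append((atype, value))
        pos += alen
    return out


def build_access_accept_attrs(user: str, role: str) -> bytes:
    """Constructed Access-Accept attribute list: User-Name (type 1) plus two VSAs.
    The 'role=' AVPair text is made up for the example, not a vendor syntax."""
    return (encode_plain(1, user.encode())
            + encode_vsa(Vsa(9, 1, f"role={role}".encode()))
            + encode_vsa(Vsa(65000, 7, role.encode())))


if __name__ == "__main__":
    for atype, val in decode_attributes(build_access_accept_attrs("alice", "vpn-users")):
        print(atype, val.name if isinstance(val, Vsa) else val)
```

The decoder refuses an attribute whose declared length runs past the packet rather than truncating it; on a RADIUS listener exposed to VPN and VDI gateways that is the check that matters most.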

The changes also affected the configuration of the authentication process: an identification mode has been added, which helps build more complex authentication scenarios with preliminary user identification, for example, requesting the password after other methods rather than as the first factor.

"The updated version of Avanpost FAM is an important step in applying the system for complex domain infrastructures of holding and geographically distributed organizations. The solution implemented in the product allows you to build a single corporate authentication system, taking into account the needs of each application and domain connected to Avanpost FAM," noted Dmitry Grudinin, system architect of Avanpost.

Compliance with the requirements of the FAPI.SEC standard

On February 2, 2022, Avanpost, a Russian developer of identification and access control systems, announced that it had made improvements to the Avanpost FAM employee authentication system for corporate resources and the Avanpost Web SSO client authentication system. Both solutions now comply with the requirements of the Bank of Russia standard for the security of banking operations (STO BR FAPI.SEC-1.6-2020, FAPI.SEC, "Security of financial (banking) operations. OpenID-based security APIs for financial services").

FAPI.SEC is one of the recommended standards for banking interfaces, or Open APIs, approved by the Central Bank of the Russian Federation. These help banks interact with each other, with customers and with fintech services. The FAPI.SEC standard provides requirements and recommendations for authentication systems: they must provide secure access to customer financial data in fintech services using OpenID Connect mechanisms. Among other things, the standard helps unify the requirements for an authentication system that can be used to log customers into financial applications and confirm transactions.

In order for Avanpost FAM and Avanpost Web SSO to comply with the standard, the developers have expanded the capabilities of the systems in terms of compliance with authentication, authorization and user interaction requirements. In addition, a lot of work has been done to develop the functions of systems in terms of secure authentication of interacting APIs in order to transfer financial data.

"Thanks to the FAPI.SEC standard, the operation of financial services and APIs becomes safer and more transparent. The document, among other things, pays a lot of attention to the authentication process, and this is not surprising: there is an opinion that banking begins with it. Accordingly, financial institutions and fintech companies need authentication management tools that support such standards. Therefore, we have improved a number of processes in Avanpost FAM and Avanpost Web SSO so that financial industry representatives can immediately implement a ready-made solution into their business processes," noted Dmitry Grudinin, system architect of Avanpost.

Avanpost FAM (Federated Access Manager) is a platform for unified employee authentication in corporate applications offered on the Russian market. The single sign-on system built with Avanpost FAM allows transparent, multi-factor authentication in mobile and web applications, thick-client applications, SaaS services and terminal solutions. Products of this class are especially in demand under remote working conditions.

A feature of Avanpost FAM is support for an extensive pool of authentication technologies: Enterprise SSO (ESSO), IDP (Identity Provider, including SAML and OAuth/OpenID Connect), Reverse Proxy (Web Access Manager), RADIUS, Credential Provider for Windows, PAM for Linux/UNIX. This allows "seamless" single sign-on in mixed IT infrastructures where there are applications with both "thick" and "thin" clients, workstations, web interfaces, microservices and mobile applications.

Avanpost Web SSO is a unified client authentication system for portals and external applications, a Russian product of the CIAM class. In Identity Federation mode, the system makes client registration simple and transparent by combining various accounts from external Identity Providers within one client multi-account in Avanpost Web SSO. Self-service features give customers transparent and easy management of their accounts, data and security settings.

2021

Certification of FSTEC of Russia

On December 28, 2021, the Avanpost company announced the certification of its Avanpost FAM solution according to the updated requirements of the FSTEC of Russia. The certificate confirms that the product meets the fourth level of trust - the maximum for the protection of confidential information. Now it can be applied in organizations that have increased requirements for data security. In addition, the use of Avanpost FAM frees the customer from the need to independently certify their systems so that they comply with the FSTEC requirements for authentication and authorization.

To obtain certification, Avanpost implemented many new security features, conducted additional large-scale testing of Avanpost FAM, and prepared new documentation. In addition to a detailed description of the solution, it includes information on the protective measures used and the processes for designing, developing and testing the system, including the handling of defects and vulnerabilities. Compliance with the fourth level of trust established by the FSTEC of Russia allows the use of Avanpost FAM in state information systems up to and including the first security class, in personal data information systems up to and including the first security class, and in automated critical facility management systems (CSR) up to and including the first security class. In addition, the system can now be used in significant objects of critical information infrastructure (CII) up to and including the first category.

Avanpost FAM is a Single Sign-On (SSO) class product that is suitable for all types of enterprise applications and supports operation in hybrid IT infrastructures. A distinctive feature of the solution is the support of an extensive list of integration interfaces. This allows organization systems connected to Avanpost FAM to close most of the FSTEC's authentication requirements.

Another important quality of the product is the availability of certified authorization functionality within the OAuth/OpenID Connect protocols. This allows you not to carry out a costly and complex procedure for self-certification and certification of the functionality of the component responsible for calculating user access rights, but to rely on the already formed set of end-user rights. As a result, the costs of developing authorization functions in all applications become lower, as well as the costs of self-certification and certification of the implemented functions of information systems in terms of authorization and authentication.

"By successfully solving the corporate authentication task, Avanpost FAM allows companies to solve a number of problems. Using this solution, the problem of connecting information systems is transformed into choosing the most suitable integration method from the vast range of methods available in Avanpost FAM. Therefore, by using Avanpost FAM as a platform for building a corporate authentication system, the risks of system incompatibility can be minimized. In addition, Avanpost FAM helps organizations centrally monitor all system access attempts, which is important in light of the use of SIEM solutions. Now, thanks to certification according to the new requirements of FSTEC, Avanpost FAM can be used for authentication and authorization in the most critical information systems," said Oleg Gubka, Development Director of Avanpost.

Integration with Citrix Virtual Apps and Desktops and Citrix ADC

On November 18, 2021, Avanpost announced that it had integrated Avanpost FAM with Citrix enterprise solutions for secure remote access: Citrix Virtual Apps and Desktops and Citrix ADC.

Citrix solutions are used by large companies to organize remote access to virtual desktops and applications (Citrix Virtual Apps and Desktops, formerly XenApp), as well as to publish web applications (Citrix ADC/NetScaler). Avanpost FAM protects remote desktops and applications published through Citrix, providing multi-factor authentication and centralized control of employee access. Both an integration scheme that uses Citrix Gateway as the authentication tool and direct integration without it are supported.

"Thanks to Avanpost FAM, business units related to information technology and information security receive full control over employee access to Citrix corporate solutions, and can centrally manage authentication scenarios and security policies for each application," said Dmitry Grudinin, system architect of Avanpost.

Providing biometric authentication on wearable devices according to the WebAuthn standard

On October 27, 2021, Avanpost, a Russian developer of identification and access control systems for information resources of the enterprise, announced that its two systems now support biometric authentication in applications connected to them, which occurs using biometric readers on user devices and WebAuthn/FIDO U2F plug-in web tokens.

Biometrics on wearable devices has already become a familiar way of confirming payment transactions, logging into applications and unlocking the device. Since 2019 the WebAuthn standard from the W3C consortium has been adopted and is developing, unifying approaches to biometric authentication on wearable devices.

The use of user devices - laptops, smartphones, readers with support for the WebAuthn standard - and the integration capabilities of Avanpost FAM will allow customers to get a universal biometric authentication mechanism and strengthen the protection of corporate web applications, as well as "thin" and "thick" clients. Thanks to a fairly wide set of authentication factors in Avanpost FAM and flexible authentication scenarios, administrators can combine WebAuthn with other methods to improve the convenience and security of authentication. Employees can use a reader of a personal mobile device (smartphone, laptop) as an authenticator, which greatly simplifies the process of switching to an updated authentication method.

The ability to use user biometrics in Avanpost Web SSO will allow customers of Internet services to protect their accounts using an authentication method that is available and familiar to most smartphone users. This will increase confidence in resources that provide online services, especially those related to financial operations.

The WebAuthn authentication method supported by Avanpost FAM and Avanpost Web SSO does not require significant costs to purchase specialized biometric readers for employees. The burden on IT and information security departments is also reduced, since they do not need to manage biometric data - users independently perform this procedure.

"Biometric readers on user devices with WebAuthn support work "normally" in most operating systems and are supported by browsers without installing additional drivers and plugins. Biometric data is stored on the user's device under the protection of the operating system and does not require transmission to the authentication server. This can significantly reduce the cost of introducing biometrics, reduce the cost of centralized administration of biometric data, as well as ensure compliance with legal requirements," explains Dmitry Grudinin, system architect of Avanpost.

Multi-factor authentication in Linux and Windows

On September 2, 2021, Avanpost, a Russian developer of identification and access control systems, released an updated version of the Avanpost FAM solution, designed for unified authentication of employees in corporate resources. One of the additions is multi-factor authentication in Linux operating systems using a PAM module.

According to the company, the PAM module provides multifactorial and multi-step authentication in Linux both when entering the graphical shell of workstations and servers, and when working in the terminal. In this case, the parameters of the authentication scenario are managed centrally from the administrative console of the FAM system.

In turn, the updated version of the Credential Provider supplied with Avanpost FAM provides multi-factor and multi-step authentication in Windows. The module uses only standard, lightweight mechanisms and APIs of the Windows operating system and is deployed with standard Microsoft infrastructure tools. In addition, it can work with both domain users and local accounts of the operating system. The module can be used not only for multi-factor authentication and unlocking a session in Windows, but also for resetting and changing the password.

Avanpost FAM allows enhanced authentication to be required for individual groups of specialists with elevated privileges, for example administrators, while remaining a convenient and simple login service for other employees. This is done with the centralized authentication scenario configuration tools available in the updated FAM administrative console.

ESSO mode

Enterprise APIs and microservices can be protected using advanced OAuth 2.0 capabilities. FAM allows scenarios with a common Access Token shared between systems, which optimizes the administration of authentication tools when there are many microservices. For microservices, built-in authorization functionality was also implemented, which allows a set of subject permissions to be obtained as part of a JWT token in accordance with UMA. This saves the cost of implementing authorization on the microservices themselves.
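The practical consequence of carrying permissions inside the token is that each microservice only has to verify the token and read the claim, not compute rights itself. The following added example shows both halves of that contract: issuing a signed token that carries a permission set, and the verification a microservice must do before trusting the claim (signature, algorithm, issuer, expiry). It is not Avanpost code: HS256 with a shared secret is used so it runs without extra libraries, the issuer URL and secret are constructed placeholders, and the permissions layout (resource_id, resource_scopes) follows the UMA 2.0 RPT introspection format.

```python
"""Added example: a microservice trusting an authorization decision carried in a
signed JWT. Not Avanpost code; HS256 with a constructed shared secret is used so
the example runs without third-party libraries."""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

SECRET = b"constructed-demo-secret-do-not-reuse"   # shared with the issuer (constructed)
ISSUER = "https://fam.example.internal"             # placeholder issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, permissions: List[Dict], now: float, ttl: int = 300) -> str:
    """Authentication-server side: sign the subject's permission set into a JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": subject, "iat": int(now), "exp": int(now) + ttl,
               "permissions": permissions}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: float) -> Optional[Dict]:
    """Microservice side: return the payload only if the algorithm, signature,
    issuer and expiry all check out; None otherwise."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":      # refuse alg=none and algorithm confusion
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None                        # tampered payload or wrong key
        payload = json.loads(_b64url_decode(p))
    except ValueError:                         # malformed base64 or JSON
        return None
    if payload.get("iss") != ISSUER or payload.get("exp", 0) <= now:
        return None
    return payload


def is_permitted(payload: Dict, resource_id: str, scope: str) -> bool:
    """The only authorization logic the microservice keeps: look up the claim."""
    for perm in payload.get("permissions", []):
        if perm.get("resource_id") == resource_id and scope in perm.get("resource_scopes", []):
            return True
    return False


if __name__ == "__main__":
    perms = [{"resource_id": "invoices", "resource_scopes": ["read"]}]
    token = issue_token("alice", perms, now=1000.0)
    claims = verify_token(token, now=1100.0)
    print(claims is not None and is_permitted(claims, "invoices", "read"))   # True
    print(claims is not None and is_permitted(claims, "invoices", "write"))  # False
```

The verifier checks the algorithm before the signature and validates the issuer and expiry after it; a service that skips any of these steps turns "trust the token" into "trust whoever can produce a token-shaped string".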

The updated version adds support for system performance metrics in Prometheus format. Metrics can be used to automate processes in Kubernetes. They can also be useful for displaying operational information about important performance indicators of the system in real time, for example, using Grafana dashboards.

To optimize integration with applications in business scenarios, the developers added an updated GraphQL API to Avanpost FAM. As a more modern and convenient format for obtaining data than the classic REST API, it reduces the cost of implementing enterprise system integrations with FAM.

Using Avanpost FAM, you can monitor active employee authentication sessions in various applications and block access if necessary. Advanced self-service tools available in this version of the system, including authenticator initialization tools, can reduce the burden on administrators and simplify system commissioning.

"The updated version supports authentication tools for the most demanding components of the corporate infrastructure, microservices, while retaining all the necessary functions for classic enterprise applications. The authentication management mechanisms implemented in Avanpost FAM allow you to build multifactorial scenarios based on the criticality of systems and the privilege of employees," noted Dmitry Grudinin, system architect of Avanpost.

Avanpost FAM (Federated Access Manager) is a platform for unified employee authentication in enterprise applications. The single sign-on system created with Avanpost FAM allows multi-factor authentication in mobile web applications, thick client applications, SaaS services and terminal solutions.

A distinctive feature of Avanpost FAM is support for an extensive pool of authentication technologies: Enterprise SSO (ESSO), IDP (Identity Provider, including SAML and OAuth/OpenID Connect), Reverse Proxy (Web Access Manager), RADIUS, Credential Provider for Windows, PAM for Linux/UNIX. This enables seamless, single authentication in mixed IT infrastructures with both thick and thin client applications, workstations, web interfaces, microservices, and mobile applications.

Role model for authorizing application users

On April 13, 2021, Avanpost, a Russian developer of enterprise identity and access control systems (IDM), announced the release of a version of Avanpost FAM, its software product for adaptive employee authentication in corporate resources. The updated version implements the most popular functions: a role model for user authentication and authorization in corporate mobile, desktop and web applications; authentication in corporate information systems via a mobile application; and tools for multi-factor authentication.

Avanpost FAM

According to the company, one of the key changes in this version of the product is the role model for authorizing application users. It allows a certified delegated authorization scenario to be implemented for all enterprise applications and expands the list of tasks solved by the authentication system by adding the rights of the applications connected to the system.

The updated version implements a mechanism to limit the number of simultaneous sessions of the user working with the application from one account on various devices. This feature allows you to prevent the misuse of the same account by different employees, and can also be used to limit the possibility of simultaneous use of administrative accounts of the Avanpost FAM system. This provides administrators with advanced capabilities to monitor user activity on FAM-connected enterprise systems.
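A per-account cap on simultaneous sessions has two design decisions a practitioner has to make: what happens to the extra login (reject it, or evict the oldest session) and how the administrator sees accounts in use from several devices at once. The following added example implements both; it is not Avanpost code, and the accounts, device identifiers and policy names are constructed.

```python
"""Added example: enforcing a per-account cap on simultaneous sessions across
devices, with an audit view of accounts active from several devices.
Not Avanpost code; sessions, accounts and device ids are constructed."""
import itertools
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Session:
    session_id: int
    account: str
    device_id: str
    opened_at: float


class SessionRegistry:
    """policy='reject': a login beyond the cap fails; policy='evict_oldest': the
    oldest active session is terminated to make room (both are common choices)."""

    def __init__(self, max_sessions: int, policy: str = "reject"):
        if max_sessions < 1 or policy not in ("reject", "evict_oldest"):
            raise ValueError("bad configuration")
        self.max_sessions = max_sessions
        self.policy = policy
        self._active: Dict[int, Session] = {}
        self._ids = itertools.count(1)
        self.events: List[str] = []   # audit trail an administrator or SIEM would read

    def _sessions_for(self, account: str) -> List[Session]:
        return sorted((s for s in self._active.values() if s.account == account),
                      key=lambda s: s.opened_at)

    def open_session(self, account: str, device_id: str,
                     now: Optional[float] = None) -> Optional[Session]:
        """Return the new Session, or None when the login is rejected by the cap."""
        now = time.time() if now is None else now
        current = self._sessions_for(account)
        if len(current) >= self.max_sessions:
            if self.policy == "reject":
                self.events.append(f"REJECT {account} from {device_id}: "
                                   f"{len(current)} active sessions")
                return None
            self.terminate(current[0].session_id, reason="evicted by newer login")
        s = Session(next(self._ids), account, device_id, now)
        self._active[s.session_id] = s
        self.events.append(f"OPEN {account} from {device_id} as #{s.session_id}")
        return s

    def terminate(self, session_id: int, reason: str = "admin") -> bool:
        s = self._active.pop(session_id, None)
        if s is None:
            return False
        self.events.append(f"CLOSE #{session_id} {s.account}: {reason}")
        return True

    def terminate_account(self, account: str) -> int:
        """Administrator action: block an account by dropping all its sessions."""
        return sum(self.terminate(s.session_id, "account blocked")
                   for s in self._sessions_for(account))

    def shared_accounts(self) -> Dict[str, List[str]]:
        """Accounts currently active from more than one device: the signal that the
        same credentials may be in use by several people."""
        devices: Dict[str, Set[str]] = {}
        for s in self._active.values():
            devices.setdefault(s.account, set()).add(s.device_id)
        return {a: sorted(d) for a, d in devices.items() if len(d) > 1}


if __name__ == "__main__":
    reg = SessionRegistry(max_sessions=2)
    reg.open_session("alice", "laptop", now=1.0)
    reg.open_session("alice", "phone", now=2.0)
    print(reg.open_session("alice", "tablet", now=3.0))   # None: cap reached
    print(reg.shared_accounts())                          # {'alice': ['laptop', 'phone']}
    print("\n".join(reg.events))
```

For administrative accounts the stricter "reject" policy with a cap of one is the natural setting, since an eviction there would let a second operator silently displace the first.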

Also, Avanpost FAM added advanced options for customizing system interfaces, including the administrative console and the FAM user's personal account (through the administrative console). Now you can adapt all system interfaces: install a logo, customize fonts, colors of any elements, their dimensions and location. In this case, the changes will be extended to all users of these interfaces immediately after saving them, without the need to rebuild the interfaces.

The function of controlling the sources and channels of receipt of accounts (manual creation by the administrator, through synchronization with external sources of accounts, during self-registration) can be used by the administrator to track their life cycle, and in the future - to obtain a high-quality characteristic when assessing the level of trust in adaptive authentication scenarios.

Also, Avanpost specialists expanded a number of ready-made integration solutions for multi-factor authentication for VDI and VPN systems, including Cisco ASA/ASAv VPN (AnyConnect), OpenVPN, Microsoft VPN and Mikrotik VPN (RouterOS). In addition, an updated version of the solution for integrating Microsoft Remote Desktop Gateway (RD Gateway/RDGW) and RDP services (including when using an RDS farm) with Avanpost FAM has been implemented without the need to install any agents or other components into the infrastructure.

Avanpost FAM provides one- and multi-factor authentication for both internal and remote employee access. Avanpost FAM supports authentication technologies such as IDP for any SAML and OpenID Connect-enabled applications, RADIUS for VPN/VDI/RDP solutions, Enterprise SSO (ESSO) for desktop applications, and IDP (Identity Provider) and Reverse Proxy for web applications. In addition, authentication through the PayControl mobile application has become available for all Avanpost FAM integration interfaces as an additional authentication factor (supports authentication in mobile applications connected to Avanpost FAM on Android and iOS devices).

2020

Integration with PayControl

Avanpost products for user authentication in corporate resources (Avanpost FAM) and external applications (Avanpost Web SSO) have expanded the range of available authentication factors through integration with the PayControl mobile electronic signature platform. This became known on December 22, 2020.

Inclusion in the register of domestic software

On July 29, 2020, it became known that the Avanpost FAM (Federated Access Manager) product had been included in the unified register of programs for electronic computers and databases (the register of Russian software) on the basis of an expert council opinion approved by the Ministry of Communications of the Russian Federation. Software registration number: 6824. Avanpost FAM joins the list of products recommended for use in Russian organizations, which already contains all other Avanpost access control solutions (IDM, PKI, Web SSO).

Avanpost FAM is an SSO (Single Sign-On) product suitable for all types of enterprise applications: on-premises and cloud (SaaS) web applications, mobile applications, traditional enterprise software with installed desktop clients, and legacy software of any architecture. A distinctive feature of Avanpost FAM is simultaneous support for three authentication technologies: Enterprise SSO (ESSO), IdP (Identity Provider) and Reverse Proxy. This allows truly "seamless" single sign-on in mixed IT infrastructures that contain applications with both "thick" and "thin" clients, including mobile applications.

The inclusion of Avanpost FAM in the state register of Russian software is official confirmation of its compliance with all established rules and legal requirements, and of its recommendation for purchase by state and municipal customers as part of their procurement.

Avanpost FAM enterprise single sign-on solution overview

At the end of June 2020, a review of the solution for single sign-on to corporate applications was released.

Avanpost FAM announcement

On June 16, 2020, Avanpost announced the release of the Avanpost FAM (Federated Access Manager) software product. The software is suitable for any large organization, including ministries, departments and other authorities, state-owned companies, municipalities, vertically integrated enterprises, holding structures, companies that are centers or participants of partner clusters, and ordinary and networked commercial enterprises.

Avanpost FAM

According to the company, as of June 2020 any such organization, whatever its scale and line of business, its specific requirements for authenticating users of all authority levels in corporate information systems (IS), and the features of its IT landscape, needs a reliable, flexible and scalable single sign-on (SSO) system that covers various types of software. Avanpost FAM allows such systems to be built, combining strict information security requirements with convenience for users and increased productivity. At the same time, the need for other SSO-class solutions disappears.

Avanpost FAM provides single sign-on for software operated both by the organization itself and by its trusted partners. In both cases, employee authentication data does not leave the organization's perimeter.

Avanpost FAM is import-independent software that allows the customer organization to meet the requirements of central and industry regulators, in particular to avoid placing users' personal data on foreign servers when using foreign SaaS solutions.

The single sign-on system built with Avanpost FAM covers all enterprise software architectures in use as of June 2020, including on-premises and cloud (SaaS) web applications, mobile applications, traditional enterprise software with installed desktop clients (both thick and thin), and legacy software of any architecture.

The SSO infrastructure on which the customer provides employees with a single sign-on service fits seamlessly into the IT landscape of a modern IS, interacting smoothly with MS Active Directory (AD) directory services or similar solutions based on open source software. At the same time, Avanpost FAM increases the reliability of authentication by combining multi-factor authentication with complex authentication policies. With such policies an organization can solve many tasks, for example define different procedures and sets of authentication factors for different categories of employees, introduce corporate authentication standards and enforce them, comply with regulatory requirements, and so on.

Avanpost FAM can work with almost any authentication factor, including: physical factors (key media, smart cards, biometric readers and tag readers); one-time codes (SMS, TOTP, HOTP, messengers); certificates and electronic signatures (ES); context data obtained from the network environment, MCDS and other sources; and domain authentication (SPNEGO/Kerberos). Avanpost FAM allows a company to issue uniform employee passes that serve both for access control to the enterprise premises and as an additional authentication factor in corporate IS and application software.

Before the advent of Avanpost FAM, large organizations had to build and maintain a complex set of information security solutions to implement SSO functions. As a result, the vast majority of organizations stopped at authentication through the MS AD domain. Multifactor authentication based on proprietary Western information security solutions required operating costs unacceptable for most Russian organizations and also led to employee authentication data being stored outside the Russian Federation, which is a gross violation of the current regulatory framework of the Russian Federation and an unavoidable source of sanctions and other risks.

Avanpost FAM addresses all these problems. A single software product gives the customer organization authentication technologies for all types of software, reduces costs, eliminates the most dangerous weaknesses in the SSO system, and satisfies the requirements of regulators (FSTEC of the Russian Federation, FSB of the Russian Federation, Central Bank of the Russian Federation, etc.) regarding password policies and authentication.

In Avanpost FAM, SSO for the various types of enterprise software is provided by a single authentication core using modern authentication protocols (OpenID, OpenID Connect, OAuth and SAML) and an IdP (identity provider) architecture. In the IdP role, Avanpost FAM approves or rejects authentication requests from all types of software.

Modern enterprise web applications and SaaS services natively support the IdP architecture and the protocols listed above; in such software it is easy to specify Avanpost FAM as the IdP. Moreover, authentication via Avanpost FAM can be configured not only for an IS hosted on the customer's own servers but also for SaaS applications. Avanpost FAM can provide authentication with adequate levels of protection, control and assurance in a distributed infrastructure that is often shared with employees of a partner organization and/or other enterprises within a holding structure. In both normal and federated authentication (the last two scenarios), Avanpost FAM performs the necessary checks, applies the organization's information security policies, requests the authentication factors required in that case from the user, verifies them and makes a final decision on the request. The result of user authentication is returned to the IS from which the request was received, and based on that result the IS decides whether to grant the user access to its resources.

Enterprise software with a traditional architecture also increasingly uses authentication standards that originated on the Internet; as of June 2020 this is a steady trend. Where these standards are not supported, adding support is not difficult: the software's authentication function can be modified using the libraries that exist for all popular programming languages.

Connecting legacy software to a single sign-on system with Avanpost FAM is likewise not difficult, and there are two options. For legacy web applications, Avanpost FAM can operate in Reverse Proxy mode: the system acts as an intermediary that modifies requests from the user to the application and back according to scripts configured for that application. For authentication in desktop programs on the user's workstation, a lightweight Avanpost FAM Agent is used. The Agent provides multifactor authentication both at OS login and while the user works in an OS session. When a desktop application is launched, the Agent identifies and intercepts the login window of a program connected to Avanpost FAM and checks that the chain of authentication factors presented by the user is sufficient. If the user has been authenticated with the set of factors required by policy and may access the application, the Agent securely retrieves the credentials and enters them into the application window on the user's behalf, thereby completing authentication. To manipulate this window, the Agent uses compact templates configured for each application directly in the Avanpost FAM administrative interface, so connecting a desktop application usually comes down to configuring a template and requires no programming.