
Avanpost Web SSO

Product
Developer: Avanpost (Outpost)
System premiere date: 2017/03/20
Last release date: 2022/02/15
Technology: Information security - Authentication

Main article: Identity and Access Management - Definitions

Avanpost Web SSO is a system for managing user authentication in enterprise resources, SaaS services and cloud products. The product allows a large geographically distributed organization, or a network of interacting enterprises (business networks, corporate, regional, industry and project clusters), to implement a complete set of functions for regular and multi-factor authentication of information system (IS) users, as well as secure access for those users to all necessary applications after a single authentication (Single Sign-On, or SSO).

2022

Obtaining FSTEC certificate

On February 15, 2022, Avanpost announced that it had received an FSTEC certificate of conformity for its Avanpost Web SSO solution. The certificate confirms that the product fully meets the current data security requirements and meets the fourth, maximum level of trust for protecting sensitive information. Avanpost Web SSO can now be used in organizations that have increased requirements for the use of certified information protection tools.

For certification, Avanpost implemented additional security functions in Avanpost Web SSO and carried out additional work on testing the product and preparing the necessary documentation. The documentation covers the implemented protective measures, the design and development processes, and the methods and results of testing the system, including testing for vulnerabilities and elimination of the shortcomings found.

The certificate confirms that the Avanpost Web SSO solution can be used in state information systems up to and including the first security class, in personal data information systems up to and including the first security class, and in automated control systems of critical objects (CVO) up to and including the first security class. In addition, the system can be used in significant objects of critical information infrastructure (CII) up to and including the first category.

"The important quality of the Avanpost Web SSO solution is that it helps to ensure unified authentication in web applications for more external users, while imposing relatively low requirements on the hardware platform. The presence of the FSTEC certificate allows you to use Avanpost Web SSO when building significant state and social information services, which are subject to increased requirements for information security both in terms of confidentiality and accessibility. Now the introduction of Avanpost Web SSO exempts customers from the need to independently certify their systems for compliance with the FSTEC authentication and authorization requirements," said Oleg Gubka, Development Director of Avanpost.

Fulfillment of the requirements of the FAPI.SEC standard

On February 2, 2022, Avanpost, a Russian developer of identification and access control systems, announced that it had made improvements to the Avanpost FAM employee authentication system for corporate resources and to the Avanpost Web SSO client authentication system. Both solutions now fulfill the requirements of the Bank of Russia standard for the security of banking operations (STO BR FAPI.SEC-1.6-2020, FAPI.SEC: "Security of financial (banking) operations. Application programming interfaces for the security of financial services based on the OpenID protocol").

2021: Provide biometric authentication on wearable devices according to the WebAuthn standard

On October 27, 2021, Avanpost, a Russian developer of enterprise information resource identification and access control systems, announced that two of its systems now support biometric authentication in the applications connected to them, using biometric readers on user devices and connected WebAuthn/FIDO U2F tokens.

2020

Integration with PayControl

Avanpost's products for authenticating users in corporate resources (Avanpost FAM) and external applications (Avanpost Web SSO) expanded the range of available authentication factors through integration with the PayControl mobile electronic signature platform. This became known on December 22, 2020.

Avanpost Web SSO 2.5

On September 23, 2020, Avanpost, a Russian developer of enterprise information resource identification and access control (IDM) systems, announced the release of a milestone update of the Avanpost Web SSO single sign-on system. Version 2.5 supports modern application architectures, including mobile applications and software with a web interface, as well as legacy software, for which SSO is implemented on the basis of a reverse proxy.


According to the company, part of the updated functionality of Avanpost Web SSO 2.5 concerns the reverse proxy mechanism: in addition to the previously supported HTTP Basic and web form authentication methods, support for authentication scripts in JavaScript has been added. As a result, Avanpost Web SSO now supports authentication in web applications and portals of varying complexity, and this does not require reworking the legacy application, since Avanpost Web SSO is able to adapt to the features of the web application.

Another important change is the significant expansion of the synchronization functionality implemented through a message queue mechanism, with support added for the Apache Kafka and NATS.io message buses and the compact gRPC protocol. These tools are available literally "out of the box," which simplifies the integration of Avanpost Web SSO into the IT infrastructure of modern information systems.

Improvements have been made to the functionality and ergonomics of the user's personal account. Here, updated features allow you to transfer the most common self-service tasks to Avanpost Web SSO, including both managing the security of your account and navigating the resources and services available to the user (directly from the user interface of the personal account). The resulting integration at the authentication mechanism level simplifies Avanpost Web SSO interaction with the IT landscape and enables you to get ready-to-use IT solutions as soon as possible.

In addition, the boundaries of self-service have been expanded when managing passwords and other authentication factors, and users can independently determine the acceptable level of security of their account within the boundaries set by the system administrator.

The developers of Avanpost Web SSO 2.5 have increased the flexibility and adaptability of authentication scenarios while preserving the simplicity and usability of the features. With rules that can be defined for each step of the process, it has become easy to configure even very complex algorithms in which authentication steps are dynamically executed or skipped based on various data, including parameters of the user's network environment. Avanpost Web SSO now supports password policies that set minimum and maximum password validity periods, as well as requirements for password length, character composition, change history, etc. Administrators can create policies for automatically locking an account and for handling login attempts from a particular device, and can set the response to attempts to guess identification and authentication data. To prevent unauthorized access to the administrative console and the personal account, an option has been added to automatically end a session when an interface is left open but inactive.
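As an added illustration (not Avanpost's code), the following Python sketch models the password and lockout policies listed above: minimum and maximum validity periods, length and character-class requirements, change history, and automatic lockout after repeated failed logins. The policy parameter names, thresholds and the SHA-256 history digest are assumptions.

```python
"""Constructed model of the password and account-lockout policies described above.
Not Avanpost's code; field names and default thresholds are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3                         # of: lowercase, uppercase, digit, other
    min_age: timedelta = timedelta(days=1)       # earliest allowed change after the last one
    max_age: timedelta = timedelta(days=90)      # validity period
    history_depth: int = 5                       # last N passwords that may not be reused
    max_failures: int = 5                        # failed logins before automatic lockout
    lockout: timedelta = timedelta(minutes=15)


@dataclass
class AccountState:
    history: List[str] = field(default_factory=list)   # password digests, newest last
    changed_at: Optional[datetime] = None
    failures: int = 0
    locked_until: Optional[datetime] = None


def _digest(pw: str) -> str:
    # Demo only: a real credential store keeps slow, salted hashes, not plain SHA-256.
    return hashlib.sha256(pw.encode()).hexdigest()


def _classes(pw: str) -> int:
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def check_new_password(p: PasswordPolicy, s: AccountState, pw: str, now: datetime) -> list:
    """Return the list of policy violations; an empty list means the change is allowed."""
    violations = []
    if len(pw) < p.min_length:
        violations.append("too_short")
    if _classes(pw) < p.min_classes:
        violations.append("too_few_character_classes")
    if _digest(pw) in s.history[-p.history_depth:]:
        violations.append("reused_from_history")
    if s.changed_at is not None and now - s.changed_at < p.min_age:
        violations.append("changed_too_recently")
    return violations


def set_password(p: PasswordPolicy, s: AccountState, pw: str, now: datetime) -> bool:
    if check_new_password(p, s, pw, now):
        return False
    s.history.append(_digest(pw))
    s.changed_at = now
    return True


def password_expired(p: PasswordPolicy, s: AccountState, now: datetime) -> bool:
    return s.changed_at is None or now - s.changed_at > p.max_age


def login(p: PasswordPolicy, s: AccountState, pw: str, now: datetime) -> str:
    """Apply the lockout policy to one login attempt: 'locked', 'failed' or 'ok'."""
    if s.locked_until is not None and now < s.locked_until:
        return "locked"
    if s.history and s.history[-1] == _digest(pw):
        s.failures = 0
        return "ok"
    s.failures += 1
    if s.failures >= p.max_failures:      # threshold reached: lock and reset the counter
        s.failures = 0
        s.locked_until = now + p.lockout
    return "failed"
```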

Avanpost Web SSO 2.5 provides enhanced auditing capabilities. In particular, this version can automatically record various security events related to authentication. Messages are written in several formats at once (syslog and JSON), which simplifies integration with logging systems and SIEM solutions.

2019: Multilingualism Support

On September 3, 2019, it became known that Avanpost, a Russian developer of enterprise information resource identification and access control (IDM) systems, had built a universal localization mechanism into the latest versions of its Avanpost IDM and Avanpost WebSSO software products, which made their user interfaces multilingual.

2018

Avanpost SSO 2.0

On October 23, 2018, Avanpost announced the release of Avanpost SSO 2.0, a milestone release of a software product for creating enterprise systems with single sign-on (Single Sign-On, or SSO).

The changes included in this release, according to the developer, expanded the capabilities of authentication systems created on the basis of Avanpost Web SSO, simplified the implementation and maintenance of the product, and also made it possible to equally effectively implement authentication for both modern software and legacy systems.

Avanpost Web SSO User Interface

Avanpost Web SSO is system-forming software that allows a large geographically distributed organization or a network of interacting enterprises (cluster, business network, extended supply chain, etc.) to implement a full range of functions for regular and multi-factor authentication of IS users, as well as their secure access to all necessary applications after a single authentication. A unified authentication system based on Avanpost Web SSO covers all means of user interaction with modern IS: thin clients, mobile applications, SaaS services, traditional desktop applications and complex web resources whose pages dynamically access the information systems of one or more organizations. At the same time, according to Avanpost, Avanpost WebSSO is able to effectively support IS with millions of users.

Among the changes to Avanpost Web SSO 2.0, the developer noted support for multiple user IDs, effective work with legacy software, the emergence of a full-featured administrative interface that allows you to maintain an internal user directory, including managing groups and assigning access to applications to groups and individual users. In the Avanpost Web SSO release, the data management technology was completely changed, which simplified the implementation and configuration of the product, as well as made it possible to change the data model and make appropriate updates to the authentication systems without user participation.

Identification of users

Multiple user IDs allow users to log in not only by login name, but also by any other unique key permitted by the customer, for example a phone number, e-mail address, SNILS, etc. Whichever identifier a user logs in with, they get access to the same set of applications. In addition, Avanpost Web SSO 2.0 passes each application exactly the identifier, and in the format, that the application expects. This makes it possible to connect to a single authentication system applications that identify users in different ways and have their own identifier databases that must be preserved, a situation characteristic of legacy software, the developer noted.

Authentication and SSO for new and legacy software

Support for two completely different authentication methods in Web SSO 2.0 is essential for the corporate authentication system to work efficiently with legacy software as well as with modern software. Since the first release, Avanpost Web SSO has implemented authentication in the identity provider scheme. In this scheme, the Web SSO system participates only in the authentication process itself, after which no further interaction with the application software takes place. Accordingly, an authentication system using this scheme is the most stable and least loaded.

Avanpost Web SSO 2.0 can also work as a special authentication proxy (reverse proxy). The authentication and SSO service, placed in front of the information system, intercepts all requests to applications and adds a particular authorization attribute to them (for example, one of the user IDs), which lets the application know which user the request came from. SSO systems running in this scheme are involved in processing every request to every application and therefore can only be scaled together with them; since the speed of data transfer to applications depends on the bandwidth of the reverse proxy, the result is a heavily loaded authentication system that is difficult to scale. However, this scheme also has a strong point: it allows legacy applications, which will never support SAML, OpenID or anything similar, to be connected to the corporate authentication and SSO system, the developer emphasized.

Avanpost Web SSO 2.0 enables customers to work efficiently with both new and legacy applications while maintaining the optimal corporate authentication and SSO lifecycle. Avanpost believes that using one technology platform is easier and more convenient than combining and developing independent authentication systems.
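To make the reverse-proxy scheme concrete, here is an added Python model (not Avanpost's code) of the request path: the proxy resolves the SSO session from a cookie, drops any identity header the client supplied so it cannot impersonate another user, and injects the identifier the target application expects. The header and cookie names, the session table and the application registry are assumed sample values.

```python
"""Constructed model of an authenticating reverse proxy as described above.
Not Avanpost's code; names and tables below are assumptions."""
from datetime import datetime
from http.cookies import SimpleCookie

IDENTITY_HEADER = "X-Auth-User"                # assumed name of the attribute the proxy adds
SESSION_COOKIE = "sso_session"                 # assumed SSO session cookie name
LOGIN_URL = "https://sso.example.test/login"   # assumed identity-provider login page

# Constructed session store: cookie value -> (user record, session expiry).
SESSIONS = {
    "s3ss10n-ok": ({"login": "ivanov", "email": "ivanov@example.test"},
                   datetime(2022, 1, 1, 12, 0)),
}
# Constructed application registry: path prefix -> the identifier that this
# particular (legacy) application expects to receive (cf. multiple user IDs).
APPS = {"/crm/": "email", "/erp/": "login"}


def _app_for(path: str):
    for prefix, id_field in APPS.items():
        if path.startswith(prefix):
            return id_field
    return None


def proxy_request(path: str, headers: dict, now: datetime):
    """Decide what the authenticating reverse proxy does with one request.

    Returns ("deny", reason), ("redirect", url) or ("forward", upstream_headers).
    """
    id_field = _app_for(path)
    if id_field is None:
        return ("deny", "unknown application")

    # 1. Never trust an identity header supplied by the client: drop every copy,
    #    whatever its letter case, so a caller cannot set it to impersonate a user.
    upstream = {k: v for k, v in headers.items()
                if k.lower() != IDENTITY_HEADER.lower()}

    # 2. Resolve the SSO session from the cookie; missing or expired -> login page.
    cookie_header = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
    jar = SimpleCookie(cookie_header)
    token = jar[SESSION_COOKIE].value if SESSION_COOKIE in jar else None
    session = SESSIONS.get(token)
    if session is None or now >= session[1]:
        return ("redirect", f"{LOGIN_URL}?next={path}")

    # 3. Add exactly the identifier this application expects; the application
    #    only ever sees the value set here by the proxy.
    user, _expiry = session
    upstream[IDENTITY_HEADER] = user[id_field]
    return ("forward", upstream)
```

The application behind the proxy must be reachable only through it; a direct request carrying a forged identity header would otherwise bypass step 1 entirely.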

Data Management System

Another change is the complete redesign of the data management system in Avanpost Web SSO 2.0. Instead of two software products (OpenLDAP and Redis), the Tarantool DBMS is now used. Storing user information in OpenLDAP made updating the data schema difficult: adding fields and extending the schema, which any relational DBMS handles easily, is in the case of OpenLDAP a complex task that requires a highly skilled administrator and a lot of work. At the same time, the need to change the data schema arises quite often (for example, implementing multiple user IDs and the Avanpost Web SSO 2.0 administrative interface required it). The transition to the Tarantool DBMS ensured that the data schema can be extended and updated without the participation of users.

The highly available networked key-value store Redis allowed Avanpost Web SSO 1.x to keep in memory the variable information about many sessions on multiple nodes and to correct these connections in a timely manner (for example, when moving services or switching users between nodes). Although this function worked flawlessly, a number of Redis features led to unnecessary complexity of the IT solution and increased implementation and administration costs. For instance, in cluster mode Redis requires at least three nodes, while most Avanpost Web SSO customers need two. Replacing Redis with Tarantool fixed such problems without side effects. Tests showed that the Tarantool DBMS is highly available, replicates quickly, stores information both in RAM and on disk, and is effective under high load and in fault-tolerant configurations. In addition, configuring and administering one data management system instead of two significantly reduced the complexity of configuring and administering highly available clusters.

Other changes

In this Avanpost Web SSO release, the developer also noted smaller changes that affect the usability and functionality of the product. More authentication factors are supported in this version, and they can be used in any combination. Domain Kerberos authentication is fully implemented. SMS can be used as a factor in multi-factor authentication; for this, the product includes the tools needed to integrate with external SMS gateways of any provider.

The reporting system has also changed. In particular, based on experience from practical use of Avanpost Web SSO, a verified set of reports was developed that shows who worked with a particular system and when, how many logins to it took place in a given period, collects various statistics on systems, users and groups, and provides breakdowns by accounts and other elements of the data model. This fixed set of reports is built into Avanpost Web SSO 2.0 and requires no administration, integration with other applications or complex configuration. At the same time, reports of any complexity can also be created in external software.

In preparing Avanpost Web SSO 2.0, Avanpost applied its own methods for apportioning the changes included in major and minor updates of its products. This change, introduced in connection with the transition to Agile practices, simplifies the adoption of new versions by users and administrators of the Avanpost product line, the developer said.

Product Description

Features (as of September 2018):

  • Transparent authentication in legacy applications
    • Automatic substitution of authentication data into application windows and web pages enables transparent authentication.
  • Multi-factor authentication in the OS and applications
    • The solution allows you to organize multi-factor authentication using various factors: tokens, smart cards, RFID tags, fingerprint scanners, SMS and others.
  • Increased security of user accounts in IS
    • Automatically changing a user's password in managed IS according to configured policies helps protect accounts from theft or password guessing.

List of supported authentication tools:

As of September 2018, Avanpost SSO supports various authentication factors, such as:

Password Change and Propagation Mechanism

Avanpost SSO integrates with target applications using connectors and automatically changes passwords in them according to the specified password policies. After a password change, the passwords are delivered to the user's profile, which allows the user to authenticate transparently in applications while observing current security policies.

Inclusion in the register of Russian software

In January 2018, Avanpost announced that the Avanpost Web SSO software product was included in the unified register of Russian programs for electronic computers and databases (registration number 4049). Now it includes all Avanpost software products (Web SSO, IDM, PKI and SSO), which allows, in compliance with the requirements of the current legislation of the Russian Federation, to apply them separately and in any combinations in state structures (including FOIVs), law enforcement agencies, state corporations and municipalities. The inclusion of Web SSO in the register of Russian software is also important for commercial organizations that form their technological platforms taking into account the import substitution policy.

2017: Avanpost Web SSO Announcement

On March 20, 2017, Avanpost announced Avanpost Web SSO, a product providing a set of functions for regular and multi-factor authentication of IS users. The product is aimed at large geographically distributed organizations and business networks.

The unified authentication and SSO system created with Avanpost WebSSO covers all mechanisms of user interaction with modern IS:

  • thin clients,
  • mobile applications,
  • SaaS services,
  • traditional desktop applications,
  • complex web resources whose pages provide access to the information systems of one or more organizations.

Avanpost WebSSO is designed to support IS with millions of users.

Out of the box, the product supports three scenarios for implementing authentication and SSO in large IS:

  • a common authentication service for multiple applications of a large centralized organization;
  • federated authentication when users are in multiple interacting organizations, and the authentication service provides one of them;
  • authentication in SaaS applications, required by organizations moving their IS to a private cloud infrastructure.

The first scenario simplifies application development (since applications do not need to run their own user information management subsystems) and keeps the IS manageable even when it is deliberately decentralized to increase flexibility.

In the second case, the security of interaction between large groups of companies and large business networks increases. This matters because organizing federated authentication is difficult.

When migrating to the SaaS architecture, an organization can create internal applications in the private cloud and safely use the services of hosting providers without transferring its user data externally. The interaction of external and internal SaaS applications with the Avanpost WebSSO service is based on open standards (SAML, OAuth, etc.).

Avanpost WebSSO provides a set of authentication services. Using this software together with the Avanpost IDM product allows the credential directory of the associated WebSSO system to be managed automatically through the LDAP connector. When authenticating users, Avanpost WebSSO can receive authorization attributes directly from the IDM system. In addition, role information can be transmitted from IDM (SAML has a standard protocol for this information). As a result, WebSSO does not need to store information about users (including authentication attributes) itself, which simplifies the administration of authentication functions and eliminates the possibility of errors and abuse.

Avanpost WebSSO provides a set of authentication and SSO functions for information systems based on technologies and products of foreign vendors, as well as for import-independent IT solutions.

The technology stack of the Avanpost WebSSO platform, including the programming language, additional libraries and frameworks, has implementations for Linux and Windows, and Avanpost WebSSO source code can be transferred between these platforms. However, as the developers said on March 20, 2017, the preferred execution environment for Avanpost WebSSO is Linux.

The software is available under two licensing schemes: by number of users or by number of processor cores.

A single point for authentication and authentication data management created with Web SSO provides benefits to all target segments. For large state and municipal structures, it unifies services for internal users, subordinate institutions and contractors. Large commercial organizations increase the security and convenience of their IS for users amid an expanding set of communication channels (web sites, mobile applications, web services, etc.), the growing popularity of service delivery through interactive web sites and mobile applications, the complexity of the service portfolio (for example, in banking), the outsourcing of various functions, and the need to integrate partners' IS access mechanisms into their own communication tools. For large municipalities developing powerful service aggregator portals, all of the above advantages are important.