RooX UIDM Authentication and Authorization Management System

2024

Compatible with Astra Linux 1.7

The RooX UIDM access control system has completed compatibility tests with OCAstra Linux 1.7. The correct operation of the software stack is confirmed by the certificate issued by Astra Group. For end users, this means that they have the opportunity to create and develop information security circuits that meet their individual needs. This was announced on March 27, 2024 by the Astra Group.

Obtaining the certificate was preceded by comprehensive testing of the health of the software stack. To do this, RooX experts used a stand with the Postgres PRO Standard DBMS, Astra Linux OS, as well as the Tarantool in-memory computing platform created in VK, designed to store tokens and other operational information. At this stand, experts checked all user scenarios for registration, authentication, authorization and self-service and made sure that RooX UIDM works correctly in conjunction with Russian software, and the functionality for calculating access policies, user authorization and authentication, including federated, is available in full.

{{quote 'RooX UIDM has been compatible with Linux-based operating systems before. We have finalized the distributions so that the system is installed and launched on Astra Linux as conveniently as on other import-independent platforms, "commented Konstantin Korsakov, chief architect of RooX. }}

One of the priority tasks of import substitution is to ensure full compatibility of domestic software products from different segments. Users should have access to the widest possible ecosystem of solutions that work correctly and stably in conjunction. Now that the tests have been successfully completed and the performance of RooX UIDM in the Astra Linux environment has been confirmed, the organizations have the opportunity to build and modernize information security systems, - said Alexey Trubochev, director of the support department of Astra Group.

Recall that now at the ministry level the issue of mandatory compatibility with Linux-like platforms of products included in the register of the Ministry of Digital Development is being discussed.

Red OS Compatibility

RooX and Red Software have confirmed the compatibility of the RooX UIDM authentication and authorization system with the operating system Red OS. Business now has a joint solution for secure access management, as well as for building import-independent IT ecosystems. Red Soft announced this on February 27, 2024.

The operating system is used by government and commercial customers. Partnering with such a developer and confirming the compatibility of our solutions is a strategic step for our company, which will offer even more domestic business users reliable access control tools, said Konstantin Korsakov, chief architect of RooX.

RED SOFTWARE is constantly expanding its partner network, including popular information security solutions. We thank the RooX team for active and fruitful cooperation, - said Rustam Rustamov, Deputy General Director of RED SOFT.

2023

Add Gateway API

Added to the UIDM RooX Access Control System API is Gateway, a universally configurable gateway for controlling access to information systems. The Gateway API will facilitate the transition to a Single authentications Sign-On system, strengthen application security and APIs, and reduce security costs. Thanks to this gateway, new applications can be connected to the authentication system without the participation of developers. RooX Solutions (Ruks Solutions) announced this on December 21, 2023.

When implementing a single authentication system in a large company, the following circumstances may complicate the digital transformation: it is necessary to ensure uniform authorization of dozens and even hundreds of applications and APIs that are created within various technological stacks, including legacy applications and cloud services.

At the same time, the allocated resource for refinement in terms of access control functions is organic, and access to the source codes of applications may be difficult or impossible.

In addition, application security may not be sufficient or meet current security standards and regulations (for example, support for multifactor authentication may not be available).

The Gateway API in RooX UIDM will facilitate the implementation of Single Sign-On: it will eliminate the need to refine the authorization functionality in each application or API, and provide the ability to easily configure the connection of new applications. It will also provide a reliable level of application protection thanks to the use of unified modern authorization rules.

As part of the RooX UIDM microservice architecture, we separate security issues from business logic. This approach allows for a higher level of protection, "said Konstantin Korsakov, chief architect of RooX.

The Gateway API in RooX UIDM works on the principle of a reverse proxy, interrupting incoming HTTP requests. It analyzes user session data, URLs, request body headers and fragments, source IP address, HTTPS certificate data, and other parameters.

Connecting applications and APIs and configuring access rules for them can be carried out without the participation of developers. For each URL, you can specify the criteria for selecting the request and the list of necessary actions when meeting this criterion. Among the available actions are checking access rights, forwarding to the form of authentication or entering an OTP code, modifying, routing or blocking a request, and others.

For security reasons, the Gateway API in RooX UIDM logs request processing events and can also restrict information sent to the application.

For legacy applications, the Gateway API can secretly start a session, support it, and provide multi-user access to this application.

The Gateway API in RooX UIDM is designed for high load, supports request tracing, centralized logging and monitoring.

Add user authentication from multiple directory services

In RooX UIDM, combined user authentication from several directory services has appeared. This was announced on November 14, 2023 by RooX Solutions (Ruks Solutions).

This feature of the RooX UIDM access control system will facilitate authentication to various enterprise services when the company has deployed the so-called "multiles," and will also provide unified authentication to applications that do not support connection to multiple directory services.

The directory service is a common component of the IT infrastructure that allows users to be authorized and authenticated to internal domains. It has a tree structure and stores all information about the company's divisions, network users, the groups in which they belong, etc.

The most popular product of this class in Russian campaigns until recently was Microsoft Active Directory (AD) based on Windows Server. Examples of open source solutions are Samba DC and FreeIPA. Among the Russian directory services can be called ALD Pro from Astra Group of Companies, RED ADM from RED SOFT, a module built into Alt Workstation and Avanpost Directory Service.

Large companies can use multiple directory service servers for a variety of reasons. This approach is common among holdings with many branches and subsidiaries. Multiple directory services also apply the business going through the merge process. Sometimes user groups are placed in separate repositories in accordance with the company's information security policy. Finally, and this is an actual pattern recently, companies can simultaneously use several directory services - old and new - in the process of migrating to domestic software.

At the same time, the need to support several different forms of login to the same applications for different groups of users complicates management, increases security risks and leads to inconvenience for users. In addition, some applications, in principle, do not support connecting to multiple directory services and need a single account mechanism to sign in.

This feature in the UIDM RooX Access Control System provides combined user authentication from multiple directory services.

It allows you to configure the search for a user in multiple directory services with the priority settings specified. The connection parameters to each directory service server are configured independently, taking into account the peculiarities of its structure. So, in RooX UIDM you can set the address of the directory server, the account for the connection, as well as a number of filters for finding the user - for example, in which groups, in which subtree or according to what conditions to search for it. You can also set up rules for defining account attributes (mapping).

These settings can be applied to different directories or to the same directory. Multiple connections with different settings to the same directory will allow you to query user data from different subtree for different templates and filter them differently. This may be necessary if the data in the directory service is not harmonized.

With the update, user authentication from several directories using the Kerberos protocol has also become available in RooX UIDM.

The ability to connect to multiple directory services is available to all RooX clients as part of the RooX UIDM product roadmap. We also advise on settings for a specific client task - for example, in what order it is better to prioritize the choice of trees when searching for data or on what parameters of rights to search for users, "said Konstantin Korsakov, chief architect of RooX.

Add Device Identification

RooX announced on September 4, 2023 that it has added adaptive device authentication to the RooX UIDM access control system. The "device identification" function will allow you to determine which gadgets are logged into the system, as well as control access rights from these devices. This will help protect users of mass services from unauthorized actions.

Every day, people use dozens of digital services - they enter Internetbanks-, make purchases, watch movies, register for a doctor's appointment and perform other operations. And when it comes to, authentications it usually means user authentication. That is, human authentication using methods such as login/,password, multivariate authentication login by biometrics , and so on. However, to improve the security level, it is also necessary to authenticate the device from which the user enters the service.

If implemented correctly, device authentication can provide strong protection against common attack vectors such as social engineering, the use of compromised credentials, session interception, and the use of a compromised device.

As part of the Device Identification function in RooX UIDM, you can configure user notifications about logging into the service, as well as enable you to administer the ability to log in without a password from a device.

Notification of each entry is likely to become "white noise" for the user and will only weaken vigilance. Therefore, in RooX UIDM, you can configure notifications only about unusual inputs: logging in from a previously unknown device, unusual use of an old device, for example, "impossible to move," changing the operating system or browser, and others, "said Konstantin Korsakov, chief architect of RooX UIDM.

In addition, the function allows you to administer devices and login sessions. The user can view a list of devices from which the service has ever been signed in, analyze the history of authentication on them, view a list of current sessions and interrupt irrelevant ones, as well as revoke the possibility of logging in without a password on a certain device or delete unused devices.

In order for notifications and administration to be possible, RooX UIDM collects information about all devices from which the application or online service is logged in. Device markup is protected from counterfeiting using asymmetric cryptography. Thanks to this protection, it is impossible to disguise one device as another, for example, an attacker's computer as a legal user's computer.

Ability to adjust authentication scenarios based on device settings

The Russian access control system RooX UIDM implements the ability to adjust authentication scenarios depending on the parameters of the devices from which the entry is made. With this function, among other things, you can restrict logging into systems and services from Apple devices. This was announced on July 25, 2023 by RooX Solutions (Ruks Solutions).

In July 2023, several government departments banned employees from using Apple equipment in the performance of official duties. According to market experts, the tendency to limit the use of devices from this manufacturer in the future may spread to other large departments.

The UIDM RooX access control system helps companies build secure authentication scenarios with such restrictions in mind. RooX UIDM defines a number of device parameters from which the user tries to log into the system, including the manufacturer. Logon scripts can be configured based on the values ​ ​ of these parameters, in particular, you can restrict logon from devices of a particular manufacturer or, conversely, allow logon only from trusted devices.

In addition, the RooX UIDM implements the function of logging login attempts. This will help the internal security services of the enterprise to promptly monitor all authentication events.

The ability to restrict entry to digital services, corporate portals and applications from certain devices is an important part of corporate information security. RooX UIDM will help close such a need for business and state-owned companies, as well as control the process of introducing such restrictions. If necessary, the solution can be customized for the specific tasks of companies, - said Aleksei Khmelnytsky, CEO of RooX.

Java Axiom JDK Pro Compatibility

On June 19, 2023, RooX announced that it had made the domestic RooX UIDM authentication and authorization management system compatible with the Java Axiom JDK Pro development and execution environment. The compatibility of these solutions will allow RooX UIDM to be used in IT landscapes deployed on the Russian Java stack.

RooX UIDM

According to the company, technologically, the Java Axiom JDK Pro execution environment is a necessary link when launching the RooX UIDM system on domestic OS and DBMS. Tests have confirmed that solutions work together correctly. This makes it possible to recommend the RooX UIDM authentication and authorization management system for use in a certified domestic Java environment when implementing import substitution projects.

RooX UIDM is an IAM system designed to control user access to business applications, web portals, and digital services. The solution provides authentication of individuals and legal entities, as well as extensive integration opportunities. RooX UIDM is included in the Register of Russian software and complies with GOST and Central Bank safety standards.

Axiom JDK Pro is a Russian Java platform that is used in systems that require a high level of security, critical information infrastructures (CII), as well as in complex IT landscapes of banking, exchange and other systems that require high bandwidth Java applications. It is a cross-platform solution for cloud, server and desktop systems that complies with the Java SE standard . Axiom JDK Pro is included in the register of the Ministry of Digital Development of Russia and supports many system configurations, including domestic OS and DBMS, hardware and processor platforms, applications and clouds.

The Axiom JDK Pro platform, created on the basis of open technologies and supported by Russian engineers, is a worthy alternative to proprietary products of Oracle, IBM and other Western vendors, which is of interest among our clients from the financial sector and retail planning to migrate to domestic software. told Konstantin Korsakov, chief architect of RooX

We welcome RooX UIDM to the ecosystem of domestic Java and are pleased that more and more information security vendors are providing compatibility with Axiom JDK Pro. This contributes to the formation of a secure and sovereign Java stack, stimulating practical import substitution and minimizing information security risks. We invest in compatibility with all popular platforms and systematically expand the functionality of our professional products. told Aleksei Kuznetsov, Partner Relations Director of Axiom JDK

Tarantool Platform Compatibility

The company RooX on May 29, 2023 announced the update of the management system authentication authorization and RooX UIDM. The solution is now compatible ON with the intermediate layer for processing. This data Tarantool will allow customers to process information about sessions and user profiles in RAM, which significantly speeds up the process without additional computing power costs.

{{quote 'Authentication and authorization are an integral part of almost any IT system. They are necessary for correct access and use of applications. Therefore, we are constantly improving RooX UIDM and are working to expand the network of partner software products. Compatibility with Tarantool is an important step in the strategic development of the system, - commented Konstantin Korsakov, chief architect of RooX. }}

The RooX team has extensive experience in building a complex IT infrastructure that meets high information security requirements. Therefore, the compatibility of its access control system with Tarantool software will simplify the creation of flexible and secure IT solutions, - said Alexander Vinogradov, head of Tarantool at VK.

Launch of password verification technology for dictionary and leaked password databases

The company RooX has implemented a technology for checking passwords dictionary and leaked password databases in the RooX UIDM access control system. This will allow companies bank in the sector,, and retail e-commerce others to further industries secure user accounts.

According to various studies, from 50% to 75% of users set simple passwords, and also use repeated combinations of login and password on different services. As a result, every year a huge number of hacks become possible simply because hackers automate the search for known leaked passwords. For example, they take a database of logins and passwords of the delivery service and check them on the Internet bank.

This functionality in the RooX UIDM authentication and authorization management system will help notify the user of a compromised or weak password and even prohibit its use in some cases.

Attackers regularly upload password databases to the public. For example, in 2021, a file with a volume of about 100 GB was posted, containing 8.4 billion passwords. The global community of information security specialists regularly monitors leaks and adds data from them to specialized databases. RooX UIDM uses these databases to check passwords. In addition, our clients have the ability to connect their own databases of "bad" passwords for checks, - said Konstantin Korsakov, chief architect of RooX.

In RooX UIDM, password verification can be built into user registration, authentication and authorization scenarios at the following points: setting a password, restoring or changing it, logging into the service, performing an action that requires additional authorization.

In addition, it is possible to launch a full-scale check of the entire user base for matches with dictionaries and compromised data on demand (for example, after the next leak news) or on schedule.

How tough the system's response will be when a compromised password is detected is determined by the settings. The system can simply notify the user that the password has ceased to be reliable, provide the opportunity to immediately change it or even prohibit the action until the password is changed to secure.

Compatibility with PostgreSQL and Postgres Pro DBMS

RooX on April 24, 2023 announced the compatibility of the RooX UIDM authentication and authorization management system with the PostgreSQL open database and its Postgres Pro build from the Russian company Postgres Professional. The current update of RooX UIDM will expand the list of available databases and supplement them with secure import-independent software.

DBMS Postgres Pro is one of the most popular bases data among large corporate clients that we serve as part of comprehensive projects to build user access control systems. The inclusion of DBMS Register of the Ministry of Digital Development in guarantees full compliance with the requirements information security and absence. vulnerabilities In addition, it is important for our customers that the solution is fully adapted for work in the Russian market. Thus, all variants of the Postgres Pro DBMS have complete technical documentation and system messages in the Russian language. We will continue to ensure compatibility with future builds of this DBMS and develop our cooperation with Postgres Professional, "said Konstantin Korsakov RooX's chief architect.

Business needs secure domestic IT authorization and authentication solutions, so testing and ensuring compatibility with Postgres Pro DBMS has become a natural stage in the development of RooX UIDM. We are glad to see RooX among our partners and are ready to provide the development team with all the necessary consulting assistance and technical support, - said Ivan Panchenko, Deputy General Director of Postgres Professional.

2022

Based on Application Protection against Stacking

On August 9, 2022, RooX introduced an IT solution that protects large companies from losing customers due to the removal of mobile applications from storages. The solution is based on a web application in the form of Progressive Web App (PWA) and the RooX UIDM authentication and authorization system. The solution helps to maintain the interface familiar to customers, as well as ensure simplicity and security of access. At the same time, you do not need to download anything to your smartphone.

This RooX solution is intended for companies that may lose customers due to the removal of mobile applications from popular stores: for banks, insurance and medical companies, state and news portals, telecom operators, e-commerce, educational platforms and other organizations. The prerequisite for the development of the solution was the sanctions of the United States and the EU, which led to the removal of applications of Russian banks and other companies from the AppStore, Google Play and Huawei AppGallery.

The Russian audience is used to the convenience of mobile applications. If they are not offered a good replacement, users can start moving to competing service providers.

A popular way out - migration to APK - requires large organizational and advertising costs, since it is necessary to convince customers to take unusual steps - download the application from the site and deal with the security settings of the smartphone. In addition, this release is not suitable for owners of iOS devices, since it is impossible to install third-party programs on the iPhone without hacking.

A personal account or Internet bank, even adapted for mobile devices, also cannot completely replace the native application. Sites lose to applications in UX - in speed, smoothness and ergonomics of the interface. Some functions are not available to them, for example, modern types, biometric authentications such as Touch ID, Face ID and their analogues for, - Android said the director of Nikita Evgenov business development at RooX.

Transferring sites to progressive web application (PWA) technology in conjunction with the RooX UIDM authorization and authentication system will help solve the problem. Such an application works in a browser on both iOS and Android, it does not need to be installed on the device, it boots quickly even with an unstable Internet, can work offline, and updates occur automatically.

For the user, it looks like a mobile application. It can include, among other things, Touch ID, Face ID or their analogues for Android, you can use a camera and location inside it. For a business, such an upgrade of the site will save on transactions, because to enter the PWA application and confirm operations, you can use biometrics, and this is free for the company, unlike confirmation by SMS. In addition, the PWA application can be supported and developed by the same team that runs the site. This will reduce the cost of supporting the mobile device channel.

There are pros to marketing in the transition to PWA + RooX UIDM. For example, converting site visitors to using PWA is higher compared to converting to using mobile applications, since PWA does not need to be installed on a phone. Also, Roof UIDM integrates with web analytics systems, this provides additional opportunities for end-to-end analysis of marketing activities, "said Natalia Ledneva, Marketing Director of RooX.

The RooX team has invested in this solution their experience in developing complex web applications and expertise in the field of authentication and authorization. Our PWA applications are as close as possible to native ones in terms of convenience. We can implement any authentication scenarios - login/password, through social networks, through IDP, using OTP or TOTP, through biometrics familiar to mobile applications, and so on. At the same time, access will be protected according to the security standards OWASP, NIST, GOST and the Central Bank, - added Nikita Evgenov, director of business development at RooX.

The advent of functionality for end-to-end web analytics

On June 7, 2022, the company, developer RooX authentications of the RooX UIDM system and authorization, announced that it had added integration with web analytics systems. RooX UIDM can enrich Yandex.Metric Google Analytics data the user's path as well. Integration will be especially useful for end-to-end analysis marketing of promotions designed to attract customers or bids. It will allow marketing departments to better analyze the leads attracted and avoid double counting them.

Source: revesecure.com

In some industries, registering a new customer involves more than just filling out a form with contact information. Registration can be a multi-step business process with asynchronous checks. For example, banks can check users in the ESIA and for presence in "black" lists (in particular, a person is wanted or his passport is not confirmed, the company is undergoing liquidation or has a license revoked).

Previously, the path of such a user according to web analytics systems ended by clicking the "Submit Registration Request" button. It was impossible or laborious to collect data on the further stages of the request processing. After the integration is implemented in RooX UIDM, you can track all the steps, since the results of checks during the registration process and many other events concerning the user are recorded in a special audit event database. As part of the integration, impersonal, but associated with tracking identifiers, data about these events are transmitted through a special adapter to Yandex.Metric or Google Analytics. The web analytics system completes the conversion funnel from this data. So the integration of RooX UIDM with web analytics systems allows you to get more complete information about the user's path.

In addition to the user creation event, other events of the UIDM RooX audit system can be handled in this way.

"Our customers seek not just to massively offer their users (buyers, suppliers, partners) a discount, product or tariff, but to make everyone an up-to-date individual offer based on data analysis. We are also developing RooX UIDM as a system that provides personalized user experience in authentication and authorization tasks. The integration of authentication and web analytics provides more complete information for analyzing the user's path, " comments Natalia Ledneva, Marketing Director of RooX

Strengthen Enterprise System Access Protection

On April 20, 2022, RooX announced that it had updated the Russian RooX UIDM CIAM system. For field, outsourcing and freelance employees of large companies, an adaptive authentication scenario is implemented, in which the protection of access to corporate systems is strengthened.

Many companies involve outsourcing employees, for example, sales agents, call centers employees, couriers. In addition, full-time employees can fulfill their duties "in the field" - crews of assistance in an accident, field medical services, auditors of chain stores, and so on.

RooX UIDM now has an adaptive secure login scenario for these categories of employees that takes into account the specifics of remote work.

Such employees usually work on a mobile gadget. They connect to the Internet through a "foreign" network - mobile Internet, public access points, the client's network. On the road, they have a smaller set of functions than in the office, and sometimes this set is severely limited by the functionality of a specialized application.

"It is dangerous to use a domain account on untrusted networks and devices. In some cases, "field" employees generally do not want to know their login and password in the domain, since they should not have access to any other corporate resources other than a specialized application. In addition, it makes sense to distinguish between the privileges of a "mobile" and "office" role. Then even if an attacker logs into the system through a stolen gadget, he will not have full access to all internal services, "- tells Konstantin Korsakov, architect of RooX authentication and authorization systems.

Additional RooX UIDM Features

RooX UIDM has previously implemented role management and multi-factor authentication capabilities. Two functions have been added to the system - checking the subnet from which the user is working, and storing additional data for authentication.

The first function allows you to distinguish between untrusted networks and restrict access from them to company resources. The second makes it possible to bind to the user a mobile phone number in a standardized form, UKEP, an identifier of a third-party IDP account, and so on. It is important to note that the practice of using mobile phone numbers specified in the domain is unreliable. Data in it is rarely reduced to a single recording standard, may be irrelevant, invalid, repeated for different employees or simply absent

With these features, the adaptive secure login scenario is configured in RooX UIDM, which covers all stages of interaction with the employee.

How Adaptive Secure Login Script is Configured

The employee is connected to remote work capabilities within the corporate network. The employee logs in with his domain account and binds data to it for authentication "in the field." If this is a mobile phone number, it is confirmed using a one-time password via SMS. In a phone number setup scenario, you may have options for notifications and actions in case the phone number was previously used by another employee.

If an employee is restricted in domain access, the administrator binds.

Next, when the employee starts working in a "foreign" network, the script branch is activated using an alternative login. In this case, the rights to use the functions are automatically reduced to a "mobile" role. This scenario thread can be further enhanced using the second factor.

Announcement of RooX UIDM

On March 10, 2022, RooX introduced the domestic RooX UIDM authentication and authorization management system in Russia.

RooX UIDM

According to the company, RooX UIDM is designed to protect access to finance and sensitive data of customers and partners of medium and large organizations. The system takes into account Russian specifics and legal requirements, meets safety standards and quickly unfolds.

RooX UIDM includes several dozen ready-made user authentication and authorization methods, from which scenarios of any complexity are collected, including multifactorial ones. Among the available methods are login password, CEP certificates, ESIA, biometrics, digital fingerprint, OTP (one-time password), TOTP, QR code and others.

RooX UIDM has developed as part of the web solutions that we develop and implement - Internet banks, supplier portals, personal accounts and others. In 2021, we worked to separate this functionality into a separate product and present it to the Russian market. told Alexey Khmelnitsky, CEO of RooX

RooX emphasizes that the system does not depend on third-party companies and products of other vendors. It is designed with an understanding of the requirements for architecture and scenarios specific to large companies. So, out of the box, integration mechanisms with anti-fraud systems are available, the ability to customize the user UI, including embedding in SPA, integration with mobile applications. There is support for machine-2-machine integration to connect partner services or automated systems of corporate clients. The solution supports the organization model and allows you to manage user access depending on the department or organization to which they belong.

We understand that it is important to maintain continuity in enterprise solutions. Therefore, RooX UIDM provides a variety of mechanisms for working with legacy (legacy) systems for smooth migration to access control based on a single account. added Aleksei Khmelnytsky

RooX UIDM is included in the register of domestic software, an entry in the register No. 10504 of 06.05.2021.

Technical support is carried out in Russia in Russian.

The solution complies with OWASP, NIST, GOST, Central Bank safety standards and ensures proper performance and fault tolerance.