Indeed Access Manager (Indeed AM)

Product
Developers: Indeed, Indeed (formerly Indeed ID)
Date of the premiere of the system: 2008
Last Release Date: 2021/11/10
Technology: Information Security - Authentication,  Information Security - Biometric Identification

Indeed Access Manager (combined several products - Indeed Enterprise Authentication, Indeed Enterprise Single Sign-On, Indeed AirKey)

Indeed Access Manager is a system for centralized control of user access to the company's information resources, which allows you to consolidate the procedures for managing, providing and gaining access to enterprise information systems. Indeed Access Manager consists of a number of software products (components) that share the general principles of organization: architecture, storage, administration, general style of design of the user interface.

2024: TrueConf Server Compatibility

The Russian companies Indeed and TrueConf announced on March 18, 2024 the technological compatibility of their products: the Indeed Access Manager enhanced authentication system and the TrueConf Server corporate communications platform. The integration will help protect data from unauthorized access in the event of user login and password leaks.

Indeed Access Manager implements centralized authentication management policies and various enhanced and multi-factor authentication scenarios for TrueConf login.

The joint use of two Russian systems allows replacing standard authentication with more secure enhanced authentication technology in order to neutralize the threat of gaining access to corporate data, which is possible due to human factors, login and password leaks and other cases leading to access compromise. At the same time, all authentication data is stored in the protected storage of the Indeed AM system.

For enhanced user authentication, many different technologies are used, in particular biometric authentication, push authentication, authentication using hardware, digital certificates or one-time passwords issued by local generators or sent by SMS or e-mail.

"Confirming the technological compatibility of Indeed AM with the TrueConf video conferencing platform is another important step for us. Now we can better meet the needs of organizations that are obliged to use only domestic solutions in their IT perimeter. Integration with TrueConf will ensure reliable access protection and increase information security of Russian companies," said Kirill Michurin, head of the sales group of Indeed.

2021: Compatibility with VeiL virtualization ecosystem products

As part of their technological cooperation, specialists of the Scale Research Institute, which is part of the Avtomatika Concern of the Rostec State Corporation, and representatives of the company Indeed tested the compatibility and correct joint operation of the VeiL virtualization ecosystem software products and the Indeed Access Manager software complex. This was announced on November 10, 2021 by the Avtomatika company. Positive test results will enable market participants to use the companies' joint solutions.

2019: Indeed Access Manager 7.1

Indeed ID released Indeed Access Manager (formerly Indeed Enterprise Authentication) 7.1 on March 19, 2019.

Capabilities of Indeed Access Manager in version 7.1:

Authentication using a mobile application and push notifications based on the Indeed AirKey Cloud product

Indeed AM was integrated with Indeed AirKey Cloud, a client-server platform whose client is a smartphone application for the iOS and Android operating systems. To switch to this technology, you need to deploy the Indeed AKC server, install the Indeed AirKey Cloud Provider on the Indeed AM server and install the mobile application. During authentication, a push notification appears on the device.

When you click on the notification, you will be taken to the Indeed AirKey application, where additional information and buttons will be displayed to confirm or deny the authentication request.

Indeed ID claims that the technology is a secure replacement for SMS. Unlike SMS messages, where information is transmitted in an unprotected form, in Indeed AirKey Cloud all data transmitted to the user's smartphone is encrypted using asymmetric cryptography, which guarantees the ability to view data only on the device for which it is intended.

Hardware TOTP Provider

Added support for hardware TOTP tokens. Such tokens are available, for example, in the eToken PASS line.

The following algorithms are supported:

  • HMACSHA1
  • HMACSHA256
  • HMACSHA512
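The server-side check for such tokens, as an added example (not Indeed AM code): an RFC 6238 TOTP verifier covering the three listed HMAC algorithms, with a clock-drift window and rejection of replayed codes. The class and parameter names, the window of one time step either side, and the sample secrets (the published RFC 6238 test seeds) are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Algorithm names as listed on the page, mapped to hashlib constructors.
ALGORITHMS = {
    "HMACSHA1": hashlib.sha1,
    "HMACSHA256": hashlib.sha256,
    "HMACSHA512": hashlib.sha512,
}


def totp(secret: bytes, unix_time: int, algorithm: str = "HMACSHA1",
         digits: int = 6, step: int = 30) -> str:
    """Return the RFC 6238 code for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Per-token state: accepts a code once, within +/- `window` time steps."""

    def __init__(self, secret: bytes, algorithm: str = "HMACSHA1",
                 digits: int = 6, step: int = 30, window: int = 1):
        if algorithm not in ALGORITHMS:
            raise ValueError("unsupported algorithm: " + algorithm)
        self.secret = secret
        self.algorithm = algorithm
        self.digits = digits
        self.step = step
        self.window = window
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        matched = None
        # Hardware token clocks drift, so neighbouring steps are checked too.
        # Every candidate is evaluated so timing does not reveal which matched.
        for counter in range(current - self.window, current + self.window + 1):
            if counter < 0:
                continue
            expected = totp(self.secret, counter * self.step,
                            self.algorithm, self.digits, self.step)
            same = hmac.compare_digest(expected.encode(), code.encode())
            if same and matched is None:
                matched = counter
        # A code from an already accepted (or older) step is a replay.
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed sample: RFC 6238 test seed for SHA-1, 8-digit codes.
    seed = b"12345678901234567890"
    verifier = TotpVerifier(seed, "HMACSHA1", digits=8)
    code = totp(seed, 59, "HMACSHA1", digits=8)
    print(code, verifier.verify(code, 59), verifier.verify(code, 59))
```

The stored `last_counter` is what prevents a code observed during one login from being accepted a second time inside the drift window.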

Using Indeed SAML IdP for Authentication in Administration Console and Indeed AM User Self-Service

Along with Windows authentication in Indeed Enterprise Management Console and Indeed Self Service, it became possible to authenticate via Indeed SAML IdP.

According to the developer, the advantages of the technology are:

  • authentication using any authentication methods supported in AM 7.1
  • ability to request multiple authenticators from the user at the same time
  • support for scenarios outside the Active Directory domain

Among other changes, Indeed ID highlighted:

  • Separate web application for Self Service for publishing outside the corporate infrastructure over the Internet
  • Unification of SAML IdP and IIS Extension authentication page design

2018

Tasks to be solved and basic description of the functionality of Indeed Access Manager

  • Replacing Passwords with Biometric Employee Authentication - Windows Access and Business Applications
  • Single point of access to your company's IT systems - Enterprise SSO and two-factor authentication
  • Protection of published enterprise applications - two-factor authentication and one-time passwords in VDI, VPN and Web applications
  • Using RFID Cards to Access Information Systems
  • Two-factor smart card authentication in OS and applications
  • Meet PCI DSS user authentication requirements

Supported Authentication Technologies

The system supports more than 20 access technologies, including:

  • Smart cards and USB keys from any manufacturer
  • Biometrics: fingerprint, palm vein pattern, 3D face image
  • RFID cards: Mifare, EM Marin, HID Prox, HID iClass
  • One-time passwords: OATH TOTP/HOTP, SMS, OTP keychain, smartphone application

All supported technologies can be combined. For example, you can authenticate users by fingerprint and contactless card, smart card and OTP, etc.

Application Area

From the moment an employee is hired, he begins to interact with information stored and processed in various IT systems. Each system creates an account and determines the rights and password. The employee is given a pass to enter the building, the work time is determined, the office and computer are allocated. Every day, an employee gets access to company data, moves around the office, works from home, flies on business trips. Career advancement and the emergence of new duties require constant modification of rights, and dismissal requires instant blocking of the access profile and deletion of credentials. In organizations where hundreds, thousands or tens of thousands of employees work, it is impossible to effectively manage the listed processes without using special tools.

The product line of Indeed AM allows you to partially or completely automate many of the listed operations, reduce their execution time, avoid downtime and simplify the work of each category of users. The presence of an independent central event log helps with incident analysis and information collection. The integration of the solution with third-party systems allows you to gain additional return on investment, achieve seamless and continuous operations.


Indeed AM includes a number of components that allow you to consolidate the procedures for managing, providing and gaining access to information systems within a single complex.

Currently, manual password entry is used in 90% of systems, which poses a threat to the information security of companies. The Indeed AM complex is based on authentication technology, which allows you to abandon the use of passwords in the corporate environment. No matter where an ordinary user gets access: Active Directory resources, corporate portal, mail system or remote desktop of the terminal server, Indeed AM saves employees from remembering, changing and tedious password entry. To authenticate its users, the complex provides support for a range of modern technologies, most of which are included in the minimum package.

Account management, modification of access rights, reset of forgotten passwords, restriction of access when special conditions arise, issuance or suspension of certificates: this is a list of operations, most of which are amenable to full or partial automation. Thus, companies today can begin to cut their costs.

Indeed Enterprise Authentication 7.0 (22.08.2018)

The company has completed work on a new version of Indeed Enterprise Authentication. Despite being numbered 7.0, the version is technically a brand new product.

The server is an ASP.NET application deployed on an IIS web server; multiple servers can be combined into farms to provide the required level of performance and fault tolerance.

Active Directory and MS SQL systems can be used as the storage. The data in the storage is encrypted and can be edited only through the Indeed EA server.

The user directory is an external database with respect to the product in which the user information is stored. The Active Directory system is supported as a user directory in release 7.0, and in the future various DBMS, LDAP directory and other systems will be supported. Multiple user directories can be connected to the solution at the same time.

The log server is used to log and audit all events of the Indeed EA system. Events can be stored in the DBMS, in the Windows Event Log, or in the syslog format. The log server is an ASP.NET application; several log servers can be installed and combined into a farm.

The Administrator Web Console was introduced earlier as an interface for managing licenses, user profiles and log browsing. The new release adds a user self-service.

The integration modules are responsible for embedding the solution in the authentication process in the target application or protocol.

Added a support module for the international authentication standard SAML 2.0 (Security Assertion Markup Language).

Added centralized token management functionality (registration, release, recall, blocking, resynchronization, etc.).

2017

Indeed Enterprise Single Sign-On (Indeed Enterprise SSO)

A system for centralized control of user access to the company's information resources. Indeed Enterprise SSO implements the enterprise-wide Single Sign-On approach. The system centrally stores user passwords for all applications that require authentication and automatically substitutes them when the application requires it, thus saving employees from remembering and storing passwords in secret, from manually entering passwords from the keyboard, and from periodically changing passwords according to password security policies.


Tasks to be solved

  • strict and enhanced authentication when accessing applications
  • end-to-end authentication in applications
  • strict and end-to-end authentication in terminal mode applications (Remote Desktop, VDI, Citrix)
  • Logging Administrator and User Actions

Application platforms supported

The system can be used to organize access to both boxed applications and custom-designed applications. The following platforms are supported:

Supported Authentication Technologies

The system supports more than 20 authentication technologies, including:

In this case, all supported technologies can be combined with each other, for example, you can authenticate users by fingerprint and contactless card, smart card and OTP, etc.


The implementation of the Indeed-Id program allows the company to build an effective user account management system that is convenient for both ordinary employees and administrators and security specialists.

System users do not have to remember many passwords made up of a number of characters. Administrators get convenient mechanisms for configuring access levels for different categories of users. And the security service will be able to control the actions of employees and, in case of registration of violations, successfully find their cause and culprit.

The company offers more than 20 ways to identify users. These include working with one-time passwords, biometric fingerprint authentication, access to the system by card. If enhanced access control is required, the company's specialists will offer one of the methods for multifactorial verification of users before logging in. For example, combining a one-time password with a smart card.

A one-time password must be generated using a well-known scheme of characters that appear on the screen. The characters are updated each time, but the principle of compiling a password from them remains the same. Therefore, third-party users cannot find the key to logging in, and it is not difficult for company users to work according to such a simple scheme. The access card assumes the presence of a card reader that reads information from it and passes the user into the database. A more expensive but also more reliable method of authentication is fingerprint access. It ensures that only a user of a particular computer can log into its system, since the fingerprint cannot be transferred to another person or accidentally lost.

The system centrally stores user passwords for all applications (requiring authentication) and automatically substitutes them when the application requires it. Indeed-Id Enterprise SSO technology is applicable to any type of application (Windows, Java, web), regardless of architecture: single-tier, two-tier, three-tier, "thick" client, "thin" client, terminal applications.

Indeed-Id Enterprise SSO saves employees from remembering and storing passwords in secret, from manually entering passwords from the keyboard, and from periodically changing passwords according to password security policies.

The system consists of server and client components. The server provides centralized management of all user credentials and authenticators. The client part is installed on each workstation. The client component (agent) intercepts the user's access to resources, inviting him to go through a universal authentication procedure. If the procedure is successful and the user is allowed access, the agent passes the login and password to the requested resource.

One of the ways to transfer the login and password is to automatically fill in the required fields and forms in the application dialog. This approach allows you to use Indeed-Id to access almost any application.

Integration with Solar inRights and Indeed Card Management

On August 9, Solar Security and Indeed Identity announced the development of a joint integration solution that combines the capabilities of the Solar inRights IGA platform (Identity Governance and Administration), the Indeed Enterprise SSO single sign-on system and the Indeed Card Management public key infrastructure management system. The solution improves information security and saves human resources in the company by automating processes related to granting access rights and managing the user password lifecycle.

2016

Indeed Enterprise Authentication 5.4

On March 2, 2016, Indeed ID announced the release of a version of the Indeed Enterprise Authentication and Indeed Enterprise SSO information resource access control systems. The new edition of Indeed EA/ESSO 5.4 introduces a number of new features and capabilities.

Indeed Enterprise Authentication General Component Diagram (2015)

The distributions include the Indeed Enterprise Management Console (Indeed EMC) tool for centralized administration of Indeed ID systems, which provides the administrator with a complete set of tools for managing system parameters and users. The tool is implemented as a web application deployed on the Microsoft web server (IIS) and does not require installation at each administrator workplace. Indeed EMC enhances ESSO management by enabling changes to individual user data from role accounts. All information about users of the system is combined into profiles that group authenticators according to the login method, and Single Sign-On accounts according to the user's membership in a role.

The ability to use the Indeed EA and Indeed ESSO systems in employee replacement mode has been added. In the event of a temporary absence of the user (sick leave, leave, etc.), the administrator can give a deputy access to the credentials of the absent employee for a limited period. The authenticators and passwords of the absent employee remain unknown to the deputy. The deputy accesses IT resources using the authenticators registered to him in the system. The event log records a delegated logon event. When the replacement period expires, the deputy can no longer access the account data of the absent employee.

To provide access to IT resources exclusively using strong authentication technologies, it is possible to exclude a password from the list of logon methods for certain workstations.

The programming interface for automating Indeed ESSO user profile management operations, implemented as scripts executed in the Microsoft Windows PowerShell environment, has been significantly expanded.

In addition, the version expands the capabilities of personalizing the user interface of the system, adds the ability to determine the priority of searching for Indeed servers outside the site, optimizes the algorithm for checking the availability of storage for Indeed servers, optimizes the compression of SSO data during storage and transmission over the network.

Indeed ID Enterprise SSO 5.4

On March 2, 2016, Indeed ID announced the release of version 5.4 of the Indeed Enterprise SSO system and of the Indeed Enterprise Authentication system for controlling access to information resources.

Screenshot of the application window (2015)

The distributions include the new Indeed Enterprise Management Console (Indeed EMC) for centralized administration of Indeed ID systems, which provides the administrator with a complete set of tools for managing system parameters and users. The tool is implemented as a web application deployed on the Microsoft web server (IIS) and does not require installation at each administrator workplace. Indeed EMC enhances ESSO management by enabling changes to individual user data from role accounts. All information about users of the system is combined into profiles that group authenticators according to the login method, and Single Sign-On accounts according to the user's membership in a role.

The ability to use the Indeed EA and Indeed ESSO systems in employee replacement mode has been added. In the event of a temporary absence of the user (sick leave, leave, etc.), the administrator can give a deputy access to the credentials of the absent employee for a limited period. The authenticators and passwords of the absent employee remain unknown to the deputy. The deputy accesses IT resources using the authenticators registered to him in the system. The event log records a delegated logon event. When the replacement period expires, the deputy can no longer access the account data of the absent employee.

To provide access to IT resources exclusively using strong authentication technologies, it is possible to exclude a password from the list of logon methods for certain workstations.

The programming interface for automating Indeed ESSO user profile management operations, implemented as scripts executed in the Microsoft Windows PowerShell environment, has been significantly expanded.

The possibilities of personalizing the user interface of the system have been expanded, the ability to determine the priority of searching for Indeed servers outside the site has been added, the algorithm for checking the availability of storage for Indeed servers has been optimized, and SSO data compression during storage and transmission over the network has been optimized.

2015

Indeed Enterprise AirKey

On December 16, 2015, Indeed ID developed Indeed Enterprise AirKey network virtual smart card technology for data protection. The card emulates the behavior of hardware key media and allows the execution of operations available to its physical counterparts.

In companies with a deployed PKI infrastructure, an employee smart card is a personal key for protecting and accessing data. The hardware component of such a means of protection, being lost or damaged, can become a "weak link" when used within the PKI infrastructure. The Indeed Enterprise AirKey network virtual smart card technology helps to eliminate this factor and eliminate its shortcomings.

Indeed AirKey Enterprise Presentation (2015)


Indeed Enterprise AirKey emulates the behavior of a physical smart card and allows you to perform the full range of operations and user scenarios available to hardware key media: electronic digital signature, data decryption, two-factor user authentication, Single Sign-On access.

The developed technology defines a virtual smart card in several ways. In one case, the physical medium is replaced by a special storage of keys and digital certificates on the system server, in the other, the smartphone with the AirKey application installed on it becomes the personal key carrier.

The Indeed Enterprise AirKey virtual smart card works in accordance with standard protocols, interfaces and mechanisms of the PKI infrastructure. Like conventional cryptographic key media, the virtual smart card uses the PKCS#11 standard and the Microsoft CryptoAPI interface to perform cryptographic operations.

In this case, private encryption keys are not transmitted to the user's PC. Depending on the implementation of the virtual smart card technology, the keys are stored either in encrypted form in the database on the system server, or in the secure memory of the smartphone and cryptographic operations are performed on the system server or the user's smartphone. With this approach, neither malware at the employee's workplace nor an attacker can compromise private keys.

To ensure security, communication channels between all elements of the system (server, PC and/or user's smartphone) are encrypted using asymmetric encryption algorithms over the TLS protocol. The finished result of the cryptographic operation is delivered to the user's PC.

"Conveniently, the delivery of the virtual smart card itself to the user's computer is carried out remotely, without requiring a personal visit of an employee to the system operator. For information security specialists, in addition, the procedure for removing a card from the system is significantly simplified: to stop using it, the administrator only needs to perform a remote recall of the smart card with the destruction of private keys," said Pavel Konyukhov, Technical Director of Indeed ID.

For the operating system of the computer and the target applications with which the user works, the virtual smart card is indistinguishable from its physical counterpart. Excluding the user-side hardware component from the PKI infrastructure, the Indeed Enterprise AirKey virtual smart card allows you to make this process continuous.

Indeed AirKey

Indeed AirKey is an application for iPhone that programmatically emulates the behavior of a plastic smart card and thus allows you to use a smartphone to store keys and digital certificates, perform strict two-factor authentication and create enhanced electronic signatures of documents.

Tasks to be solved

Advantages of the Indeed AirKey Digital Smart Card over Plastic Counterparts

Indeed AirKey Digital Smart Card has significant advantages over traditional plastic smart cards:

  • no costs for the purchase, maintenance and replacement of plastic smart cards, readers, USB tokens;
  • unlike the issued plastic smart card, the iPhone is a user's personal device that is not forgotten at work, is not handed over to colleagues, is not borrowed for vacation;
  • Wireless connection to a personal computer, laptop, or tablet: no USB port required; the device retains the standard dimensions, standard weight and the usual level of comfort (usability);
  • convenient graphical interface, familiar gesture control;
  • iPhone CPU performance is sufficient to allow fast encryption of large amounts of data without transferring the encryption key to the PC side;
  • visualization of data on the iPhone screen before executing an electronic digital signature;
  • Direct IP connection of the digital smart card to web resources: there is no need to install a driver, runtime or browser plugin on the computer;
  • Push notification of the user (the use of a smart card in this mode allows you to confirm transactions on the go, in response to a request from the information system or another user).

The application is available in two editions:

  • Indeed AirKey - digital smart card with support for RSA, SHA-1 and AES algorithms
  • CryptoPro AirKey - digital smart card with support for algorithms GOST R 34.10-2001, GOST R 34.11-94, GOST 28147-89, RSA, SHA-1 and AES

Problems to be solved and basic description of the Indeed-ID IAM function

  • strict and enhanced PC access authentication
  • strict and enhanced authentication in terminal mode of operation (Remote Desktop, VDI, Citrix)
  • enhanced authentication in Outlook Web Access
  • enhanced authentication on RADIUS server
  • Logging Administrator and User Actions

Supported Authentication Technologies

The system supports more than 20 access technologies, including:

All supported technologies can be combined. For example, you can authenticate users by fingerprint and contactless card, smart card and OTP, etc.

Application Area

From the moment an employee is hired, he begins to interact with information stored and processed in various IT systems. Each system creates an account and determines the rights and password. The employee is given a pass to enter the building, the work time is determined, the office and computer are allocated. Every day, an employee gets access to company data, moves around the office, works from home, flies on business trips. Career advancement and the emergence of new duties require constant modification of rights, and dismissal requires instant blocking of the access profile and deletion of credentials. In organizations where hundreds, thousands or tens of thousands of employees work, it is impossible to effectively manage the listed processes without using special tools.

The Indeed-Id IAM product line allows you to partially or completely automate many of the listed operations, reduce their execution time, avoid downtime and simplify the work of each category of users. The presence of an independent central event log helps with incident analysis and information collection. The integration of the solution with third-party systems allows you to gain additional return on investment, achieve seamless and continuous operations.


Indeed-ID IAM includes a number of components that allow you to consolidate the procedures for managing, providing and gaining access to information systems within a single complex. The solution includes: Indeed-ID Logon for Windows, Indeed-ID ESSO, Indeed-ID Rules System, Indeed-ID IDM, Indeed-ID Integration Pack. The combination of these components in a single ensemble, as well as integration with third-party systems, allows you to achieve optimal results in creating seamless access control procedures and user credentials.

Manual password entry is used in 90% of systems, which poses a threat to the information security of companies. The Indeed-ID IAM complex is based on the Indeed-ID authentication technology, which allows you to abandon the use of passwords in the corporate environment. No matter where an ordinary user gets access: Active Directory resources, corporate portal, mail system or remote desktop of the terminal server, Indeed-ID IAM saves employees from remembering, changing and tedious password entry. To authenticate its users, the complex provides support for a range of modern technologies, most of which are included in the minimum package.

Account management, modification of access rights, reset of forgotten passwords, restriction of access when special conditions arise, issuance or suspension of certificates: this is a list of operations, most of which are amenable to full or partial automation. Thus, companies today can begin to cut their costs.

2011

AGSES, a supplier of software and hardware products that provide unconditional biometric authentication, and Indeed entered into a technological partnership agreement in September 2011, under which Indeed integrates AGSES unconditional authentication technology into its proprietary products under the Indeed-Id brand.

The integration is expected to allow the use of AGSES-based multifactor biometric authentication in the tasks of centralized management and providing users with access to information resources solved by the Indeed-Id line of software products.

AGSES technology is a breakthrough in ensuring the security of access to information and confirmation of operations, Indeed said in a statement. The AGSES card stores the identity identifier of the owner in the form of fingerprint models, which allows it to be considered an electronic analogue of a person's passport. At the same time, the personal characteristics of the user are not transferred anywhere. Access to information systems is carried out by confirming the fingerprint of the owner.