Authentication

Updated: Sept 05, 2019

Fortanix SDKMS provides access to its functions and APIs to two types of entities: humans (users) and machines (applications). There are many ways to authenticate to SDKMS for both users and applications, which vary in ease of use, integration with existing enterprise IAM (Identity and Access Management) systems, and level of security. Once an entity is authenticated, an access control mechanism determines which entity is authorized to perform which function under what conditions.

User Authentication Using Password

The following forms of password-based authentication are supported for users:

Username and password stored in SDKMS

This is done using the “log in without SSO” option.

  1. In the SDKMS login screen, select the option “LOG IN WITHOUT SSO”.

Figure 1: Login Without SSO

  2. Enter your password, and then click LOG IN.

Figure 2: Enter Password

Username and password stored in SDKMS along with second factor authentication

A U2F (Universal 2nd Factor) device, such as a YubiKey or a Google Titan Key, can be added as a second factor. To configure this, follow the steps below:

  1. Click My profile to go to your profile settings.

Figure 3: Profile Settings

  2. In the option for Two-step Authentication, click ENABLE to enable two-factor authentication.

Figure 4: Enable 2-Step Authentication

User Authentication Using SSO - Configuration

SDKMS accounts can be integrated with third-party Single Sign-On (SSO) providers. When an account is configured for SSO, users in that account will be able to login with their SSO credentials.

To setup SSO for your account:

  1. Log in as administrator, click the Settings icon in the SDKMS UI, and then click the AUTHENTICATION tab in the Account Settings page.
  2. Select SINGLE SIGN-ON, and then add the desired SSO mechanism and provide the required configuration values.

Warning: Administrator lock-out: If the SSO mechanism is mis-configured, you will not be able to log in to your account. When updating the SSO configuration, make sure to select the Account administrators can log in with password option. This way, account administrators can continue to log in with a password and access the account.

Currently, the following SSO mechanism is available for users:

SSO using a third-party identity provider

The following protocols are supported: 

  • SAMLv2
  • OAuth / Open ID Connect
  • LDAP

SAMLv2

To configure user authentication using SAML, follow the steps below:

  1. In the Authentication page, select ADD SAML INTEGRATION to configure SAML.

Figure 5: Add SAML Integration

  2. In the Add SAML Integration form, click UPLOAD A FILE to upload the configuration file (IdP metadata XML file), and then click ADD INTEGRATION to complete the SAML configuration for user authentication.

Figure 6: Add SAML Integration

For more information on SAML provider configuration, refer to User Guide: Single Sign-On.

OAuth / OpenID Connect

To configure user authentication using OAuth, follow the steps below:

  1. In the Authentication page, click ADD OAUTH INTEGRATION to configure OAuth.

Figure 7: Add OAuth Integration

  2. In the Add OAuth Integration form, add all the required details about the OAuth provider, and then click ADD INTEGRATION to complete the OAuth configuration for user authentication.

Figure 8: Add OAuth Integration

For more information on OAuth / OpenID Connect provider configuration, refer to User Guide: Single Sign-On.

LDAP

To configure user authentication using LDAP, follow the steps below:

  1. In the Authentication page, click ADD LDAP INTEGRATION to configure LDAP.

Figure 9: Add LDAP Integration

  2. In the Add LDAP Integration form, add all the required details about the LDAP provider, and then click ADD INTEGRATION to complete the LDAP configuration for user authentication.

Figure 10: Add LDAP Integration

For more information on LDAP authentication, refer to User Guide: Single Sign-On.

User Authentication Using SSO - Usage

Once the configuration steps for user authentication using SSO are complete, the user can test the various authentication mechanisms using the LOG IN WITH SSO option in the SDKMS login screen. The user is then presented with all the SSO authentication mechanisms that were configured for logging in to SDKMS.

Figure 11: User Authentication

Multiple Accounts: Different accounts might have different SSO providers. A user can be in multiple accounts with different SSO providers. In these scenarios, the user will need to select which SSO provider to use during the login process. When switching accounts, a user might need to re-authenticate to satisfy the new account’s authentication requirements.

Application Authentication

Currently, four authentication methods are supported for applications:

Figure 12: Application Authorization

Using a system generated API Key

When you create an application in SDKMS, a system-generated API key is used to authenticate it. You can copy this API key using the COPY API KEY button for the application.

Figure 13: Copy API Key

Using a client TLS certificate

You can also use a TLS certificate to authenticate your application in SDKMS. To do this, select the Certificate option as the authentication method, and then upload a certificate using the UPLOAD CERTIFICATE button when you create a new application.

Figure 14: Upload Certificate

“Trusted CA” or using a client TLS certificate issued by a trusted root CA

You can also authenticate your application with a client TLS certificate that is issued by a trusted root CA. In this mode, SDKMS is given the CA certificate rather than the application's own certificate. To do this, select the Trusted CA option as the authentication method, and then upload the trusted CA certificate using the UPLOAD CERTIFICATE button when you create a new application.

Figure 15: Upload Trusted CA Certificate
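To make the difference between the two certificate-based application methods concrete, here is an added example that is not Fortanix's code and does not show how SDKMS implements these checks internally. It models both with openssl on locally generated throwaway certificates: a pinned-certificate check that accepts only the exact uploaded client certificate (the "client TLS certificate" option), and a trusted-CA check that accepts any certificate chaining to the uploaded CA (the "Trusted CA" option). All names (Example Trusted CA, app-a, app-b, rogue) are constructed, and the script needs only a POSIX shell and the openssl command.

```shell
#!/bin/sh
# Added example (not Fortanix's code): contrast the two certificate-based
# application credentials by modelling each check with openssl.
#   pinned    - the exact uploaded certificate is the application identity
#   trustedca - any certificate that chains to the uploaded CA is accepted
# Everything is generated locally in a temp directory; no SDKMS is contacted.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the script does not depend on the system one.
# The v3_ca section marks the throwaway CA as a CA (needed for chain checks).
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed throwaway CA (assumed name, not a real authority).
openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
  -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Trusted CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

issue_leaf() {  # $1 = common name, $2 = output basename; signs with the CA
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}
issue_leaf app-a app_a   # the certificate an admin would upload for the app
issue_leaf app-b app_b   # another cert from the same CA, never uploaded

# A self-signed certificate that does not chain to the CA at all.
openssl req -x509 -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
  -days 1 -subj "/CN=rogue" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1

fingerprint() {  # SHA-256 fingerprint of a PEM certificate, hex only
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Mode 1: pinned certificate. Only the uploaded certificate itself passes.
PINNED=$(fingerprint "$WORK/app_a.pem")
pinned_cert_accepts() {  # exit 0 if the presented cert is the pinned one
  [ "$(fingerprint "$1")" = "$PINNED" ]
}

# Mode 2: Trusted CA. Anything that verifies against ca.pem passes.
trusted_ca_accepts() {  # exit 0 if the presented cert chains to the CA
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# check MODE CERT -> prints yes/no; MODE is pinned|trustedca,
# CERT is app_a|app_b|rogue.
check() {
  case "$1" in
    pinned)    pinned_cert_accepts "$WORK/$2.pem" && echo yes || echo no ;;
    trustedca) trusted_ca_accepts  "$WORK/$2.pem" && echo yes || echo no ;;
    *)         echo unknown ;;
  esac
}

for mode in pinned trustedca; do
  for cert in app_a app_b rogue; do
    printf '%-9s %-6s -> %s\n' "$mode" "$cert" "$(check "$mode" "$cert")"
  done
done
```

Run it with sh. The table it prints shows that the pinned mode accepts only app_a, while the trusted-CA mode also accepts app_b, which was never uploaded; neither accepts the self-signed rogue certificate. That is the operational point of the Trusted CA option: every certificate the CA issues becomes a valid credential for that application, so issuance from that CA needs to be controlled as tightly as the API keys themselves.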

Google Service Account Identifier

A Google Service Account Identifier is used by a service account in Google Cloud to reach SDKMS through the external KMS interface of GCP KMS.