Authenticator

Within the didmos framework Authenticator is the central authentication component. However, it is possible to use Authenticator independently from didmos to secure any application. Authenticator is based on the open source software Satosa specifically adjusted to didmos.

The modular structure of Satosa allows attributes from different sources to be used. This makes it possible to use local accounts as well as common identity providers (IdP) such as the social networks Facebook and Twitter, any IdP of a SAML-based federation or other standard-compliant IdPs. Connecting such IdPs is easily configurable. This function is especially beneficial in federated Identity and Access Management (IAM). On the one hand, there are fewer accounts to manage; on the other hand, users have to remember only one password. Consequently, there are fewer requests to the help desk, which reduces costs in the long run due to the lowered administrative effort.

In addition to authentication by different IdPs, the Authenticator also offers the option of multi-factor authentication (MFA). For this purpose, the open source solution PrivacyIDEA can easily be connected to enable the use of MFA tokens. Naturally, any other customer-specific factors may be implemented.

If users register with credentials from an external IdP, the Authenticator can include users in the identity management through so-called shadow accounts. The authorisations of the users are managed by assigning them to groups or roles, even without using a local login.

As Authenticator supports both relevant SSO protocols, SAML and OIDC, it enables SSO across protocol boundaries. Users who choose to register via OIDC can access SAML applications and vice versa without the need for re-authentication.

Structure and Features

Satosa, and therefore didmos Authenticator, consists of multiple components which are executed consecutively and can be combined individually.

  • Backend Modules: The backend modules represent the interface to the different authentication methods (external IdPs, local login via LDAP, etc.). Individual IdPs can also be connected as long as they are SAML or OIDC compliant. So far the following modules are available:
    • external SAML-IdPs
    • external OIDC OP
    • AD/LDAP-based authentication
    • etc.
  • Micro Services (MS): Using micro services various functions can be implemented. For instance, there are micro services for:
    • didmos-LDAP: when implemented with didmos, a MS can query attributes from the metadirectory, i.e. information about groups or roles for shadow accounts.
    • Attribute Mapping: different IdPs may name the same relevant attribute differently (e.g. name, email address, etc.); a MS can translate and harmonise them.
    • Shadow Accounts: a MS to register users who choose to authenticate using an external IdP.
    • Memory: a MS which remembers a user’s backend selection for preferred authentication method.
    • Any additional MS may be integrated if it is called for.
  • Frontend Modules: frontends are used to connect applications and services to the SSO system. Persistent information of the frontends is saved in a MongoDB database. As of now, applications of the following protocols are supported:
    • SAML
    • OIDC
    • additional protocols are conceivable
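As an added illustration (not code from didmos or Satosa), the following Python model shows how the micro-service chain between backend and frontend processes a login: an attribute-mapping step harmonises backend-specific attribute names into internal ones, and a shadow-account step registers external users keyed by IdP and subject. The attribute map, the internal data record and the in-memory account store are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Constructed attribute map: internal name -> native attribute names per backend type.
# A SAML IdP may send "mail" or its OID form; an OIDC OP sends "email".
ATTRIBUTE_MAP = {
    "mail":        {"saml": ["mail", "urn:oid:0.9.2342.19200300.100.1.3"], "oidc": ["email"]},
    "displayname": {"saml": ["displayName"], "oidc": ["name"]},
}


@dataclass
class InternalData:
    backend: str                  # backend module that authenticated the user (saml/oidc/ldap)
    issuer: str                   # entity ID or issuer URL of the external IdP
    subject: str                  # the IdP's identifier for this user
    attributes: dict = field(default_factory=dict)


def attribute_mapping(data: InternalData) -> InternalData:
    """Harmonise IdP-specific attribute names into the proxy's internal names.
    Unmapped attributes are dropped, so only known attributes travel onward."""
    harmonised = {}
    for internal, native in ATTRIBUTE_MAP.items():
        for name in native.get(data.backend, []):
            if name in data.attributes:
                harmonised[internal] = data.attributes[name]
                break
    data.attributes = harmonised
    return data


# Constructed in-memory store; in didmos the shadow accounts live in the metadirectory.
SHADOW_ACCOUNTS: dict = {}


def shadow_accounts(data: InternalData) -> InternalData:
    """Register first-time external users. The key is (issuer, subject), never the
    e-mail address, so two IdPs asserting the same address cannot share an account."""
    key = (data.issuer, data.subject)
    account = SHADOW_ACCOUNTS.setdefault(
        key, {"uid": f"shadow-{len(SHADOW_ACCOUNTS) + 1}", "groups": []})
    data.attributes["uid"] = account["uid"]
    data.attributes["groups"] = list(account["groups"])   # group/role assignments drive authorisation
    return data


MICRO_SERVICES = [attribute_mapping, shadow_accounts]   # executed consecutively, in this order


def run_pipeline(data: InternalData) -> dict:
    """Run the backend's result through every micro service; the frontend receives the output."""
    for micro_service in MICRO_SERVICES:
        data = micro_service(data)
    return data.attributes
```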