Web Access Manager: Specification

Evidian Web Access Manager is a product in constant functional development. The result of more than 15 years of research and development in the Web SSO domain, it can be adapted to a very broad range of uses. The functionality described here is not exhaustive and changes with each minor or major upgrade. Evidian Web Access Manager is based on the 4A principles: “Authentication, Authorisation, Administration and Auditing”.

Primary authentication methods


Multiple user directories: Supports the simultaneous use of several different types of user directory. Users are identified in their original directory, and their attributes are extracted from it. A consolidation directory is not necessary, as a separate directory can be defined for the users of each organisation. Supports LDAP, Active Directory and AD LDS directories.
Primary authentication: Users are authenticated against the data in their directory. The user may choose the directory (domain), or the choice may be made dynamically by WAM.
Authentication using a form: A customisable authentication form, in the user's language, is available for primary authentication.
Basic authentication: HTTP Basic authentication is supported.
Authentication with an X.509v3 certificate: The X.509v3 certificate presented by the browser is used for authentication. The mapping between the certificate and the user is based on attributes of the user and of the certificate, and is configurable. Certificates held on USB tokens or smart cards attached to the client browser are supported.
Kerberos authentication: Users already authenticated in a Windows domain do not have to authenticate again. Where they have already been authenticated, Kerberos authentication is required. This functionality requires an additional IIS server.
RADIUS authentication: The authentication phase is delegated to an external RADIUS server. The mapping of RADIUS usernames is configurable. OTP tokens and authentication calculators are supported. Evidian Web Access Manager has obtained RSA SecurID certification and is compatible with any authentication solution that supports the RADIUS interface.
Chained authentications: All authentication policies can be chained to build strong multi-step, multi-factor authentication.
Social authentications: The major social networks (Facebook, Twitter, Google+, LinkedIn, Microsoft, etc.) are pre-configured. Whatever the protocol used (OpenID, OpenID Connect, OAuth 2.0), social authentication can be enabled with the information provided by the identity providers. This authentication can be chained, associated with different levels, filtered according to the access network, or offered to users as an authentication choice based on the means of authentication available to them.
Expiration of authentication sessions: When a high-level authentication expires, the authentication session may remain active with the properties of a lower-level authentication policy.
Authentication via SMS or e-mail: An OTP is sent to the user by SMS or e-mail. Web Access Manager relies on external servers reachable through SMS service URLs, or on the enterprise's SMTP servers.
Password grid: Users self-register and, after verification, receive their personal grid by e-mail. They use this grid to solve the challenge displayed by the server during the authentication phase. The response is entered on a matrix whose numbers are placed at random, to counter a possible keylogger on a host the user does not control. This authentication method can be chained to build a multi-stage, multi-factor authentication.
QRentry: QRentry authentication can be shared with E-SSO/Authentication Manager or deployed in Web Access Manager alone. Only enrolled phones can resolve a challenge presented as a QR code. Web Access Manager provides an enrolment interface that can itself be authenticated using SMS authentication or other authentication methods.
CAS server support: Web Access Manager can delegate the authentication phase to CAS (Central Authentication Service) servers that are already deployed. The choice of authentication mechanisms, filtering and multi-level authentication also apply to these forms of external authentication.
Front-end SAML authentication: Front-end tools can perform primary authentication instead of Evidian Web Access Manager and provide proof of authentication in the form of a SAML exchange and a SAML assertion. This applies to Juniper network equipment.
Front-end HTTP header authentication: Front-end tools can perform primary authentication instead of Evidian Web Access Manager and supply the user's identity data in the HTTP headers of each request. Evidian Web Access Manager looks up the user in the user directories, using the header data and the mapping rules for LDAP attributes. The user does not need to be identified again in Evidian Web Access Manager.
SAML “Service Provider” authentication: When Evidian Web Access Manager is configured in “Service Provider” mode, SAML assertions exchanged with an “Identity Provider” from another trusted SAML domain are accepted as proof of authentication.
Custom authentication: A Software Development Kit allows rapid integration of a new authentication method into Evidian Web Access Manager. Guides, tutorials and examples are delivered with the product.
OpenID authentication: Based on the custom authentication SDK; the required pre-configured components are delivered with the product.
OAuth 1.0 authentication: Based on the custom authentication SDK; the required pre-configured components are delivered with the product.
Multiple levels of authentication: Authentication policies can be ranked. Certain URLs or services can be given a higher level of protection and require re-authentication or stronger authentication.
Choosing the authentication method: Users can choose their authentication method from the means of authentication available to them.
Password expiry: The security policy may require periodic renewal of primary passwords and generate on-screen or e-mail alerts when a password is about to expire.
Password strength: The password policy may enforce a configurable level of complexity and verify that old passwords are not reused on renewal.
Session management: Throughout the user's activity, Evidian Web Access Manager manages the user's single session and monitors authentication expiry dates and re-authentication periods, in accordance with the authentication policy.
Disconnecting and closing applications: When the user logs out, the logout URLs of the protected servers are requested, and Evidian Web Access Manager closes the user session.
Daily verification of primary password expiry: At a scheduled time, e-mails can be sent to users before their password expires.

Access control, authorisations, SSO and data input


Access control zone: Each service, gathering a set of URLs from several protected web servers, can be isolated in an access control zone restricted to specific users. By default, two zones are created: the “public” zone, with no authentication, and the “controlled” zone, which gathers all authenticated users. The administrator can create new zones and populate them with groups of users or individual users.
Dynamic user groups: Static groups defined in the user directories can be used to populate access control zones. Dynamic groups represent the list of users who share a set of characteristics or attributes. They are evaluated dynamically and therefore follow changes in users' rights.
Authorisation: Access control is performed on each URL by checking that the user belongs to the security zone and holds the authentication level required to access the service. Authorisations are dynamic and change with the result of evaluating the dynamic groups that form the access zones.
Secondary authentications and Single Sign-On: Secondary authentication data is extracted either from the secondary account bases associated with the application or from the user's primary data. The secondary account bases can be provisioned by I&AM, by importing CSV or LDIF files, or by external applications using a provisioning web service or a Java API. Users can provision their own accounts in their personal administration zone, or on demand when Evidian Web Access Manager requests it.
Secondary authentication using a form: Usernames, passwords and additional data are automatically inserted into the forms of protected applications. WAM detects the forms, completes them without forwarding the passwords to the client browser, and submits them dynamically without user input. Thanks to its HTTP stream analysis engine, Evidian Web Access Manager can handle all kinds of forms, analysing the content of HTML pages and modifying it dynamically where needed. No modification of the protected applications is required.
Secondary HTTP “Basic authentication”: HTTP Basic authentication is detected and completed automatically. Either a secondary account or the primary username is inserted automatically.
Secondary authentication “IIS integrated Windows authentication”: This authentication mode is specific to Microsoft IIS servers and uses strong authentication through Kerberos or NTLMv2. Evidian Web Access Manager automatically detects the type of authentication and the type of protected server, and inserts a secondary or primary account.
Data input: All known user data, whether from personal attributes or from the session context, can be injected into HTTP headers, HTTP requests or the content of the protected server's response. Some of this data can be Base64-encoded, depending on the needs and usage of the application.
Secondary authentication in the HTTP stream: Evidian Web Access Manager can inject data from the secondary account bases into HTTP streams. This makes it possible to manage the authentication mechanisms of certain non-HTML applications, such as Adobe Flash/Flex applications that exchange credentials between the client in the browser and the application server. The same mechanism is used to manage authentication in the Microsoft ActiveSync protocol.
Renewing secondary passwords: The password renewal forms of protected applications are detected. The forms are filled in automatically, and new passwords respecting the secondary password policy (complexity and history) are generated automatically.
Detecting incorrect secondary passwords: After several failed connection attempts to a protected application, secondary bad-password detection prompts the user to perform a self-provisioning action, if this service is enabled.
Using the E-SSO account base: With the Mobile E-SSO option, Evidian Web Access Manager can use the secondary account bases already provisioned by E-SSO. Escrow of the primary passwords makes it possible to inject the primary identifier and its Active Directory password without the user knowing it. For example, the user authenticates with a strong authentication means such as a token, but the primary password is needed to access Outlook Web Access.

User interface, customisation and main APIs


Customisable user interface homepage: The web-based user interface homepage brings together all the services accessible to the user after authentication. These services can be shared across several “portal” or “remote web agent” instances, on one or several machines. All interfaces can be customised to match company branding and partly integrated into the company portal protected by Evidian Web Access Manager. The homepage is natively multilingual and can easily be adapted for display on mobile phones or tablets.
Self-management of user data, multiple accounts and delegation: Through the profile management interface, users can modify their personal information, secondary passwords, lost-password questions and primary password, or choose their secondary passwords and their role for applications with multiple accounts. When the Mobile E-SSO option is available, users can access their delegated accounts and the E-SSO delegation portal.
Self-enrolment for users: Users can self-enrol through the Evidian Web Access Manager portal. They are created dynamically in the user directory and their information is collected. The self-enrolment panels are entirely customisable: the attributes to collect, the look and feel, the directory and the collection branch are all configurable. Thanks to multi-directory management, self-enrolled users can register in a dedicated directory and receive rights different from those of users who are provisioned or already exist in other directories.
Post-authentication API: Modules can be integrated to perform additional processing after authentication and to accept or reject the authentication according to rules specific to the corporate environment.
Post-authorisation API: The authorisation mechanisms can be extended by integrating modules that use logic and mechanisms specific to the corporate environment.
API for managing SSO and identities: APIs make it possible to redirect the various decision points in secondary data injection or in user identity management. All these APIs are documented and illustrated with concrete examples. They open Evidian Web Access Manager up to external mechanisms.

Infrastructure, high availability and load balancing


Reverse proxy: The main components of Evidian Web Access Manager are HTTP/HTTPS reverse proxies. These reverse proxies have advanced capabilities such as URL translation in protocol headers and deep within the exchanged content. Cookies and JavaScript parameters are also processed so as to hide all references to the protected servers. Protected applications sometimes contain absolute or root-relative URLs; these are rewritten correctly as external URLs. Applications do not need to be modified, even if they do not follow modern coding standards. This technology allows elements to be modified, deleted or added in the web pages delivered to client browsers.
User directory: Evidian Web Access Manager is built on the concept of a user multi-directory. It simultaneously uses multiple identity sources spread over several directories. Each directory can be used in high-availability or load-balancing mode if it has replicas or, in the case of Active Directory, several domain controllers.
Compatible with forward proxies: Some protected applications can only be reached through a forward proxy; this is the case for external applications. Evidian Web Access Manager takes forward proxies into account and can inject a primary or secondary authentication if these proxies require authentication.
Front-end reverse proxy: A reverse proxy acting as a WAF (Web Application Firewall) can be positioned in front of Evidian Web Access Manager. With the URL translation engine, URLs are rewritten directly with the external name of this reverse proxy, which relieves that reverse proxy of the task.
Multiple contact points: Deployment on several machines within a single configuration makes it possible to control multiple access points and to meet geographical, organisational or load-balancing constraints.
Resilient architecture: The internal components of Evidian Web Access Manager can be run in several instances, with multiple couplings to E-SSO or I&AM, to ensure load balancing and high availability.
SafeKit option, high availability and load balancing: As an option, SafeKit provides transparent load balancing and high availability for the Evidian Web Access Manager contact points, and high availability for its dedicated configuration directory.
Easier installation and updates: Evidian Web Access Manager is an off-the-shelf product that can be installed on any platform (e.g. Solaris, Linux, Windows) using a simple and rapid graphical interface, or from the command line on machines without a graphical user interface. Updates use the same installer and do not destroy the current configuration. They allow updates and new functionality to be added in accordance with the Evidian support policy. Configurations can be exported and imported, which facilitates the pre-production and post-production phases. Evidian Web Access Manager is independent of the system on which it is installed, requires no additional components, and can be installed on a clean, newly built, virtualised system.