Web Access Manager: Specification (2/2)
Evidian Web Access Manager is a product under constant functional development. The result of more than 15 years of research and development in the Web SSO domain, it can be adapted to a very broad range of uses. The functionality described here is not exhaustive and changes with each minor or major release.
Evidian Web Access Manager is based on the 4A principles: Authentication, Authorisation, Administration and Auditing.
Encryption and PKI

| Feature | Description |
|---|---|
| AES | Sensitive configuration data, secondary authentication data and the certificate store are AES-encrypted in secure containers. |
| SSL/TLS encryption | All HTTP and LDAP connections can be secured with HTTPS and LDAPS. For additional security you can restrict the accepted cipher suites to strong algorithms only. Evidian Web Access Manager supports X.509v3 wildcard certificates to protect a set of servers. |
| Verifying certificates of protected servers | The certificates presented by protected servers can be validated strictly, or validation can be relaxed, for example when a server uses self-signed certificates not issued by a certification authority. |
| CRLs | Certificate revocation is checked against the certification authorities' CRLs, downloaded over HTTP or LDAP, or through OCSP. |
| PKI ready | Both for its own server certificates and for checking client certificates, Evidian Web Access Manager accepts certificates issued by certification authorities and can generate certificate requests for PKIs. |
| Verifying certificates daily | Every night, or at any scheduled time, the certificates held in the Evidian Web Access Manager configuration are checked, and email alerts are sent when a certificate is about to expire. |
Audit and log

| Feature | Description |
|---|---|
| Complete log | All user activity is recorded in log files. Each URL is saved together with the information on the user, their authentication method, the services accessed and any error codes received. The size of the files, the period covered by each file and the number of files to retain are configurable. All failed authentication attempts and any protocol errors are also archived. The log files can be used directly with tools that process files in the W3C Extended Log File Format. |
| Centralised audit and unique username | Evidian Web Access Manager generates audit events for primary and secondary authentications, the input of secondary data and failed authentication attempts. These events are centralised for consolidation through a link to Evidian IGA or Evidian E-SSO. A unique username extracted from the user directory can be used instead of the user's primary identity as the username in these events; this choice facilitates consolidation according to your governance rules and compliance with local legislation on the anonymisation of consolidated data. Like all Evidian Web Access Manager components, the centralised audit mechanism relies on high availability and load balancing, and if all the centralisation links are cut off, events are saved locally and recovered without loss. |
| Diagnostic tools and updates | A set of commands for analysing connections, together with tracing, backup and capture tools, is provided with the product and fully documented. If necessary, our Evidian Service Professional experts can diagnose, analyse and improve your configuration based on a screenshot, and support you with its deployment. |
| Analytics & Intelligence | With its audit analysis functionality, Evidian Analytics and Intelligence brings audit data into your daily operations. Through a business-oriented interface, Evidian A&I lets you track audit events and find the root cause of practices you would consider abnormal or outside the normal use of the Identity and Access Management system. |
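As an added example (not Evidian's code), the following Python parses W3C Extended Log File Format entries of the kind the "Complete log" row describes and flags users with repeated failed authentications. The field names and the sample lines are constructed for illustration; the page does not list WAM's actual log fields.

```python
"""Parse W3C Extended Log File Format lines and flag repeated auth failures."""
from collections import Counter, defaultdict

# Constructed sample log (W3C ELF directives followed by entries). The field
# names are assumed for illustration; WAM's real field list is not on the page.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status x-auth-method
2024-05-01 08:00:01 10.0.0.5 alice GET /intranet/home 200 password
2024-05-01 08:00:07 10.0.0.9 bob GET /intranet/home 401 password
2024-05-01 08:00:12 10.0.0.9 bob GET /intranet/home 401 password
2024-05-01 08:00:20 10.0.0.9 bob GET /intranet/home 401 password
2024-05-01 08:01:02 10.0.0.5 alice GET /hr/payslip 403 password
"""


def parse_w3c_elf(text):
    """Yield one dict per entry; the '#Fields:' directive names the columns."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives (#Version, #Date, ...) carry no entry
        if fields is None:
            raise ValueError("log entry found before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def failed_auth_by_user(text, threshold=3):
    """Return users with at least `threshold` HTTP 401 responses (failed auth)."""
    counts = Counter(e["cs-username"] for e in parse_w3c_elf(text)
                     if e["sc-status"] == "401")
    return {user: n for user, n in counts.items() if n >= threshold}


def status_summary(text):
    """Map each user to the count of every status code they received."""
    summary = defaultdict(Counter)
    for entry in parse_w3c_elf(text):
        summary[entry["cs-username"]][entry["sc-status"]] += 1
    return {user: dict(c) for user, c in summary.items()}
```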
Administration and configuration

| Feature | Description |
|---|---|
| Universal administration console | The administration console is accessed through a web browser. It allows you to configure, operate and administer all the contact points under its control, bringing every administration operation together in a single point. It also allows the logs, and the error messages produced at the contact points, to be consulted remotely. |
| Administration API | Administration operations are also accessible through an API, so that they can be integrated into the company's environment. |
| Configuration management | The Evidian Web Access Manager configuration is stored in a dedicated LDAP directory, which may use replication mechanisms or the SafeKit option for high availability. Because the configuration contains all the necessary information, it can be exported or backed up from its directory and imported into another directory. |
| Daily saving of the configuration | Every night, or at any scheduled time, the configuration is backed up and retained for a configurable rolling period. |
Federation and the cloud

| Feature | Description |
|---|---|
| SAML 2.0: service provider and identity provider | Evidian Web Access Manager supports SAML 2.0 as a Service Provider or an Identity Provider. All applications protected by Web Access Manager can become protected resources accessible to other trusted SAML domains. Conversely, resources external to the enterprise become accessible while relying on the enterprise's own authentication mechanisms: Web Access Manager acts as an Identity Provider for the trusted external domains. This is the relationship used to access Salesforce or Google Apps while authenticating users with the enterprise's means. Being a service or identity provider lets you keep control of access between trusted domains, partners, affiliates or the cloud. |
| Protecting private clouds | The capabilities of Evidian Web Access Manager make deploying private clouds easier. WAM protects the web interfaces used for administration or for user connections to applications such as VMware vCloud Director; it raises the authentication level and provides features to configure the security of new organizations. The same identity sources can then be used for internal web applications and for access to private cloud features. |
| OpenID Connect authentication / OAuth 2.0 | Evidian Web Access Manager supports OpenID Connect as a Service Provider or an Identity Provider. |
| Cloud Access Management, Web Access Management | A single Evidian Web Access Manager instance manages access to internal and external applications consistently and controls access to cloud applications. Cloud Access Management is therefore simplified and centrally administered. |