Web Access Manager : Specification (1/2)

Evidian Web Access Manager is a product in constant functional development. The result of more than 15 years of research and development in the Web SSO domain, it can be adapted for a very broad range of uses. The functionality described here is not exhaustive and changes with each minor or major upgrade. Evidian Web Access Manager is based on the 4A principles, "Authentication, Authorisation, Administration and Auditing"

Primary authentication methods

For more information, if you are partners, click here

Multiple user directories Supports the simultaneous use of several different types of user directories. Users are identified in their original directory, and their attributes are extracted from this directory. The use of a consolidation directory is not necessary, as a directory can be defined for the users of different organisations. Supports LDAP, Active Directory and ADLDS directories.
Primary authentication Users are authenticated based on the data in their directory. The user may have the choice of directory (domain) or the choice may be made dynamically by WAM.
Authentication using a form A customisable authentication form, in the language of the user, is available for primary authentication.
Basic authentication Basic HTTP authentication is supported.
Authentication with an X509v3 certificate The X509v3 certificate presented by the browser is used for authentication. Correspondence between the certificate and the user depends on the attributes of the user and the certificate. This correspondence can be configured. Certificates on USB tokens or smartcards associated with the client browser are supported.
Kerberos authentication Users already authenticated in a Windows domain will not have to authenticate themselves again. If they have already been authenticated, Kerberos authentication is required. This functionality requires an additional IIS server.
RADIUS authentication The authentication phase is delegated to an external RADIUS server. The mapping of RADIUS usernames can be configured. OTP tokens and authentication calculators are supported. Evidian Web Access Manager has obtained RSA SecureID certification, and is compatible with all kinds of authentication solutions that support the RADIUS interface.
Chained authentications All the authentication policies may be chainable in order to create a strong multi-steps multi-factors authentication.
Social Authentications The main social networks (Facebook, twitter, googleplus, linkedin, microsoft, ...) are preconfigured. Regardless of the protocols used (OpenId, OpenId Connect, Oauth2.0), social authentication can be activated with the information provided by the different identity providers. These authentications can be chained, associated with different levels, filtered according to the access networks, or proposed as authentication choices to users depending on their means of authentication.
Public key hardware token (Smartcard) X.509 v3 certificates authentication (HTTPS only), stored as token certificates on the client side. Any hardware token is supported as long as the corresponding framework is available for the used browser.
Public key hardware token (Other) Major socials networks (Facebook, twitter, googleplus, linkedin, Microsoft,…) are pre-configured. Regardless of the protocols used (OpenID, OpenID Connect, Oauth2.0), social authentication can be enabled with the information provided by the different identity providers. This authentication can be chained, associated with different levels, filtered depending the access networks, or offered as a choice of authentication to users based on their means of authentication.
Expiration of authentication sessions When a high level authentication expires, the authentication session may still remain active while using the properties of a lower level authentication policy.
Authentication via SMS or Mail An OTP is sent via SMS or email to the user. Web Access Manager relies on external servers accessible through SMS service URLs, or SMTP servers in the enterprise.
Out of band SMS Evidian WAM can deliver an OTP using the user profile attributes
Out of band push mode app (Mobile Phone Push Notification) Evidian Authenticator mobile application provides support for Push authentication to Evidian WAM
One Time Password (OTP) software application for smartphone QRentry mobile app, users are authenticated using their registered smartphone that generates an OTP from a QR-Code displayed on the authentication banner. QRentry is Out of Band and requires no network connection (except registration). QRentry authentication technology is shared with Evidian EAM. (Multi-factor Authentication)
Software based OTP for smartphone or tablet or PC (specify endpoint device or OS supported) Form authentication using external RADIUS server (RSA SecurID certified). As it's form based it's virtually compatible with any browsing environment.
One Time Password (OTP) hardware token Form authentication using external RADIUS server. (RSA SecurID certified)
Password Grid Users self-register and get, after checking, their personal grid by e-mail. Users use this grid to solve the challenge displayed by the server during the authentication phase. The user must enter their response using a matrix with random placement numbers to counter potential "key logger" on its non-mastered host. This authentication method can be linked to create a multi-factor authentication in several stages.
Fingerprint methods Provided through the Evidian Authenticator mobile app. Evidian EAM supports fingerprint authentication method (via Authentication Manager module) for Windows session management. QRentry with EAM supports biometrics on smartphone device.
QRentry The QRentry authentication is shared with E-SSO/Authentication Manager or deployed only in Web Access Manager. Only phones enrolled may resolve a challenge in the form of QR-Code. Web Access Manager provides an interface for enrollment that can be authenticated using SMS authentication or other authentication methods.
CAS servers support Web Access Manager can use the CAS (Central Authentication Service) servers already deployed and delegate the authentication phase. The choice of authentication mechanisms, filtering, or multi-level also apply to these forms of external authentication.
Front-end SAML authentication Front-end tools can conduct primary authentication instead of Evidian Web Access Manager and provide proof of authentication in the form of an SAML exchange and an SAML statement. This applies to equipment on the Juniper network.
Front-end HTTP header authentication Front-end tools can conduct primary authentication instead of Evidian Web Access Manager and provide user identity data in the HTTP headers for each request. Evidian Web Access Manager conducts the user search in the user directories, based on the data in the headers and the correspondence rules for the LDAP attributes. The user does not need to be identified again in Evidian Web Access Manager.
SAML "Service Provider" authentication When Evidian Web Access Manager is set to "Service Provider" mode, the mechanism for exchanging SAML statements with an "Identity Provider" from another trusted SAML domain allows the SAML statement to be used as proof of authentication.
Custom authentication Software Development Toolkit for rapid integration of a new mode of authentication in Evidian Web Access Manager. Guides, tutorials and examples are delivered with the product.
Multiple levels of authentication Authentication policies can be prioritised. Certain URLs or services may have a higher level of protection and may request re-authentication or stronger authentication.
Choosing the method of authentication The user can choose their authentication method based on the means of authentication available to them.
  • Base64 encoded login/password
  • Form authentication for primary login and password.
  • Base AM: Kerberos/NTLM login/password (IWA)
Password expiry The security policy may require periodic renewal of primary passwords, and generate visual or e-mail alerts when the password is about to expire.
Password strength The password policy may require a level of configurable complexity for passwords and verify that old passwords are not reused on renewal.
Session management Throughout the user's activity, Evidian Web Access Manager manages the user's single session and monitors the expiry dates for authentications and periods of re-authentication, in accordance with the authentication policy.
Question and Answer Methods (identify whether static or dynamic data is used) Evidian WAM: Grid Card authentication; each user owns a personal card password and must solve a challenge to authenticate. Each challenge is unique (Multi-factor Authentication)
Disconnecting and closing applications When the user disconnects, the application disconnection URLs for protected servers are requested. Evidian Web Access Manager closes the user session.
Daily verification of primary password expiry At a scheduled time, e-mails can be sent to users before their password expires.
Other knowledge-based methods (picking and image, pattern, gesture) Not provided/Third party solution implementation possible through supported authentication SDK
Other user authentication methods, (Passive biometrics, liveness detection, etc.) Evidian WAM natively support the following authentication methods:
- Delegated authentication to a CAS server
- SAML token authentication when connected with front-end hardware such as Juniper or in SAML Inter-Domain authentication.
- Delegated authentication to a SAML Identity Provider
- BlackBerry authentication using the trusted link between WAM and the Black Berry Enterprise Server. (Multi-factor Authentication)
- Header authentication when a frontal network equipment issues the authentication phase and provide a proof of identification in the HTTP Headers
- Mail Authentication; a token code is sent to the users in using their profile attributes (phone or mail address)
- OAuth (2.0) and OpenID (1.0, 2.0) authentication; when connected to external OAuth or OpenID identity providers. These authentication methods do not require additional third party product, but require deployment and configuration depending on the third-party identity provider.
- FranceConnect authentication (OpenID based see above)
- Built-in Social Authentication already pre-configured for Twitter, Facebook, Google Plus, LinkedIn, Microsoft Live, GitHub, Foursquare, WordPress.
- Web Browser DNA authentication as a second factor authentication. WAM can compute a fingerprint of the current user browsing context and use it as authentication method
- Chained-Authentication: any previous authentication can be chained together to create a robust multi-step/multi-factor authentication supporting levels of authentication and "user's choice of authentication", and filtered by source IP addressesThird Party: other authentication methods or servers that are not natively supported (and cannot be supported by CAS, RADIUS, SAML, OIDC methods), may be integrated using the WAM Authentication integration Module. This integration was already done to integrate HOTP/TOTP authentications.

Access control, authorisations, SSO and data input

For more information, if you are partners, click here

Access Control Zone Each service gathering a set of URLs from several protected Web servers can be isolated in an access control zone, restricted to specific users. By default, two zones are created: the “public” zone without authentication and the “controlled” zone gathering all the authenticated users. The administrator can create new zones and populate them with groups of users or individual users.
Dynamic user group Static groups defined in the user directories can be used to populate the Access Control Zones. The dynamic groups represent a list of users that contain a set of characteristics or attributes. These groups are dynamically valued and therefore follow the evolution of the users’ rights.
Authorisation The access control is performed on each URL by checking if the user is part of the security zone and owns the right authentication level to access the service. The authorizations are dynamic and change depending on the result of the evaluation of the dynamic groups that form the access zones.
Secondary authentications and Single Sign-On The secondary authentication data is extracted either from the secondary account bases associated with the application, or from the user’s primary data.The secondary account bases can be provisioned by IGA, by importing CSV or LDIF files, or with external applications based on a provisioning Web Service or a Java API. The user can provision his accounts on his own in his personal administration zone or on-demand when Evidian Web Access Manager requests it.
Secondary authentication using a form The usernames, passwords and additional data are automatically inserted into the forms of protected applications. WAM detects the forms and completes them without forwarding the passwords to the client browser, and submits them dynamically, without user input. Due to its powerful data analysis engine for HTTP feeds, Evidian Web Access Manager can handle all kinds of forms, analysing the content of HTML pages and modifying it dynamically if needed. No modification of the protected applications is required.
Secondary HTTP authentication "Basic authentication" Authentication of the HTTP protocol is detected and automatically completed. A secondary account where the primary username is inserted automatically.
Secondary authentication "IIS integrated Windows authentication" This mode of authentication is specific to Microsoft IIS servers, using strong authentication through Kerberos or NTLMv2. Evidian Web Access Manager automatically detects the type of authentication and the type of server protected and inserts a secondary or primary account.
Data input  All the known user data coming from his personal attributes or his session context can be injected into the HTTP headers, HTTP requests or in the content of the protected server’s response. Some pieces of this data can be encoded in base64 depending on the needs and usage of the application.
Secondary authentication in the HTTP feed Evidian Web Access Manager can inject data from the secondary account bases into the HTTP streams. This allows managing the authentication mechanisms of certain non-HTML applications, such as Adobe Flash/Flex applications that exchange the identifiers between the client in the browser and the application server.This same mechanism is used to manage the authentications in the Microsoft ActiveSync protocol.
Renewing secondary passwords The password renewal forms of protected applications are detected. The forms are automatically filled-in and new passwords respecting the secondary password policy (complexity and history) are generated automatically.
Detecting incorrect secondary passwords After several failed connection attempts to a protected application, the secondary bad password detection prompts the user to perform a self-provisioning action if this service is enabled.
Using the E-SSO account base  With the Mobile E-SSO option, Evidian Web Access Manager can use the already-provisioned secondary account bases thanks to E-SSO. The sequestration of the primary passwords enables to inject the primary identifier and its Active Directory password without the user knowing it. For example: the user authenticates with a strong authentication mean such as a token but the primary password is necessary to access Outlook Web Access.

User interface, customisation and main APIs

For more information, if you are partners, click here

Customisable user interface homepage The web-based user interface homepage brings together all the services accessible to the user after authentication. These services can be shared across several "portal" or "remote web agent" instances, on one or several machines. All the interfaces can be customised to respect the company branding, and partly integrated into the company portal that is protected by Evidian Web Access Manager. The interface homepage is natively multilingual and can be easily adapted to be displayed on mobile phones or tablets.
Self-management of user data, multiple accounts and delegation Through his profile management interface, the user can modify his personal information, secondary passwords, questions to lost passwords, primary password, or choose his secondary passwords and his role in case of multiple account applications.When the Mobile E-SSO option is available, the user can access his delegated accounts and the E-SSO delegation portal.
Self-enrolment for users Users can self-enroll through the Evidian Web Access Manager portal. They will be dynamically created in the user directory and their information will be collected. The self-enrolment panels are entirely customizable, the choice of attributes to collect, the look & feel, the directory and collect branch are configurable. Thanks to the multi-directory management, the self-enrolled users can declare themselves in a dedicated directory and retrieve rights different than the users who are provisioned or who already exist in other directories.
Post-Authentication API Modules can be integrated to perform additional treatments after authentication and to validate or not the authentication according to schemes that are specific to the corporate environment.
Post-Authorization API The authorization mechanisms can be extended by integrating modules that use a logic and mechanisms specific to the corporate environment.
API for managing the SSO and identities APIs enable to reroute the different points of decision making into the secondary data injection or in the user identification management. All these APIs are documented and illustrated with concrete examples. They enable Evidian Web Access Manager to open up to external mechanisms.
CIAM connect SDK A JavaScript SDK that can turn any exiting web page/login form into an Evidian WAM access portal. It only requires to include the provided JavaScript script and add attributes to existing HTML elements to activate available hooks (list of endpoints below)
- Automatic registration with social Identity, with URLs notification to synchronously push new users records to marketing tools/CRM
- Users data access REST APIs for asynchronous feeding of marketing tools/CRM
- Google Analytics integration. Evidian WAM proposes a bring your own "tracking ID" approach to feed Google Analytics with access related actions from the end users
-Step-up Authentication on top of social authentication for sensitive interactions
- Browser DNA to force a user to use an complementary OOB authentication, if her browsing environment is not recognized
- Integrated consent management in self-service fashion
- Build-in regulation (GDPR) compliance assistance feature
- Self-service, one click malicious access reporting
- Self-service profile management, right to be forgotten and authentication methods management (registration, revocation)

Infrastructure, high availability and load balancing

For more information, if you are partners, click here

Reverse Proxy The main components of Evidian Web Access Manager are HTTP/HTTPS reverse-proxies. These reverse-proxies have advanced capabilities such as URL translation in the protocol headers or in-depth in the query content. Cookies or JavaScript parameters are also treated to completely hide all references to the protected servers. Protected applications sometimes contain absolute or non-relative URLs to the root; they are rewritten properly with external URLs.Applications do not need to be modified, even if they do not meet modern writing standards. This technology allows to modify, delete or add elements to Web pages delivered to client browsers.
User directory Evidian Web Access Manager is based on the concept of user multi-directory. It uses simultaneously multiple identity sources dispatched in several directories. Each directory can be used in high availability mode or load balancing, if it has replicates or several domain controllers in this Active Directory case.
Compatible with Forward Proxies Some protected applications can be accessed only through a Forward-proxy; this is the case for external applications. Evidian Web Access Manager takes into account the Forward-proxies and can inject a primary or secondary authentication if these proxies require an authentication.
Front-end Reverse-Proxy A Reverse-proxy acting as a WAF (Web Application Firewall) can be positioned in front of Evidian Web Access Manager. With the URL translation engine, the URLs are renamed directly with the external name of this Reverse-proxy, therefore helping the reverse-proxy.
Multiple contact points Deploying on several workstations within a unique configuration enables to control multiple access points and to respect the geographical, organizational or load-balancing constraints.
Resilient architecture The internal components of Evidian Web Access Manager can be used in several instances, with multiple couplings with E-SSO or IGA to ensure load balancing and high availability.
Authentication server Evidian WAM can act as a OAuth 2.0 Authorization server, in this case it supports:
- Client credentials Grant Type (Two legged)
- Authorization Grant Type (Three legged)
- Implicit Grand Type ( Three legged)
- Client registration end-point
- Access and Refresh tokens
- Token introspection
- Tokens/protocols Translation
- OIDC/OAuth client registration endpoint
Evidian WAM using reverse proxy technology can also be used as an API Gateway/Authorization enforcement point. In this case it supports:
- Authentication and authorization (intercepting APIs requests and responses)
- Bearer token authentication
- Filtering on URL/Verbs
- Monitoring metrics generation
- API translation/consolidation/monetization/dev portal are not supported
in "Web Access Manager Customization Guide" sections 15 and 14
note: the reverse proxy can be used to protect SOAP webservices in addition to REST APIs.
API gatewway - OAuth 2.0 Client credentials Grant Type and Client registration end-point
- OAuth 2.0 Authorization Grant Type and OAuth 2.0 Implicit Grand Type
- Filtering on Verbs and URLs
- HTTPS (TLS 1.3) can be enforced on the access point (when Evidian WAM acts as a reverse proxy incoming and outgoing traffic are respectively decrypted and re-encrypted)
- Evidian WAM can act as OAuth 2.0 Authorization server, thus issues OAuth tokens
- Standard and custom OAuth scopes are supported
- Translation among SAML assertions and OAuth tokens is supported
- DOS protection must be configured at platform level or using third party solutions
- Evidian WAM doesn't provide yet any developers portal. However the OAuth "Client registration end-point" is supported.
SafeKit Option: High Availability and Load Balancing As an option, SafeKit allows transparent load balancing and high availability for the Evidian Web Access Manager contact points and high availability for its dedicated configuration directory.
Easier installation and updates Evidian Web Access Manager is an off-the-shelf product which can be installed on any platform (e.g. Linux, Windows) using a simple and rapid graphic interface, or by command line for machines without an imported user interface. The updates use the same installer, and are not destructive of the current configuration. They allow updates and new functionality to be added in accordance with the Evidian support policy. The configurations can be exported and imported, and the implementation of the pre-production and post-production phases are facilitated. Evidian Web Access Manager is independent of the system on which it is installed, no additional components are necessary, and it can be installed on a clean system which has been newly built and virtualised.
Business to Employee Several features are natively integrated into Evidian AM suite to support B2E use cases:
- Self registration for new employees with URLs notification to integrate with IAM solutions. URL notifications mechanism calls external URLs upon actions completion such as new user record creation, profile modifications... with attributes of the user as parameters (JSON)
- In conjunction with Evidian IGA: "Cost Efficient provisioning" where the user's application (SaaS or on-prem) accounts are created on the fly upon first connection on the service
- more generally: tight integration with Evidian IGA for provisioning access rights into Evidian AM suite as well as into applications
- Ability to aggregate several identity sources (LDAP Directories) in various scenarios: users from different directories, users in a single directory and attributes in other directories
- Programmatic interfaces to extend existing capabilities (post-* hooks)
- Ability to provides several portals (for internal organizations or subsidiaries) with dedicated configurations and customizations
- Bulk import of users
- Native mobile apps support, context aware authentication and VPN integration to address itinerant employees scenarios
- Single consistent access point for SaaS and traditional (i.e. not federated) applications with SSO
- Ability to address mixed use cases include web and thick clients
- Self-service features, such as password reset, authentication methods management, profile management, help with IT/helpdesk costs reduction
While not a feature per se, the ability to keep identity/access management on-prem and being able to benefit from SaaS applications is highly praised by some of our customers. Especially with the current regulatory context (Cloud Act) and for sensitive businesses, as this prevents access to data by impersonification of users.
Business to Business Evidian WAM can be deployed as an IdP proxy with assertion/token rewriting rules, and target IdP selection based on user's email address. Advanced assertion/token translation can be achieved with available programmatic interfaces (post-* hooks), in an almost "access as code" fashion.
The IdP proxy can be used in conjunction with Evidian WAM as an standalone IdP, which with user self-registration permits to conveniently address the mixed partners with IdP and partners without IdP scenario. In this case URL notifications can be used for validation of the new users, this can also be achieved, more basically, with email address domain filtering.
In addition the ability to turn an existing application into a Service Provider (Evidian WAM as a Reverse Proxy and SAML/OIDC Service Provider) allows for opening legacy landscape to partners.
Evidian WAM can also leverage the Evidian IGA ORBAC (Organizational RBAC) model, for access provisioning in various partner scenarios. This is a powerful mean to modelized B2B interactions, and delegate part of identity management to partners.
Dedicated partners access portals can be created, with appropriate configuration and customization.
Business to Customer Evidian WAM offers several features to support B2C scenarios:
- CIAM Connect SDK: a JavaScript SDK that can turn any exiting web page/login form into an Evidian WAM access portal. It only requires to include the provided JavaScript script and add attributes to existing HTML elements to activate available hooks (list of endpoints below)
- Automatic registration with social Identity, with URLs notification to synchronously push new users records to marketing tools/CRM
- Users data access REST APIs for asynchronous feeding of marketing tools/CRM
- Google Analytics integration. Evidian WAM proposes a bring your own "tracking ID" approach to feed Google Analytics with access related actions from the end users
-Step-up Authentication on top of social authentication for sensitive interactions
- Browser DNA to force a user to use an complementary OOB authentication, if her browsing environment is not recognized
- Integrated consent management in self-service fashion
- Build-in regulation (GDPR) compliance assistance feature
- Self-service, one click malicious access reporting
- Self-service profile management, right to be forgotten and authentication methods management (registration, revocation)