Secure Access Control
for Mobile, Cloud, and Web Apps
SecureAuth IdP is a revolutionary platform that provides flexible and secure access
control through strong authentication, single sign-on, and user management in a single
solution. Not only does it mitigate external attacks, it also offers flexible options for
enterprises to create an improved experience for all end-users.
Accept
Identity verification is simple and effective with IdP. It can accept any ID, including all industry-standard, social identity providers, and in-house solutions. Once an identity is submitted to IdP, the system maps it to on-premises directories to extract the necessary information for authentication.
Authenticate
Our patented and versatile 2-Factor Authentication meets regulations for all industries and protects corporate data from external attacks. Risk analysis is also included in IdP, which increases your security posture with automated detection and challenge of questionable users.
Assert
Once authenticated, a security identity token for web, cloud, and mobile resources is asserted without any additional coding. Users can access virtually any present and future application securely from any device with a single set of credentials.
Enterprises are not required to alter their pre-existing infrastructure because IdP can extract information required for authentication. This eliminates the need to duplicate or migrate the data stores already residing securely in your network.
• AD
• v3 LDAP
• MS-SQL
• MySQL
• ODBC
• REST APIs
• Web Service
In addition to post-authentication SSO, IdP enables logging and auditing of all actions from users, applications, and devices. Admins can record all events that transpire and use the data for compliance reporting.
• Text
• Syslog
• SQL
IdP can consume any enterprise ID and translate it into artifacts specific to any application. This allows users to employ only one set of credentials for all resources.
• User Login (Browser)
• SecureAuth Web SSO Token
• Third-party Web Token
• SAML / OpenID
• WS-Fed / Trust
• IWA (Kerberos)
• X.509 Certificate
• CAC / PIV
• Basic Auth
IdP offers over 20 different authentication methods, which are configured by you and enforced by us.
• X.509
• SMS OTP
• Telephony OTP
• E-mail OTP
• Yubikey (USB)
• CAC / PIV
• Static PIN
• Help Desk
• Kerberos (IWA)
• Password
• NFC
• Mobile OATH Token
• PUSH
• And more
Analysis
IdP includes risk analysis in its workflow to immediately respond to flagged users and events. It analyzes user login behavior for anomalies and challenges their identity if any are found.
• Device Type
• IP Address
• Location
• Domain
• Geo-velocity
• Browser Fingerprint
• Login History
• TOR / Robot Detection
Tel: +1 949-777-6959
www.secureauth.com
The SecureAuth IdP
Appliance
• Integrates easily with existing systems
• Comes with:
• Hardened OS
• Embedded Web Server
• Data Store Connectors
• Pre-built Web Pages
• Packaged Encrypted Modules
• Web Service Client Connectors
• Physical appliance available as either standard or advanced model
• Virtual appliance available for the following platforms:
• VMWare
SecureAuth IdP
2-Factor Authentication
Secure and Flexible Authentication Solution
IdP 2-Factor Authentication deploys quickly and integrates into current infrastructures, utilizing data from established directories. IdP pulls the necessary information from the enterprise data store that corresponds to the user’s profile to validate the identity without storing or moving profile information to the cloud.
Customizable Authentication
Enterprises are given full control of their security configurations. They can designate access to individual users, groups, devices, or applications; and can choose from over 20 different authentication mechanisms, including SMS, Telephony, and E-mail OTPs, Device Fingerprinting, and PUSH Notifications.
Admins can also design authentication workflows that evaluate various risk factors (contextual authentication). By simply modifying the parameters using the SecureAuth GUI console, an administrator can customize the access control workflow for the various corporate resources, whether cloud, mobile, web, or network-based.
Flexible Workflow Integration
• Multi-factor Authentication
• 20+ Forms of Authentication
• Mobile or Desktop (BYOD)
• Cloud, Mobile, Web, Network
No Coding Required
• GUI Drop-downs
• No APIs
Flexible Configuration Options
• ID + PW
• ID + 2FA + PW
• ID + 2FA + 3FA + PW
• ID + Device
• ID + Device + PW
• ID Token (SAML, OpenID)
• ID Token + 2FA
• ID Token + 2FA + PW
Flexible Persistency:
• Device Fingerprinting (Desktop/Mobile)
• Mobile/Desktop X.509 Certs
• Java Certificates
2FA based on Data Stores
• AD, v3, LDAPs, SQL
• ODBC, REST APIs, Web Services
Authentication Mechanisms
OTP: One-time Password
A one-time password delivered via Short Message Service, Telephonically, or E-mail to the phone number or address recorded in the user’s profile.
Static PIN
A personal, unchanging PIN code.
Yubikey (USB)
A USB key that plugs into a user’s device and transmits a one-time passcode to the device.
Password
A user’s known password.
KBA/KBQ: Knowledge-based Authentication
Knowledge-based answers/questions that are stored in the user’s profile.
Kerberos (IWA)
A desktop SSO system that uses Microsoft’s Active Directory.
X.509 Certificate
An X.509 certificate that is placed in a device’s built-in OS certificate store (native) or in a browser’s Java certificate store (Java).
Help Desk
A one-time password delivered by the help desk after verifying the user’s identity.
PUSH Notification
A one-time password delivered to a user’s pre-registered mobile device (smartphone, tablet).
Risk-based Authentication for
• Internal/External
• Desktop/Mobile
• Group, Country
• IP Address
User Self-services
• 2-Factor Enrollment
• Password Reset
Device Fingerprinting
A patent-pending process in which IdP pulls unique characteristics from a device and then maps that identifying value to the user’s profile. This enables frictionless subsequent authentications for mobile or desktop users.
Social ID
A form of user authentication that uses data from social identity providers, such as Facebook, LinkedIn, Twitter, and Google.
Federated ID
A token that is issued in a trusted language (SAML, WS-Fed, OAuth) that validates the user’s identity without transferring password information.
NFC Object
Any object that utilizes Near Field Communication for information regarding the object’s identity, like cards or tags.
Smart Card
Cards such as CAC/PIV Cards, NFC Proximity Cards, NFC MiFare Cards, Entrust IdentityGuard Gridcards,
and HID Cards.
OATH Token
A time-based one-time OATH password generated on a user’s mobile device, browser interface, desktop,
or from a third-party provider. Can be hardware- or software-based.
Symantec VIP
Symantec’s cloud-based VIP service used for
IP Reputation
Utilizing a real time threat intelligence service, the
user’s IP Address is examined and a risk score is
returned based on various criteria. Administrators
can set risk thresholds, which determine what
the acceptable risk should be for that particular
application. The options are low, medium, high,
and extreme.
SecureAuth IdP
Analysis
Complete Access Control Solution
To enhance the security of access control, SecureAuth has
included a risk analysis feature in its latest release.
IdP’s analysis includes four factors that work together to
mitigate attacks and to automate an organization’s desired
response.
• IP Address
• IP Reputation
• Group Membership
• Geo-location / Geo-velocity
Automated Responses
Each of the four analysis elements can be
enabled and configured independently along
with their responses. The automated responses
to an analysis failure include URL redirection,
2-Factor Authentication, or hard stop.
SecureAuth’s risk analysis data and responses
are all logged for reports and audits alongside
other authentication events to continually
maintain security and to mitigate
potential attacks.
IP Address
The first level of analysis concerns
the IP Address. This immediately
determines whether the user
is working from a recognized
IP address and whether they
are currently in the network or
accessing the resources externally.
SecureAuth Analysis
• Included in IdP
• IP Address, Group Membership, Geo-location / Geo-velocity
• Integrate with Third-party Sources
• IP Reputation
Automatic Responses
• 2-Factor Authentication
• URL Redirection
• Hard Stop
Configurable
• By each Feature
• For each Realm / Workflow
Over 40 Different Items
• Included in Analysis
• CnC, Bot, Spam, SpywareCnC
• DDoSTarget, Brute_Force
• IPCheck, Compromised
• Mobile_Spyware_CnC, others
Group Membership
The step following IP Reputation
in the analysis works with the
user’s existing group membership
information. Here, administrators
can allow or deny access to an
application based on the group
list provided.
Geo-location / Geo-velocity
Using the IP Address to calculate the
user’s current coordinates, IdP can
compare the current log-in attempt’s
time and location with the previous
attempt. Based on the acceptable
velocity that the administrator
defines, users that normally log in
from California can be prevented
access from Russia one hour later.
Instant and Simple Integration
IdP easily integrates with existing
infrastructures, including user data stores. The information from the stores is used to authenticate the user, and then that authenticated ID is asserted to the target application(s).
IdP creates an SSO token to the relying party; and can then authorize SSO into additional apps.
IdP SSO can be enabled for any corporate app,
whether it is in your network or on external devices.
SecureAuth IdP
Single Sign-on
IdP for Access to All Resources
IdP provides revolutionary Single Sign-on (SSO) capabilities without thick clients or third-party tools to enterprise cloud, web, network, and even native mobile applications.
IdP combines strong authentication and SSO in a single solution, ensuring secure access control no matter the target and subsequent resources. Having one login for all applications is not only user-friendly, but it also simplifies and secures the application deployment lifecycle, therefore reducing maintenance costs.
Full and Secure Identity Assertion
No matter where corporate resources lie (cloud, mobile, web, or network), IdP can assert authenticated identities to them without requiring additional logins.
IdP includes a Security Token Service (STS), which consumes the ID and transforms it into an appropriate artifact in which to communicate with applications (e.g. SAML, OpenID, WS-Fed, OAuth, etc.), and works as a turnkey to continually generate the appropriate token for all applications.
Uniquely, IdP enables SSO to native mobile applications, using the same iOS, Android, or Windows apps that users already know and understand.
One Password; Any App
The list of application protocols with which we operate is massive. Through IdP, your business can continue to work with your existing applications and ensure integrations of future additions.
SSO from IdP to:
• Cloud Applications
• Mobile Applications
• Web Applications
• Network Resources
No Coding Required:
• No APIs, No Agents
• ID Assertion via SAML, OpenID, WS-Trust, etc.
• No Thick Clients Required
Generates SSO Token:
• Security Token Services (STS)
• GUI Selected
SSO Enabled by:
• Individual User, Group
• Application, Device
App-to-App SSO:
• Web App -- Cloud App
• Cloud App -- Mobile App
• Mobile App -- Mobile App
Integration with Popular SaaS Apps:
• Salesforce
• Google Apps
• WebEx
• SuccessFactors
• Workday, and more
Web Apps:
• .NET
• J2EE
• SharePoint
• WebSphere, and more
Mobile Apps:
• iOS, Android
• Windows, Blackberry
SecureAuth IdP
for Mobile
The Ideal Mobile Solution
IdP for Mobile enables 2-Factor Authentication through a variety of mechanisms and single sign-on to web, cloud, and native mobile applications without requiring any hardware or thick clients. With IdP, employees, partners, contractors, and customers can securely access corporate applications from their personal devices without relinquishing control or the convenience of mobility.
SecureAuth solves the dilemma of native application and mobile device integration by deploying into existing
infrastructures, making this solution ideal for enterprises that deploy mobile applications to large populations of users, such as banking portals.
Risk-based Authentication
for Mobile Users
IdP 2-Factor Authentication is flexible and secure, but it can also be
stepped up for remote access or for unrecognized devices.
Mobile users will experience the same look and feel as those on desktops, but organizations can also implement 2-, 3-, or even 4-Factor Authentication to ensure protection outside of the secured network.
IdP for Mobile can be deployed on any iOS, Android, Windows, or Blackberry device.
Users can employ their personal devices and because of IdP’s user self-service, they can enroll their own device, provision their own account for 2-Factor Authentication, and even revoke access from a device if lost or stolen.
Device Fingerprinting
IdP Device Fingerprinting allows users to securely work on anything by utilizing the uniqueness of each device as a “fingerprint.” It is 100% browser-based and works with the device that the user already owns, but enables enterprise control over the user’s access.
Device Fingerprinting not only pulls device information, it also tags each device with a unique identifier. These two mechanisms are then combined to ensure that the device is registered to a specific enterprise user. For subsequent authentications, IdP scans the device and if recognized, Device Fingerprinting is utilized as the second factor.
Single Sign-on to Native Mobile Apps
Through IdP’s Mobile Applications Management, SSO to native mobile apps is achieved without any rooting or MDM required. By simply incorporating the IdP code into an application, organizations can enable strong authentication and SSO to and between mobile apps without burdening the user experience.
Not only can users achieve transparent SSO between mobile applications, but IdP also enables SSO to web and cloud applications from mobile devices.
The same security is extended to all resources with IdP SSO and end-users will appreciate the convenient workflow.
Enterprise-grade Security and SSO to Mobile Apps
• iOS, Android
• Windows, Blackberry
• Smartphones, Tablets
2FA and SSO based on:
• AD, v3 LDAPs, SQL, ODBC, REST APIs
SSO to Native Mobile Apps
No Rooting or MDM for Devices
Full Enterprise Integration:
• Multi-Factor Authentication
• Single Sign-on
• Federation to SaaS Apps
Device Fingerprinting
Device Fingerprinting authentication for all enterprise deployments
Supports all desktop and mobile devices
Deployed without any thick client or download
Ideal for B2C and BYOD environments
Integrates with Existing Infrastructure
• Active Directory, LDAP, SQL
Fully Integrated Authentication System
• 2-Factor User Registration
• Configurable Device Duration
• 1-Touch Device-based Revocation
Integration to All Platforms
SecureAuth IdP
Identity Management Services
Identity and Access Management Made Simple
IdP enables full enterprise control of identities and access, which ensures security and lowers administration costs. Enterprises can configure their own authentication and SSO workflow based on users, groups, devices, or applications. Also within the Identity Management suite, admins can utilize numerous tools, including:
• Help Desk User Management
• Create User
• Audit Reporting of Authentication Events
• Meets Stringent Compliance Regulations
• 2-Factor Authentication Provisioning
• Native Certificate Revocation (1-Touch Revocation)
• Portal Page
• Mobile App Store
Logging and Auditing
IdP provides appropriate event reporting that deploys easily into the existing infrastructure.
IdP meets the most stringent compliance regulations for various industries:
• Retail
• Financial / Banking
• Law Enforcement
• Healthcare
• Government
IdP’s multi-factor authentication, secure federation, and logging and reporting capabilities are suitable for all compliance standards, including:
• PCI DSS
• NCUA
• FFIEC
• CJIS / GFIPM
• HIPAA / HITECH
IdP enables organizations to log, audit, and report all authentication events, from identity acceptance to identity assertion.
Mobile App Store
The IdP Mobile App store can be deployed on iOS and Android devices to provide easy downloads of necessary corporate applications. Admins can control security and access to applications within the store by making them only visible and downloadable to specific users or groups.
X.509 Services
• For Both On-premises and Cloud Services
• Certificate Provisioning, Validation, and Revocation
• No CAs, CRLs, or OCSPs Required
Easy-to-use GUI Admin Console
No Coding, Third-party Tools, or Specialized Training Required.
Logging and Auditing
• Meets Compliance Regulations
• PCI DSS, FFIEC, NCUA
• CJIS / GFIPM, HIPAA/HITECH, etc.
• Syslog, Text, SIEM, SQL
• Log of All Authentication Events
1-Touch Revocation of Certificates, Access, and Device Registration
Mobile App Store
• Easy Access to Corporate Apps
• iOS and Android Devices
• Control Visibility and Download Access by User / Group
Easy to Add and Manage Applications
Personalized Interface with Company Logos and Preferred Designs
Reporting dashboard: Successful and Failed Authentications per day, and Successful Authentications per hour by E-mail, Phone, and SMS.
X.509 Services
Offered in both IdP’s on-premises and cloud services are X.509 services, including:
• User Certificate Provisioning
• Device Certificate Provisioning
IdP has a powerful IdP-to-cloud ecosystem that allows an enterprise to create an X.509 certificate based on enterprise IDs and then have a user conduct a self-registration involving integrated SecureAuth 2-Factor Authentication.* Not only can an admin create certificates without knowledge of PKI, but they can also revoke certificates from the native directory without the use of archaic CRLs and OCSPs. SecureAuth supports PKCS #12, PFX, SCEP inbound, SCEP outbound, WSE3, BKS, DER, and CAC/PIV PKI standards; and the X.509 certificates can be used for:
• Validation to Web, Cloud, Mobile, and Network Resources
• VPN/WiFi Authentication
• User Certificate Validation
• User Certificate Revocation
• App Authentication
• MDM Registration
• Data Encryption
SecureAuth IdP
User Self-service
Lower Costs and Help Desk Calls
IdP provides user self-service that removes time-consuming procedures from admins’ responsibility and enables more self-control over user profiles. To reduce costs and unburden help desks, IdP enables user:
• 2-Factor Enrollment and Provisioning
• Profile Maintenance
• Self or Device Revocation
• Password Reset
Easy Password Reset
Traditionally, when users’ passwords have been forgotten or compromised, corporate time and money has been wasted to reset them. With IdP, not only can users self-enroll for 2-Factor Authentication, but they can also reset their own passwords at any time. The process to reset passwords is very simple:
• From the IdP portal or the enterprise portal, users select “Reset Password”
• IdP prompts the user for his/her username
• A 2-Factor Authentication mechanism is then chosen by the user; any of the 20+ Authentication Mechanisms can be utilized for this process
• Once authenticated, the user can create a new password
Many solutions enable password reset with questions and answers only, but this can be problematic and insecure. By leveraging our flexible 2-Factor engine, users can employ stronger methods of authentication to ensure password security.
Self-service Console
The self-service console is easy to use and accessible only after successful 2-Factor Authentication to ensure security.
Users can enroll themselves into 2-Factor Authentication based on the existing profile information and the mechanisms chosen by the organization. Enterprises dictate which authentication mechanisms can be employed, and users then set up and maintain their profiles.
Users can also update their profiles with current phone numbers, e-mail addresses, static PINs, and knowledge-based questions and answers; and can keep track of their registered devices and instantly revoke them in the event of compromise.
SecureAuth IdP
What’s New
Account Provisioning and Synchronization
This is a time-based provisioning mechanism that synchronizes
user identities from the local databases to external repositories,
like Google Apps, Workday, and Salesforce.
Administrators can create or update a user in the local directory
and have that information provision an associated identity to the
cloud repository.
Most importantly, when administrators delete users from the local
directory, the usernames will automatically be removed from the
other resources, thereby immediately disabling all access.
IdP Configurator
The visual IdP Configurator makes configuring each
workflow as easy as the workflows themselves are for
end-users.
The IdP Configurator guides administrators through
application configuration, using the 5 “A”s of SecureAuth’s
funnel: Accept, Authorize, Analyze, Authenticate, and Assert.
By using simple “drag-and-drop” movements alongside
preassembled templates to design each realm, configuring
IdP has never been easier (or more attractive).
Transformation Engine
IdP now includes dynamic post-authentication attribute
transformation to map manipulated data to resources.
With this feature, information that is missing from the data
store or that requires calculations for specific applications
can be added to a user’s post-authentication token for
appropriate assertion, resulting in the delivery of a single
token to the consuming application.
This reduces the amount of information stored in directories
and management of user profiles.
2-Factor Login for Windows
For Windows Vista, Windows 7, Windows 8, Windows 2008,
and Windows 2012 operating systems, users can employ
2-Factor Authentication for initial login as well as to unlock
the system.
Using SecureAuth’s mobile and desktop, and third-party
OATH tokens, users can secure their devices via low-friction
authentication.
OAuth 2.0 and OpenID Connect
SecureAuth has built into IdP full support for OAuth 2.0 with OpenID Connect, enabling IdP to
be an OpenID Connect Provider and an OAuth 2.0 Authorization Server.
The combined support of OAuth 2.0 and OpenID Connect creates a more trusted relationship
between IdP and relying parties with JSON Web Tokens (“JWTs”), while utilizing the flexibility of
the protocol framework.
IdP acts as the Authorization Server in the relationship, authorizing, authenticating, and then
generating trusted access tokens for the purpose of accessing secured resources, such as APIs.
Both two-legged and three-legged OAuth flows are supported, as well as the four
authorization grant types: authorization code, implicit grant, resource owner password
credentials, and client credentials.
IdP via OAuth 2.0 with OpenID Connect enables organizations to assert identities securely to
OAuth 2.0 and OpenID Connect native and mobile applications in the same trusted manner as
with SAML or WS-Federation.
About SecureAuth
SecureAuth is a technology leader, providing 2-Factor Access Control for hundreds of customers and more
than 10 million users worldwide. SecureAuth’s Identity Provider (IdP), winner of numerous awards and named
Network World’s best authentication product, uniquely delivers multi-factor authentication and single
sign-on together in a powerful solution for mobile, cloud, web, and network resources without the requirements
of supplementary components or add-ons. SecureAuth delivers on the vision of “Security as a Productivity
Enabler” in every deployment by providing a streamlined workflow of secure access to corporate data from any
device. The company has consolidated all key components: engineering, product management, support, sales,
and executive in its Irvine, California headquarters, resulting in numerous patents, major customer wins, and
the highest ranking customer service, acknowledged by both Forrester and Gartner. For the latest insights read
the SecureAuth Blog, follow @SecureAuth on Twitter, or visit www.secureauth.com.
SecureAuth Corporation
• SecureAuth IdP Awarded 5 Stars from SC Magazine, 2013 & 2014
• “Visionary” Vendor, 2013 Magic Quadrant for User Authentication
• “Positive” Rating, 2013 WAM Marketscope
• SecureAuth IdP wins test of 8 software-based authentication systems
• SecureAuth IdP - Best Mobile Identity, Safeguard & Security Product
• 2012 Winner for Favorite New Product - Security Solution
• SecureAuth: One of Fifteen Solutions to Watch
• Info Security Products Guide Winner: Best Authentication Solution, Best Single Sign-on Solution
• #1 in Customer Satisfaction
• Fastest Growing Company 2012
• SecureAuth Top 100
Analysts and the Media Agree
SecureAuth has been honored with numerous awards, U.S. patents, and recognition from major analyst groups,
including Gartner and Forrester.
Over 10 million users assert their identity on
cloud, mobile and web with SecureAuth IdP