SERVICE DESCRIPTION
Web Authentication
TABLE OF CONTENTS
1 INTRODUCTION
2 SERVICE DESCRIPTION
2.1 Basic service
2.2 Options
2.2.1 Captive Portal
2.2.2 Federation
2.2.3 Single Sign-On
2.2.4 Strong Authentication
2.2.5 Test Instance
2.2.6 SMS Flat
3 ADDITIONAL DOCUMENTS
4 DISCLAIMER
1 INTRODUCTION
This document describes the Web Authentication managed service with all the options available from USP. This document, together with the agreed Service Level Agreement, constitutes the binding basis for the provision of the managed service.
Field of application
The Web Authentication service offers flexible technologies and concepts for the authentication of users. The service allows complete single sign-on solutions for different applications, taking account of the need for transaction protection and a seamless integration into your IAM processes.
Benefits
The Web Authentication service offers your users a uniform interface for all web applications. Centralized holding of user data makes the work of your IT department easier, saving valuable time and resources. Should the data structure change, the modifications need only be made at one place for all your applications. This considerably reduces the risk of errors and, in addition, changes can be implemented much more quickly.
2 SERVICE DESCRIPTION
2.1 Basic service
USP's Web Authentication service offers a uniform and easy-to-use interface for the authentication of your users.
Name of service: Web Authentication
Service abbreviation: MSS-WA
Service version: 2.0
Status: Operational
Operating hours:
- OH1: Monday – Friday, 08:00 – 18:00 CET
- OH2: Monday – Saturday, 07:00 – 21:00 CET
- OH3: Monday – Sunday, 0:00 – 23:59 CET
Availability guarantee:
- ACA: Best effort
- ACB: 99.5% availability during operating hours
- ACC: 99.7% availability during operating hours
- ACD: 99.9% availability during operating hours
Usage parameter: The service is assessed on the basis of the number of concurrent users.
Description: The Web Authentication service provides a standardized interface between upstream services, such as the Web Application Firewall service, and the user database. The service consolidates different authentication systems and makes these further services available in a single interface.
Benefits: Modern applications, particularly web-based applications, take their user data from a wide range of sources. Different interfaces lead to very high degrees of complexity in all applications. Thanks to the Web Authentication service, all your web applications access user data through a common interface. If changes are made to the data structure, only the Web Authentication service has to implement these changes. Development costs are saved while the risk is minimized, because your applications do not have to be modified.
Key Performance Indicators (KPIs): Compliance with the SLA parameters is measured against the availability of the service infrastructure.
Reporting: The following service-specific values are collated in the monthly reports:
- infrastructure workload
- number of valid/invalid logins
- number of sessions
Measuring points: The following measuring points are some of those watched to monitor the service:
- listener processes
- connection to the backend
- accessibility
Conditions of use: An availability guarantee in excess of "best effort" requires redundant design of the service infrastructure.
2.2 Options
2.2.1 Captive Portal
A self-registration portal is provided for your guest users.
Name of the service option: Captive Portal
Abbreviation: MSS-WA
Usage parameter: The service option is measured on the basis of the size of the basic service.
Description: This option makes a Captive Portal available to your guest users for self-registration. When a user connects to the network, the request is first redirected to a web portal in which he must enter his user information, including his mobile number. The correctness of his input is verified by means of an SMS challenge code. Once he passes the verification, the guest can use the network resources.
Benefits: Where users are offered a public WLAN, the provider must make identification of the users possible according to the provisions of the Swiss Federal law on Surveillance of Post and Telecommunications Traffic (BÜPF). The identification required is made possible by this option, so that you can meet your legal obligations in this regard in full.
Your guests are registered automatically without further intervention by your staff. This means that you can even make access to network resources, for example Internet access, available to a large number of users without further effort.
Key Performance Indicators (KPIs): Compliance with the SLA is determined using the KPIs for the basic service.
Reporting: The number of users is added to the reported data. User activity information is provided following a corresponding request to the USP Security Operations Center.
Measuring points: Accessibility of the web interface is checked.
Conditions of use: The Captive Portal must either provide the network addresses to users itself, or forward these to the guests.
Costs generated by sending text messages are not included in the monthly costs of the service.
2.2.2 Federation
This option provides support for SAML.
Name of the service option: Federation
Abbreviation: MSS-WA-FED
Usage parameter: The service option is measured on the basis of the size of the basic service.
Description: Modern IT environments are increasingly active across businesses. The Federation option makes the relevant user data available across companies for authorisation, so that customers, partners and also staff can use their own, existing identities.
Federation offers full SAML (Security Assertion Markup Language) support, both as an Identity Provider and as a Service Provider.
Benefits: This option gives you a user-friendly capability of mapping trustworthy, cross-company IT environments. You can, for example, give your staff access to Office 365 or to applications hosted by partners, without additional user accounts having to be created and administered. In Federation, you have control over what information is forwarded to service providers. You gain considerably in security as the user data stays where it belongs.
Key Performance Indicators (KPIs): Compliance with the SLA is determined using the KPIs for the basic service.
Reporting: This option is not listed separately in the reports.
Measuring points: This option is not monitored separately.
2.2.3 Single Sign-On
Users access various different applications but need only log in once to do this.
Name of the service option: Single Sign-On
Abbreviation: MSS-WA-SSO
Usage parameter: The service option is measured on the basis of the size of the basic service.
Description: Different web applications have different authentication methods, and the user needs to enter different user data. With the Single Sign-On option, the login process is standardized for all applications: the users enter their user name and the associated password (and, if need be, a further factor, see section 2.2.4) to start. The Single Sign-On option forwards this information to the applications so that the users are automatically logged in to them.
Benefits: Where users have to remember a number of passwords, they tend to use simple passwords, or even to write the passwords down. With the Single Sign-On option your users need only learn one password. In this way, you achieve greater user-friendliness, which is reflected in your users' satisfaction, and greater security, as the simplest passwords and the writing down of passwords are avoided.
Key Performance Indicators (KPIs): The service option is measured on the basis of the size of the basic service.
Reporting: This option is not listed separately in the reports.
Measuring points: This option is not monitored separately.
2.2.4 Strong Authentication
A second factor is introduced alongside a password for user authentication.
Name of the service option: Strong Authentication
Abbreviation: MSS-WA-SA
Usage parameter: The service option is measured on the basis of the size of the basic service.
Description: This option introduces a second factor for user authentication. In addition to entering the password (something that he knows), the user has to enter a second attribute (something that he has or is) to confirm his identity. Various different adapters for linking different attributes are available for this. For example, interfaces are offered to SuisseID, to Mobile ID, to a variety of hard tokens, to text messaging and much more.
Benefits: Introducing a second factor for the authentication of your users considerably enhances your security. A potential attacker not only needs to know his victim's user name and password, but also has to possess the further factor, or imitate something the victim is.
Key Performance Indicators (KPIs): Compliance with the SLA is determined using the KPIs for the basic service.
Reporting: This option is not generally listed separately in the reports. Individual factors can be listed separately if required, for example the status of certificates or the number of text messages sent.
Measuring points: This option is not generally monitored separately. Individual factors can, however, require special measuring points; the availability of the text messaging gateway is checked, for instance.
Conditions of use: Any costs for the two-factor authentication infrastructure are not included in the monthly service fees and must be covered separately by the customer. The customer is responsible for the rollout of infrastructure components for two-factor authentication, for example hard tokens or certificates.
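Both the Captive Portal (section 2.2.1) and the text-messaging second factor (section 2.2.4) rest on the same mechanism: a short code is sent out of band to the user's mobile number and must be echoed back before access is granted. The following Python is an added illustration of what a defensible verifier for that step has to get right; it is not USP's code and says nothing about how the service is actually built. The code length (6 digits), the validity period (5 minutes), the attempt limit (3), the class and function names, the telephone numbers and the recording SMS gateway are all constructed assumptions for the example.

```python
"""Illustrative SMS challenge-code verifier (not USP's implementation).

Shows the properties an out-of-band code check needs: an unpredictable
code, only a salted hash stored server-side, a short lifetime, a cap on
wrong guesses, constant-time comparison and single use. The SMS gateway
is a constructed stub that records messages instead of sending them.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # assumption: 6-digit numeric challenge
CODE_TTL_SECONDS = 300   # assumption: code valid for five minutes
MAX_ATTEMPTS = 3         # assumption: three wrong guesses invalidate it


@dataclass
class Challenge:
    salt: bytes            # per-code salt, so equal codes hash differently
    digest: bytes          # SHA-256(salt || code); the code itself is not kept
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


def _hash_code(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class SmsChallengeVerifier:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # callable(mobile_number, text)
        self._clock = clock         # injectable so expiry can be tested
        self._pending = {}          # mobile_number -> Challenge

    def issue(self, mobile_number: str) -> None:
        # secrets, not random: the code must not be guessable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[mobile_number] = Challenge(
            salt=salt, digest=_hash_code(salt, code),
            expires_at=self._clock() + CODE_TTL_SECONDS)
        self._send_sms(mobile_number, f"Your verification code is {code}")

    def verify(self, mobile_number: str, submitted: str) -> bool:
        ch = self._pending.get(mobile_number)
        if ch is None or ch.used:
            return False
        if self._clock() > ch.expires_at or ch.attempts_left <= 0:
            # Expired or exhausted: discard, a retry needs a fresh code.
            self._pending.pop(mobile_number, None)
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.digest, _hash_code(ch.salt, submitted))
        if ok:
            ch.used = True  # single use: replaying the same code fails
        return ok


class GuestRegistry:
    """Minimal captive-portal state: network access only after the mobile
    number given at registration has been verified."""
    def __init__(self, verifier: SmsChallengeVerifier):
        self._verifier = verifier
        self._guests = {}  # mobile_number -> {"name": ..., "verified": bool}

    def register(self, name: str, mobile_number: str) -> None:
        self._guests[mobile_number] = {"name": name, "verified": False}
        self._verifier.issue(mobile_number)

    def confirm(self, mobile_number: str, code: str) -> bool:
        ok = self._verifier.verify(mobile_number, code)
        if ok:
            self._guests[mobile_number]["verified"] = True
        return ok

    def may_use_network(self, mobile_number: str) -> bool:
        g = self._guests.get(mobile_number)
        return bool(g and g["verified"])


class RecordingGateway:
    """Constructed stand-in for the SMS gateway: keeps the messages."""
    def __init__(self):
        self.sent = []

    def __call__(self, number: str, text: str) -> None:
        self.sent.append((number, text))

    def last_code(self, number: str):
        for n, t in reversed(self.sent):
            if n == number:
                return t.rsplit(" ", 1)[1]
        return None


def demo() -> dict:
    """Walk a guest through the flow and exercise the failure modes."""
    gw = RecordingGateway()
    clock = [1_000_000.0]  # constructed fake clock, seconds
    reg = GuestRegistry(SmsChallengeVerifier(gw, clock=lambda: clock[0]))
    reg.register("Guest One", "+41790000000")
    code = gw.last_code("+41790000000")
    wrong = "000000" if code != "000000" else "111111"
    results = {
        "before_verify": reg.may_use_network("+41790000000"),
        "wrong_code": reg.confirm("+41790000000", wrong),
        "right_code": reg.confirm("+41790000000", code),
        "after_verify": reg.may_use_network("+41790000000"),
        "replay": reg.confirm("+41790000000", code),
    }
    reg.register("Guest Two", "+41790000001")       # code left to expire
    code2 = gw.last_code("+41790000001")
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = reg.confirm("+41790000001", code2)
    reg.register("Guest Three", "+41790000002")     # guesses exhausted
    code3 = gw.last_code("+41790000002")
    wrong3 = "000000" if code3 != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        reg.confirm("+41790000002", wrong3)
    results["exhausted"] = reg.confirm("+41790000002", code3)
    return results


if __name__ == "__main__":
    print(demo())
```

The verifier keeps only a salted hash of each code, so the challenge store is not a list of live codes; the attempt cap and the five-minute lifetime bound what a guess against a six-digit code can achieve; and marking a code as used means the same text message cannot authenticate twice. The `Challenge` store would be a database with the same fields in a real deployment.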
2.2.5 Test Instance
Operation of an additional instance which is not used in production.
Name of the service option: Non-Prod Licence
Abbreviation: MSS-WA-TEST
Usage parameter: The service option is assessed on the basis of the number of instances.
Description: This option operates another instance of the Web Authentication infrastructure. The additional instance is not used operationally and can thus be used, for example, as a test or development environment. The additional instance will be equipped with the same options as the operational instances.
Benefits: By using a non-operational instance, changes can be tested in an environment similar to production before they are implemented. The risk of an error in a subsequent live implementation of amendments on the production environment is considerably reduced by the option of first testing modifications on a non-operational environment.
Key Performance Indicators (KPIs): Test instances are operated on a best-effort level during office hours, whatever the SLA for the basic service. This option has no particular KPIs.
Reporting: No reports are prepared for test instances.
Measuring points: The availability of the instance will be monitored.
Conditions of use: MSS-WA-TEST is not offered until at least two operational instances have been procured.
2.2.6 SMS Flat
The SMS messages required for the SMS token are made available through this option.
Name of the service option: SMS Flat
Abbreviation: MSS-WA-SMS
Usage parameter: The service option is included on the basis of the number of SMS messages included. The following numbers are possible:
- 1000 SMS
- 2000 SMS
- 5000 SMS
- 10000 SMS
Description: A predefined number of SMS messages is procured in advance through this option. The procurement of the SMS messages is not restricted in time.
Benefits: This option makes the costs for sending the required SMS messages easy to calculate.
Key Performance Indicators (KPIs): This option has no influence on compliance with the SLA.
Reporting: The number of text messages sent is reported in the monthly reporting.
Measuring points: No additional measuring points are introduced for this option.
3 ADDITIONAL DOCUMENTS
The present document describes the functional scope of USP's Web Authentication service. General information on the Service Level Agreement and on operation may be found in the additional documents.
Service management and SL catalogue: This document contains all the information relating to the Service Level Agreement parameters. It defines the support processes and collaboration obligations, for instance, along with operating hours and availability guarantees.
Services catalogue: The services catalogue defines the operation tasks and the standard changes. The document also describes the processes by which the corresponding changes can be triggered in a qualified fashion.
Price list: The prices of all services and options are laid down in the price list.
4 DISCLAIMER
This document is the intellectual property of USP AG and may not be copied, reproduced, handed on or used for execution without its permission. Unauthorized use is punishable in accordance with section 23 in conjunction with section 5 of the Swiss Federal Act against Unfair Competition. This work is protected under copyright. The rights consequently justified, particularly of translation, reproduction, the use of illustrations, distribution by photomechanical or other means and storage in data processing systems, even in extract, remain reserved. The functions, data and illustrations described in this documentation are applicable with the reservation that amendment is possible at any time. They are provided for better understanding of the material, without claiming completeness and correctness in detail. The programs described in this document are only provided on the basis of a valid licence agreement with USP AG and can only be used in compliance with the conditions laid down in the licence agreement.
USP's General Terms and Conditions shall apply unless higher-ranking provisions apply.