Standards and interoperability
Standards and authentication adapters are the two key focal areas for this Identity Platform 2021.2 release.
Ubisecure has supported the OpenID Connect (OIDC) framework for many years. This connection workflow uses lightweight secure JSON tokens, in place of SAML’s heavier XML messages, as a method for integrating two or more applications with each other. Using OIDC for modern mobile applications and single webpage applications helps to ensure security while keeping connections smooth and responsive.
To demonstrate that we follow the specification and adhere to the OpenID Connect standards, we have completed the conformance test with our Identity Service 2021.2 and applied for formal certification. The OpenID Foundation supports many different profiles, the most commonly used and the one that we certified for is the Basic OpenID Profile. From this link you will find the information published by the OpenID Foundation on our certification.
Another standard that we have been supporting even before the finalisation of the specification is the Client Initiated Backchannel Authentication or CIBA Core 1.0. CIBA enables the smooth integration of a wide range of modern authenticator use cases – typically where the authentication is performed on a different device to the one you are trying to access.
We initially announced our pre-spec CIBA authenticator with our Swedish BankID Adapter in the summer release of 2018. Since there have been minor changes to the final CIBA specification and updates to the Swedish BankID authentication method, we have made a few updates to our implementation. With this release the Identity Platform is up to date with the current OpenID Connect Client Initiated Backchannel Authentication specifications provided by the OpenID Foundation, and will provide future possibilities for customers to develop their own CIBA adapter against our SSO.
For our Swedish customers, we have tested and verified that Freja eID can be safely integrated and supported in our IDS 2021.2 release. This provides yet another possibility for customers to choose how they authenticate to, and access, your services. To get more information and try out Freja eID, please follow our instructions on how to configure this in SSO.
Easier OpenID Connect configurations
Administrators are now able to view and configure their OpenID Connect methods directly in the SSO Management UI, meaning no more switching between API calls and UI menus. This will help Administrators to set up, view and debug OpenID Connect methods in their systems.
After creating a new method, there is a configuration tab available in the method view where Administrators are asked to input needed information. Detailed installation instructions can be found on our Developer Portal.
CIBA as 2FA
With CIBA Core 1.0, if your system does use an external authenticator, like Swedish BankID, you can now use that CIBA-based external authenticator as a step-up method for your registered users. This provides added security, for example to your more critical applications that handle personal or monetary information.
The new SPI OpenID Connect CIBA is configured in similar way as our rebranded Unregistered OpenID Connect CIBA (previously named Backchannel Authentication Adapter). To enable the step-up method, a mapping towards your registered users is needed. For example, in the case of Swedish BankID the mapping should be done against the Swedish personnummer (social security number/SSN) through SSO’s Directory User Mapping.
Enhanced step-up user experience
In connection to the added CIBA 2FA method, we have enhanced the usability of all the SPI methods (step-up methods). Previously, if there was only a single step-up method configured for an application, the user still needed to select that one, hit next and then offer their 2FA input. With this release, if there is only one 2FA present in the user profile, then the user is automatically redirected to the available step-up method and does not need to do any extra selections. If there are multiple methods to choose between, they will still be presented with the choices and the user can choose which fits best for that specific login.
Insights to your application usage
Within our Accounting & Statistics Service, we have included more detailed information that can be collected from your accounting records found within the PostgreSQL database. Via new API calls, an administrator can access near real-time information that displays the configured methods and which applications are being accessed. This information can be used to see the most active applications, during a day or during certain hours. The output is returned in JSON format that can be utilised in your monitoring system to detect any anomalies. The userIDs are still pseudonymised, so it is not possible to track individual users, while still being sure that you are seeing total unique user counts on each integrated application.
Most secure software to date
With the above noted items – OpenID certification, CIBA improvements, added authentication method with Freja eID, as well as our continuous updates to our 3rd party libraries and dependencies – we are committed to make sure that the software delivered to you, our customers, is up to date, reviewed and tested to make sure that there are as few vulnerabilities included as possible.
For a full list of features, enhancements and corrections, please see https://developer.ubisecure.com/docs/display/IDS20212/Identity+Server+2021.2+Release+Notes
Head over to https://www.ubisecure.com/developers/ to download the latest version of Ubisecure Identity Platform.