Blitz Identity Provider functional specification#

Single Sign On Technologies#

Functions group

Functions

OpenID Connect and OAuth 2.0

RFC 6749 “The OAuth 2.0 Authorization Framework”

OpenID Connect Core 1.0

Sending user attributes as claims in the id_token/access_token issued as a JSON Web Token (JWT)

Configurable UserInfo REST endpoint; the returned attributes can be customized depending on the requested scopes

RFC 7636 “Proof Key for Code Exchange by OAuth Public Clients”

RFC 7662 “OAuth 2.0 Token Introspection”

RFC 7591 “OAuth 2.0 Dynamic Client Registration Protocol”

RFC 7592 “OAuth 2.0 Dynamic Client Registration Management Protocol”

RFC 8252 “OAuth 2.0 for Native Apps”

RFC 8414 “OAuth 2.0 Authorization Server Metadata”

OpenID Connect RP-Initiated Logout 1.0

OpenID Connect Front-Channel Logout 1.0

OpenID Connect Back-Channel Logout 1.0

SAML

SAML Web Browser SSO Profile

SAML Single Logout Profile

RADIUS

RFC 2865 “Remote Authentication Dial In User Service (RADIUS)”

WS-Federation

WS-Federation (to connect Microsoft applications)

Proxy SSO

Connecting web applications that receive session status from HTTP headers and cookies

Ability to send the user account login/password to a proxied web application that has no native SSO support

Other

Single Sign-On works between applications that are connected to IDP using any supported technology (for example, SSO between OpenID Connect and SAML applications)

Supports SSO login using Kerberos

Supports SSO with IBM applications using LtpaToken2 for Single Sign-On

Identification and authentication#

Functions group

Functions

Logging in using login and password

Login/password verification during authentication

Ability to use several identifiers (phone, email, login) as the login simultaneously and to enter the login in different formats (e.g. phone as +7…, 8…, with or without brackets, hyphens and spaces)

Remembering the login if the user has logged in from the device before

Remembering multiple users on the device. Ability to switch the current user account without having to log out

Handling the “password must be changed” condition at login: the user changes the password during login

Verifying the password for compliance with the current password policy during login, with a recommendation to change it if it does not comply

Built-in protection against password brute force (guessing passwords for one account) and login brute force (guessing a password across a set of accounts):

  • CAPTCHA verification (reCAPTCHA or another service chosen by the Customer)

  • temporary blocking of password login for the account when brute force attempts are detected

  • slowing down user login (login delay; the browser solves a computationally expensive task, Proof of Work)

Notifying the user when an attempt is made to log in with a recently changed password

Logging in based on session

User identification based on domain login (Kerberos)

Ability to connect to multiple domains simultaneously and provide seamless login for users from different domains

Ability to configure OS session-based login so that it applies only to logins from internal networks and PCs, but not to mobile app logins or logins from outside the internal network

Logging in via social network account/external identity provider

Social networks and external identity providers whose users can log in without editing or coding connectors: Apple ID, Google, Facebook [1].

Logging in via an external identity provider with OIDC support

Logging in via an external identity provider with SAML support

Account matching/registration during initial login via a social network

Ability to bind multiple external provider accounts simultaneously to a single user account

Ability to bind multiple user accounts simultaneously to single external provider account

Ability to program your own algorithm for account binding and attribute matching

Logging in based on remembered device

Automatic identification of the user if they have logged in from that device before and agreed to remember the login

Allows the user to see which devices have remembered their login and to log out from those devices

Automatic logout from remembered devices if the user changes or recovers the password

Automatic identification by session properties

Automatic identification of the user by session properties. Any session properties that the Customer defines and provides to Blitz Identity Provider are supported. Flexible configuration of the method and full customization of interface texts.

Logging in via WebAuthn, Passkey, FIDO2

Logging in via platform-independent FIDO2 security keys

Logging in via platform-specific Passkey / FIDO2 authenticators: Windows Hello (PIN, fingerprint); Passkey, password or Touch ID on a MacBook; Passkey, Face ID or Touch ID on an iOS or Android smartphone or tablet

Logging in via smart card / USB key

Logging in via qualified electronic signature

Supported user OS: Windows 8.1/10/11; macOS 10.13/10.14/10.15/11/12/13; Linux: Debian 9, Ubuntu 18.

Supported browsers: Internet Explorer 11, Chrome, Firefox.

Account matching/registration during initial login based on data from the qualified electronic signature certificate

Ability to verify signature/certificate validity using built-in software features

Ability to verify signature/certificate validity via external verification service

Two-factor authentication

Login confirmation with a one-time password sent by SMS (the SMS gateway is provided by the Customer)

Login confirmation with a one-time password from email

Login confirmation with a one-time TOTP application password (RFC 6238 “TOTP: Time-Based One-Time Password Algorithm”)

Login confirmation with a one-time password from a hardware keyfob. Support for HOTP keyfobs (RFC 4226 “HOTP: An HMAC-Based One-Time Password Algorithm”). The keyfobs are provided by the Customer

Login confirmation with a WebAuthn / Passkey / FIDO2 security key

Login confirmation with U2F security key

Login confirmation by a one-time password in a push notification to the Customer’s mobile application (the push notification service and the mobile application are provided by the Customer)

Login confirmation with Flash Call

Other

Ability for a customer to add their own authentication method

Ability for a customer to customize the appearance of the login page separately for each application

Providing an API that allows mobile apps to register a login event and receive security tokens when logging in with PIN, Touch ID or Face ID

Blocking accounts after long inactivity

Prohibiting reuse of a deleted account ID within a specified period

Ability to analyze user geodata

Logout#

Functions group

Functions

Logout

Ending user session when user logs out

Ending the user session when the user’s password is changed in another session, or when the password is reset/recovered

Restricting the allowed links for returning to the application after successful logout

Notifying applications of a single logout via the browser (front channel)

Notifying applications of a single logout via the server (back channel)

Access control#

Functions group

Functions

Access control

Verifying access rules when a user logs in to applications: user access rights, membership in user groups, attributes with required values

Verifying access rules when applications call protected REST services via Blitz Keeper (API Security Gateway)

Account management#

Functions group

Functions

Registration

Customizable self-registration web application. You can customize the set of attributes to be filled in by the user during registration, the email/phone confirmation requirements and the appearance of the registration page, and call the Customer’s verification services

Different settings of the user self-service web application can be configured for different scenarios of invoking registration

Ability to invoke an external registration application and pass it the login information and the data obtained from an external provider during login

After successful registration, the user is automatically logged in to the application that originally initiated the registration procedure

CAPTCHA verification (reCAPTCHA or other service chosen by the Customer)

Account security settings

A web application that allows the user to self-manage their account security settings:

  • ability to change the password;

  • ability to edit some attributes, including editing the phone number with confirmation via SMS code and editing the email address with confirmation via a code or link sent by email;

  • ability to set up two-factor authentication for the account;

  • ability to view/edit the list of remembered devices and the bound accounts of external login providers;

  • ability to view security events for the account.

Providing an API to embed all of the above account security management features in an external web application

Forgotten password recovery

A web application that allows the user to recover a forgotten password with email or mobile phone confirmation

Additional checks during password recovery for an account with two-factor authentication enabled

After successful password recovery, the user is automatically logged in to the application that originally initiated the recovery procedure

CAPTCHA verification (reCAPTCHA or other service chosen by the Customer)

Account actions at login

Ability to set a phone number (if missing) in the account at login time or to confirm that the phone number is still current (when it is time to confirm)

Ability to set an email address (if missing) in the account at login time or to confirm that the email address is still current (when it is time to confirm)

Ability to issue a Passkey at login (set up Face ID / Touch ID login)

Ability to show the user an announcement

Ability to request consent from the user

Ability to request the user to fill in a text attribute

Ability to ask a security question at the moment of login

Ability to build your own business process of interaction with the user at login to the application (e.g., display an informational message to the user in some situations or request the user to enter something)

Password policies

Password verification for compliance with password policies: minimum length, character set requirements, prohibition of dictionary passwords, no reuse of previous passwords, expiration check

Advanced features#

Functions group

Functions

Customizing the processing logic using Java programming

Setting user login rules for applications via login and registration procedures

Customization of data storage operations

Monitoring and auditing#

Functions group

Functions

Alerts users about security events

Notifying users of security events on their accounts: login from an unusual device, password change (changed by the user, reset by an administrator, reset via password recovery), binding of a social network account, enabling/disabling two-factor authentication

Ability to configure notification events and notification texts for SMS and email

Security events logging

Logging successful and unsuccessful security events for the account: login events, registration, changes to security settings, password recovery. Both user-initiated and administrator-initiated actions are logged

Matching IP addresses to geodata in events and notifications (the geodata database in mmdb format is provided by the Customer)

Administrator interface for searching/viewing security events

Logging security events to the database, to a log file or to Kafka

Monitoring

Ability to call metrics and statistics collection systems and antifraud systems at user login

Ability to monitor components from an external monitoring system (Zabbix and similar). Ability to expose Prometheus metrics

Grafana dashboard templates and Prometheus job definitions are available

Queues

Ability to publish events associated with user accounts and access groups to RabbitMQ queues

Ability to send security events to Kafka

Administration#

Functions group

Functions

Administration

Admin web application:

  • configuring connected application settings (application parameters, allowed interaction modes, access control rules)

  • configuring user attributes and mapping attributes to an account store

  • configuring connection to LDAP-based account stores

  • configuring connection to arbitrary stores (the service is provided by the Customer)

  • support of simultaneous connection to multiple account stores

  • configuring identity/authentication methods and external login providers

  • configuring the connection to SMTP service and SMS gateway

  • support for role-based access to the administrator web application; different actions can be made available to different users

  • administration of web application registration settings, security settings, password recovery settings

  • user account administration (search, view, manage attributes, two-factor authentication settings, bindings of remembered devices and social network accounts, remembered user browsers, reset sessions, reset password, lock/unlock account, manage security keys, manage membership in user groups, assign/revoke access rights)

  • administration of user groups, management of user group memberships

  • configuring login page themes for web applications

  • viewing and filtering of logged security events

  • ability to enter admin web application via SSO

Admin interface in English and Russian; ability to add additional languages