Blitz Identity Provider functional specification
Product overview
Blitz Identity Provider provides Internet users access to company websites and mobile applications, as well as employee access to internal company resources and cloud services.
Key features of Blitz Identity Provider:
providing a single end-to-end user login to applications (Single Sign-On);
two-factor authentication;
configurable user interface of the login, registration, access recovery, account management pages;
login using external identity providers: login using social network accounts, federated login using external identity providers;
checking access rights for user logins to applications;
verification of user and application access rights using REST-services;
logging of access history and account activities.
Specification
Single Sign On technologies

| Functions group | Functions |
|---|---|
| OpenID Connect and OAuth 2.0 | RFC 6749 “The OAuth 2.0 Authorization Framework” |
| | OpenID Connect Core 1.0 |
| | Sending user attributes as part of id_token/access_token in JSON Web Token (JWT) format |
| | Configurable REST service UserInfo; the returned attributes are customizable depending on scope |
| | RFC 7636 “Proof Key for Code Exchange by OAuth Public Clients” |
| | RFC 7662 “OAuth 2.0 Token Introspection” |
| | RFC 7591 “OAuth 2.0 Dynamic Client Registration Protocol” |
| | RFC 7592 “OAuth 2.0 Dynamic Client Registration Management Protocol” |
| | RFC 8252 “OAuth 2.0 for Native Apps” |
| | RFC 8414 “OAuth 2.0 Authorization Server Metadata” |
| | OpenID Connect RP-Initiated Logout 1.0 |
| | OpenID Connect Front-Channel Logout 1.0 |
| | OpenID Connect Back-Channel Logout 1.0 |
| SAML | SAML Web Browser SSO Profile |
| | SAML Single Logout Profile |
| RADIUS | RFC 2865 “Remote Authentication Dial In User Service (RADIUS)” |
| WS-Federation | WS-Federation (to connect Microsoft applications) |
| Proxy SSO | Connection of web applications that receive session status from HTTP headers and cookies |
| | Ability to send the user account login/password to a proxied web application that has no native SSO support |
| Other | Single Sign-On works between applications connected to the IdP using any supported technology (for example, SSO between OpenID Connect and SAML applications) |
| | Supports SSO login using Kerberos |
| | Supports SSO with IBM applications using Ltpa2Token for Single Sign-On |
Identification and authentication

| Functions group | Functions |
|---|---|
| Logging in using login and password | Login/password verification during authentication |
| | Ability to use several identifiers (phone, email, login) as the login simultaneously and to enter the login in different formats (e.g. phone as +7…, 8…, with different brackets, hyphens, spaces) |
| | Remembering the login if the user has logged in from the device before |
| | Remembering multiple users on the device. Ability to switch the current user account without having to log out |
| | Handling the “password must be changed” event at login. Changing the password during login |
| | Verifying the password for compliance with the current password policy during login. Recommendation to change the password |
| | Built-in protection against password brute force (trying to brute force passwords for one account) and login brute force (trying to brute force a password for a set of accounts): |
| | User notification when attempting to log in with a recently changed password |
| Logging in based on session | User identification based on domain login (Kerberos) |
| | Ability to connect login simultaneously to multiple domains and provide end-to-end login for users from different domains |
| | Ability to configure that OS session-based login applies only to logins from internal networks and PCs, but not to mobile app logins and logins from outside the internal network |
| Logging in via social network account/external identity provider | Social networks and external identity providers that support user login without the need to edit or code connectors: Apple ID, Google, Facebook [1]. |
| | Logging in via an external identity provider with OIDC support |
| | Logging in via an external identity provider with SAML support |
| | Account matching/registration during initial login via a social network |
| | Ability to bind multiple external provider accounts simultaneously to a single user account |
| | Ability to bind multiple user accounts simultaneously to a single external provider account |
| | Ability to program your own algorithm for account binding and attribute matching |
| Logging in based on remembered device | Automated identification of the user if he/she has logged in from that device before and agreed to remember the login |
| | Allows the user to track which devices have remembered their login and to log out from those devices |
| | Automatic logout from remembered devices if the user changes/recovers the password |
| Automatic identification by session properties | Automatic identification of the user by session properties. All session properties that can be defined by the Customer and provided to Blitz Identity Provider are supported. Flexible method configuration and full customization of interface texts. |
| Logging in via WebAuthn, Passkey, FIDO2 | Logging in via platform-independent FIDO2 security keys |
| | Logging in via platform-specific Passkey / FIDO2 security keys: Windows Hello (PIN code, fingerprint), Passkey, password or Touch ID on a MacBook, Passkey, Face ID or Touch ID of an iOS or Android smartphone or tablet |
| Logging in via smart card / USB key | Logging in via qualified electronic signature |
| | Supported user OS: Windows 8.1/10/11, macOS 10.13/10.14/10.15/11/12/13, Linux Debian 9, Ubuntu 18. |
| | Supported browsers: Internet Explorer 11, Chrome, Firefox. |
| | Account matching/registration during initial login based on data from the qualified electronic signature certificate |
| | Ability to verify signature/certificate validity using built-in software features |
| | Ability to verify signature/certificate validity via an external verification service |
| Two-factor authentication | Login confirmation with a one-time password sent by SMS (the SMS gateway is provided by the Customer) |
| | Login confirmation with a one-time password sent by email |
| | Login confirmation with a one-time password from a TOTP application (RFC 6238 “TOTP: Time-Based One-Time Password Algorithm”) |
| | Login confirmation with a one-time password from a hardware keyfob. Support for HOTP keyfobs (RFC 4226 “HOTP: An HMAC-Based One-Time Password Algorithm”). The keyfobs are provided by the Customer |
| | Login confirmation with a WebAuthn, Passkey, FIDO2 security key |
| | Login confirmation with a U2F security key |
| | Login confirmation by one-time password in a push notification in the Customer’s mobile application (the push notification service and the mobile application are provided by the Customer) |
| | Login confirmation with Flash Call |
| Other | Ability for the Customer to add their own authentication method |
| | Ability for the Customer to customize the appearance of the login page separately for each application |
| | Providing an API that allows mobile apps to register a login event and receive security tokens when using PIN, Touch ID and Face ID logins |
| | Blocking accounts in case of long inactivity |
| | Prohibition of deleted account ID reuse within a specified time |
| | Ability to analyze user geodata |
Logout

| Functions group | Functions |
|---|---|
| Logout | Ending the user session when the user logs out |
| | Ending the user session when the user’s password changes in another session, or when resetting/recovering the user’s password |
| | Limitation on acceptable links to return to the application after successful logout |
| | Application notification of a single logout via browser (front channel) |
| | Application notification of a single logout via server (back channel) |
Access control

| Functions group | Functions |
|---|---|
| Access control | Verifying access rules when a user logs into applications. Verifying user access rights, membership in user groups, attributes with required values |
| | Verifying access rules when applications call protected REST services via Blitz Keeper (API Security Gateway) |
Account management

| Functions group | Functions |
|---|---|
| Registration | Customizable self-registration web application. You can customize the set of attributes to be filled in by the user during registration, email/phone confirmation requirements, the appearance of the registration page, and calls to the Customer’s verification services |
| | You can configure different user self-service web application settings for different scenarios in which registration is invoked |
| | The ability to invoke an external registration application and pass it the login information and data obtained from an external provider during the login process |
| | After successful registration, the user automatically logs in to the application that originally initiated the registration procedure |
| | CAPTCHA verification (reCAPTCHA or another service chosen by the Customer) |
| Account security settings | A web application that allows the user to self-manage his/her account security settings: |
| | Providing an API to embed all of the above account security management features in an external web application |
| Forgotten password recovery | A web application that allows the user to recover a forgotten password with email or mobile confirmation |
| | Additional checks during password recovery for an account on which two-factor authentication is enabled |
| | After successful password recovery, the user automatically logs in to the application that originally initiated the recovery procedure |
| | CAPTCHA verification (reCAPTCHA or another service chosen by the Customer) |
| Account actions at login | Ability to set a phone number (if not present) in the account at login time or to confirm that the phone number is still current (when it is time to confirm this) |
| | Ability to set an email address (if missing) in the account at login time or to confirm that the email address is still current (when it is time to confirm this) |
| | Ability to issue a Passkey at the moment of login (set up Face ID / Touch ID login) |
| | Ability to show the user an announcement |
| | Ability to request consent from the user |
| | Ability to request the user to fill in a text attribute |
| | Ability to ask a security question at the moment of login |
| | Ability to build your own business process of interaction with the user at login to the application (e.g., display an informational message to the user in some situations or request to lead something) |
| Password policies | Password verification for compliance with password policies: minimum length, alphabet requirements, prohibition of dictionary passwords, no repeated passwords, expiration validation |
Advanced features

| Functions group | Functions |
|---|---|
| Customization of the operating logic using Java programming | Setting user login rules for applications through login and registration procedures |
| | Customization of data storage operations |
Monitoring and auditing

| Functions group | Functions |
|---|---|
| Alerts users about security events | Notification of users about security events involving their accounts: login from an unusual device, password change (changed by the user, reset by an administrator, reset through password recovery), binding to a social network, enabling/disabling two-factor authentication |
| | Ability to configure notification events and notification texts for SMS and email |
| Security events logging | Logging of successful and unsuccessful security events involving the account: login events, registration, changes of security settings, password recovery. Both user-initiated and administrator-initiated actions should be logged |
| | Matching IP addresses to geodata in events and notifications (the geodata database in mmdb format is provided by the Customer) |
| | Administrator interface for searching/viewing security events |
| | Logging security events: to the database, to a log file, to Kafka |
| Monitoring | Ability to invoke metrics and statistics collection systems and antifraud systems at user login |
| | Ability to monitor components from an external monitoring system (Zabbix and similar). Ability to provide Prometheus metrics |
| | Grafana dashboard templates and Prometheus job definitions are available |
| Queues | Ability to queue RabbitMQ events associated with user accounts and access groups |
| | Ability to send security events to Kafka |
Administration

| Functions group | Functions |
|---|---|
| Administration | Admin web application: |
| | Admin interface in English and Russian |
| | Ability to add additional languages |