Blitz Identity Provider functional specification#

Account management#

Functions group

Functions

Registration

Customizable self-registration web application. You can customize the set of attributes to be filled in by the user during registration, email/phone confirmation requirements, customize the appearance of the registration page, call the Customer’s verification services

You can configure different user self-service login web application settings for different scenarios of registration invoke

The ability to invoke an external registration application and pass it the login information and data obtained from an external provider during the login process

After successful registration, the user automatically logs in to the application, that originally initiated the registration procedure

CAPTCHA verification (reCAPTCHA or other service chosen by the Customer)

Account security settings

A web application that allows the user to self-manage his/her account security setting:

  • ability to change password;

  • ability to edit some attributes. Including the ability to edit phone number with confirmation via SMS code and the ability to edit email with confirmation via code/link via email;

  • ability to set up two-factor authentication for your user account;

  • ability to view/edit list of remembered devices, bound accounts of external login providers;

  • ability to view security events with your user account.

Providing an API to be able to embed all of the above features to manage account security settings in the external web application

Forgotten password recovery

A web application that allows to recover a forgotten password with email or mobile confirmation

Additional checks during password recovery from an account for which two-factor authentication is enabled

After successful password recovery, the user automatically logs in to the application, that originally initiated the recovery procedure

CAPTCHA verification (reCAPTCHA or other service chosen by the Customer)

Account actions when login

Ability to set a phone number (if not present) in the account at login time or confirm phone relevance (if it is time to confirm relevance)

Ability to set a phone number (if not present) in the account at login time or confirm phone relevance (if it is time to confirm relevance)

Ability to set an email address (if missing) in the account at login time or to confirm the relevance of the email address (if it is time to confirm relevance)

Ability to issue a Passkey at the moment of login (customize Face ID / Touch ID login)

Ability to show the user an announcement

Ability to request consent from the user

Ability to request the user to fill in a text attribute

Ability to ask a security question at the moment of login

Ability to build your own business process of interaction with the user at login to the application (e.g., display an informational message to the user in some situations or request to lead something)

Password policies

Password verification for compliance with password policies: minimum length, alphabetical requirements, prohibition of dictionary passwords, no duplicate passwords, expiration validation

Single Sign On technologies#

Functions group

Functions

OpenID Connect and OAuth 2.0

RFC 6749 “The OAuth 2.0 Authorization Framework”

OpenID Connect Core 1.0

Sending user attributes as part of id_token/access_token into JSON Web Token (JWT)

Configurable REST service UserInfo, customizable returned attributes depending on scope

RFC 7636 “Proof Key for Code Exchange by OAuth Public Clients”

RFC 7662 “OAuth 2.0 Token Introspection”

RFC 7591 “OAuth 2.0 Dynamic Client Registration Protocol”

RFC 7592 “OAuth 2.0 Dynamic Client Registration Management Protocol”

RFC 8252 “OAuth 2.0 for Native Apps”

RFC 8414 “OAuth 2.0 Authorization Server Metadata”

OpenID Connect RP-Initiated Logout 1.0

OpenID Connect Front-Channel Logout 1.0

OpenID Connect Back-Channel Logout 1.0

SAML

SAML Web Browser SSO Profile

SAML Single Logout Profile

RADIUS

RFC 2865 “Remote Authentication Dial In User Service (RADIUS)”

WS-Federation

WS-Federation (to connect Microsoft applications)

Proxy SSO

Connections of web applications receiving session status from HTTP headers and cookies

Supports ability to send user account login/password to proxy hosted web application, that doesn’t have default support for SSO connections

Other

Single Sign-On works between applications that are connected to IDP using any supported technology (for example, SSO between OpenID Connect and SAML applications)

Supports SSO login using Kerberos SSO

Supports SSO with IBM applications using Ltpa2Token for Single Sign-on

Identification and authentication#

Functions group

Functions

Logging in using login and password

Login/password verification during authentication

Ability to use several entities (phone, email, login) as login simultaneously and enter login in different formats (e.g. phone as +7…, 8…, with different brackets, hyphens, spaces)

Remembering login if user has logged in from device before

Remembering multiple users on the device. Ability to change the current user account without having to logout

Event handling “password must be changed” on login. Changing password during login

Verifying password for compliance with existing password policy during login. Recommendation to change password

Built-in protection against password brute force (trying to brute force passwords for one account) and login brute force (trying to brute force a password for a set of accounts):

  • CAPTCHA verification (reCAPTCHA or other service chosen by the Customer)

  • temporary blocking of login by account password in event of detecting brute force attempts

  • user login slowdown (login delay, browser solving a computationally complex task - Proof of Work)

User notification when attempting to login with a recently changed password

Logging in based on session

User identification based on domain login (Kerberos)

Capability to connect login simultaneously to multiple domains and provide end-to-end user login of from different domains

Capability to configure that OS session-based login applies only to logins from internal networks and PCs, but not for mobile app logins and logins outside of the internal network

Logging in via social network account/external identify provider

Social networks and external identity providers that support log in of users without the need to edit or code connectors: Apple ID, Google, Facebook [1].

Logging in via an external identity provider with OIDC support

Logging in via an external identity provider with SAML support

Account matching/registration during initial login via a social network

Ability to bind multiple external provider accounts simultaneously to a single user account

Ability to bind multiple user accounts simultaneously to single external provider account

Ability to program your own algorithm for account binding and attribute matching

Logging in based on remembered device

Automated identification of the user if the he/she has logged in from that device before and agreed to remember the login

Allows the user to track which devices have remembered their login and log out from those devices

Automatic logout from remembered devices if user changes/recovers password

Automatic identification by session properties

Automatic identification of the user by session properties. All properties are supported. sessions that can be defined by the Customer and provided in Blitz Identity Provider. Flexible method configuration and full customization of interface texts.

Logging in via WebAuthn, Passkey, FIDO2

Logging in via platform-independent security keys FIDO2

Logging in via platform-specific Passkey / FIDO2 security keys - Windows Hello (pin code, fingerprint), Passkey, password or Touch ID from MacBook, Passkey, Face ID or Touch ID of iOS or Android smartphone or tablet

Logging in via smart card / USB key

Logging in via qualified electronic signature

Supported User OS: Windows 8.1/10/11, macOS 10.13/10.14/10.15/11/12/13, Linux Debian 9, Ubuntu 18.

Supported browsers: Internet Explorer 11, Chrome, Firefox.

Account matching/registration during initial login based on data from qualified electronic signature certificate

Ability to verify signature/certificate validity using built-in software features

Ability to verify signature/certificate validity via external verification service

Two-factor authentication

Login confirmation with one-time password sent by SMS (SMS-gateway is provided by Customer)

Login confirmation with a one-time password from email

Login confirmation with a one-time TOTP application password (RFC 6238 “TOTP: Time-Based One-Time Password Algorithm”)

Login confirmation with a one-time password from the hardware keyfob. Support for HOTP keyfobs (RFC 4226 “HOTP: An HMAC-Based One-Time Password Algorithm”). The keyfobs are provided by the customer

Login confirmation with security key WebAuthn, Passkey, FIDO2

Login confirmation with U2F security key

Login confirmation by one-time password in push-notification in customer’s mobile application (service for sending push-notifications and mobile application are provided by the Customer)

Login confirmation with Flash Call

Other

Ability for a customer to add their own authentication method

Ability for a customer to customize the appearance of the login page separately for each application

Providing API, that allows mobile apps to register a login event and receive security tokens when using PIN, Touch ID and Face ID logins

Blocking accounts in case of long inactivity

Prohibition of deleted account ID reuse within a specified time

Ability to analyze user geodata

Logout#

Functions group

Functions

Logout

Ending user session when user logs out

Ending user session when the user’s password changes in another session, or when resetting/recovering the user’s password

Limitation on acceptable links to return to application after successful logout

Application notification of a single logout via browser (front channel)

Application notification of a single logout via server (back channel)

Access control#

Functions group

Functions

Access control

Verifying access rules when a user logs into applications. Verifying user access rights, membership in user groups, attributes with required values

Verifying access rules when applications call protected REST services via Blitz Keeper (API Security Gateway)

Advanced features#

Functions group

Functions

Customization of the logic of work using Java programming

Setting user login rules for applications through login and registration procedures

Customization of data storage operations

Monitoring and auditing#

Functions group

Functions

Alerts users about security events

Notification of users of security events with their accounts: login from an unusual device, password change (changed it yourself, password reset by administrator, password reset due to password recovery), binding to a social network, enabling/disabling two-factor authentication

Ability to configure notification events and notification texts for SMS and email

Security events logging

Logging of successful and unsuccessful security events with the account: login events, registration, change of security settings, password recovery. Both user-initiated and administrator-initiated actions should be logged

Logging of successful and unsuccessful security events with the account: login events, registration, change of security settings, password recovery. Both user-initiated and administrator-initiated actions should be logged

Matching IP-addresses to geodata in events and notifications (database in mmdb format with geodata is provided by the Customer)

Administrators interface for searching/viewing security events

Logging security events: to the database, to a log file, to Kafka

Monitoring

Ability to invoke metrics and statistics collection systems, antifraud systems at user login

Ability to monitor components from external monitoring system (Zabbix and similar). Ability to provide Prometheus metrics

Grafana dashboard templates and Prometheus job assignments are available

Queues

Ability to queue RabbitMQ events associated with user accounts and access groups

Ability to send security events to Kafka

Administration#

Functions group

Functions

Administration

Admin web application:

  • configuring connected application settings (application parameters, allowed interaction modes, access control rules)

  • configuring user attributes and mapping attributes to an account store

  • configuring connection to LDAP-based account stores

  • configuring connection to random stores (service is provided by the Customer)

  • support of simultaneous connection to multiple account stores

  • configuring identity/authentication methods and external login providers

  • configuring the connection to SMTP service and SMS gateway

  • support for role-based access for logging into the administrator web application. Ability to set different actions available for different users

  • administration of web application registration settings, security settings, password recovery settings

  • user account administration (search, view, manage attributes, two-factor authentication settings, bindings of memorized devices and social networks, memorized user browsers, reset sessions, reset password, lock/unlock account, manage security keys, manage membership in user groups, assign/revoke access rights)

  • administration of user groups, management of user group memberships

  • configuring web applications login page themes

  • viewing and filtering of logged security events

  • ability to enter admin web application via SSO

Admin interface in English and Russian

Ability to add additional languages