1.0 Introduction
1.1 Purpose
This article provides an overview of the Fortanix Armor Identity and Access Management (IAM) solution and the associated functionalities – Users, Groups, and Authentication management.
1.2 Intended Audience
This article is intended to be used by the Fortanix Armor administrators to manage users, groups, and authentication inside the Fortanix Armor platform.
2.0 Overview
The Identity and Access Management (IAM) service integrates seamlessly with the Fortanix Armor platform to provide secure and centralized user and access management for Fortanix products or services.
User and Access Management (UAM) helps manage user identities and their access to resources within Fortanix Armor. This also encompasses processes, policies, and technologies aimed at effectively provisioning, managing, and revoking user accounts and their access privileges.
Implementing IAM offers numerous advantages for organizations in terms of security, compliance, efficiency, and user experience.
Here are some key benefits:
Enhanced Security: Fortanix Armor IAM helps improve security by ensuring that only authorized individuals and systems have access to resources. It reduces the risk of unauthorized access, data breaches, and insider threats by enforcing strong authentication, access controls, and least privilege principles.
Reduced Risk: By centralizing user and group access controls, IAM helps organizations mitigate security risks associated with weak passwords, identity theft, and unauthorized access. It provides visibility into user activities and enables organizations to detect and respond to suspicious behavior more effectively.
Compliance: IAM solutions help organizations comply with regulatory requirements and industry standards by enforcing access controls, auditing user activities, and maintaining detailed audit trails.
Improved Operational Efficiency: IAM streamlines user provisioning, management, and de-provisioning processes, reducing administrative overhead and ensuring consistency across the organization. Automated workflows, self-service capabilities and role-based access controls help improve efficiency and productivity.
Scalability and Flexibility: IAM solutions are designed to scale with the growing needs of organizations, supporting many users, devices, and applications across diverse environments. They are adaptable to changing business requirements and can integrate with existing IT systems and cloud services.
Centralized Management: IAM provides a centralized platform for managing user identities and access controls across the organization. This simplifies administration, improves visibility, and enables consistent enforcement of security policies and access controls.
This article provides an overview of the Fortanix Armor IAM solution, including functionalities such as Users and Groups management.
3.0 Users
User management is the process of creating, modifying, and maintaining user accounts within Fortanix Armor. It involves tasks such as account provisioning and user lifecycle management.
The following are some of the key aspects of user management:
User Provisioning: This involves creating new user accounts and granting them access to the necessary resources based on their roles and responsibilities within the platform. User provisioning may include assigning usernames, email addresses, passwords, and access privileges.
User Lifecycle Management: User lifecycle management involves managing user accounts throughout their lifecycle, from creation to deletion. This includes tasks such as account activation, suspension, password resets, role changes, and account de-provisioning when users leave the platform or change roles.
Access Control: Access control mechanisms ensure that users only have access to the resources and data necessary to perform their job functions. This includes enforcing the principle of least privilege, where users are granted the minimum level of access required to fulfill their duties.
3.1 List Users Associated with Your Account
To list the users on your account:
Navigate to Fortanix IAM → Users.
On the Users page, the list of users that are part of your selected account will be displayed. For each user, you can view the following information:
NAME: Name of the user. By default, your profile will be listed as <Your User Profile Name (You)>. For example, Demo User (You).
EMAIL: Email ID of the user.
ROLE: The role assigned to the user. The available roles are Account Administrator, Account Member, or Account Auditor. An Account Auditor can view data but cannot edit it. An Account Member can view and edit data. An Account Administrator can view and edit data, as well as manage the account and its members.
Refer to the following table to understand more about the available roles and permissions for Fortanix Key Insight:

ACTION                               | ACCOUNT AUDITOR | ACCOUNT MEMBER | ACCOUNT ADMINISTRATOR
List Users                           | Yes             | Yes            | Yes
List Groups                          | Yes             | Yes            | Yes
Invite Users                         | No              | No             | Yes
Create or Modify Group               | No              | Yes            | Yes
Key Insight Cloud Account Management | No              | No             | Yes
CREATED: User-created date and time.
LAST LOGIN: Last login date and time.
On the Users page, you can perform the following actions:
Search: Use this feature to search for a specific user in the list.
Invite User: Use this feature to add a new user to your Fortanix Armor account. Refer to “Section 3.2: Invite a User" for more details.
User Menu: Use this feature to copy the selected user ID, edit, and remove the selected user. Refer to “Section 3.3: Copy User ID", “Section 3.4: Edit User", and “Section 3.5: Remove User" for more details.
Figure 1: Access List Of Users
3.2 Invite a User
As an administrator of the account, you can invite a user to join your Fortanix Armor account.
Prerequisites:
The email ID of the user is required.
You need to be an account administrator to invite a user to an account.
To invite a new user,
On the Users page, click INVITE USER.
Fill in all the required details:
Email: The email of the user; the email is case-insensitive.
First name: User’s first name.
Last name: User’s last name.
Role: Select the role from Account Administrator, Account Viewer, or Account Editor.
Figure 2: Invite a User to IAM
NOTE
When you invite a user to an account,
In an Account Administrator role, the user will have the Administrator permissions mentioned in "Section 3.1: List Users Associated with the Account" and they cannot be removed from the group.
In an Account Member role, the user will have the Member permissions mentioned in "Section 3.1: List Users Associated with the Account" by default and they cannot be removed from the group.
In an Account Auditor role, the user will have the Auditor permissions mentioned in "Section 3.1: List Users Associated with the Account". These users can be removed from the group.
Click INVITE USER to invite the user. The invited user will get an email to join this account.

Figure 3: Confirm to Join the Account
After the user accepts the invitation, during the next login, the user can see the Pending Invitations on the Accounts page on Fortanix Armor. The user must click ACCEPT to join the account.
Figure 4: Accept the Invitation
After the user accepts the invitation to join the Fortanix Armor account, the user will be added to the Users list on your account.
3.3 Copy User ID
As an administrator of an account, you can copy the user ID of the user.
From the list of users, select a user to copy the ID and click the ellipses icon for the selected user. From this menu, click COPY USER ID to copy the ID to the Clipboard.

Figure 5: Copy the User ID
3.4 Edit User
As an administrator of an account, you can edit a user's access within this account.
To perform this:
Click the Users menu item in the Fortanix IAM left navigation bar.
From the list of users, select a user to edit and click the ellipses icon for the selected user. From this menu, click EDIT USER to edit the user access details.
Figure 6: Edit a User
On the Edit User Permissions page, update the user’s role, and click UPDATE USER. The role will be updated accordingly.
Figure 7: Update User's Role
NOTE
If you want to edit your user profile, go to your user profile page instead. You can edit your own details like First Name and Last Name under the user profile. For more details, refer to User Guide: Fortanix Armor Getting Started Guide – Manage User Profile.
You can Leave Account if you no longer wish to continue with that account. For more details, refer to User Guide: Fortanix Armor Getting Started Guide.
3.5 Remove User
As an administrator of an account, you can remove a user from your account.
From the list of users, select a user to remove and click the ellipses icon for the selected user. From this menu, click REMOVE USER to remove that user from your account.

Figure 8: Remove the User from Your Account
On the confirmation pop-up, click REMOVE to remove the selected user. After the user is removed, their role and the related permissions are also revoked.

Figure 9: User Removal Confirmation
4.0 Groups
After configuring a cloud or on-premises connection on Fortanix Key Insight, a group with the same name is created on the Fortanix IAM Groups page. For each group, you can view the group name and the creation time stamp.
For more details about configuring a connection, refer to User Guide: Fortanix Key Insight-Getting Started with Cloud Connection and User Guide: Fortanix Key Insight-Getting Started with On-Premises Connection.

Figure 10: Access Groups
4.1 Access Group Detailed View
On the Groups page, click any group to access its details.

Figure 11: Access Group General Details
The GENERAL tab provides the following details:
The number of Users belonging to the group. You can also add a user to the group from this tab. For more details, refer to "Section 4.2: Update Group Permission for a User."
Available group labels if any. You can add or edit the labels for the group using the ADD OR EDIT LABELS option.
The USERS tab lists all the users of the group. Only account administrators can remove users using this tab.

Figure 12: Access Users in a Group
All users on the Fortanix Armor account with an account administrator role will be added to the groups by default as Group Administrators and they cannot be removed from the group.
All users on the Fortanix Armor account with an account auditor role will be added to the groups by default as Group Auditors. These users cannot be removed from the group.
All users on the Fortanix Armor account with an account member role must be manually added to a group as Group Administrator or Group Auditor. These users can be removed from the group. For more details, refer to "Section 4.2: Update Group Permission for a User."
4.2 Update Group Permission for a User
Users with Account Member roles on the Fortanix IAM Users page must be manually added to a group as Group Administrator or Group Auditor using the following steps:
In the detailed view of a Fortanix IAM group, click the USERS tab.
On the Users page, click +USERS to add a new user.
Figure 13: Access to Add a New User
In the ADD USERS form, select the user in the first column.
Figure 14: Select the New User
For the new user, select the appropriate group permission and click SAVE CHANGES to update the group permission.
Figure 15: Select the Role
4.3 Update a Group
To edit a group:
On the Groups page, click the ellipses icon on any group.
Select EDIT GROUP for the group you want to edit.
In the Edit group form, make the necessary updates to the name, description, and label(s).
Click SAVE.

Figure 16: Edit the Group
4.4 Remove a Group
To remove a group:
On the Groups page, click the ellipses icon on any group.
Select REMOVE GROUP for the group you want to delete.
On the delete confirmation dialog box, click DELETE to remove the group from the Groups page.

Figure 17: Delete a Group
5.0 Authentication
All users must authenticate to Fortanix Armor to use its functions. Users can authenticate with Fortanix Armor either using a password or Single Sign On (SSO), offering varying degrees of integration with existing enterprise IAM (Identity and Access Management) systems and security.
For more details on authenticating using a password or single sign-on, refer to the Fortanix Armor - Getting Started guide.
After authentication, a detailed access control system determines which entity is authorized to perform specific actions under particular conditions.
5.1 Access Authentication Details
To access the authentications configured for your account,
Navigate to the Identity and Access Management solution.
Select Authentication on the left navigation bar.
Figure 18: Access Authentication
The Authentication page has two sections:
Access Type
Single sign-on integrations
NOTE
Only the Account Administrator can set the access type and manage SSO integrations on Fortanix Armor.
5.2 Configure Permissions
You can configure permissions that govern access and authentication during the login process.
To update the permissions,
Click EDIT PERMISSIONS in the Access Type section.
On the Edit Permissions dialog box, select the appropriate option based on the requirement.
Only account administrators can login with password: If the SSO mechanism is misconfigured, account administrators on Fortanix Armor may be unable to log in. To avoid this, select this option when updating the SSO configuration so that account administrators can still access the account with their password.
All roles can log in with password: Select this option during SSO configuration to allow any user role to log in to the Fortanix Armor account using their local password if the SSO mechanism is misconfigured. This option is selected by default.
No roles can log in with password: Select this option during SSO configuration if no user role, including the administrator, should be able to log in to the Fortanix Armor account using their local password, even when the SSO mechanism is misconfigured.
NOTE
You can only select the No roles can log in with password option if you have configured an OAuth SSO integration.
Click SAVE to update that permission.

Figure 19: Configure the Permissions
5.3 Configure Two-factor Authentication (2FA) at Account Level
Two-factor authentication (2FA) in Fortanix Armor can be configured at the account level.
Perform the following steps to configure two-factor authentication (2FA) at the Fortanix Armor account level for password-based authentication:
Click UPDATE TWO FACTOR AUTH in the Access Type section.
On the Update Two Factor Authentication dialog box, enable Mandatory two-factor authentication for all team members toggle. This is disabled by default.
Click SAVE. After 2FA is enabled, the label Mandatory two-factor authentication for all team members: in the Access Type section is updated to Enabled.

Figure 20: Configure 2FA at Account Level
After 2FA is enabled at the account level, every user within the account will be required to set up 2FA at the user level through the My Profile page. For more details on setting 2FA at user level, refer to the Fortanix Armor - Getting Started.
Enabling 2FA at both the account and user levels adds an extra layer of security, ensuring that only authorized users can access the account. Without completing this configuration, you will not be able to log in to Fortanix Armor.
5.4 Manage SSO Integrations
The Fortanix Armor accounts can be integrated with third-party Single Sign-On (SSO) providers. When an account is configured for SSO, users in that account will be able to log in with their SSO credentials.
You can manage the SSO integrations on the Single sign-on integrations section. Here, you can view the list of OAuth integrations configured for the selected account.

Figure 21: Access SSO Integrations
Additionally, you can perform the following:
Add an OAuth integration
Edit the details of an OAuth integration
Delete an OAuth integration
5.4.1 Add an OAuth Integration
You must register Fortanix Armor with your IdP. When registering, provide the following information to your IdP:
Application type: web application
Redirect URL: https://<fortanix_armor_url>/oauth
For example, https://armor.fortanix.com/oauth.
After you register Fortanix Armor with your IdP, obtain the following information from your Identity Provider (IdP) to enable SSO using OAuth/OpenID Connect for your account:
Client ID
Client Secret
OpenID Connect / OAuth Identity Provider Requirements:
To use an OAuth / OpenID Connect IdP with Fortanix Armor, the IdP must:
Support Authorization Code Flow described in OpenID Connect Core Specification.
Support email scope.
Provide user’s email address to Fortanix Armor in Token or UserInfo response.
Provide non-encrypted ID token during Token response.
To add a new OAuth integration,
Click ADD OAUTH INTEGRATION in the Single sign-on integrations section.
On the Add OAuth Integration dialog box, add the following details about the OAuth provider:
Provider name
Logo URL (optional)
Authentication Method: Select any of the following based on what you have configured in your IdP.
Basic Authentication
POST Authentication
TLS configuration: Select any of the following based on your requirement:
Global Root CAs
Custom CA certificate
Client ID
Client Secret
Validate host: Select the Verify that the above host matches the host name in the server certificate check box if required.
Authorization Endpoint URL
Token Endpoint URL
User Info Endpoint URL (optional)
Most of these parameters are published in a .well-known file provided by the identity provider. For example: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.
Click ADD OAUTH INTEGRATION to add the new integration for the selected Armor account.

Figure 22: Add an OAuth Integration
Example:
Setting up OAuth Integration between Fortanix Armor and PingId
Perform the steps below to configure the OAuth integration between Fortanix Armor and PingId:
In Your PingId Environment:
Create an app of type "OIDC Web App".
Ensure the following settings:
On the "Configuration" tab:
"Token Endpoint Authentication Method" must match the authentication method you configure on Fortanix Armor.
If set to "Client Secret Basic" (the default value), select "Basic Authentication" in Fortanix Armor.
If set to "Client Secret Post", select "POST Authentication" in Fortanix Armor.
Redirect URIs must be set to https://armor.fortanix.com/oauth.
Leave all other settings at their default value. In particular, Response Type must be set to "Code" and Grant Type must be set to "Authorization Code" with PKCE Enforcement set to "OPTIONAL".
On the "Resources" tab:
Ensure the following scopes are allowed: "openid", "email", "profile".
Ensure the app is enabled to save all configurations.
In Your Armor Account's Authentication Settings:
Add a new OAuth integration with the following settings:
Provider name: Enter the unique name.
Logo URL: This is optional.
Authentication Method: This must match the setting configured at PingId in Step 2 above.
TLS configuration: Set this to Global Root CAs.
Validate host: Enable this for security reasons.
Client ID: Use the Client ID from the "Overview" tab of the PingId application.
Client Secret: Use the Client Secret from the "Overview" tab of the PingId application.
Authorization Endpoint URL: Use the Authorization URL from the "Overview" tab of the PingId application.
User Info Endpoint URL: Use the User Info Endpoint from the "Overview" tab of the PingId application.
Token Endpoint URL (Optional): Use the Token Endpoint from the "Overview" tab of the PingId application.
In addition to the above, any user who wishes to use PingId to authenticate with Fortanix Armor must have their "email" field in PingId set to match their username/email in Fortanix Armor.
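The following Python script is an added example, not Fortanix code: it reads an IdP's .well-known discovery document, checks it against the IdP requirements listed in Section 5.4.1 (Authorization Code Flow, email scope, a non-encrypted ID token, a usable token-endpoint authentication method) and returns the values to enter in the Add OAuth Integration form, using the same Basic/POST mapping as the PingId example above. The discovery document, its issuer and its endpoint URLs are constructed placeholders, not a real IdP.

```python
import json

# Constructed sample discovery document, shaped like a real
# /.well-known/openid-configuration response. All URLs are placeholders.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/as/authorize",
    "token_endpoint": "https://idp.example.com/as/token",
    "userinfo_endpoint": "https://idp.example.com/as/userinfo",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "scopes_supported": ["openid", "email", "profile"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Token-endpoint auth method names (OIDC discovery / PingId's "Token Endpoint
# Authentication Method") mapped to the Fortanix Armor "Authentication Method".
AUTH_METHOD_TO_ARMOR = {
    "client_secret_basic": "Basic Authentication",
    "client_secret_post": "POST Authentication",
}


def check_idp_for_armor(discovery_json, preferred_auth="client_secret_basic"):
    """Return (form_values, problems): the Add OAuth Integration fields derived
    from the discovery document and any requirement from the guide it fails."""
    doc = json.loads(discovery_json)
    problems = []
    # Requirement: Authorization Code Flow (response type "code", grant
    # "authorization_code"; the grant list defaults per the discovery spec).
    if "code" not in doc.get("response_types_supported", []):
        problems.append("Authorization Code Flow not supported: no 'code' response type")
    if "authorization_code" not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("authorization_code grant not supported")
    # Requirement: email scope, so Armor can obtain the user's email address.
    if "email" not in doc.get("scopes_supported", []):
        problems.append("'email' scope not advertised; Armor needs the user's email")
    # Requirement: a signed, non-encrypted ID token in the Token response.
    if doc.get("id_token_encryption_alg_values_supported") and not doc.get("id_token_signing_alg_values_supported"):
        problems.append("IdP appears to issue only encrypted ID tokens")
    # The chosen client authentication must be one Armor offers and the IdP allows.
    methods = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if preferred_auth not in methods or preferred_auth not in AUTH_METHOD_TO_ARMOR:
        problems.append(f"token endpoint auth method {preferred_auth!r} not usable")
    for key in ("authorization_endpoint", "token_endpoint"):
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
    form = {
        "Redirect URL to register at the IdP": "https://<fortanix_armor_url>/oauth",
        "Authentication Method": AUTH_METHOD_TO_ARMOR.get(preferred_auth),
        "Validate host": True,  # the guide recommends enabling this
        "Authorization Endpoint URL": doc.get("authorization_endpoint"),
        "Token Endpoint URL": doc.get("token_endpoint"),
        "User Info Endpoint URL": doc.get("userinfo_endpoint"),  # optional in Armor
    }
    return form, problems


if __name__ == "__main__":
    values, issues = check_idp_for_armor(SAMPLE_DISCOVERY)
    print(json.dumps(values, indent=2))
    print("Unmet requirements:", issues or "none")
```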
5.4.2 Edit the OAuth Integration Details
To edit the OAuth configuration details:
On the Single sign-on integrations section, click the ellipses icon on any OAuth integration.
On the Update OAuth Integration form, make the necessary updates to the required fields.
Click SAVE to update the new values.
5.4.3 Delete an OAuth Integration
To remove the OAuth integration:
On the Single sign-on integrations section, click the ellipses icon on any OAuth integration.
On the delete confirmation dialog box, click DELETE to remove the OAuth integration from the selected Fortanix Armor account. This integration will also be removed next time you log in with SSO.