Fortanix Armor Identity and Access Management (IAM)

1.0 Introduction

This article provides an overview of the Fortanix Armor Identity and Access Management (IAM) solution and the associated functionalities – Users, Groups, and Authentication management.

2.0 Overview

The Identity and Access Management (IAM) service integrates seamlessly with the Fortanix Armor platform to provide secure and centralized user and access management for Fortanix products or services.

User and Access Management (UAM) helps manage user identities and their access to resources within Fortanix Armor. This also encompasses processes, policies, and technologies aimed at effectively provisioning, managing, and revoking user accounts and their access privileges.

Implementing IAM offers numerous advantages for organizations in terms of security, compliance, efficiency, and user experience.
Here are some key benefits:

• Enhanced Security: Fortanix Armor IAM helps improve security by ensuring that only authorized individuals and systems have access to resources. It reduces the risk of unauthorized access, data breaches, and insider threats by enforcing strong authentication, access controls, and least privilege principles.

• Reduced Risk: By centralizing user and group access controls, IAM helps organizations mitigate security risks associated with weak passwords, identity theft, and unauthorized access. It provides visibility into user activities and enables organizations to detect and respond to suspicious behavior more effectively.

• Compliance: IAM solutions help organizations comply with regulatory requirements and industry standards by enforcing access controls, auditing user activities, and maintaining detailed audit trails.

• Improved Operational Efficiency: IAM streamlines user provisioning, management, and de-provisioning processes, reducing administrative overhead and ensuring consistency across the organization. Automated workflows, self-service capabilities and role-based access controls help improve efficiency and productivity.

• Scalability and Flexibility: IAM solutions are designed to scale with the growing needs of organizations, supporting many users, devices, and applications across diverse environments. They are adaptable to changing business requirements and can integrate with existing IT systems and cloud services.

• Centralized Management: IAM provides a centralized platform for managing user identities and access controls across the organization. This simplifies administration, improves visibility, and enables consistent enforcement of security policies and access controls.

This article provides an overview of the Fortanix Armor IAM solution, including functionalities such as Users and Groups management.

3.0 Users

User management is the process of creating, modifying, and maintaining user accounts within Fortanix Armor. It involves tasks such as account provisioning and user lifecycle management.

The following are some of the key aspects of user management:

• User Provisioning: This involves creating new user accounts and granting them access to the necessary resources based on their roles and responsibilities within the platform. User provisioning may include assigning usernames, email addresses, passwords, and access privileges.

• User Lifecycle Management: User lifecycle management involves managing user accounts throughout their lifecycle, from creation to deletion. This includes tasks such as account activation, suspension, password resets, role changes, and account de-provisioning when users leave the platform or change roles.

• Access Control: Access control mechanisms ensure that users only have access to the resources and data necessary to perform their job functions. This includes enforcing the principle of least privilege, where users are granted the minimum level of access required to fulfill their duties.

3.1 List Users Associated with Your Account

To list the users on your account:

1. Navigate to Fortanix IAM → Users.

2. On the Users page, the list of users that are part of your selected account will be displayed. For each user, you can view the following information:

   • NAME: Name of the user. By default, your profile will be listed as <Your User Profile Name (You)>. For example, Demo User (You).

   • EMAIL: Email ID of the user.

   • ROLE: The role assigned to the user. The available roles are Account Administrator, Account Member, or Account Auditor. An Account Auditor can view data but cannot edit it. An Account Member can view and edit data. An Account Administrator can view and edit data, as well as manage the account and its members.
     Refer to the following table to understand more about the available roles and permissions for Fortanix Fortanix Key Insight:

     ACTION	ACCOUNT AUDITOR	ACCOUNT MEMBER	ACCOUNT ADMINISTRATOR
     List Users	Yes	Yes	Yes
     List Groups	Yes	Yes	Yes
     Invite Users	No	No	Yes
     Create or Modify Group	No	Yes	Yes
     Key Insight Cloud Account Management	No	No	Yes

   • CREATED: User-created date and time.

   • LAST LOGIN: Last login date and time.

3. On the Users page, you can perform the following actions:

   • Search: Use this feature to search for a specific user in the list.

   • Invite User: Use this feature to add a new user to your Fortanix Armor account. Refer to “Section 3.2: Invite a User" for more details.

   • User Menu: Use this feature to copy the selected user ID, edit, and remove the selected user. Refer to “Section 3.3: Copy User ID", “Section 3.4: Edit User", and “Section 3.5: Remove User" for more details.

     

3.2 Invite a User

As an administrator of the account, you can invite a user to join your Fortanix Armor account.
Prerequisites:

• The email ID of the user is required.

• You need to be an account administrator to invite a user to an account.

To invite a new user,

1. On the Users page, click INVITE USER.

2. Fill in all the required details:

   • Email: The email of the user; the email is case-insensitive.

   • First name: User’s first name.

   • Last name: User’s last name.

   • Role: Select the role from Account Administrator, Account Viewer, or Account Editor.

     

     NOTE

     When you invite a user to an account,

     • In an Account Administrator role, the user will have the Administrator permissions mentioned in "Section 3.1: List Users Associated with the Account" and they cannot be removed from the group.

     • In a Account Member role, the user will have the Member permissions mentioned in "Section 3.1: List Users Associated with the Account" by default and they cannot be removed from the group.

     • In an Account Auditor role, the user will have the Auditor permissions mentioned in "Section 3.1: List Users Associated with the Account". These users can be removed from the group.

3. Click INVITE USER to invite the user. The invited user will get an email to join this account.

4. After the user accepts the invitation, during the next login, the user can see the Pending Invitations on the Accounts page on Fortanix Armor. The user must click ACCEPT to join the account.

   

5. After the user accepts the invitation to join the Fortanix Armor account, the user will be added to the Users list on your account.

3.3 Copy User ID

As an administrator of an account, you can copy the user ID of the user.
From the list of users, select a user to copy the ID and click the ellipses icon for the selected user. From this menu, click COPY USER ID to copy the ID to the Clipboard.

3.4 Edit User

As an administrator of an account, you can edit access within this account.
To perform this:

1. Click the Users menu item in the Fortanix IAM left navigation panel.

2. From the list of users, select a user to edit and click the ellipses icon for the selected user. From this menu, click EDIT USER to edit the user access details.

   

3. On the Edit User Permissions page, update the user’s role, and click UPDATE USER. The role will be updated accordingly.

   

3.5 Remove User

As an administrator of an account, you can remove a user from your account.

From the list of users, select a user to remove and click the ellipses icon for the selected user. From this menu, click REMOVE USER to remove that user from your account.

If selected, on the confirmation pop-up, click REMOVE to remove the selected user. After the user is removed, his role and the related permissions will also be revoked.

4.0 Groups

After configuring a cloud and on-premises connection on Fortanix Key Insight, a group with the same name will be created on the Fortanix IAM Groups page. For each group, you can view the group name and the creation time stamp.

For more details about configuring a connection, refer to User Guide: Fortanix Key Insight-Getting Started with Cloud Connection and User Guide: Fortanix Key Insight-Getting Started with On-Premises Connection.

4.1 Access Group Detailed View

On the Groups page, click any group to access its details.

• The GENERAL tab provides the following details:

  • The number of Users belonging to the group. You can also add a user to the group using. For more details, Refer to "Section 4.2: Update Group Permission for a User."

  • Available group labels if any. You can add or edit the labels for the group using the ADD OR EDIT LABELS option.

• The USERS tab lists all the users of the group. Only account administrators can remove users using this tab.

• • All users on the Fortanix Armor account with an account administrator role will be added to the groups by default as Group Administrators and they cannot be removed from the group.

  • All users on the Fortanix Armor account with an account auditor role will be added to the groups by default as Group Auditors. These users cannot be removed from the group.

  • All users on the Fortanix Armor account with an account member role must manually be added to a group as Group Administrator or Group Auditor. These users can be removed from the group. For more details, Refer to "Section 4.2: Update Group Permission for a User."

4.2 Update Group Permission for a User

Users with Account Member roles on the Fortanix IAM Users page must be manually added to a group as Group Administrator or Group Auditor using the following steps:

1. In the detailed view of a Fortanix IAM group, click the USERS tab.

2. On the Users page, click +USERS to add a new user.

   

3. In the ADD USERS form, select the user in the first column.

   

4. For the new user, select the appropriate group permission and click SAVE CHANGES to update the group permission.

   NOTE

   The new user's role will only be updated within the group.

   

4.3 Update a Group

To edit a group:

1. On the Groups page, click on any group.

2. Select EDIT GROUP for the group you want to edit.

3. In the Edit group form, make the necessary updates to the name, description, and label(s).

4. Click SAVE.

4.4 Remove a Group

To remove a group:

1. On the Groups page, click on any group.

2. Select REMOVE GROUP for the group you want to delete.

3. On the delete confirmation dialog box, click DELETE to remove the group from the Groups page.

5.0 Authentication

All users must authenticate to Fortanix Armor to use its functions. Users can authenticate with Fortanix Armor either using a password or Single Sign On (SSO), offering varying degrees of integration with existing enterprise IAM (Identity and Access Management) systems and security.

For more details on authenticating using a password and a single sign on, refer to the Fortanix Armor - Getting Started.

After authentication, a detailed access control system determines which entity is authorized to perform specific actions under particular conditions.

5.1 Access Authentication Details

To access the authentications configured for your account,

1. Navigate to the Identity and Access Management solution.

2. Select Authentication on the left navigation panel.

   

   The Authentication page has two sections:

   • Access Type

   • Single sign-on integrations

   NOTE

   Only the Account Administrator can set the access type and manage SSO integrations on Fortanix Armor.

5.2 Configure Permissions

You can configure permissions that govern access and authentication during the login process.

To update the permissions,

1. Click EDIT PERMISSIONS in the Access Type section.

2. On the Edit Permissions dialog box, select the appropriate option based on the requirement.

   • Only account administrators can login with password: If the SSO mechanism is misconfigured, account administrators on Fortanix Armor may be unable to log in. To avoid this issue, ensure to select this option when updating the SSO configuration. This allows account administrators to access the account with their password.

   • All roles can log in with password: If the SSO mechanism is misconfigured, select this option during SSO configuration to allow any user role to log in to the Fortanix Armor account using their local password. This option is selected by default.

   • No roles can log in with password: If the SSO mechanism is misconfigured, select this option during the SSO configuration, if you want no user role including the administrator to log in to the Fortanix Armor account using their local password when the SSO mechanism is misconfigured.

   NOTE

   You can only select the No roles can log in with password option if you have configured an OAuth SSO integration.

3. Click SAVE to update that permission.

5.3 Configure Two-factor Authentication (2FA) at Account Level

Two-factor authentication (2FA) in Fortanix Armor can be configured at the account level.

Perform the following steps to configure two-factor authentication (2FA) at the Fortanix Armor account level for password-based authentication:

1. Click UPDATE TWO FACTOR AUTH in the Access Type section.

2. On the Update Two Factor Authentication dialog box, enable Mandatory two-factor authentication for all team members toggle. This is disabled by default.

3. Click SAVE. After enabling 2FA, you can see the label Mandatory two-factor authentication for all team members:  in the Access Type section will be updated to Enabled.

After 2FA is enabled at the account level, every user within the account will be required to set up 2FA at the user level through the My Profile page. For more details on setting 2FA at user level, refer to the Fortanix Armor - Getting Started.

Enabling 2FA at both the account and user levels adds an extra layer of security, ensuring that only authorized users can access the account. Without completing this configuration, you will not be able to log in to Fortanix Armor.

5.4 Manage SSO Integrations

The Fortanix Armor accounts can be integrated with third-party Single Sign-On (SSO) providers. When an account is configured for SSO, users in that account will be able to log in with their SSO credentials.

You can manage the SSO integrations on the Single sign-on integrations section. Here, you can view the list of OAuth integrations configured for the selected account.

Additionally, you can perform the following:

• Add an OAuth integration

• Edit the details of an OAuth integration

• Delete an OAuth integration

5.4.1 Add an OAuth Integration

You must register Fortanix Armor with your IdP. When registering, provide the following information to your IdP:

• Application type: web application

• Redirect URL: https://<fortanix_armor_url>/oauth

  For example, https://armor.fortanix.com/oauth.

After you register your IdP, obtain the following information from your Identity Provider (IdP) to enable SSO using OAuth/Open ID Connect for your account:

• Client ID

• Client Secret

OpenID Connect / OAuth Identity Provider Requirements:

To use an OAuth / OpenID Connect IdP with Fortanix Armor, the IdP must:

• Support Authorization Code Flow described in OpenID Connect Core Specification.

• Support email scope.

• Provide user’s email address to Fortanix Armor in Token or UserInfo response.

• Provide non-encrypted ID token during Token response.

To add a new OAuth integration,

1. Click ADD OAUTH INTEGRATION in the Single sign-on integrations section.

2. On the Add OAuth Integration dialog box, add the following details about the OAuth provider:

   • Provider name

   • Logo URL (optional)

   • Authentication Method- Select any of the following based on what you have configured in your IdP.

     • Basic Authentication

     • POST Authentication

   • TLS configuration- Select any of the following based on your requirement:

     • Global Root CAs

     • Custom CA certificate

   • Client ID

   • Client Secret

   • Validate host: Enable Verify that the above host matches the host name in the server certificate check box if required.

   • Authorization Endpoint URL

   • Token Endpoint URL

   • User Info Endpoint URL (optional)

   Most of these parameters are published in a .well-known file provided by the identity providers. For example: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.

3. Click ADD OAUTH INTEGRATION to add the new integration for the selected Armor account.

Example:

Setting up OAuth Integration between Fortanix Armor and PingId

Perform the steps below to configure the OAuth integration between Fortanix Armor and PingId:

In Your PingId Environment:

1. Create an app of type "OIDC Web App".

2. Ensure the following settings:

   • On the "Configuration" tab:

     • "Token Endpoint Authentication Method" must match the authentication method you configure on Fortanix Armor.

       • If set to "Client Secret Basic" (the default value), select "Basic Authentication" in Fortanix Armor.

       • If set to "Client Secret Post", select "POST Authentication" in Fortanix Armor.

     • Redirect URIs must be set to https://armor.fortanix.com/oauth.

     • Leave all other settings at their default value. In particular, Response Type must be set to "Code" and Grant Type must be set to "Authorization Code" with PKCE Enforcement set to "OPTIONAL".

   • On the "Resources" tab:

     • Ensure the following scopes are allowed: "openid", "email", "profile".

3. Ensure the app is enabled to save all configurations.

In Your Armor Account's Authentication Settings:

Add a new OAuth integration with the following settings:

• Provider name: Enter the unique name.

• Logo URL: This is optional.

• Authentication Method: This must match the setting configured at PingId in Step 2 above.

• TLS configuration: Set this to Global Root CAs.

• Validate host: Enable this for security reasons.

• Client ID: Use the Client ID from the "Overview" tab of the PingId application.

• Client Secret: Use the Client Secret from the "Overview" tab of the PingId application.

• Authorization Endpoint URL: Use the Authorization URL from the "Overview" tab of the PingId application.

• User Info Endpoint URL: Use the User Info Endpoint from the "Overview" tab of the PingId application.

• Token Endpoint URL (Optional): Use the Token Endpoint from the "Overview" tab of the PingId application.

In addition to the above, any user who wishes to use PingId to authenticate with Fortanix Armor must have their "email" field in PingId set to match their username/email in Fortanix Armor.

5.4.2 Edit the OAuth Integration Details

To edit the OAuth configuration details:

1. On the Single sign-on integrations section, click on any OAuth integration.

2. On the Update OAuth Integration form, make the necessary updates to the required fields.

3. Click SAVE to update the new values.

5.4.3 Delete an OAuth Integration

To remove the OAuth integration:

1. On the Single sign-on integrations section, click on any OAuth integration.

2. On the delete confirmation dialog box, click DELETE to remove the OAuth integration from the selected Fortanix Armor account. This integration will also be removed next time you log in with SSO.