Fortanix SDKMS provides access to its functions and APIs to two types of entities – humans (users), and machines (applications). There are many ways to authenticate to SDKMS for both users and applications, which vary in terms of ease of use, integration with existing enterprise IAM (Identity and Access Management Systems), and level of security. Once authenticated, there is an elaborate access control mechanism which controls which entity has authorization to perform which function under what conditions.
User Authentication Using Password
The following forms of password-based authentication are supported for users:
Username and password stored in SDKMS
This is done using the “log in without SSO” option.
- In the SDKMS login screen, select the option “LOG IN WITHOUT SSO”.
- Enter your password, and then click LOG IN.
Username and password stored in SDKMS along with second factor authentication
A U2F (Universal 2nd Factor) device, such as a YubiKey or a Google Titan Key, can be registered as a second factor in addition to the password. To configure this, follow the steps below:
- Click My profile to go to your profile settings.
- In the option for Two-step Authentication, click ENABLE to enable two-factor authentication.
Figure 4: Enable 2-Step Authentication
User Authentication Using SSO - Configuration
SDKMS accounts can be integrated with third-party Single Sign-On (SSO) providers. When an account is configured for SSO, users in that account can log in with their SSO credentials.
To set up SSO for your account:
- Log in as an administrator, click the Settings icon in the SDKMS UI, and then click the AUTHENTICATION tab on the Account Settings page.
- Select SINGLE SIGN-ON, and then add the desired SSO mechanism and provide the required configuration values.
Warning: Administrator lock-out: If the SSO mechanism is misconfigured, you will not be able to log in to your account. When updating the SSO configuration, make sure to select the Account administrators can log in with password option so that account administrators can continue to log in with a password and access the account.
Currently, the following SSO mechanism is available for users:
SSO using a third-party identity provider
The following protocols are supported:
- SAML
- OAuth / OpenID Connect
- LDAP
SAML
To configure user authentication using SAML, follow the steps below:
- In the Authentication page, select ADD SAML INTEGRATION to configure SAML.
- In the Add SAML Integration form, click UPLOAD A FILE to upload the configuration file (IdP metadata XML file), and then click ADD INTEGRATION to complete SAML configuration for user authentication.
For more information on SAML provider configuration, refer to User Guide: Single Sign-On
OAuth / OpenID Connect
To configure user authentication using OAuth, follow the steps below:
- In the Authentication page, click ADD OAUTH INTEGRATION to configure OAuth.
- In the Add OAuth Integration form, add all the required details about the OAuth provider, and then click ADD INTEGRATION to complete OAuth configuration for user authentication.
For more information on OAuth / OpenID Connect provider configuration, refer to User Guide: Single Sign-On
LDAP
To configure user authentication using LDAP, follow the steps below:
- In the Authentication page, click ADD LDAP INTEGRATION to configure LDAP.
- In the Add LDAP Integration form, add all the required details about the LDAP provider, and then click ADD INTEGRATION to complete LDAP configuration for user authentication.
For more information on LDAP authentication, refer to User Guide: Single Sign-On
User Authentication Using SSO - Usage
Once the configuration steps for user authentication using SSO are complete, the user can test the configured authentication mechanisms using the LOG IN WITH SSO option in the SDKMS login screen. The user is then presented with all the SSO authentication mechanisms that were configured for logging in to SDKMS.
Multiple Accounts: Different accounts might have different SSO providers. A user can be in multiple accounts with different SSO providers. In these scenarios, the user will need to select which SSO provider to use during the login process. When switching accounts, a user might need to re-authenticate to satisfy the new account’s authentication requirements.
Currently, four authentication methods are supported for applications:
Figure 12: Application Authorization
Using a system generated API Key
When you create an application in SDKMS, a system-generated API key is issued to authenticate that application. You can copy this API key using the COPY API KEY button for the application.
Figure 13: Copy API Key
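What an application does with the copied API key is not shown in the UI steps above, so here is an added example of the client side, written for this page and not taken from Fortanix's own SDKs. It assumes the common pattern for this kind of key: the key is presented once as an HTTP Basic credential to a session endpoint (assumed here to be POST /sys/v1/session/auth, returning JSON with access_token and expires_in), and every later request carries the short-lived token as Authorization: Bearer. The endpoint path, the response field names and the SDKMS_API_KEY environment variable are assumptions; the transport is injectable so the class can be exercised offline against a fake server.

```python
"""Use a system-generated SDKMS API key from an application.
Added example; endpoint path, response fields and the env var name are assumptions."""
import json
import os
import time
import urllib.error
import urllib.request


class SdkmsSession:
    """Exchanges the API key for a short-lived bearer token and reuses that token."""

    def __init__(self, base_url, api_key, transport=None, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self._api_key = api_key               # long-lived credential: never log it
        self._transport = transport or self._http
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    @staticmethod
    def _http(method, url, headers, body):
        # Real transport: urllib over HTTPS (server certificate verification is on by default).
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()

    def authenticate(self):
        """Send the API key once and cache the bearer token it is exchanged for."""
        status, body = self._transport(
            "POST", self.base_url + "/sys/v1/session/auth",   # assumed endpoint
            {"Authorization": "Basic " + self._api_key}, b"")
        if status != 200:
            raise PermissionError("session auth failed with HTTP %d" % status)
        data = json.loads(body)
        self._token = data["access_token"]
        # Renew 30 s early so a request never races the server-side expiry.
        self._expires_at = self._clock() + float(data["expires_in"]) - 30
        return self._token

    def bearer_header(self):
        if self._token is None or self._clock() >= self._expires_at:
            self.authenticate()
        return {"Authorization": "Bearer " + self._token}

    def get(self, path):
        status, body = self._transport("GET", self.base_url + path, self.bearer_header(), None)
        if status != 200:
            raise RuntimeError("%s returned HTTP %d" % (path, status))
        return json.loads(body)


def session_from_env(base_url):
    # Hypothetical variable name: read the key from the environment or a secret
    # store rather than embedding it in source or committing it to a repository.
    key = os.environ.get("SDKMS_API_KEY")
    if not key:
        raise RuntimeError("SDKMS_API_KEY is not set")
    return SdkmsSession(base_url, key)
```

The design point is that the API key itself crosses the wire exactly once per token lifetime; everything else uses the expiring bearer token, which limits what a captured request reveals and keeps the key out of request logs.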
Using a client TLS certificate
You can also use a TLS certificate to authenticate your application in SDKMS. To do this, select the Certificate option as the authentication method, and then upload a certificate using the UPLOAD CERTIFICATE button when you create a new application.
Figure 14: Upload Certificate
“Trusted CA” or using a client TLS certificate issued by a trusted root CA
You can also authenticate your application with a client TLS certificate issued by a root CA that SDKMS trusts, rather than registering the individual client certificate itself. To do this, select the Trusted CA option as the authentication method, and then upload a certificate using the UPLOAD CERTIFICATE button when you create a new application.
Google Service Account Identifier
A Google Service Account Identifier authenticates a Google Cloud service account that accesses SDKMS through the external KMS interface of GCP KMS.