Fortanix Armor Identity and Access Management (IAM)

1.0 Introduction

This article provides an overview of the Fortanix Armor Identity and Access Management (IAM) solution and the associated functionalities – Users, Groups, Client Applications (Apps), and Authentication management.

2.0 Overview

The IAM service integrates seamlessly with the Fortanix Armor platform to provide secure and centralized user and access management for Fortanix products or services.

User and Access Management (UAM) helps manage user identities and their access to resources within Fortanix Armor. This also encompasses processes, policies, and technologies aimed at effectively provisioning, managing, and revoking user accounts and their access privileges.

Implementing IAM offers numerous advantages for organizations in terms of security, compliance, efficiency, and user experience.
Here are some key benefits:

• Enhanced Security: Fortanix Armor IAM helps improve security by ensuring that only authorized individuals and systems have access to resources. It reduces the risk of unauthorized access, data breaches, and insider threats by enforcing strong authentication, access controls, and least privilege principles.

• Reduced Risk: By centralizing user and group access controls, IAM helps organizations mitigate security risks associated with weak passwords, identity theft, and unauthorized access. It provides visibility into user activities and enables organizations to detect and respond to suspicious behavior more effectively.

• Compliance: IAM solutions help organizations comply with regulatory requirements and industry standards by enforcing access controls, auditing user activities, and maintaining detailed audit trails.

• Improved Operational Efficiency: IAM streamlines user provisioning, management, and de-provisioning processes, reducing administrative overhead and ensuring consistency across the organization. Automated workflows, self-service capabilities, and role-based access controls help improve efficiency and productivity.

• Scalability and Flexibility: IAM solutions are designed to scale with the growing needs of organizations, supporting many users, devices, and applications across diverse environments. They are adaptable to changing business requirements and can integrate with existing IT systems and cloud services.

• Centralized Management: IAM provides a centralized platform for managing user identities and access controls across the organization. This simplifies administration, improves visibility, and enables consistent enforcement of security policies and access controls.

3.0 Users

User management is the process of creating, modifying, and maintaining user accounts within Fortanix Armor. It involves tasks such as account provisioning and user lifecycle management.

The following are some of the key aspects of user management:

• User Provisioning: This involves creating new user accounts and granting them access to the necessary resources based on their roles and responsibilities within the platform. User provisioning may include assigning usernames, email addresses, passwords, and access privileges.

• User Lifecycle Management: User lifecycle management involves managing user accounts throughout their lifecycle, from creation to deletion. This includes tasks such as account activation, suspension, password resets, role changes, and account de-provisioning when users leave the platform or change roles.

• Access Control: Access control mechanisms ensure that users only have access to the resources and data necessary to perform their job functions. This includes enforcing the principle of least privilege, where users are granted the minimum level of access required to fulfill their duties.

3.1 View the List of Users Associated with Your Account

To view the list of users on your account, navigate to Fortanix IAM → Users.

On the Users page, the list of users associated with your selected account will be displayed.

For each user, you can view the following information:

• NAME: Name of the user. By default, your profile will be listed as <Your User Profile Name (You)>. For example, Demo User (You).

• EMAIL: Email ID of the user.

• ROLE: The role assigned to the user. The available roles are Account Administrator, Account Member, or Account Auditor. An Account Auditor can view data but cannot edit it. An Account Member can view and edit data. An Account Administrator can view and edit data, as well as manage the account and its members. For more information, refer to Section 3.1.1: Available Roles and Permissions.

• CREATED: User-created date and time.

• LAST LOGIN: Last login date and time.

You can also perform the following actions:

1. Search: Use this feature to search for a specific user in the list.

2. Invite User: Use this feature to add a new user to your Fortanix Armor account. Refer to “Section 3.2: Invite a User" for more information.

3. Use this feature to copy the selected user ID, edit, and remove the selected user. Refer to “Section 3.3: Copy User ID", “Section 3.4: Edit User", and “Section 3.6: Remove User" for more information.

3.1.1 Available Roles and Permissions

The following table lists the available roles and permissions within Fortanix Armor:

3.2 Invite a User

As an administrator of the account, you can invite a user to join your Fortanix Armor account.

Prerequisites:

• The email ID of the user is required.

• You need to be an account administrator to invite a user to an account.

To invite a new user,

1. On the Users page, click INVITE USER.

2. On the Invite user to account dialog box, fill in all the required details:

   • Email: The email of the user; the email is case-insensitive.

   • First name: User’s first name.

   • Last name: User’s last name.

   • Role: Select the role from Account Administrator, Account Member, or Account Auditor.

     NOTE

     When you invite a user to an account,

     • In an Account Administrator role, the user will have the Administrator permissions mentioned in "Section 3.1.1: Available Roles and Permissions" and they cannot be removed from the group.

     • In an Account Member role, the user will have the Member permissions mentioned in "Section 3.1.1: Available Roles and Permissions" by default and they cannot be removed from the group.

     • In an Account Auditor role, the user will have the Auditor permissions mentioned in "Section 3.1.1: Available Roles and Permissions". These users can be removed from the group.

3. Click INVITE USER to invite the user. The invited user will get an email to join this account.

4. After the user accepts the invitation, during the next login, the user can see the Pending Invitations on the Accounts page on Fortanix Armor. The user must click ACCEPT to join the account.

   

5. After the user accepts the invitation to join the Fortanix Armor account, the user will be added to the Users list on your account.

3.3 Copy User ID

As an administrator of an account, you can copy the user ID of the user.

To copy the user ID,

1. On the Users page, from the list of users, click for the selected user.

2. Click Copy user ID to copy the ID to the clipboard.

3.4 Edit a User

As an administrator of an account, you can edit access within this account.

To edit the user’s details,

1. On the Users page, from the list of users, click for the selected user.

2. Click Edit user to edit the user access details.

3. On the Edit user page, update the user’s role, and click SUBMIT. The role will be updated accordingly.

3.5 Leave Account

You can leave the account if you no longer wish to continue with that account. This option is available only for the logged-in user.

To leave the account,

1. On the Users page, click  for yourself. For example, Fortanix User (You).

2. Click Leave account to leave the selected account.

For more information, refer to the Fortanix Armor-Getting Started.

3.6 Remove a User

As an administrator of an account, you can remove a user from your account.

To remove a user,

1. On the Users page, from the list of users, click for the selected user.

2. Click Remove user.

3. If selected, on the confirmation pop-up, click REMOVE to remove the selected user. After the user is removed from your account, his role and the related permissions will also be revoked.

4.0 Groups

To view the list of groups in your account, navigate to Fortanix IAM → Groups.

For each group, you can view the group name and the creation time stamp.

After configuring the connection on Fortanix Key Insight, a group with the same name will be created on the Fortanix IAM Groups page. For each group, you can view the group name and the creation time stamp.

For more information about configuring a connection, refer to the following:

• Getting Started with Cloud Connection

• Getting Started with On-Premises Connection

• Getting Started With External Key Source Connection

4.1 Add a Group

To add a new group,

1. Click ADD GROUP on the top-right corner of the Groups page.

2. On the Create group dialog box,

   1. Enter the group Name.

   2. Click Add description to add a description, if needed.

   3. Add a label using a Key and Value pair, if required. You can add multiple labels using ADD LABEL.

   4. Click CREATE GROUP to add a new group.

The new group will be added to the Groups list.

4.2 Access Group Detailed View

On the Groups page, click any group to access its details.

• The GENERAL tab provides the following details:

  • The number of Users belonging to the group.

    You can also update the group permissions for a user using MANAGE. For more information, refer to "Section 4.3: Update Group Permission for a User."

  • Available group labels, if any. You can add or edit the labels for the group using ADD OR EDIT LABELS.

• The USERS tab lists all the users of the group.

• • All users on the Fortanix Armor account with an account administrator role will be added to the groups by default as Group Administrators and they cannot be removed from the group.

  • All users on the Fortanix Armor account with an account auditor role will be added to the groups by default as Group Auditors. These users cannot be removed from the group.

  • All users on the Fortanix Armor account with an account member role must be manually added to a group as Group Administrator or Group Auditor. Only account administrators can remove these users from the group using → Remove user. For more information, refer to "Section 4.3: Update Group Permission for a User".

4.3 Update Group Permission for a User

Users with Account Member roles on the Fortanix IAM Users page must be manually added to a group as Group Administrator or Group Auditor using the following steps:

1. In the detailed view of a Fortanix IAM group, click the USERS tab.

2. Click MANAGE USERS to update the group permission.

   

3. In the ADD USERS form, select the user in the first column.

   

4. For the new user, select the appropriate group permission and click SAVE CHANGES to update the group permission.

   NOTE

   The new user's role will only be updated within the group.

   

4.4 Edit a Group

To edit a group,

1. On the Groups page, click on any group.

2. Select Edit group for the group you want to edit.

3. In the Edit group dialog box, make the necessary updates to the name, description, and label(s).

4. Click SAVE.

4.5 Remove a Group

To remove a group,

1. On the Groups page, click on any group.

2. Select Remove group for the group you want to delete.

3. On the delete confirmation dialog box, click DELETE to remove the group from the Groups page.

NOTE

You cannot delete a group if it has any associated dependent services.

5.0 Client Apps

Client applications can programmatically interact with Fortanix Armor through a REST API using API key–based authentication.

For example, administrators can use client apps to view the count of keys scanned and download reporting data without accessing the Fortanix Armor user interface (UI).

This automation is enabled through the Fortanix Armor Client Apps feature at the account level.

The process involves two main steps:

• Managing client apps

• Accessing solutions using client apps

5.1 Manage Client Apps

To view and manage the list of client apps in your Fortanix Armor account, navigate to Fortanix IAM → Client apps.

On the Client apps page, the list of apps associated with your selected account will be displayed.

5.1.1 Add a Client App

To create a client app,

1. Click ADD CLIENT APP on the top-right corner of the Client apps page.

2. On the Add Client App dialog box, provide the following details:

   1. Client app name: Enter a name for the client app.

   2. Description (Optional): Enter a brief description of the app.

   3. Authentication method: This is set to API key by default and cannot be modified.

   4. Secret size: Select the required app secret key size in bytes. The available values are 16, 32, and 64.

   5. Roles: This is preselected as Auditor. This indicates that the client app is granted read-only access. For more information on the roles and permissions, refer to Section 3.1.1: Available Roles and Permissions.

   6. Click SAVE to add a new client app.

The new client app will be added to the Client apps list with an Enabled status. To retrieve its credentials, click View API Key under the CREDENTIALS column, and copy the API key value. You will need this key later to perform REST API operations.

NOTE

Only the Account Administrator can create and manage the client apps in Fortanix Armor IAM.

5.1.2 Edit a Client App

To edit a client app:

1. On the Client apps page, click icon next to the desired app.

2. Select Edit client app.

3. In the Edit Client App dialog box, update the name, description, or status as needed.

NOTE

If you disable a client app, it will no longer be able to authenticate or perform any operations. This is useful when the app is inactive, under investigation, or needs to be temporarily blocked from accessing the system. Disabling also helps prevent potential misuse of its API keys.

4. Click SAVE.

5.1.3 Delete a Client App

To delete a client app:

1. On the Client apps page, click icon next to the desired app.

2. Select Delete client app.

3. In the Delete Client App dialog box, click DELETE to remove the client app.

WARNING

Deleting a client app permanently revokes all associated services and API access. This action cannot be undone.

5.1.4 View a Client App Details

Click the NAME of the required client app on the Client apps page to view its details.  

On the client app details page,

• Click EDIT CLIENT APP to edit the details of the client app. For more information, refer to Section 5.1.2: Edit the Client App.

• Click and click Delete client app to remove the client app. For more information, refer to Section 5.1.3: Delete the Client App.

• View details about the app’s connection such as status, description, created timestamp, roles and app ID.

• Authentication method: This section offers details about the app’s API key, including the following:

  • Click VIEW API KEY to view the API key details. On the API Key Details dialog box, click COPY API KEY to copy the API key. You can use the API key to authenticate and access Fortanix Armor solutions. For more information, refer to Section 5.2: Programmatic Access to Fortanix Armor Solutions Using Client Apps.

NOTE

Only users with Account Administrator permissions can edit or delete the client apps, and view or copy its API keys from the client app details page.

5.2 Programmatic Access to Fortanix Armor Solutions Using Client Apps

Client Apps enable programmatic authentication and interaction with Fortanix Armor solutions, including Fortanix Armor IAM and Fortanix Key Insight, and their associated services, using an API key instead of a user login. This provides secure, automated access to Fortanix Armor solutions without requiring manual interaction with the UI.

• When a client app is created, Fortanix Armor IAM generates an API key. This API key must be stored securely, as it will be required for authentication.

• The API key is used to generate an access token, which must be included in the request headers to authenticate Fortanix Key Insight REST API calls. For more information on generating an access token, refer to Programmatic Access to Fortanix Armor IAM.

  NOTE

  The access token is valid for 60 seconds. After it expires, you must generate a new token to continue performing API requests.

• The client app’s access is automatically scoped to the Account Auditor role, along with the associated permissions granted to that role.

  For example, an app with the Account Auditor role can use Fortanix Key Insight REST API to retrieve an assessment report. For more information, refer to Programmatic Access to Fortanix Key Insight APIs.

6.0 Authentication

All users must authenticate to Fortanix Armor to use its functions. Users can authenticate with Fortanix Armor either using a password or Single Sign On (SSO), offering varying degrees of integration with existing enterprise IAM (Identity and Access Management) systems and security.

For more information on authenticating using a password and a single sign-on, refer to Fortanix Armor - Getting Started.

After authentication, a detailed access control system determines which entity is authorized to perform specific actions under particular conditions.

6.1 Access Authentication Details

To access the authentications configured for your account,

1. Navigate to the Identity & Access Management solution.

2. Select Authentication on the left navigation panel.

   

   The Authentication page has two sections:

   • Access Type

   • Single sign-on integrations

   NOTE

   Only the Account Administrator can set the access type and manage SSO integrations on Fortanix Armor.

6.2 Configure Permissions

You can configure permissions that govern access and authentication during the login process.

To update the permissions,

1. Click EDIT PERMISSIONS in the Access Type section.

2. On the Edit Permissions dialog box, select the appropriate option based on the requirement.

   • Only account administrators can login with password: If the SSO mechanism is misconfigured, account administrators on Fortanix Armor may be unable to log in. To avoid this issue, ensure to select this option when updating the SSO configuration. This allows account administrators to access the account with their password.

   • All roles can log in with password: If the SSO mechanism is misconfigured, select this option during SSO configuration to allow any user role to log in to the Fortanix Armor account using their local password. This option is selected by default.

   • No roles can log in with password: If the SSO mechanism is misconfigured, select this option during the SSO configuration, if you want no user role, including the administrator, to log in to the Fortanix Armor account using their local password when the SSO mechanism is misconfigured.

   NOTE

   You can only select the No roles can log in with password option if you have configured an OAuth SSO integration.

3. Click SAVE to update the permission.

6.3 Configure Two-factor Authentication (2FA) at Account Level

Two-factor authentication (2FA) in Fortanix Armor can be configured at the account level.

To configure two-factor authentication (2FA) at the Fortanix Armor account level for password-based authentication,

1. Click UPDATE TWO FACTOR AUTH in the Access Type section.

2. On the Update Two Factor Authentication dialog box, enable Mandatory two-factor authentication for all team members toggle. This is disabled by default.

3. Click SAVE. After enabling 2FA, you can see the label Mandatory two-factor authentication for all team members:  in the Access Type section will be updated to Enabled.

After 2FA is enabled at the account level, every user within the account will be required to set up 2FA at the user level through the My Profile page. For more information on setting 2FA at the user level, refer to Fortanix Armor - Getting Started.

Enabling 2FA at both the account and user levels adds an extra layer of security, ensuring that only authorized users can access the account. Without completing this configuration, you will not be able to log in to Fortanix Armor.

6.4 Manage SSO Integrations

The Fortanix Armor accounts can be integrated with third-party Single Sign-On (SSO) providers. When an account is configured for SSO, users in that account will be able to log in with their SSO credentials.

You can manage the SSO integrations on the Single sign-on integrations section. Here, you can view the list of OAuth integrations configured for the selected account.

Additionally, you can perform the following:

• Add an OAuth integration

• Edit the details of an OAuth integration

• Delete an OAuth integration

6.4.1 Add an OAuth Integration

You must register Fortanix Armor with your IdP. When registering, provide the following information to your IdP:

• Application type: web application

• Redirect URL: https://<fortanix_armor_url>/oauth

  For example, https://armor.fortanix.com/oauth.

After you register your IdP, obtain the following information from your Identity Provider (IdP) to enable SSO using OAuth/Open ID Connect for your account:

• Client ID

• Client Secret

OpenID Connect / OAuth Identity Provider Requirements:

To use an OAuth / OpenID Connect IdP with Fortanix Armor, the IdP must:

• Support Authorization Code Flow described in OpenID Connect Core Specification.

• Support email scope.

• Provide user’s email address to Fortanix Armor in Token or UserInfo response.

• Provide non-encrypted ID token during Token response.

To add a new OAuth integration,

1. Click ADD OAUTH INTEGRATION in the Single sign-on integrations section.

2. On the Add OAuth Integration dialog box, add the following details about the OAuth provider:

   • Provider name

   • Logo URL (optional)

   • Authentication Method- Select any of the following based on what you have configured in your IdP.

     • Basic Authentication

     • POST Authentication

   • TLS configuration- Select any of the following based on your requirement:

     • Global Root CAs

     • Custom CA certificate

   • Client ID

   • Client Secret

   • Validate host: Enable Verify that the above host matches the host name in the server certificate check box if required.

   • Authorization Endpoint URL

   • Token Endpoint URL

   • User Info Endpoint URL (optional)

   Most of these parameters are published in a .well-known file provided by the identity providers. For example: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.

3. Click ADD OAUTH INTEGRATION to add the new integration for the selected Armor account.

Example:

Setting up OAuth Integration between Fortanix Armor and PingId

Perform the steps below to configure the OAuth integration between Fortanix Armor and PingId:

In Your PingId Environment:

1. Create an app of type "OIDC Web App".

2. Ensure the following settings:

   • On the "Configuration" tab:

     • "Token Endpoint Authentication Method" must match the authentication method you configure on Fortanix Armor.

       • If set to "Client Secret Basic" (the default value), select "Basic Authentication" in Fortanix Armor.

       • If set to "Client Secret Post", select "POST Authentication" in Fortanix Armor.

     • Redirect URIs must be set to https://armor.fortanix.com/oauth.

     • Leave all other settings at their default value. In particular, Response Type must be set to "Code" and Grant Type must be set to "Authorization Code" with PKCE Enforcement set to "OPTIONAL".

   • On the "Resources" tab:

     • Ensure the following scopes are allowed: "openid", "email", "profile".

3. Ensure the app is enabled to save all configurations.

In Your Armor Account's Authentication Settings:

Add a new OAuth integration with the following settings:

• Provider name: Enter the unique name.

• Logo URL: This is optional.

• Authentication Method: This must match the setting configured at PingId in Step 2 above.

• TLS configuration: Set this to Global Root CAs.

• Validate host: Enable this for security reasons.

• Client ID: Use the Client ID from the "Overview" tab of the PingId application.

• Client Secret: Use the Client Secret from the "Overview" tab of the PingId application.

• Authorization Endpoint URL: Use the Authorization URL from the "Overview" tab of the PingId application.

• User Info Endpoint URL: Use the User Info Endpoint from the "Overview" tab of the PingId application.

• Token Endpoint URL (Optional): Use the Token Endpoint from the "Overview" tab of the PingId application.

In addition to the above, any user who wishes to use PingId to authenticate with Fortanix Armor must have their "email" field in PingId set to match their username/email in Fortanix Armor.

6.4.2 Edit the OAuth Integration Details

To edit the OAuth configuration details,

1. On the Single sign-on integrations section, click on any OAuth integration.

2. On the Update OAuth Integration form, make the necessary updates to the required fields.

3. Click SAVE to update the new values.

6.4.3 Delete an OAuth Integration

To remove the OAuth integration,

1. On the Single sign-on integrations section, click on any OAuth integration.

2. On the delete confirmation dialog box, click DELETE to remove the OAuth integration from the selected Fortanix Armor account. This integration will also be removed next time you log in with SSO.