1.0 Introduction
This article provides an overview of the Fortanix Armor Identity and Access Management (IAM) solution and the associated functionalities – Users, Groups, and Authentication management.
2.0 Overview
The IAM service integrates seamlessly with the Fortanix Armor platform to provide secure and centralized user and access management for Fortanix products or services.
User and Access Management (UAM) helps manage user identities and their access to resources within Fortanix Armor. This also encompasses processes, policies, and technologies aimed at effectively provisioning, managing, and revoking user accounts and their access privileges.
Implementing IAM offers numerous advantages for organizations in terms of security, compliance, efficiency, and user experience.
Here are some key benefits:
Enhanced Security: Fortanix Armor IAM helps improve security by ensuring that only authorized individuals and systems have access to resources. It reduces the risk of unauthorized access, data breaches, and insider threats by enforcing strong authentication, access controls, and least privilege principles.
Reduced Risk: By centralizing user and group access controls, IAM helps organizations mitigate security risks associated with weak passwords, identity theft, and unauthorized access. It provides visibility into user activities and enables organizations to detect and respond to suspicious behavior more effectively.
Compliance: IAM solutions help organizations comply with regulatory requirements and industry standards by enforcing access controls, auditing user activities, and maintaining detailed audit trails.
Improved Operational Efficiency: IAM streamlines user provisioning, management, and de-provisioning processes, reducing administrative overhead and ensuring consistency across the organization. Automated workflows, self-service capabilities, and role-based access controls help improve efficiency and productivity.
Scalability and Flexibility: IAM solutions are designed to scale with the growing needs of organizations, supporting many users, devices, and applications across diverse environments. They are adaptable to changing business requirements and can integrate with existing IT systems and cloud services.
Centralized Management: IAM provides a centralized platform for managing user identities and access controls across the organization. This simplifies administration, improves visibility, and enables consistent enforcement of security policies and access controls.
3.0 Users
User management is the process of creating, modifying, and maintaining user accounts within Fortanix Armor. It involves tasks such as account provisioning and user lifecycle management.
The following are some of the key aspects of user management:
User Provisioning: This involves creating new user accounts and granting them access to the necessary resources based on their roles and responsibilities within the platform. User provisioning may include assigning usernames, email addresses, passwords, and access privileges.
User Lifecycle Management: User lifecycle management involves managing user accounts throughout their lifecycle, from creation to deletion. This includes tasks such as account activation, suspension, password resets, role changes, and account de-provisioning when users leave the platform or change roles.
Access Control: Access control mechanisms ensure that users only have access to the resources and data necessary to perform their job functions. This includes enforcing the principle of least privilege, where users are granted the minimum level of access required to fulfill their duties.
3.1 List Users Associated with Your Account
To view the list of users on your account, navigate to Fortanix IAM → Users.
On the Users page, the list of users associated with your selected account will be displayed.
For each user, you can view the following information:
NAME: Name of the user. By default, your profile will be listed as <Your User Profile Name (You)>. For example, Demo User (You).
EMAIL: Email ID of the user.
ROLE: The role assigned to the user. The available roles are Account Administrator, Account Member, or Account Auditor. An Account Auditor can view data but cannot edit it. An Account Member can view and edit data. An Account Administrator can view and edit data, as well as manage the account and its members.
Refer to the following table to understand more about the available roles and permissions for Fortanix Key Insight:ACTION
ACCOUNT AUDITOR
ACCOUNT MEMBER
ACCOUNT ADMINISTRATOR
List Users
Yes
Yes
Yes
List Groups
Yes
Yes
Yes
Invite Users
No
No
Yes
Create or Modify Group
No
Yes
Yes
Key Insight Cloud Account Management
No
No
Yes
CREATED: User-created date and time.
LAST LOGIN: Last login date and time.
You can also perform the following actions:
Figure 1: Access the users
Search: Use this feature to search for a specific user in the list.
Invite User: Use this feature to add a new user to your Fortanix Armor account. Refer to “Section 3.2: Invite a User" for more information.
Use this feature to copy the selected user ID, edit, and remove the selected user. Refer to “Section 3.3: Copy User ID", “Section 3.4: Edit User", and “Section 3.6: Remove User" for more information.
3.2 Invite a User
As an administrator of the account, you can invite a user to join your Fortanix Armor account.
Prerequisites:
The email ID of the user is required.
You need to be an account administrator to invite a user to an account.
To invite a new user,
On the Users page, click INVITE USER.
On the Invite user to account dialog box, fill in all the required details:
Email: The email of the user; the email is case-insensitive.
First name: User’s first name.
Last name: User’s last name.
Role: Select the role from Account Administrator, Account Member, or Account Auditor.
NOTE
When you invite a user to an account,
In an Account Administrator role, the user will have the Administrator permissions mentioned in "Section 3.1: List Users Associated with the Account" and they cannot be removed from the group.
In an Account Member role, the user will have the Member permissions mentioned in "Section 3.1: List Users Associated with the Account" by default and they cannot be removed from the group.
In an Account Auditor role, the user will have the Auditor permissions mentioned in "Section 3.1: List Users Associated with the Account". These users can be removed from the group.
Click INVITE USER to invite the user. The invited user will get an email to join this account.
Figure 2: Confirm to join the account
After the user accepts the invitation, during the next login, the user can see the Pending Invitations on the Accounts page on Fortanix Armor. The user must click ACCEPT to join the account.
Figure 3: Accept the invitation
After the user accepts the invitation to join the Fortanix Armor account, the user will be added to the Users list on your account.
3.3 Copy User ID
As an administrator of an account, you can copy the user ID of the user.
To copy the user ID,
On the Users page, from the list of users, click
for the selected user. Click Copy user ID to copy the ID to the clipboard.
3.4 Edit User
As an administrator of an account, you can edit access within this account.
To edit the user’s details,
On the Users page, from the list of users, click
for the selected user.Click Edit user to edit the user access details.
On the Edit user page, update the user’s role, and click SUBMIT. The role will be updated accordingly.
NOTE
If you want to edit your user profile, go to your user profile page instead. You can edit your own details like First Name and Last Name under the user profile. For more information, refer to the User Guide: Fortanix Armor Getting Started Guide – Manage User Profile.
3.5 Leave Account
You can leave the account if you no longer wish to continue with that account. This option is available only for the logged-in user.
To leave the account,
On the Users page, click
for yourself. For example, Fortanix User (You).Click Leave account to leave the selected account.
For more information, refer to the User Guide: Fortanix Armor Getting Started Guide.
3.6 Remove User
As an administrator of an account, you can remove a user from your account.
To remove a user,
On the Users page, from the list of users, click
for the selected user.Click Remove user.
If selected, on the confirmation pop-up, click REMOVE to remove the selected user. After the user is removed from your account, his role and the related permissions will also be revoked.
4.0 Groups
After configuring the connection on Fortanix Key Insight, a group with the same name will be created on the Fortanix IAM Groups page. For each group, you can view the group name and the creation time stamp.
For more information about configuring a connection, refer to the following:
Fortanix Key Insight-Getting Started with On-Premises Connection
Fortanix Key Insight - Getting Started With External Key Source Connection
NOTE
An Account Member or an Account Administrator of a Fortanix Armor account can create a group.
Figure 4: Access Groups
4.1 Access Group Detailed View
On the Groups page, click any group to access its details.
Figure 5: Access group general details
The GENERAL tab provides the following details:
The number of Users belonging to the group.
You can also update the group permissions for a user using MANAGE. For more information, refer to "Section 4.2: Update Group Permission for a User."
Available group labels, if any. You can add or edit the labels for the group using ADD OR EDIT LABELS.
The USERS tab lists all the users of the group.
All users on the Fortanix Armor account with an account administrator role will be added to the groups by default as Group Administrators and they cannot be removed from the group.
All users on the Fortanix Armor account with an account auditor role will be added to the groups by default as Group Auditors. These users cannot be removed from the group.
All users on the Fortanix Armor account with an account member role must be manually added to a group as Group Administrator or Group Auditor. Only account administrators can remove these users from the group using
→ Remove user. For more information, refer to "Section 4.2: Update Group Permission for a User."
4.2 Update Group Permission for a User
Users with Account Member roles on the Fortanix IAM Users page must be manually added to a group as Group Administrator or Group Auditor using the following steps:
In the detailed view of a Fortanix IAM group, click the USERS tab.
Click MANAGE USERS to update the group permission.
Figure 6: Access to add a new user
In the ADD USERS form, select the user in the first column.
Figure 7: Select the new user
For the new user, select the appropriate group permission and click SAVE CHANGES to update the group permission.
NOTE
The new user's role will only be updated within the group.
Figure 8: Select the role
4.3 Update a Group
To edit a group,
On the Groups page, click
on any group.Select Edit group for the group you want to edit.
In the Edit group dialog box, make the necessary updates to the name, description, and label(s).
Click SAVE.
4.4 Remove a Group
To remove a group,
On the Groups page, click
on any group.Select Remove group for the group you want to delete.
On the delete confirmation dialog box, click DELETE to remove the group from the Groups page.
NOTE
You cannot delete a group if it has any associated dependent services.
5.0 Authentication
All users must authenticate to Fortanix Armor to use its functions. Users can authenticate with Fortanix Armor either using a password or Single Sign On (SSO), offering varying degrees of integration with existing enterprise IAM (Identity and Access Management) systems and security.
For more information on authenticating using a password and a single sign-on, refer to Fortanix Armor - Getting Started.
After authentication, a detailed access control system determines which entity is authorized to perform specific actions under particular conditions.
5.1 Access Authentication Details
To access the authentications configured for your account,
Navigate to the Identity & Access Management solution.
Select Authentication on the left navigation panel.
Figure 9: Access authentication
The Authentication page has two sections:
Access Type
Single sign-on integrations
NOTE
Only the Account Administrator can set the access type and manage SSO integrations on Fortanix Armor.
5.2 Configure Permissions
You can configure permissions that govern access and authentication during the login process.
To update the permissions,
Click EDIT PERMISSIONS in the Access Type section.
On the Edit Permissions dialog box, select the appropriate option based on the requirement.
Only account administrators can login with password: If the SSO mechanism is misconfigured, account administrators on Fortanix Armor may be unable to log in. To avoid this issue, ensure to select this option when updating the SSO configuration. This allows account administrators to access the account with their password.
All roles can log in with password: If the SSO mechanism is misconfigured, select this option during SSO configuration to allow any user role to log in to the Fortanix Armor account using their local password. This option is selected by default.
No roles can log in with password: If the SSO mechanism is misconfigured, select this option during the SSO configuration, if you want no user role, including the administrator, to log in to the Fortanix Armor account using their local password when the SSO mechanism is misconfigured.
NOTE
You can only select the No roles can log in with password option if you have configured an OAuth SSO integration.
Click SAVE to update the permission.
5.3 Configure Two-factor Authentication (2FA) at Account Level
Two-factor authentication (2FA) in Fortanix Armor can be configured at the account level.
To configure two-factor authentication (2FA) at the Fortanix Armor account level for password-based authentication,
Click UPDATE TWO FACTOR AUTH in the Access Type section.
On the Update Two Factor Authentication dialog box, enable Mandatory two-factor authentication for all team members toggle. This is disabled by default.
Click SAVE. After enabling 2FA, you can see the label Mandatory two-factor authentication for all team members: in the Access Type section will be updated to Enabled.
Figure 10: Configure 2FA at account level
After 2FA is enabled at the account level, every user within the account will be required to set up 2FA at the user level through the My Profile page. For more information on setting 2FA at the user level, refer to Fortanix Armor - Getting Started.
Enabling 2FA at both the account and user levels adds an extra layer of security, ensuring that only authorized users can access the account. Without completing this configuration, you will not be able to log in to Fortanix Armor.
5.4 Manage SSO Integrations
The Fortanix Armor accounts can be integrated with third-party Single Sign-On (SSO) providers. When an account is configured for SSO, users in that account will be able to log in with their SSO credentials.
You can manage the SSO integrations on the Single sign-on integrations section. Here, you can view the list of OAuth integrations configured for the selected account.
Additionally, you can perform the following:
Add an OAuth integration
Edit the details of an OAuth integration
Delete an OAuth integration
5.4.1 Add an OAuth Integration
You must register Fortanix Armor with your IdP. When registering, provide the following information to your IdP:
Application type: web application
Redirect URL: https://<fortanix_armor_url>/oauth
For example, https://armor.fortanix.com/oauth.
After you register your IdP, obtain the following information from your Identity Provider (IdP) to enable SSO using OAuth/Open ID Connect for your account:
Client ID
Client Secret
OpenID Connect / OAuth Identity Provider Requirements:
To use an OAuth / OpenID Connect IdP with Fortanix Armor, the IdP must:
Support Authorization Code Flow described in OpenID Connect Core Specification.
Support email scope.
Provide user’s email address to Fortanix Armor in Token or UserInfo response.
Provide non-encrypted ID token during Token response.
To add a new OAuth integration,
Click ADD OAUTH INTEGRATION in the Single sign-on integrations section.
On the Add OAuth Integration dialog box, add the following details about the OAuth provider:
Provider name
Logo URL (optional)
Authentication Method- Select any of the following based on what you have configured in your IdP.
Basic Authentication
POST Authentication
TLS configuration- Select any of the following based on your requirement:
Global Root CAs
Custom CA certificate
Client ID
Client Secret
Validate host: Enable Verify that the above host matches the host name in the server certificate check box if required.
Authorization Endpoint URL
Token Endpoint URL
User Info Endpoint URL (optional)
Most of these parameters are published in a
.well-knownfile provided by the identity providers. For example: https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration.Click ADD OAUTH INTEGRATION to add the new integration for the selected Armor account.
Figure 11: Add an OAuth integration
Example:
Setting up OAuth Integration between Fortanix Armor and PingId
Perform the steps below to configure the OAuth integration between Fortanix Armor and PingId:
In Your PingId Environment:
Create an app of type "OIDC Web App".
Ensure the following settings:
On the "Configuration" tab:
"Token Endpoint Authentication Method" must match the authentication method you configure on Fortanix Armor.
If set to "Client Secret Basic" (the default value), select "Basic Authentication" in Fortanix Armor.
If set to "Client Secret Post", select "POST Authentication" in Fortanix Armor.
Redirect URIs must be set to https://armor.fortanix.com/oauth.
Leave all other settings at their default value. In particular, Response Type must be set to "Code" and Grant Type must be set to "Authorization Code" with PKCE Enforcement set to "OPTIONAL".
On the "Resources" tab:
Ensure the following scopes are allowed: "openid", "email", "profile".
Ensure the app is enabled to save all configurations.
In Your Armor Account's Authentication Settings:
Add a new OAuth integration with the following settings:
Provider name: Enter the unique name.
Logo URL: This is optional.
Authentication Method: This must match the setting configured at PingId in Step 2 above.
TLS configuration: Set this to Global Root CAs.
Validate host: Enable this for security reasons.
Client ID: Use the Client ID from the "Overview" tab of the PingId application.
Client Secret: Use the Client Secret from the "Overview" tab of the PingId application.
Authorization Endpoint URL: Use the Authorization URL from the "Overview" tab of the PingId application.
User Info Endpoint URL: Use the User Info Endpoint from the "Overview" tab of the PingId application.
Token Endpoint URL (Optional): Use the Token Endpoint from the "Overview" tab of the PingId application.
In addition to the above, any user who wishes to use PingId to authenticate with Fortanix Armor must have their "email" field in PingId set to match their username/email in Fortanix Armor.
5.4.2 Edit the OAuth Integration Details
To edit the OAuth configuration details,
On the Single sign-on integrations section, click
on any OAuth integration.On the Update OAuth Integration form, make the necessary updates to the required fields.
Click SAVE to update the new values.
5.4.3 Delete an OAuth Integration
To remove the OAuth integration,
On the Single sign-on integrations section, click
on any OAuth integration.On the delete confirmation dialog box, click DELETE to remove the OAuth integration from the selected Fortanix Armor account. This integration will also be removed next time you log in with SSO.