OpenID Connect and the Dashboard
Last year we introduced a new authentication mechanism to the Dashboard, OpenID Connect. This provides a form of SSO (Single Sign On) for users of the Dashboard. Before I go into OpenID Connect, let's have a look at SSO.
The idea behind SSO is that in a corporate environment you sign on once (or hold one set of credentials) to gain access to every application you need to use.
This is useful because it cuts down on the number of credentials a user needs to remember (or store), reduces the administration required to manage users across multiple applications, and potentially reduces the number of sign-in prompts a user is exposed to.
In my opinion, having fewer places to enter your work credentials also helps protect against compromise, because users are less likely to enter them somewhere they shouldn't (for example, on a phishing page).
One type of SSO that people commonly associate with the term is Windows Authentication.
Windows Authentication lets your browser log you straight into the application, with no prompt, based on your Windows user account and Active Directory. This is convenient, but it has several issues:
- It's Windows only and dependent on particular browsers and configuration
- The implementation is a closed-source black box, so it's difficult to understand and to diagnose issues
- It requires you to be logged into your Windows account
- It doesn't work well from remote locations
To use an authentication method such as Windows Authentication or OpenID Connect you need an identity provider: an external store of user accounts against which users are authenticated, with their details then passed on to the system that requested the user's identity.
With Windows Authentication your identity provider is Microsoft Active Directory. Microsoft can also be your identity provider for OpenID Connect: their cloud-based Azure Active Directory fully supports OpenID Connect and works well for companies using Office 365. Other providers include IdentityServer, Keycloak and Auth0.
There are both commercial, cloud-based providers and open source local options.
Authorisation vs Authentication
There are two technical terms that we need to understand before we can fully appreciate some of the technologies we are using here.
Authorisation is the process of determining WHAT a user is allowed to do: for example, this user can access email but cannot access the calendar.
Authentication is the process of determining WHO a user is: for example, this person is this user (and can therefore access their account).
OAuth 2.0 is an authorisation protocol, created in 2012. It isn't what we are trying to achieve with SSO for the Dashboard (right now at least; that might change), and it's more applicable when you share access to your account on one service with another service (for example, sharing your Gmail with a mobile app).
We've established OAuth 2.0 isn't what we need, so why mention it? OAuth 2.0 is really cool tech and it works well, but the main reason it matters to us is the development of OpenID Connect, which is built on top of OAuth 2.0.
OpenID Connect
OpenID Connect is a more recent development which effectively combines OpenID (an authentication protocol) with OAuth 2.0, marrying the functionality of OpenID with the simple tech of OAuth.
OAuth, and therefore OpenID Connect, uses widely adopted standards such as TLS (for encrypting web traffic), JSON (for storing and transmitting text data) and JWT (for signing, verifying and encrypting token data).
It has a number of advantages over Windows Authentication:
- It's using fully open technologies
- It's built on standards
- It's very transparent in use and easy to debug if something goes wrong
- It works anywhere there is a web browser and internet connection; that could be phones, tablets, Linux, Mac, Windows and others.
OpenID Connect in the Dashboard
This brings us to the functionality available in the Dashboard. If a company has an identity provider that supports OpenID Connect, they can link that to the Dashboard.
This means the user doesn't need to remember a separate set of Dashboard credentials; they simply log in to their company's identity provider.
If a user is already logged in (quite likely), they won't need to do anything, and they can get straight in. It's very quick, easy, better for system admins, and secure.
There are some security benefits to using OpenID Connect for authentication.
Firstly, the protocols and technologies are all very secure (as far as we know right now). In addition, identity provider products can give companies greater protection, such as multi-factor authentication, threat intelligence, and blocking of logins based on characteristics of the request (such as location).
OpenID Connect is a great way to set up authentication to the Dashboard, and if you have an appropriate setup you should give it a try! Support can provide guides and assistance with setup.
If you have any feedback, let us know, we're always looking to improve functionality to make it robust, easy-to-use, and fully featured.
TLS - Transport Layer Security. This is the encryption used for web sites; it ensures that all traffic between the server and the client is encrypted.
JWT - JSON Web Token. This is a standard for access tokens in JSON format which is then signed and encrypted, making it unreadable and tamper-evident if intercepted in transit.
Written by Neil
Neil is our security-focused developer at Panintelligence, who constantly strives to improve our product in his specialist area. Neil has around 10 years’ experience in the software industry and likes to fix PCs and phones in his spare time.