nevisProxy is a secure entry gateway with an integrated web application firewall (WAF). nevisProxy controls user access and protects sensitive data, applications, services, and systems from internal and external threats.
nevisAuth implements strong user and system authentication for identity and access management solutions. It offers secure execution of multi-step authentication and is able to dynamically adjust authentication strengths. nevisAuth is highly flexible, easily integrated and supports plug-ins to various authentication methods.
nevisIDM is a multi-client capable identity management solution that enables central management of users, applications, and permissions. To permit efficient management of users and credentials, nevisIDM supports delegated administration as well as self-administration.
nevisReports provides detailed reports on topics such as utilization, performance, security incidents and identity administration. The product is fully integrated in the NEVIS Security Suite. Access to and indexing of relevant data, as well as preparation and distribution of predefined reports, are done automatically or require minimal configuration. The standard reports of nevisReports can be extended at any time and tailored to the customer's needs.
Access data for the customer's logbook is often sent via a PIN letter. This identification method can, for example, be supplemented by a faster procedure based on the eID function of the new ID card (nPA). This gives customers the opportunity to obtain access to their customer logbook within minutes.
The customer needs:
After an online contract conclusion, the customer can be informed via any channel about the procedure, which takes only minutes. In addition, an information page explaining the procedure is provided on the company's website. Any consent required for data storage can also be obtained there; consent is the prerequisite for continuing the identification process. The information page can display a button that starts the nPA identification dialog.
The customer launches the ID card app and places the ID card on the card reader. After entering the nPA PIN, the identification app transfers the relevant functional data and the necessary technical data:
Subsequently, the ID data must be matched against the contract stock. If the customer is found, this data is displayed to the customer. After confirmation via checkbox, the customer is given access to the customer's logbook, including digital customer contacts (DKA). If the customer cannot be found in the inventory, clearing must take place via the contract department (KSC / KS) (for example, a callback from the customer).
Optionally, the e-mail address and mobile phone number can be integrated into the clearing process via mTAN or double opt-in.
The data collected from the customer, the metadata (date, time, ID type) and further technically necessary data (certificate ID, token, credentials, etc.) must be stored in the relevant company system.
For subsequent recurring access to the customer's logbook via nPA (authentication), the nPA can be offered as an option alongside user name / password. Clicking on an nPA symbol opens a dialog asking the user to start the ID card app and place the nPA on the card reader. The customer then enters the nPA PIN in the dialog of the ID card app and starts the data exchange for authentication. If the data match, access to the customer's logbook including DKA is released.
Both identification and authentication by the nPA should provide 24/7 availability.
FSP provides the nPA connection for the customer website and the access to the federal government's eID server, including certificate hosting, as well as the necessary functional and technical information, via the black-box solution described below.
Premises of the solution:
These requirements are achieved by using already available standard components in the solution.
For the realization of the nPA integration into the company web environment, a NEVIS-based SAML IdP is built, which completely encapsulates the functionality for nPA registration and nPA authentication. On the NEVIS side, the two components nevisProxy and nevisAuth are required on a NEVIS software appliance (nevisAppliance). The nevisAppliance is delivered as a bootable Linux image and can easily be operated in virtualized environments (ESX or Hyper-V). The nevisAppliance includes all the NEVIS components necessary for implementing the solution.
The core of the NEVIS authentication solution is the nevisAuth authentication service. It consists of a configurable "authentication engine", which makes it possible to flexibly combine so-called "authentication" plugins. This architecture supports a large number of authentication mechanisms and also ensures that the solution can easily be extended with customer-specific plugins. For authentication by means of nPA, nevisAuth already provides a standard plugin out of the box.
Integration into the corporate customer portal
The NEVIS-based nPA infrastructure is loosely coupled to the existing enterprise web infrastructure using SAML (Security Assertion Markup Language). SAML (http://saml.xml.org/wiki/saml-introduction) is a standardized protocol for federating identities across system and organizational boundaries.
The procedure for registering using nPA is as follows:
The sequence of a subsequent identification by means of nPA is, in principle, the same, with the exception that step 4 (mapping in the partner directory) is skipped. The login process is only successful if nevisAuth finds the stored nPA pseudonym via the REST interface of the user directory. If this is not the case, an error page is displayed stating that the user must first register for authentication by means of nPA. To start the registration process, the error page contains a direct link to it.
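As an added illustration of the registration and subsequent-authentication decisions described above (example code, not NEVIS code and not part of the original document): the partner directory and user directory are constructed in-memory stand-ins for the company's REST interfaces, and the field names, the return values and the /npa/register link are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class EidData:
    """Data the eID server returns after the customer has entered the nPA PIN."""
    pseudonym: str        # service-specific nPA pseudonym, stable across logins
    surname: str
    first_name: str
    date_of_birth: str    # ISO date; sample values below are constructed


@dataclass
class Directories:
    """In-memory stand-ins for the REST-connected partner and user directories."""
    partner: dict                               # contract number -> (surname, first name, birth date)
    users: dict = field(default_factory=dict)   # nPA pseudonym -> contract number


def register(dirs: Directories, eid: EidData, consent_given: bool):
    """Registration: consent first, then match the card data against the contract
    stock, then store the pseudonym in the user directory (step 4, partner mapping)."""
    if not consent_given:
        return ("consent_required", None)
    matches = [no for no, rec in dirs.partner.items()
               if rec == (eid.surname, eid.first_name, eid.date_of_birth)]
    if len(matches) != 1:
        # not found (or ambiguous): clearing via the contract department (KSC / KS)
        return ("clearing_ksc", None)
    dirs.users[eid.pseudonym] = matches[0]
    return ("registered", matches[0])


def authenticate(dirs: Directories, eid: EidData):
    """Subsequent login: only the stored pseudonym decides; the partner mapping is skipped."""
    contract_no = dirs.users.get(eid.pseudonym)
    if contract_no is None:
        # error page that links directly to the registration process (path is an assumption)
        return ("registration_required", "/npa/register")
    return ("authenticated", contract_no)


if __name__ == "__main__":
    dirs = Directories(partner={"K-1001": ("Muster", "Erika", "1964-08-12")})  # constructed
    card = EidData("PSEUDO-7f3a", "Muster", "Erika", "1964-08-12")             # constructed
    print(authenticate(dirs, card))                   # ('registration_required', '/npa/register')
    print(register(dirs, card, consent_given=True))   # ('registered', 'K-1001')
    print(authenticate(dirs, card))                   # ('authenticated', 'K-1001')
```

Note that after registration the login path needs only the pseudonym; the personal data read from the card are not kept in the user directory in this model.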
In a joint workshop, the final coordination of the functionalities of the nPA authentication solution and the definition of the interfaces are carried out.
Necessary consulting services
The necessary consulting services include the implementation of the kickoff workshop, the installation and setting up of the authentication solution and the implementation of authentication plugins for connecting the company-specific REST APIs.
Optional consulting services
These are offered depending on the client's support requirements during the installation of the authentication solution.
Necessary provision of services by the customer
Functional standard REST interface via JSON / XML for connecting the partner directory and the user directory, including documentation.
Support for installing and setting up the authentication solution.