NEVIS Security Suite


nevisProxy

Entry Gateway and Web Application Firewall

nevisProxy is a secure entry gateway with an integrated web application firewall (WAF). nevisProxy controls user access and protects sensitive data, applications, services, and systems from internal and external threats.

nevisAuth

Authentication Services

nevisAuth implements strong user and system authentication for identity and access management solutions. It offers secure execution of multi-step authentication and can dynamically adjust the authentication strength. nevisAuth is highly flexible, easily integrated, and supports plug-ins for various authentication methods.

nevisIDM

Identity Management

nevisIDM is a multi-client capable identity management solution that enables central management of users, applications, and permissions. To permit efficient management of users and credentials, nevisIDM supports delegated administration as well as self-administration.

nevisReports

Governance Dashboards and Reporting

nevisReports provides detailed reports on topics such as utilization, performance, security incidents and identity administration. The product is fully integrated into the NEVIS Security Suite. Access to and indexing of the relevant data, as well as preparation and distribution of predefined reports, is done automatically or requires minimal configuration. The standard reports of nevisReports can be extended at any time and tailored to the customer's needs.

Architecture

Authentication with the new German identity card (nPA)

Future Blackbox nPA / eID

Customer login and access via nPA / eID, forward-looking for further procedures, e.g. mTAN, video-ident and biometric procedures


Background:

Access data for the customer login are often sent via a PIN letter. This identification method can, for example, be supplemented by a faster procedure based on the eID function of the new ID card. This gives customers access to their customer login within minutes.

The customer needs:

  • New German identity card (nPA) with activated eID function
  • The installed AusweisApp2 (ID card app)
  • Card reader for nPA / eID or NFC-compatible smartphone
  • Internet connection

After an online contract conclusion, the customer can be informed about the fast (minutes) procedure via any channel. In addition, an information page is provided on the company's website on which the procedure is explained. There, any required consent to data storage can also be obtained. Consent is the prerequisite for continuing the identification process. A button can be displayed on the information page with which the nPA identification dialog is started.

The customer launches the ID card app and places the ID card on the card reader. After the nPA PIN has been entered, the ID card app transfers the relevant business data and the necessary technical data:

  • Surname, first name (read from nPA)
  • Address (read from nPA)
  • Date of birth (read from nPA)
  • Pseudonym (read from nPA)
  • Additionally, optionally:
    • E-mail address (entered by the customer in the dialog)
    • Mobile number (entered by the customer in the dialog)

Subsequently, the ID data must be matched against the contract inventory. If the customer is found, this data is displayed to the customer. After confirmation by checkbox, the customer is given access to the customer login, including digital customer contacts (DKA). If the customer cannot be found in the inventory, clarification is carried out via the contract department (KSC / KS) (for example, a call back to the customer).

Optionally, the e-mail address and mobile phone number can be integrated into the clarification process via mTAN or double opt-in.

The data collected from the customer as well as the metadata (date, time, ID type) and further technically necessary data (certificate ID, token, credentials, etc.) must be stored in the relevant company system.

For subsequent recurring access to the customer login via nPA (authentication), the nPA can be offered as an option next to user name / password. Clicking on an nPA symbol opens a dialog asking the user to start the ID card app and place the nPA on the card reader. The customer then enters the nPA PIN in the dialog of the ID card app and starts the data exchange for authentication. If the data match, access to the customer login including DKA is granted.

Both identification and authentication by the nPA should provide 24/7 availability.

FSP provides the nPA connection for the customer website and access to the federal government's eID server, including certificate hosting as well as the necessary business and technical information, via the blackbox solution described below.


Solution outline

Premises of the solution:

  • The offered solution achieves an optimal cost-benefit ratio.
  • Compliance with the time frame is ensured.
  • The solution ensures the necessary flexibility for future developments.

These requirements are achieved by using already available standard components in the solution.

Architectural Overview:

(Architecture diagram)

For the realization of the nPA integration into the company web environment, a NEVIS-based SAML IDP is built which completely encapsulates the functionality for nPA registration and nPA authentication. On the NEVIS side, the two components nevisProxy and nevisAuth are required, running on a NEVIS software appliance (nevisAppliance). The nevisAppliance is delivered as a bootable Linux image and can easily be operated in virtualized environments (ESX or Hyper-V). The nevisAppliance includes all NEVIS components necessary for implementing the solution.

The core of the NEVIS authentication solution is the nevisAuth authentication service. It consists of a configurable "authentication engine" which makes it possible to flexibly combine so-called "authentication" plugins. This architecture allows support for a large number of authentication mechanisms and also ensures that the solution can easily be extended with customer-specific plugins. For authentication by means of nPA, nevisAuth already provides a standard plugin out of the box.

Integration into the corporate customer portal

The NEVIS-based nPA infrastructure is loosely coupled to the existing enterprise web infrastructure using SAML (Security Assertion Markup Language). SAML (http://saml.xml.org/wiki/saml-introduction) is a standardized protocol for federating identities across system and organizational boundaries.

The procedure for registering using nPA is as follows:

  1. The user selects the "Register via nPA" function on the company login page and is thus redirected to the NEVIS-based SAML IDP (HTTP redirect).
  2. Step 2 in the graphic above corresponds to the mentioned HTTP redirect.
  3. The nPA plugin of nevisAuth then triggers the nPA authentication process and the user is prompted for the nPA PIN. After successful authentication by means of nPA, the requested user attributes (for example first name, surname, date of birth, etc.) are available.
  4. In the next step, a nevisAuth REST plugin checks whether the nPA user is already a customer. For this purpose, the identifying attributes (for example first name, surname, date of birth, place of birth) are forwarded to the company-specific REST API of the partner directory. If the API does not return a unique hit, the user is forwarded to an error page. The error page contains the telephone number of the help desk together with the request to contact it.
  5. If the user is found in the company-specific partner directory, an API call to the company-specific user directory ensures that an identity is also created there, so that the user can be found again on subsequent identifications using nPA. For this purpose the unique pseudonym identifier, for example, can be stored in the user directory. If an account already exists, the pseudonym ID is stored as an additional user attribute; the user then has the option to log in using nPA as an alternative to the previous user name / password. If no identity exists, a new one is created, with the nPA attributes as well as all attributes from the partner directory available as basic information. An identity created by means of nPA registration does not have a password and can therefore only log in by means of nPA in the future.
  6. In the last step, nevisAuth creates a SAML assertion and directs the user back to the application. The SAML assertion is consumed and verified by the application, so that the user is logged directly into the application. The mapping of the user within the user directory is based on the previously stored pseudonym identifier.

The sequence for a subsequent identification (login) by means of nPA is, in principle, the same, except that step 4 (matching in the partner directory) is skipped. The login is only successful if nevisAuth finds the stored nPA pseudonym via the REST interface of the user directory. If this is not the case, an error page is displayed to the user stating that they must first register for authentication by means of nPA. To start the registration process, the error page directly contains a link to it.
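The decision logic behind steps 4 to 6 and the subsequent-login variant, as an added example that is not NEVIS code and not part of the original page. It replaces the two company REST APIs with in-memory stand-ins (`Directories`), uses a plain dictionary as a stand-in for the SAML assertion, and works on constructed sample records; the attribute names, the `Outcome` values and the `customer_id` key are assumptions made for the example. It shows the three security-relevant rules of the text: the partner directory must return exactly one hit, the pseudonym becomes the only binding for later logins, and an identity created through nPA registration has no password.

```python
# Added example (not NEVIS code): decision logic of the nPA registration and
# authentication flow, with in-memory stand-ins for the partner directory and
# user directory REST APIs. All records below are constructed sample data.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

# Attributes forwarded to the partner directory in step 4 (assumed names).
IDENTIFYING_ATTRIBUTES = ("first_name", "surname", "date_of_birth", "place_of_birth")


class Outcome(Enum):
    LOGGED_IN = "logged_in"              # SAML assertion issued (step 6)
    NO_UNIQUE_MATCH = "no_unique_match"  # error page with help desk number (step 4)
    NOT_REGISTERED = "not_registered"    # error page linking to the registration


@dataclass
class Identity:
    user_id: str
    attributes: dict
    pseudonym: Optional[str] = None      # nPA pseudonym stored as the login handle
    password_hash: Optional[str] = None  # stays None for identities created via nPA


@dataclass
class Directories:
    """Hypothetical in-memory stand-in for the two company REST APIs."""
    partner: list                              # partner directory records
    users: dict = field(default_factory=dict)  # user directory: customer_id -> Identity

    def find_partner(self, attrs: dict) -> Optional[dict]:
        """Return the partner record only when the identifying attributes give exactly one hit."""
        hits = [r for r in self.partner
                if all(r.get(k) == attrs.get(k) for k in IDENTIFYING_ATTRIBUTES)]
        return hits[0] if len(hits) == 1 else None

    def find_by_pseudonym(self, pseudonym: str) -> Optional[Identity]:
        """Subsequent logins are resolved by the stored pseudonym only."""
        return next((u for u in self.users.values() if u.pseudonym == pseudonym), None)


def build_assertion(ident: Identity) -> dict:
    """Dictionary stand-in for the SAML assertion of step 6; the subject is the pseudonym."""
    return {"subject": ident.pseudonym, "attributes": dict(ident.attributes)}


def register_via_npa(dirs: Directories, npa_attrs: dict):
    """Steps 4-6: unique match in the partner directory, pseudonym binding, assertion."""
    partner = dirs.find_partner(npa_attrs)
    if partner is None:
        return Outcome.NO_UNIQUE_MATCH, None
    ident = dirs.users.get(partner["customer_id"])
    if ident is None:
        # New identity: partner data plus nPA attributes, deliberately without a password.
        ident = Identity(user_id=partner["customer_id"],
                         attributes={**partner, **{k: npa_attrs[k] for k in IDENTIFYING_ATTRIBUTES}})
        dirs.users[ident.user_id] = ident
    ident.pseudonym = npa_attrs["pseudonym"]  # existing accounts get the pseudonym as an extra attribute
    return Outcome.LOGGED_IN, build_assertion(ident)


def authenticate_via_npa(dirs: Directories, npa_attrs: dict):
    """Subsequent login: the partner directory is skipped, only a stored pseudonym counts."""
    ident = dirs.find_by_pseudonym(npa_attrs["pseudonym"])
    if ident is None:
        return Outcome.NOT_REGISTERED, None
    return Outcome.LOGGED_IN, build_assertion(ident)


def can_use_password(ident: Identity) -> bool:
    """An identity created by nPA registration has no password and cannot use the password login."""
    return ident.password_hash is not None


def sample_directories() -> Directories:
    """Constructed sample data: one unique customer and two indistinguishable records."""
    partner = [
        {"customer_id": "C-1001", "first_name": "Erika", "surname": "Mustermann",
         "date_of_birth": "1964-08-12", "place_of_birth": "Berlin"},
        {"customer_id": "C-2001", "first_name": "Max", "surname": "Mustermann",
         "date_of_birth": "1970-01-01", "place_of_birth": "Köln"},
        {"customer_id": "C-2002", "first_name": "Max", "surname": "Mustermann",
         "date_of_birth": "1970-01-01", "place_of_birth": "Köln"},
    ]
    return Directories(partner=partner)


# Constructed attribute sets as the nPA plugin would hand them over (pseudonyms are placeholders).
ERIKA = {"first_name": "Erika", "surname": "Mustermann", "date_of_birth": "1964-08-12",
         "place_of_birth": "Berlin", "pseudonym": "PSEUDONYM-PLACEHOLDER-1"}
MAX = {"first_name": "Max", "surname": "Mustermann", "date_of_birth": "1970-01-01",
       "place_of_birth": "Köln", "pseudonym": "PSEUDONYM-PLACEHOLDER-2"}

if __name__ == "__main__":
    d = sample_directories()
    print(authenticate_via_npa(d, ERIKA)[0])  # NOT_REGISTERED: no pseudonym stored yet
    print(register_via_npa(d, ERIKA)[0])      # LOGGED_IN: unique hit, identity created
    print(authenticate_via_npa(d, ERIKA)[0])  # LOGGED_IN: found by pseudonym alone
    print(register_via_npa(d, MAX)[0])        # NO_UNIQUE_MATCH: two partner records
```

The ambiguous "Max Mustermann" records show why the unique-hit rule matters: without it, a registration could bind a pseudonym to the wrong customer's contract data. Note that the real nPA pseudonym is card- and service-provider-specific, so the placeholders here stand for opaque strings that never need to be shared between companies.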

Implementation

Kickoff Workshop

In a joint workshop, the final coordination of the functionalities of the nPA authentication solution and the definition of the interfaces are carried out.

Necessary consulting services

The necessary consulting services include conducting the kickoff workshop, the installation and setup of the authentication solution, and the implementation of authentication plugins for connecting the company-specific REST APIs.

Optional consulting services

Optional consulting services are offered depending on the client's support requirements during the installation of the authentication solution.

Necessary provision of services by the customer

A functional standard REST interface via JSON / XML for connecting the partner directory and the user directory, including documentation.

Support for installing and setting up the authentication solution.
