SSO FAQ
Written by Angelica Medallo
Updated over a week ago

General

Q. Can SSO be used in combination with a normal password login?

A. No. Once SSO is configured for an email domain, all users on that domain are required to use SSO to log in.

Q. Can I test SSO login before enabling?

A. Ansarada can enable SSO on a test domain first (e.g. test.example.com). You will need a mailbox configured for this test domain in order to be able to accept the invitation email.

Q. What happens when our certificate is due to expire?

A. Ansarada will need to be notified ahead of time to arrange a manual rollover to the new certificate. We also monitor for upcoming certificate expiry and will notify you if a certificate is due to expire.

Q. Do you support automatic certificate rollover?

A. No, not currently. We are always considering improvements in this area, so please let us know of your requirements.

Q. Do you support SSO options other than SAML e.g. OIDC, WS Federation?

A. No, not currently. We are always considering improvements in this area, so please let us know of your requirements.

Federation

Q. Does the application currently implement or support Federated Authentication via SAML 2.0 or OIDC?

A. Yes, SAML 2.0 is supported by default. OIDC is not currently supported.

Q. Can the application support artifact binding per the SAML 2.0 binding specification?

A. We support the HTTP Redirect binding and the HTTP POST binding.

Q. Does the application expose a web-based metadata endpoint for IdP (Identity Provider) consumption?

A. Yes, we generate a web-based metadata endpoint at a per-customer URL. The endpoint becomes available once the SSO setup process has started and the customer has provided the required information.

Example format from our QA environment:

Q. Does the application support signed assertions using RSA keys of at least 2048 bits or ECC keys of at least 256 bits in length?

A. We support RSA keys of 2048 bits.

Q. Can the application generate digital signatures using SHA-2 hash functions that produce digests of at least 256 bits in length?

A. Yes

Q. Does the application support HTTP communications over TLS? Which Version of TLS?

A. Yes, TLS 1.2 and 1.3

Q. Are the certificates signed by a Certificate Authority using RSA signing keys of at least 4096 bits or ECC signing keys of at least 256 bits in length?

A. Yes, we support ECC 256-bit

Q. Are the certificates signed using a SHA-2 hash function that produces a digest of at least 256 bits in length?

A. Yes, we support SHA-2 256-bit

Q. Do the certificates contain an RSA public key of at least 2048 bits or an ECC key of at least 256 bits in length?

A.

  • Yes, we support ECC 256-bit keys

  • Yes, we support SHA-2 256-bit signatures

Q. Do TLS communications support perfect forward secrecy via ephemeral session key exchange? Do TLS handshakes involve a standard Diffie-Hellman key exchange?

A. Yes, we support both keyless SSL and Diffie-Hellman handshakes.

Q. Do TLS communications support strong cipher suites (such as an IANA recommended cipher suite)?

A. Of the IANA-recommended cipher suites, we support:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

For more supported algorithms:

Q. Does the application support metadata endpoint monitoring with automated configuration updates?

A. No. However, we have a status page that monitors the Ansarada platform:

Q. Does the application support the use of multiple IdP certificates at any given time?

A. No

Access Management

Q. Does the application currently implement or support Dynamic Session Management (Claims Based Authorisation)?

  • AwesomeCompany user identity and entitlement records exist only within AwesomeCompany systems and are never persisted in any third party systems.

  • AwesomeCompany IDP issues a SAML token with user identity attributes and entitlements specific to the third party application.

  • Third-Party STS (Security Token Service) issues a SAML token with entitlement claims passed-through from the AwesomeCompany IDP SAML token as-is without any mapping or transformation.

  • The third-party application depends solely on the SAML token for determining user entitlements at runtime.

A. Ansarada captures user identity attributes (first name, last name and email address); however, we do not support entitlement records.

  • Ansarada persists identity information (first name, last name and email address) within platform services.

  • Ansarada doesn’t map or transform the received identity information.

  • The SAML token is used as proof of authentication to log in to the Ansarada platform. Authorisation (which products and services within the Ansarada platform a user can access) is managed within Ansarada products such as Dealroom, not via SAML.

Q. Does the application currently implement or support On-Demand Provisioning using SAML Assertion?

A. Ansarada supports on-demand provisioning using SAML assertion.

Q. Does the application currently implement or support Automated Access Removal after a period of inactivity?

A. No

Q. Does the application currently implement or support SCIM based automated provisioning and de-provisioning?

A. No

Q. If SCIM support is not available, is there an alternate provisioning/de-provisioning API available?

A. No

Q. Does the API support establishment of all roles, including privileged roles (such as access administration, etc.)?

A. No

Q. Does the application provide a user interface for Direct Administration for AwesomeCompany workforce? Can this interface be SAML secured?

A. Yes, we provide the Ansarada management area which is SAML secured.

Q. Can this interface be enabled/ disabled based on AwesomeCompany’s requirements?

A. Yes, AwesomeCompany can decide who has access to the Ansarada management area.

Q. How does user access provisioning occur?

A. An AwesomeCompany admin can invite internal and external users to the Ansarada platform.

Q. Does the application provide alternate access mechanisms that do not require authentication with an IdP (for example, direct-access break-glass accounts for the restoration of service)?

A. Ansarada CS has access to Ansarada’s platform customer area.

Q. What is the maximum token validity period time that is accepted by the application?

A. 60 minutes

Q. Are any components of the application hosted on public cloud infrastructure, such as AWS, Azure?

A. Ansarada uses AWS public cloud infrastructure.

Q. Where is the application IdP (relying party STS) hosted (public cloud, on-prem, other)?

A. Ansarada uses Auth0 (https://auth0.com), which is hosted on AWS public cloud infrastructure.

Q. What devices can be used to access the application (PC, MAC, mobile, other)?

A. Any device with Internet access

Q. Does the application provide non-web based access points (DB, OS, other)?

A. No

Q. What channels can be used to access application (Internet, Internet with IP restriction, leased lines, VPN, other)?

A. Internet. The application is entirely Internet-accessible.

Q. Can partner applications (Kira, Luminance, etc.) use SSO to login?

A. By default, only the products that are part of the Ansarada Platform can use configured SSO.

Q. What is the application login URL?

A. app.ansarada.com, which redirects the user to the page hosting the platform login page (dynamic URL): https://auth.au.ansarada.com/login

Authentication

Q. What URL is used for the change password page (if available)?

A. Same as the login form

Q. Please list any browser restrictions if any. E.g. IE v11 or higher.

A.

  • Chrome (latest)

  • Firefox (latest)

  • Safari (latest)

  • Microsoft Edge (latest)

  • IE (V11 or higher)

  • Opera (latest)

  • iOS Safari (latest 2 versions)

  • Chrome for Android (latest)

Connectivity Restrictions

Q. Does the Third Party provide the capability to restrict connectivity to the application so that only traffic originating from the AwesomeCompany network is permitted?

A. Yes

Q. What capabilities are provided to restrict connectivity (e.g. IP restriction via whitelisting or use of Virtual Private Network (VPN))?

A. IP restriction via whitelisting

Q. Please describe the process for initiating and completing connectivity restrictions with AwesomeCompany and service level agreement (SLA) for establishing that restriction.

A. An authorised officer of AwesomeCompany makes a request to Ansarada support (support@ansarada.com) for connectivity restriction via IP whitelisting, specifying which projects it should apply to. The request will be completed within 24 hours.

Access Administration

Q. Is AwesomeCompany permitted to log into the application and complete access administration?

A. Yes, provided the AwesomeCompany personnel performing the administration has Administrator access to the deal room or management area that contains the user being managed.

Q. Does the application have any geographical restrictions that govern where security administrator users must be located in order to use the application?

A. Not as standard. Geoblocking can be applied on a per deal room or per management area basis.

Q. What are the known limitations or exceptions for your application?

A. Invitations to deal rooms expire 900 (nine hundred) days after the invitation is issued. Users must accept the invitation within that time; otherwise a new invitation will have to be issued.

Q. How can the AwesomeCompany Security Administrator contact your helpdesk for support related to access administration and related activities?

Password Policies

Q. What is the minimum password length?

A. At least 8 characters

Q. What is the maximum password age (in days)?

A. Password time expiration is not supported

Q. Must the password contain lowercase characters (a through z)?

A. Yes

Q. Must the password contain uppercase characters (A through Z)?

A. Yes

Q. Must the password contain base 10 digits (0 through 9)?

A. Yes

Q. Must the password contain special or non-alphanumeric characters (@, #, +, etc.)?

A. Yes

Q. What is the password cycle frequency?

A. The user can’t reuse any of their last 5 passwords.

Please see more details:

Q. After how many consecutive failed login attempts will the account be locked?

A. We support brute force protection, please see the details below:

Q. Does the password contain login ID?

A. The password cannot contain a part of the user’s email address, nor their first or last name.

Please see more details:

Q. Does the password contain any element of your full name?

A. The password cannot contain a part of the user’s email address or user name (first and last name).

Please see more details:

Q. Does the password include any phrase from the firm-maintained blacklist below?

A. Passwords from the common password lists are not allowed.

Please see more details:
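The password rules stated in this section (minimum length, character classes, no name or email fragments, the common-password list and the last 5 passwords) combined into one validator, as an added Python example that is not Ansarada's code. The common-password list is a constructed stand-in, and treating "part of the email" as the local part and its tokens of three or more characters is an assumption.

```python
import hashlib, os, re

COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein1"}  # constructed stand-in
HISTORY_DEPTH = 5      # FAQ: the last 5 passwords cannot be reused
MIN_LENGTH = 8         # FAQ: at least 8 characters

def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so history can be checked without storing plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def in_history(password, history):
    """history: (salt, digest) pairs for previous passwords, newest first."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[:HISTORY_DEPTH])

def forbidden_fragments(email, first_name, last_name):
    """Assumption: 'part of the email' means the local part and its 3+ character tokens."""
    local = email.split("@")[0].lower()
    tokens = {local, first_name.lower(), last_name.lower()} | set(re.split(r"[^a-z0-9]+", local))
    return sorted(t for t in tokens if len(t) >= 3)

def validate_password(password, email, first_name, last_name, history=()):
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    for pattern, rule in ((r"[a-z]", "no lowercase letter"), (r"[A-Z]", "no uppercase letter"),
                          (r"[0-9]", "no digit"), (r"[^A-Za-z0-9]", "no special character")):
        if not re.search(pattern, password):
            problems.append(rule)
    lowered = password.lower()
    for frag in forbidden_fragments(email, first_name, last_name):
        if frag in lowered:
            problems.append(f"contains '{frag}' from the user's name or email")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common password list")
    if in_history(password, list(history)):
        problems.append("matches one of the last 5 passwords")
    return problems

if __name__ == "__main__":
    previous = [hash_password("Old-Secret9")]  # constructed history entry
    print(validate_password("JaneDoe1!", "jane.doe@example.test", "Jane", "Doe", previous))
```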

Other

Q. Can SSO be enabled for AwesomeCompany both internal and external users?

A.

  • AwesomeCompany admin will be able to decide, at the user level (represented by the user’s email), whether to assign or revoke access to the entire Ansarada platform.

  • SSO can be enabled for all internal users (AwesomeCompany domain). External users’ access permissions can be managed by the AwesomeCompany admin using the management area (please see the next paragraph, ‘Management Area’).

  • SSO is managed at the platform level. That is, the user is authenticated into our Platform (following SSO authentication); that authentication then determines which rooms they will see and what type of access they have. User access to rooms (which rooms they can access and their type of access) can be managed using the management area.

Q. What are Ansarada management areas for?

A.

  • AwesomeCompany admin will have centralised control to create rooms and assign/revoke access permissions to those rooms for both internal and external users, giving full user management control (the second level of user management).

  • AwesomeCompany admin will be able to decide who the admins will be (non-Ansarada). This can be centralised as one role or team as per your requirement.

  • AwesomeCompany can have multiple management areas managed by different AwesomeCompany admins (non-Ansarada) for further centralisation if required.

Q. How can I see who has access to which room?

A. An admin will be able to log in to any room in the Management Area, and:

  • View all room users in the browser UI.

  • Export users to Excel.

On a regular basis, Ansarada will be able to produce a report about users (both internal and external) in all rooms. The following information is available:

  1. Name

  2. Email

  3. List of all rooms the user has access to

  4. Role (per room)

  5. Phone

  6. City

  7. Country

  8. Job title

Q. Does Ansarada support MFA for both internal and external users?

A.

  • MFA for internal users can be supported through SSO.

  • MFA for external users is on Ansarada’s roadmap and will be available in October 2020.

Q. Please let me know the availability of Ansarada application in Azure Gallery.

A. Ansarada is not available as an application in the Azure Gallery; nevertheless, we can configure Azure as an IdP for SSO.

Q. Please confirm whether you offer IdP-initiated SSO or SP-initiated SSO.

A. Ansarada supports SP-initiated flows. IdP-initiated flows are not currently supported.
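The SP-side checks implied by two answers on this page, that accepted tokens are valid for at most 60 minutes and that only SP-initiated flows are accepted (a response must answer an AuthnRequest the SP issued), as an added Python example that is not Ansarada's code. The function name check_response, the 3-minute clock-skew allowance and the sample response are assumptions; XML signature verification against the single configured IdP certificate must succeed before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
MAX_VALIDITY = timedelta(minutes=60)  # FAQ: maximum accepted token validity
CLOCK_SKEW = timedelta(minutes=3)     # assumed tolerance for IdP/SP clock drift

def parse_ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, audience, outstanding_request_ids, now):
    """Return (ok, reason). XML signature verification against the configured
    IdP certificate is assumed to have succeeded before this runs."""
    root = ET.fromstring(xml_text)
    # SP-initiated only: the response must answer an AuthnRequest we issued
    if root.get("InResponseTo") not in outstanding_request_ids:
        return False, "unsolicited or replayed response (InResponseTo)"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion in response"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "assertion has no bounded validity window"
    not_before = parse_ts(cond.get("NotBefore"))
    not_on_or_after = parse_ts(cond.get("NotOnOrAfter"))
    if not_on_or_after - not_before > MAX_VALIDITY:
        return False, "validity window longer than 60 minutes"
    if now < not_before - CLOCK_SKEW or now >= not_on_or_after + CLOCK_SKEW:
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "assertion not addressed to this SP (Audience)"
    return True, "ok"

# Constructed sample response; a real one also carries a ds:Signature element.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42">
  <saml:Assertion ID="_a1">
    <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE, "https://sp.example.test/saml", {"_req42"},
                         parse_ts("2024-01-01T10:02:00Z")))
```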

Q. Can you supply configuration documentation for Microsoft Azure?

A. We don’t have Azure specific documentation. Our documentation is generic for all IdPs. We recommend configuring a custom Enterprise Application.

Q. Can SSO be enabled for individual users to test the SSO setup?

A. Unfortunately, Ansarada doesn’t have the capability to enable SSO for individual users. SSO works per email domain: when a user tries to log in with a particular email address, our platform detects whether SSO is configured for that domain. One option we can suggest is to use a test domain. After successful verification, Ansarada will remove the test domain from the list of domains configured for SSO.
