Security Managers Overview

   Journey Manager (JM) The transaction engine for the platform. |   System Manager / DevOps |   21.11 This feature was updated in 21.11.

Journey Manager is designed with a robust security architecture in mind that ensures a safe and secure foundation for users to access forms and applications hosted on the server, as well as call a set of REST API. The security architecture is implemented using Security Managers, which are software components within Manager that handle users request access to different form spaces and modules. Users can be external or internal, and they can require access to form spaces or a combination of form spaces and modules in different environments.

Another important use of security managers is authentication of REST API calls. As Manager provides a set of REST API allowing integration with external systems, it is important to make communication secure. By default, REST API calls use basic authentication, but you can configure any required authentication mechanism, such as OAuth or SSO, for REST API endpoints.

You do it by configuring a security manager for a form space or a module that exposes REST API endpoint. When a request is sent to the REST endpoint, a user account, which identifies this call, needs to pass through Spring Security Session Management. The user must be authenticated with the form space's or module's security manager by using Single Sign-On (SSO), such as ADFS, oAuth2 or custom SSO.

Security Managers are responsible for:

• User authenticationUser authentication is the verification of an active human-to-machine transfer of credentials required for confirmation of a user's authenticity.
• User authorizationUser authorization is interested in who the user is, and is used to determine what functions, actions, data, or other parts of an application the user has access to.
• User self-registration
• Session managementSession management is the rule set that governs interactions between a web-based application and users. Browsers and websites use HTTP to communicate, and a web session is a series of HTTP requests and response transactions created by the same user. Since HTTP is a stateless protocol, where each request and response pair is independent of other web interactions, each command runs independently without knowing previous commands. In order to introduce the concept of a session, it is necessary to implement session management capabilities that link both the authentication and access control (or authorization) modules commonly available in web applications.

Security Manager use the latest technologies, such as TLS, SSL, SHA and AES, to allow them fulfill their responsibilities.

The security architecture enables developers and system administrators to implement best security practices, such as:

• Never log PIIPersonally Identifiable Information (PII) is information about an individual that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and any other information that is linked to an individual. In Europe, PII is known as personal data. information to the Groovy service log.
• Never turn on debug level of logging in production environments.
• Never store passwords in the clear formats.
• Never log passwords to the log files.
• Never pass internal security data to the client, for example, by adding them in the XML files.

A security manager contains one or more authentication providers that can be chained. That is, if one authentication provider can't authenticate a user due to some reason, the next authentication provider is called and so on until the user is authenticated or no authentication providers are left. Providers can be local or delegated, as shown below.

An authentication provider's main job is to authenticate a user that will result in allowing or denying user access to a resource, which is often a form. Security Managers can be exported and imported across different Manager instances to make it easier to implement security requirements.

Manager comes with the following ready-to-use security managers:

• Local Security Manager
• LDAP Security Manager
• Microsoft ADFS Security Manager
• Microsoft WS-Trust Security Manager
• SSO Security Manager
• OAuth2 SSO Security Manager
• Fluent Microsoft ADFS Security Manager  |  19.11 This feature was introduced in 19.11.
• Fluent SSO Security Manager  |  19.11 This feature was introduced in 19.11.
• Fluent OAuth2 SSO Security Manager  |  21.11 This feature was introduced in 21.11.

SSO security managers, such as Microsoft ADFS, have specific Groovy scripts, which you can configure to acquire a SSO token or call a chain of authentication providers. It allows you to create various SSO and login flows.

SSO Flow

1. SSO Get Auth Token. The result is passed into the authentication providers. If there's no result or a local authentication provider exists, it can go to the login flow
2. Authentication provider list
3. SSO authentication OK response
4. SSO re-validation

Login Flow

1. Login page
2. Authentication Providers, for example, WS-Trust and LDAP or Local DB

Manager controls access to the Manager Dashboard using permissions and organization based filters, whereas access to forms and content on the form space is controlled using groups, permissions, and user account based filtering.