Security Managers Overview

   Journey Manager (JM)  |  System Manager / DevOps  |  21.11 This feature was updated in 21.11.

Note

The Security Managers online documentation has been replaced with a PDF version. If you have access to the Temenos instance of Microsoft Teams, you can download the Security Managers PDF from Teams; otherwise, contact your customer support manager (CSM) to request a copy of the PDF.

Journey Manager is designed around a robust security architecture that provides a safe foundation for users to access the forms and applications hosted on the server, and to call its set of REST APIs. The architecture is implemented with Security Managers, software components within Manager that handle users' requests for access to form spaces and modules. Users can be external or internal, and they may need access to a single form space or to a combination of form spaces and modules in different environments.

Another important use of security managers is authenticating REST API calls. Because Manager exposes a set of REST APIs for integration with external systems, that communication must be secured. By default, REST API calls use HTTP Basic authentication, which sends the credentials with every request and therefore relies on the TLS channel to protect them; you can instead configure any required authentication mechanism, such as OAuth or SSO, for the REST API endpoints.

You do this by configuring a security manager for the form space or module that exposes the REST API endpoints. When a request is sent to a REST endpoint, the user account that identifies the call must pass through Spring Security session management, and the user must be authenticated by the form space's or module's security manager, for example by Single Sign-On (SSO) such as ADFS, OAuth2 or a custom SSO.

Security Managers are responsible for:

Security Managers rely on standard cryptographic technologies, such as TLS (and its predecessor SSL), SHA hashing and AES encryption, to fulfil these responsibilities.

The security architecture enables developers and system administrators to implement best security practices, such as:

A security manager contains one or more authentication providers that can be chained. That is, if one authentication provider cannot authenticate a user for any reason, the next authentication provider is called, and so on, until the user is authenticated or no authentication providers are left. Providers can be local (authenticating against Manager's own user database) or delegated (handing the check to an external directory or identity provider, such as LDAP or ADFS).

An authentication provider's main job is to authenticate a user, which results in allowing or denying that user access to a resource, most often a form. Security Managers can be exported and imported across different Manager instances, which makes it easier to apply the same security requirements in several environments.

Manager comes with the following ready-to-use security managers:

  • Local Security Manager
  • LDAP Security Manager
  • Microsoft ADFS Security Manager
  • Microsoft WS-Trust Security Manager
  • SSO Security Manager
  • OAuth2 SSO Security Manager
  • Fluent Microsoft ADFS Security Manager  |  19.11 This feature was introduced in 19.11.
  • Fluent SSO Security Manager  |  19.11 This feature was introduced in 19.11.
  • Fluent OAuth2 SSO Security Manager  |  21.11 This feature was introduced in 21.11.

SSO security managers, such as the Microsoft ADFS Security Manager, have specific Groovy scripts that you can configure to acquire an SSO token or to call a chain of authentication providers. This lets you build various SSO and login flows.

SSO Flow

  1. SSO Get Auth Token. The result is passed into the authentication providers. If there is no result, or a local authentication provider exists, the flow can fall through to the login flow.
  2. Authentication provider list
  3. SSO authentication OK response
  4. SSO re-validation

Login Flow

  1. Login page
  2. Authentication Providers, for example, WS-Trust and LDAP or Local DB
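The request authentication, provider chain and the two flows described above, as an added illustration in Python that is not Journey Manager's own code (Manager's security managers are Java components configured through Groovy scripts). A `SecurityManager` holds a delegated SSO token provider followed by a local database provider; a `Bearer` token takes the SSO path, `Basic` credentials take the login path, and a request that presents nothing usable is sent to the login page. The provider classes, the HMAC-signed token that stands in for a real SAML assertion or JWT, and the sample user, salt and signing key are all constructed for the example.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Principal:
    username: str
    provider: str     # which provider in the chain authenticated the user
    expires_at: int   # epoch seconds after which the session must be re-validated

def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LocalDbProvider:
    """Local provider (login flow): checks username/password against stored PBKDF2 hashes."""
    name = "local"
    def __init__(self, users: dict, session_ttl: int = 900):
        self._users, self._ttl = users, session_ttl   # users: {name: (salt, hash)}
    def authenticate(self, credential: dict, now: int) -> Optional[Principal]:
        if credential.get("type") != "password":
            return None                   # not our credential type: the chain moves on
        record = self._users.get(credential["username"])
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(pbkdf2(credential["password"], salt), stored):
            return None                   # wrong password: the next provider gets a chance
        return Principal(credential["username"], self.name, now + self._ttl)

class SsoTokenProvider:
    """Delegated provider (SSO flow). A real ADFS/OAuth2 provider validates a SAML
    assertion or JWT; an HMAC-signed 'user.expiry.signature' token stands in here."""
    name = "sso"
    def __init__(self, idp_key: bytes):
        self._key = idp_key
    def authenticate(self, credential: dict, now: int) -> Optional[Principal]:
        if credential.get("type") != "token":
            return None
        parts = credential["token"].split(".")
        if len(parts) != 3 or not parts[1].isdigit():
            return None                   # malformed token
        user, exp, sig = parts
        expected = hmac.new(self._key, f"{user}.{exp}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()) or int(exp) <= now:
            return None                   # forged, tampered or expired token
        return Principal(user, self.name, int(exp))

class SecurityManager:
    """Chain of providers, tried in order until one authenticates or none are left."""
    def __init__(self, providers):
        self.providers = list(providers)
    def authenticate(self, credential: dict, now: int) -> Optional[Principal]:
        for provider in self.providers:
            principal = provider.authenticate(credential, now)
            if principal is not None:
                return principal
        return None

def credential_from_request(headers: dict) -> Optional[dict]:
    """Bearer token -> SSO flow; Basic credentials -> login flow; none or garbled -> None."""
    scheme, _, value = headers.get("Authorization", "").strip().partition(" ")
    if scheme.lower() == "bearer" and value:
        return {"type": "token", "token": value.strip()}
    if scheme.lower() == "basic" and value:
        try:
            decoded = base64.b64decode(value.strip(), validate=True).decode()
        except ValueError:                # binascii.Error and UnicodeDecodeError
            return None
        user, _, password = decoded.partition(":")
        return {"type": "password", "username": user, "password": password}
    return None

def handle_request(manager: SecurityManager, headers: dict, now: int) -> tuple:
    """('ok', principal); ('login', None) when nothing usable was presented, i.e. send the
    user to the login page; ('denied', None) when every provider rejected the credential."""
    credential = credential_from_request(headers)
    if credential is None:
        return ("login", None)
    principal = manager.authenticate(credential, now)
    return ("ok", principal) if principal is not None else ("denied", None)

def revalidate(principal: Principal, now: int) -> bool:
    return now < principal.expires_at     # SSO re-validation: valid only until expiry

# Constructed sample data for this example; not from any real deployment.
IDP_KEY = b"example-idp-signing-key"
USERS = {"alice": (b"example-salt", pbkdf2("correct horse battery staple", b"example-salt"))}
MANAGER = SecurityManager([SsoTokenProvider(IDP_KEY), LocalDbProvider(USERS)])

def issue_token(user: str, expires_at: int, key: bytes = IDP_KEY) -> str:
    """Stand-in for the external identity provider issuing a signed token."""
    body = f"{user}.{int(expires_at)}"
    return body + "." + hmac.new(key, body.encode(), "sha256").hexdigest()

def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Two design points worth carrying over to a real configuration: the order of the chain matters, because a credential rejected by one provider is offered to the next (a wrong local password may end up being tried against a delegated directory), and a provider that is unavailable should be distinguished from one that rejected the credential if lockout counters or audit records depend on the difference. Both providers above also use constant-time comparison for the password hash and the token signature, so a failed check does not leak timing information.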

Manager controls access to the Manager Dashboard using permissions and organization-based filters, whereas access to forms and content on a form space is controlled using groups, permissions, and user-account-based filtering.

Download the Security Managers PDF

The Security Managers PDF is available to download from the Temenos instance of Microsoft Teams.

  1. Log in to Microsoft Teams.
  2. Go to the Temenos Journey Manager (TJM) team, and select the Temenos Document Share channel.
  3. Select Files, and browse to the SecurityManager (INTERNAL USE ONLY) folder.
  4. Download the Security Managers PDF for your version of Manager (Security-Managers.pdf).

Next, learn about organizations.