Federated Authentication

SERAM uses a claims-based authentication system for associating data received from trusted logon providers to users.

This approach has many benefits:

  • Users can continue to use their existing login and transparently access SERAM.
  • SERAM does neither store nor process passwords. This is an important security factor: Even if the application was somehow compromised, an attacker could not obtain any login information.
  • Different authentication systems can be used concurrently to authenticate against SERAM, such as SAML2 IDP, OAuth2 and OpenID.
  • One user account may be associated to multiple claims of different providers. Changing the authentication provider does therefore not require creating a new user account.
  • Authentication providers may implement security best practices auch as two-factor authentication technologies without affecting the main software.
  • Disabling a user account in SERAM will prevent access, no matter which login provider was being used.

In the SaaS environment, for small companies or individuals who do not have a centralized authentication provider in place, an OpenID provider doing username-password authentiation is provided for convenience. This provider uses a database which is built with one-way hashes of e-mail addresses and passwords, so that no login information can be obtained from the database if it was compromised.

Feature Categories:

  • Security and Access Control