SERAM uses a claims-based authentication system that associates the identity data received from trusted logon providers with user accounts.
This approach has many benefits:
- Users can continue to use their existing login and transparently access SERAM.
- SERAM neither stores nor processes passwords. This is an important security factor: even if the application were somehow compromised, an attacker could not obtain any login information from it.
- Different authentication systems can be used concurrently to authenticate against SERAM, such as SAML2 IDP, OAuth2 and OpenID.
- One user account may be associated with multiple claims from different providers. Changing the authentication provider therefore does not require creating a new user account.
- Authentication providers may implement security best practices such as two-factor authentication without affecting the main software.
- Disabling a user account in SERAM will prevent access, no matter which login provider was being used.
In the SaaS environment, an OpenID provider performing username-password authentication is provided for convenience, aimed at small companies or individuals who do not have a centralized authentication provider in place. This provider uses a database that holds only one-way hashes of e-mail addresses and passwords, so that no login information can be recovered from the database if it were compromised.
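The two mechanisms described above, the claims-to-account mapping (one account linked to claims from several providers, a disabled account blocking every provider's claim) and the convenience provider that keeps only one-way hashes, can be sketched together in a few dozen lines. The following is an added illustration, not SERAM's own code: the class names, the `issuer:subject` claim shape, SHA-256 for the e-mail lookup key and PBKDF2-HMAC-SHA256 for passwords are assumptions made here to show the pattern, and the sample users are constructed.

```python
"""Added example (not SERAM's code): a claims-to-account registry plus a local
username/password provider that persists only one-way hashes."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Claim:
    issuer: str   # assumed provider id, e.g. "saml2:corp-idp" or "openid:local"
    subject: str  # provider-specific stable identifier for the user


@dataclass
class UserAccount:
    user_id: str
    display_name: str
    disabled: bool = False
    claims: set[Claim] = field(default_factory=set)


class ClaimsRegistry:
    """Maps incoming claims to local accounts; the account, not the provider,
    is the unit that gets disabled."""

    def __init__(self) -> None:
        self._accounts: dict[str, UserAccount] = {}
        self._claim_index: dict[Claim, str] = {}  # Claim -> user_id

    def create_account(self, user_id: str, display_name: str) -> UserAccount:
        acct = UserAccount(user_id, display_name)
        self._accounts[user_id] = acct
        return acct

    def link_claim(self, claim: Claim, user_id: str) -> None:
        # A claim may belong to exactly one account; refuse silent re-binding.
        if claim in self._claim_index:
            raise ValueError(f"claim {claim} is already linked")
        self._accounts[user_id].claims.add(claim)
        self._claim_index[claim] = user_id

    def disable(self, user_id: str) -> None:
        self._accounts[user_id].disabled = True

    def resolve(self, claim: Claim) -> UserAccount | None:
        """Return the account for a claim, or None if unknown or disabled."""
        user_id = self._claim_index.get(claim)
        if user_id is None:
            return None
        acct = self._accounts[user_id]
        return None if acct.disabled else acct


class LocalPasswordProvider:
    """Convenience provider: stores hash(e-mail) -> (salt, hash(password)) only."""

    ISSUER = "openid:local"          # assumed issuer label
    ITERATIONS = 200_000             # PBKDF2 rounds; raise for production use

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _email_key(email: str) -> str:
        # Deterministic one-way key so the row can be looked up without storing the address.
        return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

    def _password_hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.ITERATIONS)

    def register(self, email: str, password: str) -> Claim:
        key = self._email_key(email)
        salt = os.urandom(16)            # per-user salt defeats precomputed tables
        self._records[key] = (salt, self._password_hash(password, salt))
        return Claim(self.ISSUER, key)

    def authenticate(self, email: str, password: str) -> Claim | None:
        """Return the user's claim on success, None otherwise (no reason leaked)."""
        record = self._records.get(self._email_key(email))
        if record is None:
            return None
        salt, stored = record
        candidate = self._password_hash(password, salt)
        if hmac.compare_digest(candidate, stored):  # constant-time comparison
            return Claim(self.ISSUER, self._email_key(email))
        return None


def demo() -> dict[str, object]:
    """Constructed walk-through: one account, two providers, then disabled."""
    registry, local = ClaimsRegistry(), LocalPasswordProvider()
    registry.create_account("u-1", "Alice")
    local_claim = local.register("Alice@Example.com", "correct horse battery")
    corp_claim = Claim("saml2:corp-idp", "alice@corp.example")
    registry.link_claim(local_claim, "u-1")
    registry.link_claim(corp_claim, "u-1")
    bad = local.authenticate("alice@example.com", "wrong password")
    good = local.authenticate("alice@example.com", "correct horse battery")
    before = registry.resolve(good) if good else None
    registry.disable("u-1")
    return {
        "wrong_password_rejected": bad is None,
        "resolved_before_disable": before.user_id if before else None,
        "local_after_disable": registry.resolve(local_claim),
        "saml_after_disable": registry.resolve(corp_claim),
    }
```

`resolve()` returns `None` both for unknown and for disabled accounts, so a caller that simply checks for an account object gets the "disabled blocks every provider" behaviour for free; the `saml2:corp-idp` claim is rejected after `disable()` even though that provider never saw the change.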