Advanced security - Microsoft · » Costpoint 7 , Time & Expense 10, and Budgeting and Planning 7...

CP-62: Tech Titans: SAML and Biometric Authentication with Costpoint 7

Dmitri Tyles, Deltek



Agenda


Review less known security features:

» Kerberos SSO support for iOS and Android Mobile devices

» A few SAML tips

» Combining AD/Kerberos/SAML with FIDO device/biometric authentication

- For LAN, WAN, desktop, mobile

- For 2FA and passwordless

CONFIDENTIAL © Deltek, Inc. All Rights Reserved.


Kerberos SSO support for iOS and Android devices


- Support for Kerberos SSO on iOS was previously documented and used by customers in production (see Security Guide Addendum for details)

- Support for Kerberos SSO on Android is provided by 3rd party Kerberos Authenticator:

- https://hypergate.com/

- https://bayton.org/docs/enterprise-mobility/mobileiron/setup-kerberos-authentication-on-mobileiron-core-for-android-enterprise/


SAML Tips


SP Initiated:

- User goes to the CP login page and, after entering a user ID, is redirected to the IdP (ADFS, Azure, Ping, Okta, F5)

- After logging into the IdP, the user is redirected back to CP

- CP verifies the SAML token and lets the user in

IdP Initiated:

- User logs into the IdP (e.g. Azure) first and is then redirected to CP

- CP verifies the SAML token and lets the user in
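The SP-side checks behind "CP verifies the SAML token", as an added Python example that is not Costpoint's or Deltek's code: it runs the checks that differ between the two flows (InResponseTo must match an outstanding request in the SP-initiated flow; a replay cache is the only protection in the IdP-initiated flow) on a constructed response. The IdP and SP URLs are placeholders, and XML signature verification is assumed to have already passed.

```python
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity-expansion attacks
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not a real Costpoint or IdP message). A real Response is signed; XML-DSig
# verification against the IdP's certificate is assumed to have passed before these checks run.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req42">
  <saml:Assertion ID="_assert1"><saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID><saml:SubjectConfirmation>
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://cp.example.com/acs"
        NotOnOrAfter="2019-06-01T12:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2019-06-01T11:59:00Z" NotOnOrAfter="2019-06-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://cp.example.com/</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate(xml_text, *, idp, sp_entity, acs_url, now, outstanding, seen_ids,
             skew=timedelta(minutes=1)):
    """Return (user_id, "ok") or (None, reason). `outstanding` holds the AuthnRequest IDs this SP
    issued (SP-initiated flow); `seen_ids` holds assertion IDs already accepted (replay cache)."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return None, "no assertion"
    if a.findtext("saml:Issuer", namespaces=NS) != idp:
        return None, "unexpected issuer"
    cond = a.find("saml:Conditions", NS)
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        return None, "missing Conditions or SubjectConfirmationData"
    if not (ts(cond.get("NotBefore")) - skew <= now < ts(cond.get("NotOnOrAfter")) + skew):
        return None, "assertion outside validity window"
    if sp_entity not in [e.text for e in cond.findall(".//saml:Audience", NS)]:
        return None, "audience mismatch (assertion meant for another SP)"
    if scd.get("Recipient") != acs_url:
        return None, "recipient mismatch"
    req = scd.get("InResponseTo") or root.get("InResponseTo")
    if req is not None:                 # SP-initiated: must answer a request this SP issued
        if req not in outstanding:
            return None, "InResponseTo does not match an outstanding request"
        outstanding.discard(req)
    if a.get("ID") in seen_ids:         # both flows: an assertion is accepted exactly once
        return None, "assertion replayed"
    seen_ids.add(a.get("ID"))
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), "ok"
```

Dropping the InResponseTo attributes from the sample turns it into an IdP-initiated response, which the same function accepts once and rejects on the second presentation.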



Combining AD/Kerberos/SAML with FIDO device/biometric authentication



What is FIDO?


» Fast Identity Online (FIDO) is a new security standard that is quickly gaining industry adoption

» The FIDO Alliance has 200+ members, with a diverse group of large industry leaders on its board

» Microsoft, Google, RSA, Intel, Lenovo, MasterCard, VISA, American Express, etc.

» More than 200 products from global technology leaders are now FIDO Certified

» The new standard brings major improvements in security, usability and privacy at the same time

» Stealing a database of user credentials from the server is no longer possible, as user credentials are no longer stored on the server

» Biometric authentication becomes the norm, which significantly improves both security and usability.


What is the Web Authentication standard?


» W3C released the new Web Authentication standard in April 2018

» The standard defines an easy way to include device/biometric authentication in any Web browser based application

» The goal of the new standard is to eliminate passwords

» Chrome, Firefox and Edge already support the new standard; Safari support is in progress

» Per Microsoft, the legacy browser IE 11 will not support the new standard

» The number of supported authentication devices, methods and scenarios grows almost every month

» The latest version of Edge supports both fingerprint and face recognition

» Chrome supports fingerprint authentication on Android phones and Bluetooth authenticators on Windows 10

» Separate fingerprint USB devices are already available


2019 Enhancements (through June system jar 54)


» Ability to add FIDO as an alternative authentication method for users

- Kerberos/SAML within the network and FIDO outside the network

- Kerberos/SAML from a laptop and FIDO from a mobile device

» Ability to select FIDO as the primary and only authentication method for a user

» Ability for an Administrator to send users one-time FIDO registration links

» Ability for users to send FIDO self-registration links to register additional FIDO devices


FIDO vs DB Authentication


» Consider FIDO as your company’s first choice for contractors whom you don’t want to add to your Active Directory (instead of using DB authentication)

» If the FIDO device is based on biometrics, it can be the primary/only authentication option:

- Windows Hello fingerprint or face recognition

- USB device with fingerprint

- Android phone with fingerprint

» A FIDO device without biometrics can be used for 2FA along with DB authentication
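The relying-party checks that decide whether an assertion from a FIDO device may stand on its own (biometric or PIN device, UV flag set) or may only serve as a second factor next to DB authentication (touch-only device, UP flag only), as an added Python example that is not Costpoint's code. The origin and RP ID are placeholders, the authenticator data and clientDataJSON are constructed, and verification of the authenticator's signature with the registered public key is a separate step not shown.

```python
import base64, hashlib, json, struct

FLAG_UP, FLAG_UV = 0x01, 0x04   # authenticatorData flags: user present / user verified (PIN or biometric)

def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticatorData: the first 37 bytes a FIDO2 device returns for a get() call."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed clientDataJSON, as the browser builds it for navigator.credentials.get()."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()

def check_assertion(client_data_json: bytes, auth_data: bytes, *, challenge: bytes, origin: str,
                    rp_id: str, stored_sign_count: int, passwordless: bool):
    """Relying-party checks on a WebAuthn assertion. Returns (ok, reason, sign_count_to_store).
    The signature over authData || sha256(clientDataJSON) must ALSO be verified with the
    credential's registered public key (separate step, not shown here)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", stored_sign_count
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (stale or replayed response)", stored_sign_count
    if cd.get("origin") != origin:
        return False, "origin mismatch (response was produced for another site)", stored_sign_count
    if len(auth_data) < 37:
        return False, "authenticatorData too short", stored_sign_count
    rp_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if rp_hash != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch (credential scoped to another RP ID)", stored_sign_count
    if not flags & FLAG_UP:
        return False, "user presence not asserted", stored_sign_count
    # A biometric/PIN device sets UV; only then may FIDO be the primary and only factor.
    # A touch-only key (UP without UV) is fine as a second factor next to a DB password.
    if passwordless and not flags & FLAG_UV:
        return False, "user verification required for passwordless login", stored_sign_count
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (cloned authenticator?)", stored_sign_count
    return True, "ok", sign_count
```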


Demo - device and biometric authentication



Conclusion


» Costpoint 7, Time & Expense 10, and Budgeting and Planning 7 share the platform, which offers:

» Many authentication options on a per user basis

» SAML support for desktop and mobile access

» Support for connected, disconnected and FIDO 2FA options

» Single sign-on with Costpoint Enterprise Reporting (Cognos)

» User authorization control through Active Directory groups

» Product-level control over Internet vs Intranet access

» Device/biometric Web Authentication support


Questions and Answers


Call to Action

» See Deltek Costpoint in the Solutions Pavilion

» Attend Additional Sessions on Deltek Costpoint for More In-Depth Information

» CP-68: Blockchain & Digital signatures = Legally Enforceable Costpoint Transaction

» CP-69: Optimally Deploying and Configuring Costpoint

» CP-76: Tech Titans: Gaining Technical Insights of Costpoint 7.1.1

» CP-78: Tech Titans: Lesser known Extensibility Features

