CP-62: Tech Titans: SAML and Biometric Authentication with Costpoint 7
Dmitri Tyles, Deltek
Agenda
Review less known security features:
» Kerberos SSO support for iOS and Android Mobile devices
» A few SAML tips
» Combining AD/Kerberos/SAML with FIDO device/biometric authentication
- For LAN, WAN, desktop, mobile
- For 2FA and passwordless
CONFIDENTIAL © Deltek, Inc. All Rights Reserved.
Kerberos SSO support for iOS and Android devices
- Support for Kerberos SSO on iOS was previously documented and is used by customers in production (see the Security Guide Addendum for details)
- Support for Kerberos SSO on Android is provided by a third-party Kerberos authenticator:
- https://hypergate.com/
- https://bayton.org/docs/enterprise-mobility/mobileiron/setup-kerberos-authentication-on-mobileiron-core-for-android-enterprise/
SAML Tips
SP-initiated:
- The user goes to the CP login page; after entering a user ID, CP issues an AuthnRequest and redirects the browser to the IdP (ADFS, Azure AD, Ping, Okta, F5)
- After logging into the IdP, the user is redirected back to CP with a signed SAML Response
- CP verifies the SAML Response (signature, audience, recipient, validity window, and InResponseTo matched against the request it issued) and lets the user in
IdP-initiated:
- The user logs into the IdP (e.g. Azure) first and is then redirected to CP with an unsolicited SAML Response
- CP verifies the SAML Response and lets the user in
- There is no CP request to bind the response to (no InResponseTo), so the signature, audience, recipient and validity-window checks, plus rejecting assertion IDs already consumed, are all that stand between CP and a replayed assertion
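The post-signature checks a service provider has to make in the two flows above, as an added Go example that is not Costpoint's own code. It assumes the SAML library has already verified the XML signature; the costpoint.example.com URLs, entity ID, request ID `_req42` and timestamps in the sample response are constructed for the example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// samlResponse maps only the parts of a SAML 2.0 Response the checks below need. Verifying
// the XML signature comes first and is left to the SAML library; these checks assume it passed.
type samlResponse struct {
	InResponseTo string `xml:"InResponseTo,attr"`
	Destination  string `xml:"Destination,attr"`
	Assertion    struct {
		Subject struct {
			NameID           string `xml:"NameID"`
			ConfirmationData struct {
				Recipient    string `xml:"Recipient,attr"`
				InResponseTo string `xml:"InResponseTo,attr"`
				NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			} `xml:"SubjectConfirmation>SubjectConfirmationData"`
		} `xml:"Subject"`
		Conditions struct {
			NotBefore    string `xml:"NotBefore,attr"`
			NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
			Audience     string `xml:"AudienceRestriction>Audience"`
		} `xml:"Conditions"`
	} `xml:"Assertion"`
}

// SPConfig is what the service provider (Costpoint's role here) knows about itself.
type SPConfig struct {
	EntityID string        // must equal the assertion's Audience
	ACSURL   string        // must equal Destination and Recipient
	Skew     time.Duration // tolerated clock difference between IdP and SP
}

// ValidateResponse separates a response minted for this SP, now, in reply to its own request
// from one that was replayed, redirected or unsolicited. requestID is the AuthnRequest ID the SP
// issued (SP-initiated flow) or "" for an IdP-initiated login, which has no request to bind to.
func ValidateResponse(raw []byte, cfg SPConfig, requestID string, now time.Time) (string, error) {
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return "", err
	}
	scd, cond := r.Assertion.Subject.ConfirmationData, r.Assertion.Conditions
	switch {
	case r.Destination != cfg.ACSURL || scd.Recipient != cfg.ACSURL:
		return "", errors.New("Destination/Recipient is not our ACS URL")
	case cond.Audience != cfg.EntityID:
		return "", errors.New("Audience is not our entity ID: assertion was issued for another SP")
	case requestID != "" && (r.InResponseTo != requestID || scd.InResponseTo != requestID):
		return "", errors.New("InResponseTo does not match the AuthnRequest we sent")
	case requestID == "" && r.InResponseTo != "":
		return "", errors.New("unsolicited response carries InResponseTo: a reply to a request we did not make")
	}
	for _, w := range []struct {
		ts    string
		start bool // true: NotBefore, false: NotOnOrAfter
	}{{cond.NotBefore, true}, {cond.NotOnOrAfter, false}, {scd.NotOnOrAfter, false}} {
		if w.ts == "" {
			continue
		}
		t, err := time.Parse(time.RFC3339, w.ts)
		if err != nil {
			return "", err
		}
		if w.start && now.Add(cfg.Skew).Before(t) {
			return "", errors.New("assertion not yet valid (NotBefore in the future)")
		}
		if !w.start && !now.Add(-cfg.Skew).Before(t) {
			return "", errors.New("assertion expired (NotOnOrAfter passed)")
		}
	}
	return r.Assertion.Subject.NameID, nil
}

// sampleResponse is a constructed, trimmed SAML Response (Status and Signature omitted).
const sampleResponse = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" InResponseTo="_req42"
  Destination="https://costpoint.example.com/saml/acs">
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://costpoint.example.com/saml/acs"
        NotOnOrAfter="2019-06-10T14:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2019-06-10T13:59:00Z" NotOnOrAfter="2019-06-10T14:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://costpoint.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions></saml:Assertion></samlp:Response>`

func main() {
	cfg := SPConfig{EntityID: "https://costpoint.example.com/saml/metadata",
		ACSURL: "https://costpoint.example.com/saml/acs", Skew: 2 * time.Minute}
	now := time.Date(2019, 6, 10, 14, 0, 0, 0, time.UTC) // pretend "now" inside the validity window
	fmt.Println(ValidateResponse([]byte(sampleResponse), cfg, "_req42", now)) // jdoe <nil>
	fmt.Println(ValidateResponse([]byte(sampleResponse), cfg, "", now))       // "" and an InResponseTo error
}
```

The same response is accepted when presented as the answer to `_req42` and rejected when presented as an IdP-initiated login, because a response that names a request should only ever arrive in the SP-initiated flow. A production SP additionally remembers consumed assertion IDs until NotOnOrAfter so the IdP-initiated path cannot be replayed within the window.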
Combining AD/Kerberos/SAML with FIDO device/biometric authentication
What is FIDO?
» Fast Identity Online (FIDO): a security standard that is quickly gaining industry adoption
» The FIDO Alliance has 200+ members, with a diverse group of large industry leaders on its board
» Microsoft, Google, RSA, Intel, Lenovo, MasterCard, VISA, American Express, etc.
» More than 200 products from global technology leaders are now FIDO Certified
» The standard improves security, usability and privacy at the same time
» The server stores only the user's public key, never a password or private key, so a stolen credential database gives an attacker nothing that can be replayed
» Biometric authentication becomes the norm, which improves both security and usability
What is the Web Authentication standard?
» W3C published Web Authentication (WebAuthn) as a Candidate Recommendation in April 2018; it became a full W3C Recommendation in March 2019
» The standard defines an easy way to include device/biometric authentication in any browser-based web application
» The goal of the standard is to eliminate passwords
» Chrome, Firefox and Edge already support the standard; Safari support is in progress
» Per Microsoft, the legacy browser IE 11 will not support it
» The number of supported authentication devices, methods and scenarios grows almost every month
» The latest version of Edge supports both fingerprint and face recognition (Windows Hello)
» Chrome supports fingerprint authentication on Android phones and Bluetooth security keys on Windows 10
» Separate USB fingerprint devices are already available
2019 Enhancements (through June system jar 54)
- Ability to add FIDO as an alternative authentication method for users
- Kerberos/SAML within the network and FIDO outside the network
- Kerberos/SAML from a laptop and FIDO from a mobile device
- Ability to select FIDO as the primary and only authentication method for a user
- Ability for an administrator to send users one-time FIDO registration links
- Ability for users to send FIDO self-registration links to register additional FIDO devices
FIDO vs DB Authentication
» Consider FIDO as your company's first choice for contractors you don't want to add to your Active Directory (instead of using DB authentication)
» If the FIDO device is based on biometrics it can be the primary/only authentication option (the server should then require the user-verification flag in each assertion, not just user presence):
» Windows Hello fingerprint or face recognition
» USB device with fingerprint
» Android phone with fingerprint
» A FIDO device without biometrics can be used for 2FA along with DB authentication
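The relying-party side of a WebAuthn login, covering both cases from the slides above (a biometric credential as the only factor, and a touch-only key as a second factor), as an added Go example that is not Deltek's code. The `RegisterFake`/`FakeAssert` functions are a software stand-in for the authenticator so the example runs offline, the `requireUV` switch is this example's way of expressing the biometric-only policy, and the costpoint.example.com rpId and origin are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator-data flag bits: UP = device was touched, UV = fingerprint/face/PIN checked.
const flagUP, flagUV byte = 0x01, 0x04

// StoredCredential is all the relying party keeps after registration; nothing in it is secret.
type StoredCredential struct {
	PubKey    *ecdsa.PublicKey
	SignCount uint32 // last signature counter seen from this authenticator
}

// Assertion is the AuthenticatorAssertionResponse as the server receives it.
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // DER ECDSA over authenticatorData || SHA-256(clientDataJSON)
}

type collectedClientData struct { // the JSON the browser builds and the device signs over
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, no padding
	Origin    string `json:"origin"`
}

// VerifyAssertion runs the relying-party checks of WebAuthn section 7.2. requireUV is true when
// the credential is the user's only factor (biometric login), false for a touch-only second factor.
func VerifyAssertion(cred *StoredCredential, a Assertion, challenge []byte, origin, rpID string, requireUV bool) error {
	var cd collectedClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if len(a.AuthenticatorData) < 37 {
		return errors.New("authenticatorData too short")
	}
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	flags, count := a.AuthenticatorData[32], binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	for _, c := range []struct {
		ok  bool
		msg string
	}{
		{cd.Type == "webauthn.get", "clientData.type is not webauthn.get"},
		{cd.Challenge == base64.RawURLEncoding.EncodeToString(challenge), "challenge mismatch: replayed or from another session"},
		{cd.Origin == origin, "origin mismatch: signed on a different site (phishing)"},
		{string(a.AuthenticatorData[:32]) == string(rpHash[:]), "rpIdHash mismatch: credential is scoped to another RP"},
		{flags&flagUP != 0, "user presence not asserted"},
		{!requireUV || flags&flagUV != 0, "user verification (biometric or PIN) required but not asserted"},
		{ecdsa.VerifyASN1(cred.PubKey, digest[:], a.Signature), "signature does not verify under the registered public key"},
		{count == 0 || count > cred.SignCount, "signature counter did not increase: replay or cloned authenticator"},
	} {
		if !c.ok {
			return errors.New(c.msg)
		}
	}
	cred.SignCount = count // remembered so a cloned device is detected on a later login
	return nil
}

// RegisterFake mimics registration with a software stand-in for Windows Hello or an Android
// fingerprint sensor: a P-256 (ES256) key pair is made and the server stores the public half.
func RegisterFake() (*ecdsa.PrivateKey, *StoredCredential) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return priv, &StoredCredential{PubKey: &priv.PublicKey}
}

// FakeAssert builds authenticatorData and clientDataJSON as the browser and device would and
// signs them; flags simulates a touch-only key (flagUP) or a biometric one (flagUP|flagUV).
func FakeAssert(priv *ecdsa.PrivateKey, counter uint32, rpID, origin string, challenge []byte, flags byte) Assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = flags
	binary.BigEndian.PutUint32(authData[33:], counter)
	cdJSON, _ := json.Marshal(collectedClientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cdJSON, Signature: sig}
}

func main() {
	priv, cred := RegisterFake()
	challenge := make([]byte, 32)
	rand.Read(challenge) // one fresh challenge per login attempt, kept in the session
	a := FakeAssert(priv, 1, "costpoint.example.com", "https://costpoint.example.com", challenge, flagUP|flagUV)
	fmt.Println("biometric login:", VerifyAssertion(cred, a, challenge, "https://costpoint.example.com", "costpoint.example.com", true))
	fmt.Println("replayed:", VerifyAssertion(cred, a, challenge, "https://costpoint.example.com", "costpoint.example.com", true))
}
```

The origin check is what makes FIDO phishing-resistant: a look-alike site gets an assertion signed for its own origin, which the real relying party rejects before it even looks at the signature. The UV flag is the difference between the two slides' use cases: a fingerprint or face credential sets it and can stand alone, a touch-only key does not and is only accepted here as a second factor.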
Demo - device and biometric authentication
Conclusion
» Costpoint 7, Time & Expense 10, and Budgeting and Planning 7 share the platform, which offers:
» Many authentication options on a per-user basis
» SAML support for desktop and mobile access
» Support for connected, disconnected and FIDO 2FA options
» Single sign-on with Costpoint Enterprise Reporting (Cognos)
» User authorization control through Active Directory groups
» Product-level control over Internet vs Intranet access
» Device/biometric Web Authentication support
Questions and Answers
Call to Action
» See Deltek Costpoint in the Solutions Pavilion
» Attend additional sessions on Deltek Costpoint for more in-depth information
» CP-68: Blockchain & Digital signatures = Legally Enforceable Costpoint Transaction
» CP-69: Optimally Deploying and Configuring Costpoint
» CP-76: Tech Titans: Gaining Technical Insights of Costpoint 7.1.1
» CP-78: Tech Titans: Lesser known Extensibility Features