LogicNets Access Security

Description

This article describes the user security features of the LogicNets platform.

User Authentication

Applications can be protected against unauthorized access by requiring users to authenticate themselves. Supported authentication methods are as follows:

• Local user login
• OAUTH2 - LogicNets supports OAUTH2 integration via authorization code-flow 
• Windows Authentication - LogicNets supports ActiveDirectory integration via ADFS and OAUTH2

At the highest level the application can define the supported user roles. You can refine access control by modeling logic based on role of the logged-in user.

Web API Authentication and Authorization

You can protect Web APIs against unauthorized access by requiring clients to authenticate themselves. LogicNets supports the following authentication methods:

• Basic authentication
• Bearer authentication (using a signed JWT token)

At the highest level the Web API application can define the supported user roles. You can model refinement of access control within the logicnet itself, using the information from the user profile of the web client.

Local Users Database

Standard LogicNets functionality provides a local user database with the following supported features:

• Groups and roles assignment
• Password
• Hashed: HMAC SHA1 (256-bit / 4096 integrations), salted, keys generated using cryptographic pseudo random generator (Open SSL)
• (LNv8 on) All passwords are hashed with PBKDF2-HMAC-SHA256 (32-bytes key-length, 4096 iterations, using 32 bytes cryptographically generated salt)
• Password expiry, max- retry count before account locking, password policy
• 2-pass authentication with Google Authenticator with time-based OTP (one-time passwords)

External Users Database

While LogicNets provides internal databases with which you can manage the users for your application, you can also connect your application to a user database that is external to the system. This use case requires that you work with a LogicNets development specialist. If you are interested in this configuration, contact the LogicNets Sales team.

Authorizing External Users

To authorize external users these users must be registered to local user groups in LogicNets by either:

1. (Explicit) Adding the name of the external user to the local user group
2. (Implicit) Making the local group name the same as the external group name
3. (Implicit) Matching against dynamic rules in the external Identity Provider profile

Client/Server Security

The LogicNets platform has implemented the following features to secure the communication between the client and server:

• Connection through HTTPS is (by default) enforced
• Protection against session mining. Each session has a unique session ID that the system generates using a cryptographic pseudo random generator (OpenSSL)
• Session pinning to prevent session stealing / hacking (e.g. by copying the URL with session-id to another computer).

Where a cookie with a cryptographic random ID is placed on the client’s computer the server checks each request to verify that the session-pin-cookie value belongs to the session ID. The system changes the session-pin-cookie value regularly to avoid the use of stolen cookies.