Versions Compared

Old Version 1

changes.mady.by.user Ben Derr

Saved on

compared with

New Version 2

changes.mady.by.user Ben Derr

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Many Tidepool supports enterprises or organizations that may wish to manage credentials and security settings (e.g. password complexity, expiration, ip address restrictions) within their own infrastructure to fulfill compliance needs and local requirements, leverage existing identity stores and policies within the organization, typically a Microsoft Active Directory.

Tidepool has implemented Keycloak, an Open Source identity broker supported by Red Hatand deployed and managed by Tidepool in Tidepool’s AWS cloud to integrate enterprise login services.

...

Once an identity has been verified with the IdP it provides a token to Tidepool’s Keycloak instance (the SP or Service Provider) that authenticates and authorizes the user to use Tidepool according to their role.

Example Authentication Flows

Tidepool Authentication

Federated Authentication and Authorization

...

Authentication flows

SAML Federated authentication flow

...

OpenID Connect authentication flow

...

Tidepool Keycloak setup flow

  1. Organization contacts clinic@tidepool.org to initiate discussion

    1. Schedule a call with organization IT/Security staff for initial discussion and requirements gatheringdiscovery

  2. Tidepool meets with Organization IT staff to discuss details of configuration:

    1. IdP integration

    2. domains and patterns required to authenticate users

    3. process for org integration

    4. timeline and support communications

  3. Organization and Tidepool Agree on timeline and ensure changes and notifications are coordinated with clinic and IT staff

  4. Tidepool configures Keycloak ↔︎ IdP integration via an exchange of secure tokens and information on how to authenticate organization users. This usually consists of metadata information in a structured file or a URL pointing to an .xml file and exchanging needed service URLs and endpoint information

Differences

  • Organization will manage all users and passwords internally and are responsible for onboarding and off boarding users.

  • Organization will define manage security settings such as:

    • 2-Factor or Multi-factor authentication (2FA/MFA)

    • Organization Audit level audit logging

    • Password complexity, expiration, aging

    • Login restrictions (ip address, time based, location based)

  • If Organization’s user store (AD or IdP broker service) is not accessible, federated users will not be able to login to Tidepool

  • Organization domain and login patterns or metadata will be verified programmatically in Keycloak and applied based on policy

Example Identify Providers supporting SAML and/or OpenID

  • Microsoft ADFS and Azure ADFS running SAML or OpenID Connect

  • Ping Federate running SAML or OpenID Connect

  • Auth0 running SAML or OpenID Connect

  • Shibboleth

  • Google Workspace

More Information on Keycloak, SAML and OpenID

...