Authentication
Two entities authenticate to CipherTrust Data Security Platform Service web console UI, ksctl CLI and REST API: clients and users. Clients are applications that access CipherTrust Data Security Platform Service keys as needed to perform cryptographic or key management operations. Users are people who access CipherTrust Data Security Platform Service to perform configuration and key management tasks manually.
Every cryptographic or key management operation is performed through a client. CipherTrust Data Security Platform Service always attempts to identify the client making the request and, if the client is identified, adds the client identity to the DPoD audit query records. Client authentication occurs when a client identity is found.
CipherTrust Data Security Platform Service authenticates users when a user identity is presented with the request. This authentication provides a mechanism to enforce permissions on a user, and an audit trail of a user's activities.
It is possible to provide only a client identity and no user identity, in which case the client is the authenticated entity and its identity appears in the audit record. This form of authentication is appropriate for an automated client or a service account that requires no human interaction.
When a user identity is presented, with or without a client identity, only the user is authenticated. The client's actions are assumed to be performed on behalf of a user.
After CipherTrust Data Security Platform Service authenticates a user or client, it checks the user's or client's group membership and applies the permissions associated with those groups.
Client and User Identities
There are three types of clients:
- unregistered clients - are not registered with the CipherTrust Data Security Platform Service.
- public clients - are ksctl, Web-UI, and API playground. These clients are pre-registered with the CipherTrust Data Security Platform Service.
- confidential clients - are registered and able to securely authenticate with the CipherTrust Data Security Platform Service. For example, CTE clients. We recommend this client setting wherever possible.
Public clients and confidential clients have a client identity. The client identity is in the JSON Web Token (JWT) included in every request, so that CipherTrust Data Security Platform Service recognizes the client as a registered identity. Unregistered clients are allowed to make requests without an associated client identity.
Client identities are recorded in the DPoD audit query records.
Only confidential clients can be authenticated. This is because public clients cannot store secrets, and CipherTrust Data Security Platform Service cannot validate secrets for an unregistered client.
User identities are tied to a user name, and can be authenticated through passwords. User identities are recorded in the DPoD audit query records.
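The decision rules above (a presented user identity is what gets authenticated, a client-only request is authenticated only for a confidential client, a public or unregistered client's identity is at most recorded, and permissions follow from group membership) modelled as an added example. This is illustrative code written for this page, not the service's own implementation; the `client_secret_ok` and `user_password_ok` flags stand in for credential verification, and the group and permission tables are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class ClientType(Enum):
    UNREGISTERED = "unregistered"   # no client identity at all
    PUBLIC = "public"               # has an identity but cannot hold a secret
    CONFIDENTIAL = "confidential"   # registered and able to authenticate

@dataclass
class Request:
    client_type: ClientType
    client_id: Optional[str] = None   # identity carried in the client's JWT, if registered
    client_secret_ok: bool = False    # assumption: outcome of verifying the confidential client's secret
    user: Optional[str] = None        # user identity presented with the request, if any
    user_password_ok: bool = False    # assumption: outcome of verifying the user's password

@dataclass
class AuthResult:
    client_id: Optional[str]          # recorded in the audit record whenever a client identity is found
    authenticated_as: Optional[str]   # "user:<name>", "client:<id>" or None

def authenticate(req: Request) -> AuthResult:
    # Unregistered clients carry no identity, so nothing is recorded for them.
    client_id = None if req.client_type is ClientType.UNREGISTERED else req.client_id
    if req.user is not None:
        # A presented user identity is what gets authenticated; the client acts on the user's behalf.
        if not req.user_password_ok:
            raise PermissionError("user credentials rejected")
        return AuthResult(client_id, f"user:{req.user}")
    if req.client_type is ClientType.CONFIDENTIAL:
        # Client-only request: only a confidential client can prove possession of a secret.
        if not req.client_secret_ok:
            raise PermissionError("client credentials rejected")
        return AuthResult(client_id, f"client:{client_id}")
    # Public or unregistered client without a user: identity (if any) is recorded, nobody is authenticated.
    return AuthResult(client_id, None)

# Constructed tables: authenticated entity -> groups, group -> permissions.
GROUPS = {"user:alice": {"User Admins"}, "client:cte-agent-01": {"CTE Clients"}}
PERMISSIONS = {"User Admins": {"users:write", "groups:write"}, "CTE Clients": {"keys:use"}}

def permissions_for(result: AuthResult) -> set:
    """Permissions are derived only from the authenticated entity's group membership."""
    if result.authenticated_as is None:
        return set()
    groups = GROUPS.get(result.authenticated_as, set())
    return set().union(*(PERMISSIONS.get(g, set()) for g in groups))
```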
Single Sign On Users
CipherTrust Data Security Platform Service supports single sign on for some DPoD users, so that they can log in to the CipherTrust Data Security Platform Service UI with their DPoD usernames and passwords. The initial DPoD user who created the CDSPaaS service instance is automatically granted Application Administrator privileges and can log in immediately. An administrator in the User Admins group must assign other DPoD users to at least one CipherTrust Data Security Platform Service group to associate permission levels before those users can log in.
Note
Single sign on with DPoD credentials is only supported in the CipherTrust Data Security Platform Service UI.
Compatible DPoD users are tenant administrators or application owners within the DPoD subscriber tenant which hosts the CDSPaaS tenant.
Client Registration
When a client is successfully registered, the client is automatically added to the CipherTrust Data Security Platform Service, a client identity is assigned, and activity performed using that client identity can be monitored through records. The client becomes a confidential client.
Client registration is supported with:
- CTE Agents
- Custom REST API clients
Suggested Authentication for Users and Clients
- Require login with a user identity for any action performed manually by a person. This is already required and enforced for accessing the ksctl CLI tool and the CipherTrust Data Security Platform Service GUI.
- Register all clients that can be registered, so that each is assigned a client identity.
- Register custom REST clients that are automated or represent a service account that does not require human interaction. Use the client identity to issue API tokens for such clients.