A pan-European bourse that offers trading services and post-trade services such as clearing, custody and settlement. It is the largest centre for debt and fund listings in the world, and it provides technology and managed services to third parties.
This large organization needed major security upgrades, and miniOrange delivered the means to protect its websites and other resources from unauthorized access.
The miniOrange Drupal IdP module and 2FA module were customized and installed on the primary site, solving a few intricate challenges along the way.
Key Requirements:
- Securing the primary Drupal application with Two-Factor Authentication (2FA).
- Adaptive 2FA - 2FA invocation for a specific set of Service Providers, and 2FA bypass for the rest.
- Single Sign On to be established between multiple service providers connected to the primary site.
Overview:

Analysing the whys and wherefores of the implementation requires an understanding of how these sites and services are arranged.
- The primary Drupal site had to establish Single Sign-On with multiple service providers, such as AWS Cognito. Two-Factor Authentication (2FA) had to be configured on the primary site so that some of those service providers require it, but not all.
- The primary Drupal site also had to be configured as the Identity Provider for the remaining Service Providers.
Key Challenges:
- Two-Factor Authentication (2FA) had to be enforced for only a select set of Service Providers, which called for a customized approach.
- 2FA had to be invoked only when the requesting service provider requires it (Adaptive 2FA).
- Once 2FA has been completed and a session established, the remaining services must not require re-authentication.
- If the session was created after a request from a Service Provider that does not require 2FA, two cases follow:
  - A later request from another service provider that does not require 2FA is served from the existing session, which remains intact.
  - A later request from a service provider that mandates 2FA destroys the existing session; a new session is established, and 2FA is invoked during that login.
Implementation:
miniOrange's Drupal developers devised the following approach to meet the requirements without weakening the security of the site.
The modules installed on the primary Drupal site were the miniOrange Drupal SAML IdP module and the miniOrange Drupal 2FA module.
The primary Drupal site was configured as the Identity Provider using miniOrange Drupal SAML IdP module. Single Sign On (SSO) functionality was established between the primary Drupal Site and multiple service providers.
Since not all service providers require 2FA, Two-Factor Authentication had to be invoked only for the select service providers that do.
Because that decision depends on which Service Provider originated the request, 2FA cannot simply be switched on globally; the IdP has to determine at request time whether the requesting SP mandates it. This is the crux of Adaptive 2FA.
To understand how this was tackled, we need to look at the structure and processing of the SAML request that the SP sends to the Drupal IdP.
Alongside the SAML AuthnRequest, the SP sends a RelayState parameter: an opaque string that the SP uses to carry its own state, typically the URL the user should be taken to after a successful sign-in, and which the IdP returns unchanged with its response.
In this deployment the RelayState string is decoded twice to recover the data the SP placed in it, which yields a Scope. The Scope carries the parameter that states whether 2FA is to be invoked.
This 2FA parameter is read when the SSO request from the SP arrives at Drupal, the IdP. With multiple Service Providers, not all of which demand 2FA, it becomes the deciding input for whether 2FA is invoked during the login process, at runtime.
Based on its value, the SSO flow proceeds through the login process and the session is configured accordingly in the Drupal backend.
That session configuration is dynamic: if a subsequent request for the same user originates from a Service Provider that demands 2FA and the current session was established without it, the existing session is destroyed and the user is prompted to go through the entire login process again, this time with 2FA.
One caveat a practitioner should keep in mind: RelayState is not signed and is relayed through the user's browser, so an IdP should not rely on it alone to decide that 2FA may be bypassed. The SP's identity is established by the Issuer of the AuthnRequest (and, where AuthnRequests are signed, by verifying that signature), and the per-SP 2FA policy should be bound to that identity. SAML also provides RequestedAuthnContext as the standard way for an SP to ask the IdP for a stronger authentication context.
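As an added illustration (example code written for this page, not miniOrange's module code), the following Python sketch models the decision the IdP has to make for each incoming request: decode a redirect-binding AuthnRequest, identify the SP, and choose between a plain login, login with 2FA, silent SSO, or step-up (destroying the existing session and repeating the full login with 2FA, as the text describes). It assumes a hypothetical SP registry keyed by entityID and a session record with a flag recording whether 2FA was completed. It deliberately departs from the deployment above in one respect: the per-SP 2FA policy is looked up by the request's Issuer rather than read out of RelayState, which is passed through untouched. The AuthnRequest and entityIDs are constructed samples.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Hypothetical SP registry (constructed for this example): the per-SP 2FA
# policy is keyed by the SP entityID, never by anything inside RelayState.
SP_POLICY = {
    "urn:example:cognito-sp": True,          # this SP mandates 2FA
    "https://intranet.example/saml": False,  # this SP accepts a plain login
}


@dataclass
class Session:
    """What the IdP remembers about a logged-in user (assumed shape)."""
    user: str
    mfa_done: bool


def build_authn_request(issuer: str, request_id: str = "_req1") -> bytes:
    """Constructed minimal AuthnRequest; real ones carry more attributes."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>"
    ).encode()


def build_query(issuer: str, relay_state: str) -> str:
    """SP side of the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE stream
    deflated = comp.compress(build_authn_request(issuer)) + comp.flush()
    return urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    })


def decode_redirect_binding(saml_request_param: str) -> ET.Element:
    """IdP side: undo base64 and raw DEFLATE, then parse the XML."""
    raw = base64.b64decode(saml_request_param)
    return ET.fromstring(zlib.decompress(raw, -15))


def issuer_of(authn_request: ET.Element) -> str:
    """The SP identity the policy is bound to. With signed AuthnRequests this
    is the identity whose key the signature must verify against."""
    el = authn_request.find(f"{{{SAML}}}Issuer")
    if el is None or not (el.text or "").strip():
        raise ValueError("AuthnRequest has no Issuer")
    return el.text.strip()


def decide(session: Optional[Session], sp_entity_id: str) -> str:
    """State machine from the case study.

    login      no session, SP does not mandate 2FA  -> password login only
    login+2fa  no session, SP mandates 2FA          -> password login, then 2FA
    sso        existing session satisfies the policy -> issue response silently
    step-up    session exists without 2FA, SP mandates it -> destroy the
               session and run the full login again with 2FA
    """
    if sp_entity_id not in SP_POLICY:
        raise ValueError(f"unknown SP {sp_entity_id!r}: refuse, do not guess")
    requires_2fa = SP_POLICY[sp_entity_id]
    if session is None:
        return "login+2fa" if requires_2fa else "login"
    if requires_2fa and not session.mfa_done:
        return "step-up"
    return "sso"


def handle_sso(query: str, session: Optional[Session]) -> tuple[str, str, str]:
    """Process one incoming redirect-binding SSO request.

    Returns (decision, sp_entity_id, relay_state). RelayState is treated as
    opaque: it is echoed back with the response and plays no part in the
    decision.
    """
    params = parse_qs(query, strict_parsing=True)
    authn_request = decode_redirect_binding(params["SAMLRequest"][0])
    sp = issuer_of(authn_request)
    relay_state = params.get("RelayState", [""])[0]
    return decide(session, sp), sp, relay_state


if __name__ == "__main__":
    # A user who logged in without 2FA, then visits each SP in turn.
    current = Session(user="alice", mfa_done=False)
    for entity_id in SP_POLICY:
        query = build_query(entity_id, "https://app.example/landing?x=1")
        print(entity_id, "->", handle_sso(query, current))
```

Running the block shows the intranet SP served from the existing session ("sso") while the 2FA-mandating SP triggers "step-up". Refusing unknown Issuers rather than defaulting to the weaker path is the fail-closed choice; a production IdP would additionally verify the AuthnRequest signature before trusting the Issuer.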
Outcome:
The combination of the Drupal IdP module and the 2FA module met the organization's requirements: an Adaptive 2FA layer on top of their Drupal website, which is configured as an IdP for their multiple Service Providers.
To know more about our Adaptive 2FA and MFA solutions, you can check out these links.
Adaptive 2FA - https://www.miniorange.com/products/adaptive-multi-factor-authenticatio…
Multi Factor Authentication - https://www.miniorange.com/products/multi-factor-authentication-mfa
Why Drupal was chosen
- Their primary site is built on Drupal, which was chosen for its ability to scale.
- Drupal is open-source with no licensing costs.
- miniOrange offers a wide range of modules that harden the security of a Drupal website.
- Drupal is highly reliable and well established, which suits a bourse of that size and a security solutions organization like miniOrange.
Technical Specifications
Drupal version:
Key modules/theme/distribution used:
There were 2 primary requirements -
- Perform SSO between a Single Identity Provider (Drupal as IDP) and multiple Service Providers
- 2FA invocation for a specific set of Service Providers, and 2FA bypass for the rest.
The miniOrange Drupal SAML IdP module and the miniOrange Drupal 2FA module, working in tandem, handle both of these requirements.