Federation Services and SSO
Single sign-on (SSO) allows users to log into one application and then switch to other applications without the need to re-authenticate. There are various use cases for SSO, both for customer-facing applications and enterprise (employee-facing) applications: for example, switching between multiple mobile applications, between multiple web applications, or between multiple cloud services. The Transmit platform is designed to either act as an identity provider (IdP) or work with any standards-based IdP by accepting SAML or OpenID Connect tokens for SSO into SaaS and internal applications.
SSO Between Mobile Applications
Transmit keeps track of users, their mobile devices, and the enterprise applications running on each device. When a user logs into an enterprise mobile application on a specific mobile device, the login event is recorded in Transmit. When the user opens another enterprise application on the same device, Transmit can check if the user is already logged into another application, how the user was authenticated, and when. Based on that information, Transmit can decide to either let the user in without further authentication or re-authenticate the user. Transmit can then step up authentication when time expires or when the user tries to perform more-sensitive operations in each of the applications.
SSO Between Web Applications
Transmit keeps the identity of each web browser on each device. When a user logs into one of your web applications from a specific browser, the login event is recorded in Transmit. When the user opens one of your other web applications, Transmit can check if the user is already logged in, how the user was authenticated, and when. Based on that information, Transmit can decide to either let the user in without further authentication or re-authenticate the user. Transmit can then step up authentication when time expires or when the user tries to perform more-sensitive operations in each of the applications.
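The check described in the two sections above, as an added illustration that is not Transmit's own code or API: a constructed session store records login events per user and device (or browser), and a decision function answers whether a second application on the same device may reuse the earlier login, needs a step-up for a more sensitive operation, or must re-authenticate once the earlier login has expired. The authentication levels, time limits and identifiers are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Assumed authentication levels (constructed for this example; not Transmit's own scale).
AUTH_LEVEL = {"password": 1, "otp": 2, "biometric": 3}

@dataclass
class LoginEvent:
    user: str
    device_id: str      # mobile device or browser identity
    app: str            # application the user logged into
    method: str         # how the user authenticated
    at: datetime        # when the login happened

@dataclass
class SessionStore:
    events: list = field(default_factory=list)

    def record(self, ev: LoginEvent) -> None:
        self.events.append(ev)

    def latest(self, user: str, device_id: str):
        # Most recent login by this user on this device, whichever app it came from.
        hits = [e for e in self.events if e.user == user and e.device_id == device_id]
        return max(hits, key=lambda e: e.at) if hits else None

def decide(store: SessionStore, user: str, device_id: str,
           required_level: int, max_age: timedelta, now: datetime) -> str:
    """Action when a user opens an app: ALLOW, STEP_UP, REAUTHENTICATE or AUTHENTICATE."""
    ev = store.latest(user, device_id)
    if ev is None:
        return "AUTHENTICATE"        # no login recorded on this device
    if now - ev.at > max_age:
        return "REAUTHENTICATE"      # the earlier login has expired
    if AUTH_LEVEL[ev.method] < required_level:
        return "STEP_UP"             # logged in, but not strongly enough for this operation
    return "ALLOW"                   # reuse the earlier login without prompting

def demo() -> dict:
    """Constructed scenario: one password login to 'banking', then several checks."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = SessionStore()
    store.record(LoginEvent("alice", "phone-1", "banking", "password", t0))
    half_hour = timedelta(minutes=30)
    return {
        "open_second_app": decide(store, "alice", "phone-1", 1, half_hour, t0 + timedelta(minutes=5)),
        "sensitive_op": decide(store, "alice", "phone-1", 2, half_hour, t0 + timedelta(minutes=5)),
        "after_expiry": decide(store, "alice", "phone-1", 1, half_hour, t0 + timedelta(hours=1)),
        "other_device": decide(store, "alice", "phone-2", 1, half_hour, t0 + timedelta(minutes=5)),
    }
```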
Transmit as an IdP Server
Applications that support federation protocols such as SAML or OpenID Connect can be configured to use Transmit as their IdP server. When the user needs to authenticate, Transmit is invoked. Transmit then executes a highly flexible journey that may include authentication, authorization, and fraud detection logic, and provides a token back to the calling application.
Transmit as an IdP Client
Transmit can call an external IdP server using SAML or OpenID Connect as part of a user journey. An example would be a journey where the user can choose between various authentication options, including external ones such as Google Accounts or another service. Based on the user's selection, Transmit activates the external IdP and accepts a token back.
Bring your own directory from any vendor and connect it to the Transmit Identity Services Hub, or simply enable the built-in LDAP-based directory that is already included in the Transmit platform. You can also connect multiple directory services and orchestrate them using Transmit's orchestration engine, which completely isolates your applications from whichever directory service you choose to work with. Using the Transmit platform, you can switch between directories, consolidate directories, route between directories based on any attribute, and combine on-premises and cloud directory services with no impact on your applications. Transmit also includes modern APIs that can be used to access directory information as an alternative to LDAP.
The platform offers role-based access control (RBAC) and attribute-based access control (ABAC) services across all applications. The platform automatically collects device and environmental attributes—for example, location, device type, and connection type—and exposes them to the orchestration engine. The platform is capable of reading entitlements and risk indicators from multiple directories, databases, and engines at the same time, including a built-in entitlement store. This information can be orchestrated at run-time to reach access decisions and to call for actions such as authenticating, blocking an activity, approving an activity, notifying of an activity, requesting authorization from multiple users across multiple devices, and signing transactions and user requests.
Over-the-Air Journeys is the technology that sets Transmit apart from all other vendors. Using Over-the-Air Journeys, application owners can use graphical tools and an orchestration language to design simple and complex user journeys that involve authorization, authentication, KYC, fraud prevention, regulatory requirements, and more. Once done, these journeys can be pushed "over the air" and played in any application that is connected to Transmit, without making any code changes to the application and without the need to re-publish the application. Over-the-Air Journeys consist of two main technologies: a Journey Player and an Orchestration Engine. The Journey Player is incorporated into your applications as an SDK and is responsible for playing the entire journey inside the application. The Journey Player works with the Transmit Orchestration Engine, which orchestrates the journey and defines the next steps on either the client or server side.
Transmit provides a full set of authentication services to manage primary login, multi-factor, and step-up authentication across various applications and channels. The platform includes a large set of built-in authenticators such as OTPs, soft tokens, biometric authenticators, and knowledge-based authenticators. In addition, the platform can be used to manage any third-party authenticator or authentication service connected to the Identity Services Hub. Transmit’s authentication services manage the enrollment process for each authenticator and also tasks such as de-enrollment, re-enrollment, and expiry periods. The platform provides flexible ways of defining authentication levels and attaching them to different authenticators and journeys. The platform allows building rules for authentication failures across different authenticators and devices and taking various actions when thresholds are reached. Transmit is FIDO certified and can be used to manage any FIDO authenticator alongside non-FIDO authenticators.