Today we release version 10.3 of TrustBuilder IDHub, with new features and integration with the overall TrustBuilder.io Suite.
TrustBuilder.io Suite consists of 3 products:
- TrustBuilder.io, the Service Catalog of the TrustBuilder.io Suite that allows easy connections toward standardized applications and Identity Providers (IdPs). TrustBuilder.io is cloud-based.
- TrustBuilder IDHub, the orchestration engine of the TrustBuilder.io Suite that evaluates and enforces the security policies. This instance can run on the customer's premises (local, private cloud, or public cloud) as well as in a SaaS offering.
- TrustBuilder Mobile Authenticator, the strong authentication solution for mobile devices combining the world’s safest authentication method with the best user login experience.
All 3 products work seamlessly together in a full cloud or hybrid setup.
TrustBuilder.io: Service Catalog of applications and Identity Providers.
Improved service catalog
We’ve improved the service catalog, making it easier to manage the applications and identity providers offered through the catalog.
Applications and IdPs are now easier to configure and can be added to the different workflows you need.
When an application or IdP changes, you no longer need to reconfigure its connector: the connector is updated automatically as soon as the updated connector is released in the catalog.
To give its users a convenient way to sign up for cloud services, Apple offers Sign in with Apple, a social login backed by the user's Apple ID.
Especially for users in the Apple ecosystem this is a secure way to subscribe to all kinds of services without having to manage yet another password or worry about what the service learns about them.
Sign in with Apple is built on OAuth 2.0 and OpenID Connect (OIDC): the service receives an authorization code and a signed ID token rather than the user's credentials. At sign-up the user can choose to share a relay e-mail address instead of the real one. Apple forwards mail sent to the relay address, so the service never sees the real address, and the user can stop the forwarding at any time, which makes unsubscribing from mailing lists trivial.
Apple's App Store Review Guidelines require apps that offer third-party or social login options to offer Sign in with Apple as well, so organizations that want to offer social login and publish their app in the iOS App Store must integrate it.
As of version 10.3, TrustBuilder now supports AppleID in the Service Catalog.
Adding AppleID as a social login provider on top of Facebook ID and Google ID increases the reach of social login users to 5 billion.
European eIDAS on CSAM
For governmental organizations, TrustBuilder supports the Belgian eID card and itsme® through the CSAM portal.
For non-Belgian citizens, the Belgian FAS (Federal Authentication Service) added support for the eIDAS-notified electronic identity schemes of the other European member states, and these are now also included in the Service Catalog.
TrustBuilder Mobile Authenticator
TrustBuilder Mobile Authenticator has been tested and approved for use with Apple iOS 15. Both the integrated SDKs and the stand-alone version are now supported.
TrustBuilder is paving the road to a cloud-first strategy and offers all its solutions in a SaaS model. The Service Catalog and the Mobile Authenticator were the first products that ran in the cloud, and as of version 10.3, we also offer TrustBuilder IDHub in a complete cloud environment.
TrustBuilder could already run in a private cloud environment, which is how most of our customers deploy it. For the SaaS offering we have thoroughly tested how to deliver these critical CIAM services to customers from our own data center. We also obtained ISO/IEC 27001 certification, a prerequisite for guaranteeing the security and availability of our services.
We selected a GDPR-compliant, European data center to serve our core market. This data center allows us to offer high performance and high availability, with a guaranteed minimum SLA of 99.99% availability. Depending on the support contract, dedicated SLAs, event handling, monitoring, reporting, and support options are available.
We offer 4 separate environments in our cloud service: development, testing, acceptance, and production.
With the introduction of the TrustBuilder cloud offering in version 10, our license model changed to user-based licensing. To automate license reporting, we implemented an event bus on which authentication events are announced. This anonymized data is used to report on the usage of TrustBuilder and to give additional insight into how users authenticate in your environment.
Automatic user provisioning
TrustBuilder has the great advantage that it can work with multiple different identity providers (IdPs) without the need to synchronize their user databases. However, with the introduction of user-based reporting and licensing, every user must have a unique identifier in the TrustBuilder Identity Database. To preserve the advantage of using external IdPs, we introduced a mechanism that automatically provisions every principal that authenticates into our user repository. This eliminates the need to configure provisioning and dynamic or static lookups. In addition, auto-provisioning no longer requires a unique subject attribute to be configured for every IdP.
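The design point behind auto-provisioning, illustrated with an added example that is not TrustBuilder's own code: a principal is keyed by the pair (issuer, subject) rather than by the subject alone, so two IdPs that happen to issue the same subject value (or the same e-mail address) are never silently merged into one account, while a returning user always maps to the same internal identifier and is counted once for licensing. The repository, the namespace UUID and the sample IdP names are assumptions made for this example.

```python
"""Auto-provisioning of authenticated principals (constructed example, not TrustBuilder code)."""
import uuid

# Namespace for deriving stable internal identifiers; constructed for this example.
PRINCIPAL_NS = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.test/principals")


class PrincipalRepository:
    """Provisions a principal the first time it authenticates and reuses it afterwards.

    The internal ID is derived from (issuer, subject). Keying on the subject alone
    would let "12345" at one IdP collide with "12345" at another; keying on e-mail
    would let anyone who controls that address at a weaker IdP take over the account.
    """

    def __init__(self):
        self._by_id = {}

    @staticmethod
    def internal_id(issuer, subject):
        # A NUL separator keeps ("a|b", "c") and ("a", "b|c") from colliding.
        return uuid.uuid5(PRINCIPAL_NS, f"{issuer}\x00{subject}")

    def provision(self, issuer, subject, attributes=None):
        """Upsert the principal for this login and return its stable internal ID."""
        pid = self.internal_id(issuer, subject)
        record = self._by_id.get(pid)
        if record is None:
            record = {"issuer": issuer, "subject": subject, "attributes": {}, "logins": 0}
            self._by_id[pid] = record
        record["attributes"].update(attributes or {})  # refresh claims on every login
        record["logins"] += 1
        return pid

    def licensed_users(self):
        """User-based licensing counts distinct principals, not logins."""
        return len(self._by_id)

    def logins(self, pid):
        return self._by_id[pid]["logins"]


def demo():
    """Three logins from two IdPs that both issue subject '12345' (constructed input)."""
    repo = PrincipalRepository()
    a = repo.provision("https://accounts.google.com", "12345", {"email": "u@example.test"})
    b = repo.provision("https://www.facebook.com", "12345", {"email": "u@example.test"})
    c = repo.provision("https://accounts.google.com", "12345")  # same user, second login
    return {"distinct_ids": a != b, "stable_id": a == c,
            "licensed_users": repo.licensed_users(), "logins_a": repo.logins(a)}


if __name__ == "__main__":
    print(demo())
```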
We’ve made some improvements to the certificate management module. It is now possible to edit certificate aliases. Certificate Signing Requests (CSRs) can now be exported in PEM (Privacy-Enhanced Mail) or DER (Distinguished Encoding Rules) format. It is now also possible to import a Java KeyStore file.
Certificate management is crucial for securing your services, but changing and updating certificates is an administrative burden, with dire consequences if they are not rotated in time. Having a rotation schedule with alerts is a minimum requirement. But even then, things can go sideways, and constantly monitoring all your partners’ certificates is not always feasible and comes at a high cost.
TrustBuilder 10.3 now lets you specify the URL of the metadata endpoint of your SAML Service Providers and Identity Providers. This eliminates the need to manually import their certificates into the Truststore. Instead, TrustBuilder fetches the certificates from the metadata endpoint dynamically during the authentication, so a partner's certificate rotation is picked up without an administrative change on your side. Note that this moves trust from the imported certificate to the metadata source: the endpoint must be reached over HTTPS, the metadata document's validity period must be honoured, and where the partner signs its metadata, that signature should be verified.
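What consuming a partner's SAML metadata instead of a hand-imported certificate involves, as an added example that is not TrustBuilder's code: parse the EntityDescriptor, pull the certificates per key use (a KeyDescriptor without a use attribute serves both signing and encryption), refuse an expired document, cache it until validUntil rather than refetching on every authentication, and refuse plain-HTTP sources. The PEM/DER conversion uses the standard library, which also shows that PEM is just base64 DER between header lines. The metadata document and the certificate bytes are constructed placeholders, not a real IdP or a real certificate; verifying the metadata's own XML signature is outside this example because it needs xmlsec.

```python
"""Dynamic SAML metadata consumption (constructed example, not TrustBuilder code)."""
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for a DER-encoded X.509 certificate (not a real certificate);
# only the handling around it matters here.
FAKE_DER = bytes(range(64)) * 3
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed metadata in the shape a SAML 2.0 IdP publishes at its metadata URL.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>AAAA</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(xml_text, now=None):
    """Return (entityID, validUntil, {use: [DER cert, ...]}); raise on an expired document."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.attrib["entityID"]
    valid_until = None
    if "validUntil" in root.attrib:
        valid_until = datetime.fromisoformat(root.attrib["validUntil"].replace("Z", "+00:00"))
        if (now or datetime.now(timezone.utc)) >= valid_until:
            raise ValueError(f"metadata for {entity_id} expired at {valid_until.isoformat()}")
    certs = {}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # Per the metadata schema, a KeyDescriptor without 'use' serves both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((x509.text or "").split()))
            for use in uses:
                certs.setdefault(use, []).append(der)
    return entity_id, valid_until, certs


def fingerprint(der):
    """SHA-256 fingerprint, the value to compare against what the partner publishes."""
    return hashlib.sha256(der).hexdigest()


def der_to_pem(der):
    """PEM is base64 DER between BEGIN/END CERTIFICATE lines; the stdlib does the wrapping."""
    return ssl.DER_cert_to_PEM_cert(der)


class MetadataCache:
    """Fetch metadata once per validity window, from HTTPS sources only."""

    def __init__(self, fetcher, now=None):
        self._fetch = fetcher  # callable(url) -> XML text; injected so the example runs offline
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._store = {}       # url -> (valid_until, certs)

    def signing_certs(self, url):
        scheme = urlparse(url).scheme
        if scheme != "https":
            raise ValueError(f"refusing to load metadata over {scheme!r}")
        cached = self._store.get(url)
        if cached is None or self._now() >= cached[0]:
            _, valid_until, certs = parse_metadata(self._fetch(url), now=self._now())
            cached = (valid_until, certs)
            if valid_until is not None:  # no validUntil: do not cache, refetch next time
                self._store[url] = cached
        return cached[1].get("signing", [])


def demo():
    """Exercise the pieces above with the constructed metadata; returns checkable results."""
    calls = []

    def fake_fetcher(url):
        calls.append(url)
        return SAMPLE_METADATA

    cache = MetadataCache(fake_fetcher)
    url = "https://idp.example.test/metadata"
    first = cache.signing_certs(url)
    cache.signing_certs(url)  # served from cache, no second fetch
    try:
        parse_metadata(SAMPLE_METADATA, now=datetime(2100, 1, 1, tzinfo=timezone.utc))
        expired_rejected = False
    except ValueError:
        expired_rejected = True
    try:
        cache.signing_certs("http://idp.example.test/metadata")
        plain_http_rejected = False
    except ValueError:
        plain_http_rejected = True
    return {
        "entity_id": parse_metadata(SAMPLE_METADATA)[0],
        "signing_fingerprints": [fingerprint(c) for c in first],
        "fetches": len(calls),
        "pem_round_trip": ssl.PEM_cert_to_DER_cert(der_to_pem(FAKE_DER)) == FAKE_DER,
        "expired_rejected": expired_rejected,
        "plain_http_rejected": plain_http_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In a deployment the fetcher is an HTTPS client with certificate validation enabled, and the parsed signing certificates are what the SAML library uses to verify assertion signatures; the encryption certificates are never used for that purpose.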