Visual Guard

Visual Guard Architecture – Identity Federation

How to combine Identity Federation and Permission Based Access Control

The Visual Guard Identity Federation functions allow independent organizations to access the same system, while using Windows accounts to authenticate users:

  • Each organization manages their own Windows accounts, stored in Active Directory
  • In each organization, an administrator selects the Windows accounts that will have access to the system secured by Visual Guard
  • The users provide their Windows credentials to access the system

Visual Guard identity federation overview

 More Information

Normally, the concept of identity federation is limited to user authentication. However, with Visual Guard, identity federation also includes management of user roles and permissions, and audit of actions performed by users and administrators:
  • When a distant user is authenticated, Visual Guard applies their permissions, controlling access to the application’s functionalities.
  • All operations performed by the users are logged in the Visual Guard repository.
  • In addition, all operations performed by administrators, such as the declaration of user accounts or assignment of roles and permissions, are logged in the Visual Guard repository.
  • Auditors can then review all these operations.

Web Front-end

Authenticate users with Windows Accounts defined in an independent Active Directory

 

Identity federation in web applications with Visual Guard
  1. Administrators use the VG Federation Client to browse their local Active Directory and select the Windows Accounts that will access the application.
  2. The VG Federation Client calls the VG Server to declare these accounts in the VG Repository.
  3. The administrator grants roles to users with the VG Administration Web Console.
  4. When the user logs into the application, VG will authenticate them against the distant ID Store.
  5. After the user logon, VG retrieves the user permissions for the Front-end and applies them.
  6. When the front-end calls an application Web Service, VG checks that the user has access to this webservice, retrieves the user permissions for this web service and applies them.

Win Front-end

Authenticate users with Windows Accounts defined in an independant Active Directory

 

Identity Federation in Windows Applications with Visual Guard
  1. Administrators use the VG Federation Client to browse their local Active Directory and select the Windows Accounts that will have access to the application.
  2. The VG Federation Client calls the VG Server to declare these accounts in the VG Repository.
  3. The administrator grants roles to users with the VG Administration Web Console.
  4. When the user logs into the application, VG will authenticate them against the distant ID Store.
  5. After the user logon, VG retrieves the user permissions for the Windows front-end and applies them.
  6. If the front-end calls an application Web Service, VG checks that the user has access to this webservice, retrieves the user permissions for this web service and applies them.