TrustedX PKI eAuthentication Platform

More information:
Product Sheet

PKI-Based authentication platform:

  • Strong authentication based on digital certificates
  • Multi-domain PKI support and CA trust level management
  • Scalable to include electronic signature and data encryption services
  • Support for other authentication mechanisms based on LoA (Level of Assurance) and federation
  • Centralized and easy-to-integrate audit log
  • Common Criteria EAL4+ certified, assuring maximum reliability

  • Centralized service, easy to manage
    Digital-certificate based authentication requires implementing PKI algorithms and managing the recognition of and interaction with multiple CAs. TrustedX simplifies the integration by providing validation functions as specialized security functions that are centrally managed, isolating all complexity from the applications.
  • Uniform semantic interpretation
    TrustedX interprets identity attributes semantically and uniformly. It also assigns a trust level to the identity using discrete values and configurable labels (e.g., Corporate, Government) and supports complementing this information with other types of attributes from corporate repositories (e.g., with roles stored in LDAP).
  • Authentication trust management
    TrustedX classifies the different authentication mechanisms according to their trust level (e.g., medium for passwords and very high for certificates), so that each mechanism can be required depending on the value of the electronic assets and the business channels. Authentication mechanisms can be added using protocols such as RADIUS and LDAP, by incorporating specific agents or via federation. The system also supports integrating identities from different corporate repositories.
  • Scalability and auditing
    The flexible architecture supports incorporating new authentication infrastructures and implementing electronic signature and data encryption strategies. The trust services are managed using policies in a single console, which provides auditing and reporting for monitoring the platform and for producing evidence of regulatory compliance.
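The trust-level classification described above (a mechanism grants a level of assurance, and each asset demands a minimum level) combined with a centralized, uniformly formatted audit record is easy to show in code. The following is an added illustration written for this page, not TrustedX's own code or API: the `LoA` ordering, the `MECHANISM_LOA` and `ASSET_REQUIRED_LOA` tables, the `radius-otp` mechanism name and the asset paths are all constructed for the example (the password and certificate levels follow the text), and the log is kept in a plain list and exported as newline-delimited JSON so a third-party tool can ingest it.

```python
"""Added example (not TrustedX code): a minimal Level-of-Assurance (LoA)
policy decision with a centralized audit record, standard library only."""
from dataclasses import dataclass
from enum import IntEnum
import json
import time


class LoA(IntEnum):
    """Discrete trust levels, ordered so they can be compared directly."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    VERY_HIGH = 4


# Trust level granted by each authentication mechanism. Constructed table;
# the password and certificate values follow the page's example.
MECHANISM_LOA = {
    "password": LoA.MEDIUM,
    "radius-otp": LoA.HIGH,            # hypothetical RADIUS-backed one-time password
    "x509-certificate": LoA.VERY_HIGH,
}

# Minimum LoA each protected asset demands. Constructed values.
ASSET_REQUIRED_LOA = {
    "/intranet/news": LoA.LOW,
    "/hr/payroll": LoA.HIGH,
    "/finance/wire-transfer": LoA.VERY_HIGH,
}


@dataclass(frozen=True)
class Identity:
    subject: str          # authenticated user
    mechanism: str        # how the user was authenticated
    trust_label: str      # configurable label for the identity source, e.g. "Corporate"
    roles: frozenset      # complementary attributes, e.g. roles read from LDAP


def effective_loa(identity):
    """Map the mechanism used to a LoA; unknown mechanisms get the lowest level."""
    return MECHANISM_LOA.get(identity.mechanism, LoA.LOW)


def authorize(identity, asset, audit_log, required_role=None):
    """Decide access and append one structured record to the shared audit log.

    Returns True on permit. Every decision is logged, so a denied request is
    as visible to monitoring as a permitted one."""
    granted = effective_loa(identity)
    required = ASSET_REQUIRED_LOA.get(asset)
    if required is None:
        decision, reason = "deny", "asset not registered in policy"
    elif granted < required:
        decision, reason = "deny", f"LoA {granted.name} below required {required.name}"
    elif required_role is not None and required_role not in identity.roles:
        decision, reason = "deny", f"role {required_role!r} not held"
    else:
        decision, reason = "permit", "policy satisfied"
    audit_log.append({
        "ts": time.time(),
        "subject": identity.subject,
        "mechanism": identity.mechanism,
        "loa": granted.name,
        "trust_label": identity.trust_label,
        "asset": asset,
        "decision": decision,
        "reason": reason,
    })
    return decision == "permit"


def export_audit(audit_log):
    """Serialize the log as newline-delimited JSON for a third-party log tool."""
    return "\n".join(json.dumps(entry, sort_keys=True) for entry in audit_log)


if __name__ == "__main__":
    log = []
    alice = Identity("alice", "password", "Corporate", frozenset({"employee"}))
    bob = Identity("bob", "x509-certificate", "Government", frozenset({"employee", "finance"}))
    authorize(alice, "/intranet/news", log)                                # permit
    authorize(alice, "/hr/payroll", log)                                   # deny: MEDIUM < HIGH
    authorize(bob, "/finance/wire-transfer", log, required_role="finance") # permit
    print(export_audit(log))
```

The denial reason records which level was missing, which is what an application needs to decide whether to prompt for a stronger mechanism (step-up) rather than simply fail; the role check runs only after the LoA check so that a weakly authenticated session never learns which roles a high-value asset requires.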

The authentication platform's functions are grouped into the following services:

  • Certificate validation. Provides PKI functions for validating certification chains and querying certificate status. Supports OCSP/CRL and customized mechanisms (e.g., databases and the @firma platform).
  • Authentication and authorization. Supports native authentication mechanisms based on passwords and digital certificates. New mechanisms can be incorporated using agents or the validation can be delegated to third-parties via RADIUS or LDAP/AD. It also supports identity federation via SAML.
  • Object and entity management. Manages platform entities and objects. External repositories, e.g., user LDAP/AD, databases and files, can be added.
  • Auditing and accounting. Securely and uniformly centralizes log data on access control and certificate validation. The log system supports incorporating specific entries, which facilitates management with third-party tools.

The applications can use the authentication and authorization operations (using OASIS SAML) or the certificate validation operations (using OASIS DSS). The system interacts with the identity services and the repositories to return the trust level information on the authentication mechanism and the identity attributes.

Integration with TrustedX can be done in several ways to facilitate adopting different strategies:

  • SOAP/WS: Using the OASIS DSS standard for validating certificates or SAML for validating other mechanisms.
  • SOAP/WS, REST/WS: Using TrustedX's integration gateway, which supports defining interfaces and configuring pre- and post-data processing using an XML pipeline language.
  • Via a Java API: A set of Java classes are included that transparently access the platform's services.
  • Connector for Spring Security: Supports the declarative integration of protection mechanisms (authentication and authorization) in any Spring-based application.
  • Authentication Java applet: For integrating certificate-based authentication in Web environments. Checks that the user holds the private key and obtains the corresponding certificate.

TrustedX's functionality is scalable: the additional electronic signature and encryption services can form part of the same platform.


The following figure illustrates TrustedX's role and how it interacts with the applications that require authentication (represented as a Web application) and the identity services, which can be PKI, LDAP/AD, SAML (not shown in the figure), a RADIUS server or the platform's internal databases.

[Figure: TrustedX authentication environment (image tx_auth_env2)]

CA registration

The TrustedX download area contains documentation, videos and the possibility to request a 30-day TrustedX trial download. The contents of that area are available only after registration.

(*) TrustedX 3.0 is certified at the CC-EAL4+ (ALC_FLR.2) assurance level (http://www.oc.ccn.cni.es/ProdCert_en.html), in compliance with the USA Government "US Government Family of Protection Profiles. Public Key-Enabled Applications For Basic Robustness Environments", USMC (United States Marine Corps).