
On Demand Global Settings Current - Security Guide

Network Communications

Authentication of Users

All users must sign up and be approved by their internal On Demand administrator before they can use On Demand. Sign-in is via the Quest Identity Broker (QIB), which provides a tamper-proof token for all user operations in the user interface. This token has a limited lifetime (5 minutes), after which it must be refreshed with the QIB. Failure to refresh causes all interactions with On Demand to fail. If a user’s access is revoked by the QIB, they continue to have access until their valid token expires, which is a maximum of 5 minutes. If a user’s access is revoked within On Demand by an On Demand administrator, their access and actions fail once the token expires.
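The revocation delay described above, modelled as an added example (not Quest's or Keycloak's code): a hypothetical broker issues signed tokens with the 5-minute lifetime stated in this guide, and the application verifies them offline. The `Broker` class, the key and the HMAC token format are assumptions made for illustration; production OpenID Connect tokens are normally JWTs with asymmetric signatures.

```python
import base64, hashlib, hmac, json

TOKEN_LIFETIME = 300                 # seconds: the 5-minute lifetime from the guide
KEY = b"constructed-demo-key"        # constructed sample key, not a real secret

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(payload: str) -> str:
    return _b64(hmac.new(KEY, payload.encode(), hashlib.sha256).digest())

class Broker:
    """Hypothetical identity broker: issues and refreshes short-lived tokens."""
    def __init__(self):
        self.revoked = set()

    def issue(self, user, now):
        if user in self.revoked:     # revocation is enforced at issue/refresh time
            raise PermissionError(f"{user} is revoked; refresh denied")
        claims = {"sub": user, "exp": now + TOKEN_LIFETIME}
        payload = _b64(json.dumps(claims).encode())
        return f"{payload}.{_sign(payload)}"

def verify(token, now):
    """Offline check by the application: signature first, then expiry."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None                  # tampered or forged token
    padded = payload + "=" * (-len(payload) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    return claims["sub"] if now < claims["exp"] else None

def exposure_window(broker, user, issued_at, revoked_at):
    """Seconds after revocation that an already-issued token still verifies."""
    token = broker.issue(user, issued_at)
    broker.revoked.add(user)
    t = revoked_at
    while verify(token, t) is not None:
        t += 1
    return t - revoked_at
```

The window is bounded by `TOKEN_LIFETIME` because the application never contacts the broker between refreshes, so shortening the lifetime is the only way to shrink it in this model.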

The QIB provides authentication services linking identities and applications. Identities are sourced from several services:

On Demand is among many Quest applications that rely on the QIB for authentication services. The QIB uses industry-standard OpenID Connect and SAML protocols, as well as secure direct connections to the Quest account database. All traffic in transit is encrypted using HTTPS and all data stored in the QIB database is encrypted at rest. No credentials are stored in the QIB database.

The QIB does not provide Multi-Factor Authentication (MFA) at this time. End users wishing to use Microsoft Entra ID for authentication can take advantage of MFA as provided by AAD, which is honored by the QIB.

The QIB is based on the open source Keycloak project sponsored by Red Hat. Quest regularly updates our customizations to match the most recent released version of Keycloak.

A valid Microsoft Entra ID JWT token is required to make notification requests and a valid On Demand JWT token is required to make additions or modifications to the Notification Service settings.

Role Based Access Control

For more details, see Adding users to an organization in the On Demand Global Settings User Guide.

FIPS 140-2 Compliance

On Demand Core cryptographic usage is based on Azure and AWS FIPS 140-2 compliant cryptographic functions.

More information on approved crypto functions is available at NIST FIPS 140-2