
On Demand Global Settings Current - Security Guide

User Authentication

All users must sign up and be approved by their internal On Demand administrator user before they can use On Demand. Sign-in is through the Quest Identity Broker (QIB), which provides a tamper-proof token for all user operations in the user interface. This token has a limited lifetime (5 minutes), after which it must be refreshed with the QIB. Failure to refresh causes all interactions with On Demand to fail. If a user's access is revoked by the QIB, they continue to have access until their valid token expires, which is a maximum of 5 minutes. If a user's access is revoked within On Demand by an On Demand administrator, their access and actions fail once the token expires.
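The lifetime and revocation behaviour described above, as an added example that is not Quest's or the QIB's code: a minimal HS256 JWT issuer and validator that enforces the 5-minute cap, refuses to refresh a revoked subject, and computes how long a revoked user's existing token keeps working. The signing key, claim names and HS256 choice are constructed assumptions; the real QIB token format is not documented on this page.

```python
import base64, hashlib, hmac, json
from typing import Optional

MAX_TOKEN_LIFETIME = 300  # seconds: the 5-minute token lifetime stated in the guide
SECRET = b"constructed-demo-key"  # constructed; the real QIB signing key is not public


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, issued_at: int, lifetime: int = MAX_TOKEN_LIFETIME) -> str:
    """Mint an HS256 JWT as a constructed stand-in for a QIB-issued token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": subject, "iat": issued_at, "exp": issued_at + lifetime}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, now: int) -> Optional[dict]:
    """Return the claims only if the signature, lifetime cap and expiry all hold."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None  # signature mismatch: the token was altered
    claims = json.loads(_b64url_decode(payload))
    if claims["exp"] - claims["iat"] > MAX_TOKEN_LIFETIME:
        return None  # broker policy: no token may live longer than 5 minutes
    if now >= claims["exp"]:
        return None  # expired: every call fails until the client refreshes
    return claims


def refresh_token(token: str, now: int, revoked: set) -> Optional[str]:
    """Refresh only for a still-valid token whose subject has not been revoked."""
    claims = validate_token(token, now)
    if claims is None or claims["sub"] in revoked:
        return None
    return issue_token(claims["sub"], now)


def revocation_exposure(token: str, revoked_at: int) -> int:
    """Seconds a revoked subject can still act: until exp, hence at most 300."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    return max(0, claims["exp"] - revoked_at)
```

Revocation is enforced only at refresh time, so the window returned by `revocation_exposure` is the figure to budget for in incident response.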

The QIB provides authentication services linking identities and applications. Identities are sourced from several services:

On Demand is among many Quest applications that rely on the QIB for authentication services. The QIB uses the industry-standard OpenID Connect and SAML protocols, as well as secure direct connections to the Quest account database. All traffic in transit is encrypted using HTTPS and all data stored in the QIB database is encrypted at rest. No credentials are stored in the QIB database.

The QIB does not provide Multi-Factor Authentication (MFA) at this time. End users wishing to use Azure Active Directory for authentication can take advantage of MFA as provided by AAD, which is honored by the QIB.

The QIB is based on the open source Keycloak project sponsored by Red Hat. Quest regularly updates our customizations to match the most recent released version of Keycloak.

A valid Azure Active Directory JWT token is required to make notification requests and a valid On Demand JWT token is required to make additions or modifications to the Notification Service settings.

FIPS 140-2 compliance

On Demand Core cryptographic usage is based on Azure and AWS FIPS 140-2 compliant cryptographic functions.

More information on approved crypto functions is available at NIST FIPS 140-2 https://csrc.nist.gov/publications/detail/fips/140/2/final

Auditing

On Demand Core provides an activity trail log for the following actions:

Audit data is stored in an Azure SQL database and is available via JWT-authenticated access to On Demand administrators only.

The Quest Identity Broker provides an audit trail log for all interactions, including login, logout, and account creation. Access is limited to the QIB administrators only.

SDLC and SDL

The On Demand team follows a strict Quality Assurance cycle.

In addition, the On Demand Development team follows a managed Security Development Lifecycle (SDL) which includes:

On Demand developers go through the same set of hiring processes and background checks as other Quest employees.
