Token generation and flow
Before the first authentication, the client will have a URL to one of the Controllers, and the Certificate Authority ("CA") certificate, either because these were automatically installed with the client, or because the user entered the Controller URL manually and the client downloaded the CA certificate. The client will use the CA certificate in all communications to verify the authenticity of the Controller or Gateway.
When logging in to the system, the user enters credentials such as username and password, and the Controller verifies the credentials against a user directory. The client will generate a random ID for itself if it does not already have one. This random ID will be sent along with the credentials.
On a successful authentication, the Controller replies with a claims token. The claims token is issued to a Distinguished Name ("DN") which includes both the user's ordinary DN and the client ID. This new DN will identify the session throughout the system.
The client uses the claims token to request entitlement tokens.
The Controller queries its internal database to find all services that the user is entitled to, and replies to the client with entitlement tokens, one per Site.
The client generates an RSA keypair for itself.
The client sends a certificate signing request to the Controller, based on the claims token and public key.
The Controller replies with a certificate for the client. This is issued by the CA, to the same DN as in the claims token, which includes both the user's ordinary DN and the client ID.
Connecting to the right Gateway
The client establishes a TLS (or DTLS) tunnel to one Gateway in each Site, using the client certificate for client-side TLS authentication.
The client sends the claims token, a number of (untrusted) device claims, and a Site-specific entitlement token to each Gateway it is connected to.
Per-user firewalling
Each Gateway translates the claims token, client claims, and entitlement token into a list of firewall rules, which apply to that user on that client computer at that specific time.
The client can now send IP packets to endpoint servers through the TLS tunnel, provided that this is allowed by the firewall rules.
Step-up authentication using a condition - user interaction
A "user interaction" can be defined within a condition to enforce additional security requirements (such as re-entering the user's password before allowing access to a protected resource).
The client may send an IP packet which is not currently allowed by the firewall rules, but which may become allowed depending on run-time conditions. The Gateway will detect this and see if a user interaction is associated with the currently forbidden destination.
The Gateway sends a user interaction to the client over a websocket connection which the client keeps open for the session. This user interaction can contain instructions for the user, or trigger specific actions in the client, such as initiating a new user authentication. In this example, the user is prompted for two-factor authentication, which the Controller verifies using an authentication server.
The Controller replies with a new claims token, which proves that the user has entered a valid authentication. The client sends the new claims token to the Gateway, which uses it to re-evaluate the conditions in the entitlement token, and produces new firewall rules.
With the new firewall rules in place, the Gateway will now allow packets to the destination which was previously blocked.
Depending on the type of user interaction, the user will be:
prompted to provide an OTP, which the Controller verifies using the OTP provider specified in the condition. The Controller provides a new claims token with an updated OTP claim. The client sends the new claims token to the Gateway.
prompted to provide a reason for access: the text entered is sent to the Gateway as an untrusted Claim;
prompted to enter their password: the password is validated by the Controller using the identity provider specified in the user interaction, which can be the same one used for authentication or a different one identity provider;
shown a message explaining how to gain access (such as updating antivirus on the machine). If the user fixes the situation, the client will eventually send a changed value for the client-side claim (such as antivirus status) to the Gateway.
shown a message for information purposes such as indicating why access cannot be granted at this time.
Updating entitlements by revoking tokens
Immediate token updates
The administrator can force a user's claims and entitlement tokens to be renewed in real-time. By invoking an immediate token renewal, the token revocation list is updated and pushed out to all Gateways. The Gateway notifies the client that tokens will expire shortly and will try to get new tokens to replace the expiring ones. The user will be unaware of this renewal process.
Refer to Disable, change or remove access for more information about performing token renewals.
