- Toucan Toco can authenticate users in two manners:
- using it’s own list of accounts
- leveraging the SSO (Single Sign On) of your organization
The second one needs your SSO to respect the SAML2 standard.
Toucan Toco has its own database of users. Basic administrative and viewer accounts are provided when the server is installed.
For each of our clients, Toucan Toco uses a dedicated database, which ensures that no user account is shared across our different customers.
Local Password Storage¶
Local Password Policy¶
We force users to respect the following rules when creating or modifying their passwords:
- a password’s length must be more than 8 characters
- a password mustn’t contain a user’s login
- a password mustn’t be in a list of basic keywords (based on the list
of the worst passwords, e.g.
And we applied exactly the same policy as fail2ban to protect all of our SaaS applications.
We have further mechanisms in our infrastructure to prevent denial of service attacks.
If you choose an on-premises installation, we can forward you the fail2ban configurations.
We provide an administrative account that has access to a panel allowing:
- review of the authorized accounts and their privileges
- deletion of accounts
- modification of accounts
We enforce reinforced password security for these accounts with the following rules on top of the basic policy:
- 12 characters minimum
- a mix of lowercase or uppercase letters, special characters and digits
Single Sign On (SSO)¶
Toucan Toco can act as a Service Provider, allowing users to connect using your Identity Provider.
We support the standard SAML2. Specific connectors to other authentication systems could be developed and therefore purchased separately.
We need the following configuration fields to be able to use your IdP:
We’ll then provide a metadata XML file or a URL with the information to be whitelisted in your IdP.
We provide an endpoint to generate these tokens when a user logs in.
Tokens are JSON Web Tokens. They replace the session information usually stored in cookies.
The token is signed server-side using the HMAC-SHA256 algorithm with a highly secured secret of 40 characters. This secret is specific for each of our clients. This ensures that if the secret of one of our clients is compromised, the rest of our clients remain safe.
This token is valid for 30 days by default, at the end of which users must enter their credentials again. This is particularly adapted to mobile and tablet use. This duration can be modified if requested to match other security policies.
Permissions are defined by user group, per small-app. These permissions act like masks on the data rows available in the small-app: it’s a query that will be executed along with each query that users execute:
Example: If user group ‘A’ has the permission:
permissions: data: entity: 'A'
and a user belonging to that group tries to execute the following query:
query: domain: 'my_data'
the resulting query will be:
query: $and: [ domain: 'my_data' , entity: 'A' ]
If a user belongs to multiple user groups, the masks are joined by an
$or operator, meaning that they can query the union of data
available to these groups.
Example: if the previous user also belongs to a user group ‘B’, the resulting query will be:
query: $and: [ domain: 'my_data' , $or: [ entity: 'A' , entity: 'B' ] ]
Every user’s actions on the Toucan Toco application are logged such as:
- loading of new data
- processing of data
- releasing new versions of data to users
- successful and failed login attempts
Logs are available in JSON format and stamped with the date and time.
Persistent Storage Segmentation¶
Toucan’s server stores its objects in MongoDB. It uses:
- a database for users and small-apps list
- a database or each small-app to store its configuration, styles, etc.
The server needs to be authenticated by MongoDB with the
Each of our clients have a dedicated MongoDB instance for the storage of their small-apps. See the DB infrastructure description for further information.