Toucan Toco can authenticate users in two ways:
- using its own list of accounts
- leveraging the SSO (Single Sign-On) of your organization
The second option requires your SSO to support the SAML2 standard.
Toucan Toco has its own database of users. Basic administrative and viewer accounts are provisioned when the server is installed.
Each of our clients gets a dedicated database, which ensures that no user account is shared across our different customers.
Local password storage¶
Local password policy¶
Users must respect the following rules when creating or modifying their password:
- the password must be longer than 8 characters
- the password must not contain the user's login
- the password must not be in a list of basic keywords (based on the list of the worst passwords, e.g.
We apply the same policy, via fail2ban, to protect all our SaaS applications.
Our infrastructure has further mechanisms to mitigate denial-of-service attacks.
If you choose an on-premises installation, we can provide you with our fail2ban configuration.
We provide an administrative account with access to a panel that allows:
- reviewing the authorized accounts and their privileges
- deleting accounts
- modifying accounts
We enforce stronger password rules for these accounts, on top of the basic policy:
- 12 characters minimum
- a mix of lower-case letters, upper-case letters, digits and special characters
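The two policies above (the basic one for all users, the stricter one for administrative accounts) written as checks you can run against a candidate password. This is an added example, not Toucan Toco's own validation code; the short COMMON_PASSWORDS set is a constructed stand-in for the "worst passwords" list the page refers to, and the exact-match check against it is an assumption about how that list is applied.

```python
"""Password policy checks mirroring the rules stated on this page.

Added example, not Toucan Toco's own code. COMMON_PASSWORDS is a
constructed stand-in for the "worst passwords" list the page mentions.
"""
import string
from typing import List

# Constructed stand-in for the real blocklist (the real one is much longer).
COMMON_PASSWORDS = {"password", "123456789", "qwertyuiop", "iloveyou1"}


def basic_policy_errors(password: str, login: str) -> List[str]:
    """Return the basic-policy rules the password violates (empty = OK)."""
    errors = []
    # "longer than 8 characters": 9 is the minimum accepted length.
    if len(password) <= 8:
        errors.append("length must be longer than 8 characters")
    # Case-insensitive so that "xAlIcE2024" is rejected for login "alice".
    if login and login.lower() in password.lower():
        errors.append("must not contain the user's login")
    # Assumption: the blocklist is matched case-insensitively and exactly.
    if password.lower() in COMMON_PASSWORDS:
        errors.append("is in the list of common passwords")
    return errors


def admin_policy_errors(password: str, login: str) -> List[str]:
    """Basic policy plus the stricter rules for administrative accounts."""
    errors = basic_policy_errors(password, login)
    if len(password) < 12:
        errors.append("admin passwords need at least 12 characters")
    classes = {
        "lower-case": any(c.islower() for c in password),
        "upper-case": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        errors.append("admin passwords need " + ", ".join(missing) + " characters")
    return errors


if __name__ == "__main__":
    for pw, login in [("Password", "x"), ("alice2024", "alice"), ("correcthorse", "bob")]:
        print(pw, "basic:", basic_policy_errors(pw, login), "admin:", admin_policy_errors(pw, login))
```

Returning the full list of violations rather than the first one lets the UI show the user everything to fix at once; `string.punctuation` is used as the definition of "special characters", which the page does not spell out.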
Single Sign On (SSO)¶
Toucan Toco can act as a SAML Service Provider (SP), using your Identity Provider (IdP) to authenticate users.
We support the SAML2 standard. Specific connectors to other authentication systems can be developed and are purchased separately.
We need the following configuration fields to be able to use your IdP:
We then provide a metadata XML file or URL with the Service Provider information to be whitelisted in your IdP.
We provide an endpoint that generates these tokens when a user logs in.
Tokens are JSON Web Tokens (JWT). They replace the session information usually stored in cookies.
The token is signed server-side with HMAC-SHA256 using a 40-character secret. The secret is specific to each client, so if one client's secret is compromised, the other clients' tokens remain safe.
A token is valid for 30 days by default; after that, users must enter their credentials again. This suits mobile and tablet use in particular. The duration can be changed on request to match other security policies. Since the token is a bearer credential, a stolen token remains usable until it expires or the client's secret is rotated, so the lifetime is the main lever for limiting that exposure.
Permissions are defined per user group and per small app. A permission acts like a mask on the data rows available in the small app: it is a query that is combined with every query the user tries to execute.
Example: if a user group 'A' has the permission:

    permissions:
      data:
        entity: 'A'

and tries to execute the following query:

    query:
      domain: 'my_data'

the resulting query will be:

    query:
      $and:
        - domain: 'my_data'
        - entity: 'A'

If a user belongs to multiple user groups, the masks are joined by a $or operator, meaning that the user can query the union of the data available to these groups.
Example: if the previous user also belongs to a user group 'B', the resulting query will be:

    query:
      $and:
        - domain: 'my_data'
        - $or:
          - entity: 'A'
          - entity: 'B'
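The mask combination rule above, applied to constructed sample rows so that the effect on the data is visible. This is an added example and not Toucan Toco's query engine: the group masks, the rows and the tiny evaluator (only `$and`, `$or` and field equality, the subset of MongoDB query syntax the page uses) are constructed here. The page does not say what a user with no group sees; this example fails closed and refuses the query, which is an assumption.

```python
"""Row-level permission masks ANDed with the user's query, ORed across groups.

Added example, not Toucan Toco's own code. GROUP_MASKS and SAMPLE_ROWS
are constructed; the evaluator covers only $and, $or and equality.
"""
from typing import Dict, List

# Constructed: one mask per user group, as in the page's example.
GROUP_MASKS: Dict[str, dict] = {
    "A": {"entity": "A"},
    "B": {"entity": "B"},
}

# Constructed rows of the small app's data.
SAMPLE_ROWS = [
    {"domain": "my_data", "entity": "A", "value": 1},
    {"domain": "my_data", "entity": "B", "value": 2},
    {"domain": "my_data", "entity": "C", "value": 3},
    {"domain": "other", "entity": "A", "value": 4},
]


def masked_query(query: dict, groups: List[str]) -> dict:
    """Combine the user's query with the masks of all their groups."""
    masks = [GROUP_MASKS[g] for g in groups]
    if not masks:
        # Assumption (not stated on the page): no group means no data.
        raise PermissionError("user belongs to no group: nothing is visible")
    mask = masks[0] if len(masks) == 1 else {"$or": masks}
    return {"$and": [query, mask]}


def matches(doc: dict, query: dict) -> bool:
    """Minimal evaluator for the $and / $or / equality subset used here."""
    for key, value in query.items():
        if key == "$and":
            if not all(matches(doc, sub) for sub in value):
                return False
        elif key == "$or":
            if not any(matches(doc, sub) for sub in value):
                return False
        elif doc.get(key) != value:
            return False
    return True


def visible_values(rows: List[dict], query: dict, groups: List[str]) -> List[int]:
    """Values of the rows the user actually gets back for `query`."""
    q = masked_query(query, groups)
    return [row["value"] for row in rows if matches(row, q)]


if __name__ == "__main__":
    print(masked_query({"domain": "my_data"}, ["A", "B"]))
    print(visible_values(SAMPLE_ROWS, {"domain": "my_data"}, ["A"]))
    print(visible_values(SAMPLE_ROWS, {"domain": "my_data"}, ["A", "B"]))
    # A user cannot widen the mask by naming another entity or using $or:
    print(visible_values(SAMPLE_ROWS, {"entity": "C"}, ["A"]))
```

Because the mask is ANDed on the outside, nothing the user puts in their own query (another entity, a `$or` of their own) can reach rows outside their groups; the last call in the usage block returns an empty list for exactly that reason.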
Every user action on the Toucan Toco applications is logged, including:
- loading new data
- processing data
- releasing new versions of data to users
- successful and failed login attempts
Logs are available in JSON format and carry a date and time stamp.
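One thing these logs are good for is the kind of brute-force detection fail2ban performs, described earlier on this page. The following is an added example (not Toucan Toco's code, and not its actual log schema): it reads constructed JSON log lines, keeps a sliding window of failed logins per source IP and reports the moment each IP crosses the threshold. The field names `ts`, `event`, `login` and `ip` are assumptions about the format, which the page only says is JSON with a date and time.

```python
"""Flag source IPs with too many failed logins in a sliding time window.

Added example, not Toucan Toco's own code or log format. SAMPLE_LOG and
its field names (ts, event, login, ip) are constructed for the demo.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict

# Constructed sample: one JSON object per line. The first IP tries five
# different logins in 15 seconds (password spraying); the second fails once.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:00Z", "event": "login_failed", "login": "alice", "ip": "203.0.113.9"}
{"ts": "2024-03-01T10:00:05Z", "event": "login_failed", "login": "alice", "ip": "203.0.113.9"}
{"ts": "2024-03-01T10:00:09Z", "event": "login_failed", "login": "bob", "ip": "203.0.113.9"}
{"ts": "2024-03-01T10:00:12Z", "event": "login_failed", "login": "carol", "ip": "203.0.113.9"}
{"ts": "2024-03-01T10:00:15Z", "event": "login_failed", "login": "dave", "ip": "203.0.113.9"}
{"ts": "2024-03-01T10:00:20Z", "event": "login_ok", "login": "alice", "ip": "198.51.100.7"}
{"ts": "2024-03-01T10:30:00Z", "event": "login_failed", "login": "erin", "ip": "198.51.100.7"}
{"ts": "2024-03-01T10:31:00Z", "event": "data_release", "login": "alice", "ip": "198.51.100.7"}
"""


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_bruteforce(log_text: str, max_failures: int = 5, window_seconds: int = 600) -> Dict[str, str]:
    """Return {ip: timestamp of the failure at which the ip hit the threshold}."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    bans: Dict[str, str] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # a corrupt line must not abort the whole scan
        if entry.get("event") != "login_failed":
            continue
        ip, ts = entry["ip"], parse_ts(entry["ts"])
        window = recent[ip]
        window.append(ts)
        # Drop failures older than the window (lines are assumed time-ordered).
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= max_failures and ip not in bans:
            bans[ip] = entry["ts"]
    return bans


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

Counting per source IP rather than per login is what catches the spraying pattern in the sample, where no single account fails more than twice; a per-account lockout alone would miss it.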
Persistent storage segmentation¶
Toucan's server stores its objects in MongoDB. It uses:
- one database for the users and the list of small apps
- one database for each small app, storing its configuration, styles, etc.
The server needs to be authenticated to mongo with the
Each of our clients has a dedicated MongoDB instance for the storage of their small apps. See the DB infrastructure description for further information.