Application security

Authentication

Important

Toucan Toco can authenticate users in two manners:
  • using it’s own list of accounts
  • leveraging the SSO (Single Sign On) of your organization

The second one needs your SSO to respect the SAML2 standard.

Local accounts

Toucan Toco has its own database of users. Basic administrative and viewers accounts are provisioned when the server is installed.

For each of our clients, Toucan Toco uses a dedicated database, which ensures that no user account is shared across our different customers.

Local passwords storage

Toucan Toco server never stores the password in plain text! We use the PBDFK2 algorithm to hash them, which consists of a thousand iterations of a salted SHA2.

Local passwords policy

We force users to respect the following rules when creating or modifying their passwords:

  • password’s length must be superior than 8 characters
  • password mustn’t contain user’s login
  • password mustn’t be in a list of basic keywords (based on the list of the worst passwords, e.g. 1233456789 or quertyuiop)

Anti-bruteforce mechanism

We basically use fail2ban to protect SSH or HTTP brute-force attacks on all our servers.

And we applied exactly the same policy with fail2ban to protect all our SaaS applications.

We have further mechanisms in our infrastructure to prevent denial of service attacks.

If you choose an On-Premise installation, we can forward you the fail2ban configurations.

Administrative account

We provide an administrative account that have access to a panel allowing:

  • review of the authorized accounts and their privileges
  • deletion of accounts
  • modification of accounts

We enforce a better password security for these accounts with theses rules on top of the basic policy:

  • 12 characters minimum
  • a mix lower, upper, special characters and digits

Single Sign On (SSO)

Toucan Toco can act as Service Provider, using your Identity Provider to allow users to connect.

We support the standard SAML2. Specific connectors to other authentication systems could be developed and therefore purchased separately.

SAML 2.0 Web Browser SSO

SAML 2.0 Web Browser SSO

We need the following configuration fields to be able to use your IdP:

  • entityId
  • singleSignOnService url
  • singleSignOutService url (optional)
  • x509cert

We’ll then provide a metadata XML file or URL with the information to be whitelisted in your IdP.

Session management

The back-end exposes its endpoints following the REST conventions, meaning it’s stateless. The front-end (consuming the API) therefore sends its authentication token at each request for validation.

Authentication tokens

We provide an endpoint to generate these tokens when a user logs in.

Tokens are JSON Web Tokens. They replace the session information usually stored in cookies.

The token is signed server-side using the HMAC-SHA256 algorithm with a highly secured secret of 40 characters. This secret is specific for each of our clients. This ensures that if the secret of one of our client is compromised, the rest of our clients remains safe.

This token is valid for 30 days by default, at the end of which users must enter their credentials again. This is particularly adapted to a mobile and tablet use. This duration can be modified if requested to match other security policies.

Access control

Permissions are defined by user group, per small app. These permissions act like masks on the data rows available in the small app: it’s a query that will be executed along each query that users tries to execute:

Example: If a user group ‘A’ has the permission:

permissions:
  data:
    entity: 'A'

and try to execute the following query:

query:
  domain: 'my_data'

the resulting query will be:

query:
  $and: [
    domain: 'my_data'
  ,
    entity: 'A'
  ]

If a user belongs to multiple user groups, the masks are joined by a $or operator, meaning that they can query the union of data available to these groups.

Example: if the previous user also belongs to a user group ‘B’, the resulting query will be:

query:
  $and: [
    domain: 'my_data'
  ,
    $or: [
      entity: 'A'
    ,
      entity: 'B'
    ]
  ]

Log Events

Every user actions on the Toucan Toco applications are logged such as:

  • loading of new data
  • processing of data
  • release new versions of data to users
  • successful and failed login attempts

Log are available in a JSON format and stamped with the date and time.

Persistent storage segmentation

Toucan’s server stores its objects in MongoDB. It uses:

  • a database for users and small apps list
  • a database or each small app to store its configuration, styles, etc.

The server needs to be authenticated to mongo with the readWriteAnyDatabase role.

Each of our clients have a dedicated MongoDB instance for the storage of their small apps. See the DB infrastructure description for further information.