TideCloak 0.6.11
This is a fairly significant upgrade to TideCloak: it introduces a very large set of governance-protection capabilities (protecting against a rogue owner / super-admin). In TideCloak's case, it adds an IGA layer to protect against malicious changes.
TRIAL RUN: IGA (Identity Governance Administration)
Identity Governance and Administration (IGA) is a framework of processes, policies, and tools that organizations use to manage and control access to their systems, data, and resources securely and efficiently. It ensures that the right people have the appropriate level of access to the right resources at the right time while preventing unauthorized or excessive access.
In the TideCloak context, the IGA layer is a critical aspect of security, as it guarantees that no single administrator has "the keys to the kingdom". With TideCloak IGA, changes affecting users' access rights require the review and approval of several administrators before those changes are applied. TideCloak is the only administration system that guarantees against bypassing its IGA via cryptographic proofs.
IGA processes
The Tide IGA framework forces administrators to follow a specific, controlled workflow in which they:
- Make changes as normal. However, unlike existing flows, these changes do not apply automatically.
- These changes are automatically incorporated into groups called change-sets.
- The change-sets are placed in an admin queue, named "Change Requests", in a draft state, pending review, approval and execution (commit).
- Admins can now check the queue for pending change-sets and review them.
- Once reviewed, an admin can approve or deny the change-set with their personal Tide account (authority). If the admin approves it, its state (for that admin) changes to "Approved".
- Once the assigned cohort of admins (a minimum of 70% of the assigned admins) has approved the change-set, it can be committed by any of the admins (most likely the last one approving it).
- If enough admins deny the change-set, it changes to a "Denied" state and can be cancelled.
- Once a change-set has been committed, it is automatically certified by Tide and becomes active in the system. The change-set item is then cleared from the queue.
The following administration flows have been secured against malicious / accidental admin behaviour:
- Assigning roles to users (client or realm roles)
- Changing roles that are already assigned to users
- Changes to a client's settings that affect users' access
- Changing / setting composite roles for users
- Client Full Scope settings (to allow realm roles)
tide-realm-admin role added
A new embedded role has been added to TideCloak, named tide-realm-admin. That role should only be assigned to admins; this role enables the IGA flows for those admins.
Drafting Realm-Roles
In addition to Client-Roles, the IGA now also protects Realm-Roles that are assigned to users. However, for a realm-role to appear in a user's access token, the client's dedicated scope must be toggled ON to allow Full Scope.
Default roles drafting
Default user roles, that are defined in the Realm settings (under User registration), are assigned automatically to every new user - whether created by an admin, or automatically registered if the realm is set to allow User registration. On the creation of a new client, a change request for the default user context will be automatically generated and remain pending until approved and committed by the admins in the IGA flow.
Multi admin support
The Tide IGA framework now supports more than one admin approving changes. All admins that are granted the tide-realm-admin role become part of the realm's IGA cohort. Any change that affects a user's access privileges (i.e. roles) must be approved by the "majority" of the cohort, where majority is 70% or more.
This threshold is hardcoded, and the only exceptions are a cohort of 1 (where the threshold is 1) or 2 (where the threshold is 1) admins.
Until at least 1 admin is granted the tide-realm-admin role, any user with a realm-management role can approve and commit changes in an unverified manner.
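The IGA workflow described above (draft, per-admin approve/deny, threshold, commit) and the cohort threshold rule can be modelled as a small state machine. This is an added illustration, not TideCloak's own code; the page does not define exactly when a draft turns "Denied", so the rule used here (denial once the undecided admins could no longer carry the draft over the threshold) is an assumption, and the admin names are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    DRAFT = "Draft"            # in the "Change Requests" queue, pending review
    APPROVED = "Approved"      # threshold reached, any cohort admin may commit
    DENIED = "Denied"          # can no longer reach the threshold, can be cancelled
    COMMITTED = "Committed"    # certified by Tide, cleared from the queue


def approval_threshold(cohort_size: int) -> int:
    """Approvals needed: ceil(70% of the cohort); cohorts of 1 or 2 need 1."""
    if cohort_size <= 0:
        raise ValueError("cohort must contain at least one admin")
    if cohort_size <= 2:
        return 1                        # the two hardcoded exceptions
    return (7 * cohort_size + 9) // 10  # integer ceil(0.7 * n)


@dataclass
class ChangeSet:
    cohort: frozenset                   # admins holding tide-realm-admin
    approvals: set = field(default_factory=set)
    denials: set = field(default_factory=set)
    committed: bool = False

    def state(self) -> State:
        if self.committed:
            return State.COMMITTED
        need = approval_threshold(len(self.cohort))
        if len(self.approvals) >= need:
            return State.APPROVED
        # Assumption: denied once approval is mathematically out of reach.
        undecided = len(self.cohort) - len(self.approvals) - len(self.denials)
        if len(self.approvals) + undecided < need:
            return State.DENIED
        return State.DRAFT

    def review(self, admin: str, approve: bool) -> State:
        """An admin's signed decision; only cohort members may review."""
        if admin not in self.cohort:
            raise PermissionError(f"{admin} is not in the IGA cohort")
        if self.committed:
            raise RuntimeError("change-set already committed")
        (self.approvals if approve else self.denials).add(admin)
        (self.denials if approve else self.approvals).discard(admin)
        return self.state()

    def commit(self, admin: str) -> State:
        """Any cohort admin may commit once the threshold has been reached."""
        if admin not in self.cohort or self.state() is not State.APPROVED:
            raise RuntimeError("commit requires an approved change-set")
        self.committed = True
        return self.state()
```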
Admin secure web enclave
The IGA-secure process of approving or denying a change-set is now handled by Tide's secure web enclave.
Once a privileged admin has selected and clicked on Review Draft, the admin will be required to log in again, using their Tide credentials, where the Tide Secure Enclave will be presented.
In this enclave, the admin can verify the exact details of the draft, as it would be cryptographically signed with their authority key. A cautious admin should review that the details of the request match the ones presented in the TideCloak interface to avoid a compromised system scenario.
This way, the admin can guarantee exactly what is being approved by them.
The secure web enclave can also be used to deny the change.
Please note that at this point, only Chromium-based browsers support the ability to re-home the enclave, if requested. Re-homing is an important verifiable feature that allows an admin to switch the process to another Tide node of their choosing (in case there are any doubts about the default one used).
Cancel change requests
The ability for an admin to cancel a change-set draft has been added.
Enhanced error prompts
Additional error messages have been added for when failing to approve change sets.
Improved draft authorization performance
Significant performance improvement introduced to the drafting flow.
License management improvement
TideCloak's unique activation process has been overhauled to fix and improve the initial activation phase.
Fix licensing failure
A fix has been introduced to prevent the most significant bug of prior releases: license activation would sometimes fail without the ability to try again on that same realm. A new self-healing mechanism has been introduced to prevent the scenarios with slower/problematic internet connectivity that caused this issue, and all reproducible occurrences of that flaw have now been tested to be fixed.
Automatic license renewal
Tide licenses, once activated, are valid for a single calendar month and require a repeated renewal. Until this release, that renewal could only happen manually. Now, a cluster-aware, highly-available scheduler task is tracking and handling the license renewal process automatically across all stored licenses.
Added license history
The Tide IdP page now shows the entire history of current and previous licenses, for auditing and record keeping.
General improvements
Invite link without email
Previously, to add a Tide-enabled user to a realm, you either had to set the whole realm to accept user registration, or had to set up SMTP server settings and send the user an email so they can associate their Tide account. Now, a quicker, much more flexible option has been added, to create a user, and by "resetting their credentials" the admin can copy the link to that user's activation process, and send it via any out-of-band communications channels outside TideCloak (e.g. SMS, Instant Messaging, email, fax, courier pigeon, etc). Note: for this to work, the newly created user MUST have an email address. Since this address will not be used, it doesn't have to be a real one.
Better error messages for Tide IdP
Clearer and more elaborate error messages have now been added in case of failure in Tide IdP.
Tide refresh token
A new capability has been introduced to match the Tide login session duration with the TideCloak session duration. This mechanism works similarly to an OAuth2 refresh token and uses the same parameters as TideCloak's OAuth ones.
Non Tide user support
While the IGA framework offers the best security guarantee for managing Tide-enabled users, it is now also possible to co-manage non-Tide-enabled users in the same realm. Admins can now provision both Tide users and standard TideCloak users (internal, other IdPs, federated, etc.) while still benefiting from the infallible Tide IGA framework.
Dev experience improvements
Tide Adapter Config download
Platform developers can now find all the settings they require by simply using the Download adapter config button in the client details.
That file now holds all the server settings their application requires, including the realm's public key.
This feature is only available if the Tide IdP has been set up and a license has been activated.
User experience improvements
Enclave submits form on 'Enter'
A tiny but extremely useful fix has finally been introduced: in Tide's user log-in page (in the secure web enclave), you can now press the keyboard's Enter key to log in. No more the frivolous effort of finding the mouse again, driving it all the way to the bottom of the page, and clicking on "log in"!
ORK node improvements
Improved performance
This release introduces a 90% performance improvement in both latency and memory usage. A few security enhancements were also introduced as part of this improvement effort.
JWT model threshold signature added
A new tEdDSA flow has been introduced to sign the standard JWT tokens (ID, Access and Refresh tokens).
Improved logging
ORK logs are now far more helpful, presenting performance measures (per action) and memory usage.