Glossary

This glossary provides definitions for terms frequently encountered across ALMEFY products, offering insights into the various components and configurations within the ALMEFY ecosystem.

Products

Almefy

ALMEFY stands for All Logins Made Easy For You!

ALMEFY App

The ALMEFY App is our replacement for passwords and additional authenticator apps.
Our app takes care of securely authenticating you when you want to access one of your platforms.

ALMEFY Hub

The ALMEFY Hub is an administration dashboard for your company where you manage and provision your users.
You can find more info on the Getting started with the Almefy HUB page.

Onboarding

Onboarding concerns the entire process of enrolling and provisioning users to ALMEFY and your platforms.

Enrolment

Enrolment primarily refers to the initial process of adding a new user to a system. This process involves collecting and verifying the user's identity and credentials.

Enrolment is the first step in establishing a user's identity and includes steps like submitting personal information, setting up identifiers, usernames and the ALMEFY App, and possibly going through security checks (in person, by mail, government ID card, ...). The focus of enrolment is on establishing the user's identity and ensuring that they are who they claim to be.

Provisioning

Provisioning describes granting and managing access to the platforms available to a user. Provisioning involves setting up groups and associated endpoints to create and assign access levels.

Connect

Connecting refers to the step of the enrolment process where a user scans a QR code to connect their accounts to the ALMEFY App. After connecting a device to a user created in the ALMEFY Hub, the user will be able to access all platforms made available to them through assigned groups.

Enrolment Email

The enrolment email is a verification email whose purpose is to connect a device to an ALMEFY user.
This process involves scanning an ALMEFY Connect QR Code using the ALMEFY App on a device.
After connecting a device, the user will be able to use it to authenticate to enabled platforms, either directly on the platforms' existing login pages or through your ALMEFY SSO page at https://<subdomain>.sso.almefy.com.

Account

Accounts are accessible platforms listed in the ALMEFY App.

QR Codes

ALMEFY uses several types of QR Codes which serve different purposes depending on the context they are shown in.

Login QR Code
Shown on login pages. If a user has successfully connected their device, scanning this code authenticates them immediately and grants access to all assigned platforms.

Connect QR Code
The Connect QR Code, also sometimes referred to as Enrolment QR Code, connects a device to an account previously created in the ALMEFY Hub, by an administrator.
They are usable only once and their lifetime is configurable.
Connect Codes may be sent via email or created manually, both directly in the ALMEFY Hub.

Accounts Transfer Code
Transfer Codes are special codes that are generated inside the ALMEFY App. They allow moving accounts from one device to another. This is useful for when you are changing to a new device or for creating a backup device.

Endpoint

Endpoints are created in the ALMEFY Hub. They describe the connection between the ALMEFY SSO Service and platforms like Salesforce or Office 365. Endpoints are represented by URIs like https://<customer>.sso.almefy.com/<type>/sso/<endpoint_id>.

ALMEFY supports three types of endpoints:

  • OIDC Endpoint
  • SAML Endpoint
  • JWT Endpoint (Manual integration)

Platform

Platforms refer to external applications like WordPress, Salesforce, and Office 365. These platforms implement either the OIDC or SAML standard protocols, which allow ALMEFY to manage identities and handle the authentication flow.

Sometimes platforms are also referred to as an application or a client, depending on the context.

2(or Multi) Factor Authentication

2FA and MFA describe a security process that requires more than one method of authentication from independent categories of credentials.

TODO: differentiate for ALMEFY ( IBE )

The factors involved are typically categorized into

  • "something you know" (like a password, PIN or key),
  • "something you have" (such as a security token or smartphone), and
  • "something you are" (biometrics like fingerprints, facial recognition or location data)

2(or Multi) STEP Authentication

MSA describes the process of performing multiple, sequential actions in order to complete an authentication procedure.
These actions may come from different or from repeating categories of the MFA factors.

An example would be:

  1. Enter username
  2. Enter password
  3. Enter One Time Password generated by an authenticator app
  4. Additional steps like confirming an email

These tedious steps become obsolete with ALMEFY, as we combine Multi Factor Authentication into a single step: Scan to log in!

Login

Login: The user-facing process where credentials are submitted (scanning an ALMEFY Login QR Code) to gain access to a platform.

Authentication

This process is about verifying a user's identity to ensure they are who they claim to be. ALMEFY uses Identity Based Encryption technology to verify that the user device is authorised to access platforms defined by the administrator of those platforms.

Authorisation

This is the step that directly follows a user's authentication. In this step ALMEFY ensures that users only gain access to the platforms they are intended to access.

To achieve this, the ALMEFY Hub allows the creation of groups. A group consists of a list of endpoints, which in turn connect to platforms.
Groups are then assigned to users, authorising them to log in.

User

Users are created in the ALMEFY Hub. Users may be assigned to groups which manage access to endpoints.
A unique identifier is used to identify a user across different platforms, including ALMEFY.

Identifier

ALMEFY allows arbitrary, unique strings as user identifiers. These allow authenticating users into platforms under that same ID.
We typically recommend using an email address as identifier.
This is supported by most platforms and allows ALMEFY to handle the enrolment process by sending enrolment emails for you, with just a press of a button.

Locking

The ALMEFY Hub allows locking access on user, group and endpoint levels.
This enables fine control over who can access which parts of your infrastructure at any given point in time.

Identity Provider (IdP)

ALMEFY acts as an Identity Provider.
We provide methods to create, maintain, and manage identity information, while providing authentication services to supported platforms.
We take care of issuing identity credentials and authenticating users when they log in to enabled platforms.

Identity (Access) Management IAM

IAM is a broader framework designed to manage user identities, their authentication, authorization, roles, and privileges within or across system and enterprise boundaries with the goal of increasing security and productivity while decreasing cost, downtime, and repetitive tasks. IAM systems provide a structured way of controlling who has access to what resources within an organization and under what conditions.

SSO

SSO (Single Sign-On): SSO is a user authentication process that allows a user to access multiple platforms with a single authentication method. This means that once the user logs in to one platform, they are automatically logged into others within the same SSO framework. SSO is designed to simplify the user experience by reducing the number of times a user has to log in when navigating between different systems or applications. It's especially beneficial in environments where users are required to access multiple services or applications, enhancing usability while maintaining security.

SLO

SLO (Single Log-Out): SLO is a complementary process to SSO that enables a user to log out from all applications or systems within the ALMEFY SSO framework. This ensures that the user's session is securely terminated across all systems, preventing unauthorized access that might occur if a session remains active on a shared or public device.

OIDC

A JSON-based, user-friendly protocol built on OAuth 2.0, ideal for modern web and mobile applications, emphasizing simplicity and ease of integration.

SAML 2.0

An XML-based framework for enterprise-level SSO, offering robust security and extensive customization for complex system integrations.

ALMEFY SSO Platform

The ALMEFY SSO Platform page is located at https://<your-subdomain>.sso.almefy.com.
Users that scan the Login QR Code will be authenticated into the ALMEFY SSO System and shown a list of endpoints available to them.
Selecting an endpoint will redirect them to the configured platform.

Session

When logging in through the ALMEFY SSO Portal, a session is created. The lifetime of this session can be adjusted in the ALMEFY Hub settings page. While the session is active, users can access available platforms without the need for repeated logins. The session duration, along with forced re-authentication despite an active session, can also be configured in the endpoint settings.

The latter is particularly beneficial for enhancing security for critical system access, such as administrative accounts on platforms accessible through ALMEFY.

IBE

Identity-Based Encryption (IBE) is a type of public-key cryptography that simplifies the management of public keys. In traditional public-key systems, users must obtain and verify the public keys of their counterparts through a trusted authority or infrastructure, such as a Public Key Infrastructure (PKI). IBE, on the other hand, allows any piece of unique information, such as an email address or a user ID, to serve as a public key.