In August 2015, PortalGuard version 5.2 was made available to the public. With the ever-changing landscape of secure authentication, PortalGuard is constantly being updated to address the challenges inherent in such an active realm.
The new updates and features included in the 5.x versions are:
PortalGuard Version 5.0
Updated Dashboard reporting
New web-based reporting includes the following reports “out of the box”:
- Successful Web Logins
- Failed Web Logins
- Strikes & Strikeouts
- Password Changes Activity
- Self Service Usage (Account Unlock, Password Resets)
- Self Service Enrollment – User Status
- Successful SSO Activity
- Failed SSO Activity
- All RADIUS/VPN Activity
These reports replace the older Admin Dashboard reporting and now encompass all activity for all PortalGuard servers in your environment.
The updated framework also allows you to easily customize the existing reports and make your own using direct SQL queries of PortalGuard event data.
Improved cookie-based SSO
- Offered as a complement to protocol-based SSO standards like SAML, WS-Federation, CAS and Shibboleth, cookie-based SSO is a great option for older-style websites under your control.
- Logging into the PortalGuard website creates a secure, domain-wide cookie that can offer an SSO experience for web applications using HTML forms-based authentication.
Windows Event Logging
For tighter integration with 3rd party SIEMs, PortalGuard can write formatted audit data to its own Application Windows event log.
SIEMs can now import this event log data to allow alerting, custom reporting and archiving as your organization sees fit.
Twilio & Regroup SMS support
These two well-established 3rd party messaging providers have been added to the existing ones already supported within PortalGuard.
Better support for SQL-based User Repositories
With more customers using PortalGuard to authenticate external users against SQL-based directories, there is now full support for parameterized queries and stored procedures for updating the SQL back-end.
Coupled with PortalGuard’s own input sanitization, both of these methods are recognized as “best practices” to help protect you against SQL injection attacks. Parameterization also provides the flexibility to integrate with any custom SQL table and data structure.
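Why parameterization matters when updating a SQL user repository, as an added example that is not PortalGuard code: the same password-reset UPDATE is written once with string concatenation and once with bound parameters, then run against a crafted username. The `users` table, its columns and the function names are assumptions made for illustration.

```python
import sqlite3

def make_repo():
    """Build an in-memory user table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "hash-a"), ("bob", "hash-b")])
    return db

def reset_concatenated(db, username, new_hash):
    """Weak form: user input is spliced into the SQL text itself."""
    sql = ("UPDATE users SET pw_hash = '" + new_hash +
           "' WHERE username = '" + username + "'")
    return db.execute(sql).rowcount   # number of rows changed

def reset_parameterized(db, username, new_hash):
    """Corrected form: values are bound and never parsed as SQL."""
    cur = db.execute("UPDATE users SET pw_hash = ? WHERE username = ?",
                     (new_hash, username))
    return cur.rowcount

def hashes(db):
    """Return {username: pw_hash} so the effect of a reset can be inspected."""
    return dict(db.execute("SELECT username, pw_hash FROM users"))

# Constructed input: a username field that carries SQL syntax.
CRAFTED = "alice' OR '1'='1"

if __name__ == "__main__":
    weak, safe = make_repo(), make_repo()
    print("concatenated rows changed: ", reset_concatenated(weak, CRAFTED, "new"))
    print("parameterized rows changed:", reset_parameterized(safe, CRAFTED, "new"))
    print("weak repo after reset:", hashes(weak))
    print("safe repo after reset:", hashes(safe))
```

A row count other than exactly one on a single-user reset is worth treating as an error and logging, whichever query style the back-end uses.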
Banner Oracle SQL Directory Support
As a direct result of increased support for SQL-based user repositories, PortalGuard now fully supports utilizing Banner GOBTPAC and GORPAUD user tables for educational institutions that would like to offer Self-service Password Reset for this popular application.
Extended Password Expiration Email Reminders
PortalGuard has extended its automated email reminder feature for users whose passwords are nearing expiration. In addition to sending emails a set number of days prior to expiration, reminders can optionally be sent to users for any number of days after their password has expired.
Citrix Storefront SSO Support
PortalGuard’s Identity Provider can now include the user’s encoded password as an identity claim in the SAML response that it generates. Citrix Storefront does not currently support SAML-based SSO, but NetScaler can parse out the username and password attributes from SAML and proxy them to Storefront to achieve SSO.
Flexible Mixed-Mode Authentication
A single PortalGuard website can now be configured to provide both Forms-Based Authentication (FBA) to internet-based users and attempt Kerberos SSO for users on your LAN. This allows internal users to receive “true” SSO to the entire suite of web applications federated with PortalGuard by leveraging their login to a domain-joined Windows workstation.
A prior version of this feature required maintenance of two separate IIS websites: one for FBA and the other for Windows authentication. This required multiple IP addresses and a more complex DNS structure. The new version has numerous checks before initiating Kerberos, including:
- ServicePrincipalName (SPN)/server name filtering
- IP white lists
- IP black lists
- URL black lists with regular expression support
- Browser white lists
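How checks like these can combine into a single decision, as an added sketch that is not PortalGuard's implementation: every check must pass before Kerberos is attempted, and any failure falls back to FBA. The class, field names, check order, deny-over-allow precedence and sample values are all assumptions; the white lists and black lists above appear here as allow and deny lists.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class KerberosGate:
    server_names: set    # host names assumed to have an SPN registered
    ip_allow: list       # networks where Kerberos may be attempted
    ip_deny: list        # networks excluded even when inside ip_allow
    url_deny: list       # compiled regexes for paths that must use FBA
    browser_allow: list  # User-Agent substrings trusted to handle Negotiate

    def decide(self, host, client_ip, path, user_agent):
        """Return ("kerberos" | "fba", reason); any failed check means FBA."""
        ip = ipaddress.ip_address(client_ip)
        if host.lower() not in self.server_names:
            return "fba", "host has no SPN"
        if any(ip in net for net in self.ip_deny):
            return "fba", "ip deny-listed"
        if not any(ip in net for net in self.ip_allow):
            return "fba", "ip not allow-listed"
        if any(rx.search(path) for rx in self.url_deny):
            return "fba", "url deny-listed"
        if not any(tok in user_agent for tok in self.browser_allow):
            return "fba", "browser not allow-listed"
        return "kerberos", "all checks passed"

# Constructed sample policy (hypothetical host name and ranges).
GATE = KerberosGate(
    server_names={"sso.example.edu"},
    ip_allow=[ipaddress.ip_network("10.0.0.0/8")],
    ip_deny=[ipaddress.ip_network("10.99.0.0/16")],  # e.g. a guest network
    url_deny=[re.compile(r"^/selfservice/")],
    browser_allow=["Chrome/", "Firefox/", "Edg/"],
)

if __name__ == "__main__":
    ua = "Mozilla/5.0 Chrome/120.0"
    for ip in ("10.1.2.3", "10.99.4.5", "203.0.113.7"):
        print(ip, GATE.decide("sso.example.edu", ip, "/login", ua))
```

Returning the reason alongside the decision gives the audit log a record of why a LAN user was shown the login form instead of receiving SSO.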
Voice OTP support for Regroup
As a follow-up to SMS support for Regroup, PortalGuard now also leverages Regroup’s newly updated voice calling to provide OTPs to any phone number without it having to be in Regroup’s address book.
Federated Office365 support for Outlook and ActiveSync clients
PortalGuard has long supported direct web browser access when federated with Office 365. Now, PortalGuard also fully supports access from Outlook and ActiveSync clients such as the native mobile device email app available in both iOS and Android.
This support required implementation of a larger subset of the WS-Trust standard and rounds out PortalGuard’s Office 365 support. Please keep in mind that Microsoft’s own “OWA for iPhone” and “OWA for Android” apps do not support login for any federated Office 365 domain, regardless of which STS/IdP it is federated with (ADFS, PortalGuard, etc.).
SQL Role Support
PortalGuard is now able to retrieve roles or groups from a SQL user repository and use these roles to determine which PortalGuard Security Policy to apply to a user. Additionally, PortalGuard can use these roles within the IdP’s Access Control Lists to gate access to the defined relying parties/service providers.
PortalGuard has long supported LDAP groups for these purposes, but we saw fit to add this support based on the increasing use of PortalGuard with SQL directories.
Ready for an Upgrade?
Do any of these features apply to your environment? Is there something else you would like to see supported in a future version of PortalGuard? Please reach out to us and let us know.
Authentication should be simple and PortalGuard can help. If you are interested in updating your current instance of PortalGuard, please contact us to schedule your upgrade!