Sector: Transport

Dual authentication: strengthening access security without compromising usage

Key figures: 15 days / year; 1 expert in identity and access security / DevOps

Protecting critical applications is no longer a simple precaution, but a strategic imperative. In the transport sector, a Swiss company needs to tighten up security around access to a sensitive business application accessible via a Citrix portal. Used by both internal staff and external service providers, this solution raises major issues in terms of identity control and ease of use. Qim info’s response is a customised dual authentication system that combines Citrix, Red Hat SSO and Keycloak.

Securing access to a critical business application

For this company in the transport sector, a sensitive business application accessible via a Citrix portal is a key tool in the day-to-day running of the teams. Used by both internal staff and external service providers, it concentrates critical data and therefore requires strict access control.

Up until now, all users accessed the application via a single authentication process, with no distinction drawn as to path or security level. Although this system was simple to administer, it had a number of limitations:

  • Significant vulnerability if identifiers are compromised,
  • Lack of differentiation between internal and external users,
  • Limited traceability of connections.

To meet these challenges, the company called on Qim info to design a dual authentication system capable of reinforcing access security without making day-to-day use trickier.

Defining the objectives of the security system

The organisation thus aims to strengthen the security of its business application while guaranteeing a seamless experience for all users. The system it expects to have must meet several requirements:

  • Adapting the level of authentication to suit internal and external users,
  • Enhancing the traceability of logins,
  • Centralising identity management via interoperable tools,
  • Integrating seamlessly into the existing technical environment.

Qim info’s mission is to design a robust solution tailored to the wide range of professionals involved, while guaranteeing secure, seamless access.

Technologies: Citrix, Red Hat SSO, Keycloak

Implementing a bespoke solution with Citrix, Red Hat SSO and Keycloak

To complete this project successfully, Qim info hired a DevOps expert specialising in identity management and secure access, who will spend 15 days a year managing, maintaining and developing the system.

Deploying a security system tailored to meet business challenges

The intervention is based on five key areas that are perfectly matched to the needs expressed by the company:

  1. Access filtering: implementation of granular access control to the target application via Citrix Gateway, using Red Hat SSO configured in SAML as the identity provider (IdP).
  2. Access rights propagation: definition of access rules based on Active Directory groups, with synchronisation via Red Hat SSO to ensure that authorisations are automatically assigned.
  3. Multi-factor authentication (MFA): mandatory activation of MFA for external service providers to secure the most sensitive kinds of access, while maintaining a smooth, hassle-free experience for internal staff.
  4. Deployment of the solution: production rollout on target environments, with custom connectors developed using Keycloak, an open-source solution dedicated to identity management and the use of federated identities for access.
  5. Skills transfer and support: support for internal teams through targeted training sessions, supplemented by level 3 support, with a focus on handling complex incidents and advanced maintenance of SSO components.

Understanding the authentication process with Citrix, Red Hat SSO and Keycloak

The system is based on a fluid and well-structured authentication chain, designed to adapt the level of security to suit the profile of each user. Here are the key stages in the process:

1. Citrix portal

The user, whether they are an internal employee or an external service provider, begins by accessing a secure Citrix portal. This portal constitutes the first checkpoint on the route towards the target application.

2. Users are redirected towards Red Hat SSO

Citrix automatically redirects the user to Red Hat SSO, configured as an Identity Provider (IdP) in SAML mode. This service provides centralised authentication that complies with security standards.

3. Active Directory

Red Hat SSO queries the Active Directory (AD) to validate the user’s identity and retrieve attributes such as whether they belong to a particular group, their role, and whether their status is internal or external.

4. The level of authentication is adjusted

One of two routes is then triggered, depending on which profile is detected:

  • Internal employees access the application using standard authentication.
  • External service providers must authenticate themselves using a second factor, such as a one-time code or a mobile application.

5. Managing rights with Keycloak

Access authorisations are cross-checked against rules defined in Keycloak. These are automatically synchronised with Active Directory groups to ensure that rights are allocated consistently.

6. Final access to the application

If all the checks are successfully completed, the user accesses the business application in a secure environment, without any interruptions or friction, in compliance with internal security policies.
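The following is an added example, not Qim info's code or a configuration taken from the project. It models, in Python, the decision logic behind key areas 1 to 3 and stages 3 to 5 of the chain above: attributes returned by the identity provider (group membership and internal/external status sourced from Active Directory) are read from a SAML-style assertion, the profile decides whether a second factor is mandatory, and rights are derived from AD groups through a Keycloak-style group-to-role table. The attribute names `memberOf` and `userType`, the group names and the role mapping are assumptions constructed for illustration. It also assumes that the service provider (here the Citrix Gateway) has already verified the assertion's signature, issuer and audience; an unverified assertion must never reach this stage, so the example deliberately contains no signature handling.

```python
"""Added example (not Qim info's code): attribute-driven authentication level
and rights decision for a SAML-federated application.

Assumptions (not from the page): the SAML service provider has already
validated the assertion's signature, issuer and audience; the attribute names,
AD group names and role mapping below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical Keycloak-style rule table: AD group (CN) -> application role.
# Only groups listed here grant anything; unknown groups are ignored.
GROUP_TO_ROLE = {
    "APP-Users": "app-user",
    "APP-Admins": "app-admin",
}


def make_assertion(subject, group_dns, user_type):
    """Build a constructed SAML-like assertion fragment for the examples below."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in group_dns)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
            f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
            "<saml:AttributeStatement>"
            f'<saml:Attribute Name="memberOf">{values}</saml:Attribute>'
            f'<saml:Attribute Name="userType"><saml:AttributeValue>{user_type}'
            "</saml:AttributeValue></saml:Attribute>"
            "</saml:AttributeStatement></saml:Assertion>")


# Constructed sample assertions, as an IdP such as Red Hat SSO would emit them
# after querying Active Directory (stage 3).
EXTERNAL_USER = make_assertion(
    "j.doe@provider.test",
    ["CN=APP-Users,OU=Groups,DC=corp,DC=example",
     "CN=External-Providers,OU=Groups,DC=corp,DC=example"],
    "external")
INTERNAL_USER = make_assertion(
    "a.smith@corp.example",
    ["CN=APP-Admins,OU=Groups,DC=corp,DC=example"],
    "internal")


@dataclass
class Decision:
    subject: str
    mfa_required: bool
    roles: set = field(default_factory=set)
    allowed: bool = False


def parse_attributes(xml_text):
    """Return (subject, {attribute name: [values]}) from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    return subject, attrs


def group_cn(dn):
    """Extract the CN value from a distinguished name such as 'CN=APP-Users,OU=...'."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    return value if key.strip().upper() == "CN" else None


def decide(xml_text, mfa_completed=False):
    """Stages 4 and 5: pick the authentication level, then derive rights from groups."""
    subject, attrs = parse_attributes(xml_text)
    groups = {group_cn(dn) for dn in attrs.get("memberOf", [])} - {None}
    # Fail closed: a missing or unknown userType is treated as external.
    user_type = (attrs.get("userType") or ["external"])[0].lower()
    mfa_required = user_type != "internal"
    roles = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    # Access needs at least one mapped role and, for external users, a completed second factor.
    allowed = bool(roles) and (mfa_completed or not mfa_required)
    return Decision(subject, mfa_required, roles, allowed)


def audit_line(decision):
    """One traceability record per access decision, ready for the central log."""
    return (f"subject={decision.subject} mfa_required={decision.mfa_required} "
            f"roles={sorted(decision.roles)} allowed={decision.allowed}")


if __name__ == "__main__":
    for assertion in (EXTERNAL_USER, INTERNAL_USER):
        print(audit_line(decide(assertion)))
    print(audit_line(decide(EXTERNAL_USER, mfa_completed=True)))
```

The decision fails closed in two ways that matter for this design: a user whose profile attribute is absent is treated as external and therefore owes a second factor, and a user with no mapped AD group gets no access even if authentication succeeded, which is what makes the group synchronisation the single source of rights.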

Measuring the benefits of dual authentication

In the solution implemented by Qim info, multi-factor authentication (MFA) is specifically applied to external service providers, in order to strengthen access security for these users. This mechanism is based on a combination of several identification factors, such as a password combined with a temporary code or a mobile application. As for internal employees, they benefit from a fluid access path that complies with the company’s security policies.

This approach, whereby a distinction is drawn between internal and external users, enhances security without compromising on user-friendliness or creating unnecessary obstacles. In this way, the system rises to the challenge of being secure, compliant and efficient.

According to a study published by Microsoft Research in 2023, implementing MFA reduces the risk of accounts being compromised by up to 99.22%, and by up to 98.56% even when a password has been leaked. These figures show just how effective this type of system is in an environment where security is of the utmost importance.

The operational benefits are manifold:

  • Enhanced protection of sensitive access,
  • Improved traceability of connections,
  • Centralisation of access rules,
  • Harmonisation of security practices across all profiles.

The entire system can be integrated naturally into the tools already in place, without any overhaul of the application environment being required.

To reinforce the overall effectiveness of the security strategy, it is essential that these technical measures are complemented with a people-focused approach. Read our article "Raising your teams’ awareness about cyber security" to find out how you can train your teams effectively, reduce the risks associated with human error and establish a shared culture of security.

Rely on Qim info’s Cloud & DevOps expertise

Within its Cloud & DevOps department, Qim info designs robust cybersecurity systems that are aligned with the real constraints organisations face. From securing access to fine-tuning identity management, its experts work on critical projects using proven technologies.

This approach combines high technical standards, regulatory compliance and ease of use, for secure, high-performance application environments. With offices in Geneva, Lausanne, Zurich, Basel, Annecy and Lyon, Qim info deploys scalable, customised cybersecurity solutions that comply with market standards.

Do you want to strengthen your sensitive access? Our Cloud & DevOps specialists can help you build a tailor-made response. To find out more about the skills involved, read our article "Everything you need to know about the job of cybersecurity engineer".
