M-Pin SSO Overview

M-Pin SSO enables strong two-factor authentication at mobile internet scale. It is for enterprises looking for a truly secure solution to give their users single login access to all company apps and resources.

One login = access to all configured apps and websites.

With M-Pin SSO, companies can give their users the convenience of one login to multiple apps, à la Google (Gmail, Drive, YouTube, 'Login with Google'), with the unique and superior security of:

  • MIRACL's Zero Knowledge Proof Authentication Protocol based on elliptic curve cryptography
  • MIRACL's Distributed Trust Authority (D-TA) system, which eliminates single points of compromise

M-Pin SSO can be used to configure access to your own apps and sites, as well as to approved lists of third-party resources such as Dropbox, Office 365, GitHub, etc. It primarily uses the SAML (Security Assertion Markup Language) protocol in two basic steps:

  1. Configure your M-Pin SSO server and third-party service to talk to each other
  2. Use the M-Pin SSO portal to provide the third-party service with a SAML certificate

It can also, via the RADIUS protocol, be used to provide One-Time Password (OTP) access to applications such as VPN clients, Remote Desktop and Virtual Desktop applications.

LDAP / Active Directory can also be set up to manage permitted user lists at two basic levels:

  1. At a global level, i.e. any users (typically identified by email) not present in your Global LDAP / AD list will not be able to log in to any of your configured services.

  2. At a per service level, i.e. users not present in a particular LDAP / AD group will not be able to access a specific service within your list of configured services (e.g. only certain users will be able to access your company AWS account).

The first step is to follow the instructions found in the Installation menu section, which will enable you to get the M-Pin SSO server and admin interface set up and available on your network.

First Time Access will then take you through logging in to the admin interface for the first time, and creating your first user with administrative rights.

Global LDAP setup gives instructions on setting up global user access.

The SAML Service Integration section gives instructions on how to make use of the M-Pin SSO SAML certificate to configure the list of services available when your users log in. LDAP Access to Services then tells you how to control which of these services are available to whom, upon login.

OTP / Radius setup gives instructions on setting up a basic RADIUS server to communicate with the M-Pin SSO OTP generator, concluding with a simple test SSH login.

End User login guides then illustrate how the front-end process works for those actually logging in.

Shared Database setup is a guide to setting up a shared database which can be used for running two M-Pin SSO instances which share server secrets and make use of a load balancer.

Management Console gives an overview of the separate management console which allows you to manage your subscriptions and access MIRACL support.

Those seeking an in-depth theoretical grounding in the technology behind M-Pin SSO can delve into M-Pin SSO explained to fulfil their needs in this regard.