miaa PolicyGate is a rich API to implement strong, centrally governed, token-based access control. It implements a powerful combination of an OIDC Provider, an OAuth Authorisation Server and a XACML Policy Decision Point.


Versatile access enforcement

miaa PolicyGate enables harmonised and externalised secure access control enforcement. As an OIDC Identity Provider, it produces identity tokens for coarse-grained access control and for setting up sessions.

As an OAuth 2.0 Authorisation Server, it produces access tokens for fine-grained access control and for conditional progressive profiling. This enables you, for example, to distinguish between visitors, consumers, registered customers, professional customers and employees.

miaa PolicyGate has a policy decision engine configured with a suite of common rules. It also integrates with products offering a versatile XACML rule engine. Some common access rules are:

  • user profile must have a confirmed e-mail address
  • user must have accepted the most recent terms & conditions and privacy policy, for example to implement GDPR compliance (actively refreshing consent)
  • user must be older than a given age, for example to implement an ‘age-gate’
  • user must live in a whitelisted country, for example to limit participation to a contest to French residents only

miaa PolicyGate also facilitates secure progressive profiling to require the user to enter additional details before proceeding. Some typical obligations based on the rules above are:

  • user must indicate the birth year before proceeding
  • user must indicate the postal address before proceeding.

Externalising the control of access allows you to implement enforcement logic in a secure and scalable way. This ensures all your platforms are protected by the same logic without using the traditional bottleneck of a reverse proxy.

Please refer to Role-based accessAttribute-based accessScalable B2B access and On the use of passwords for some use cases.


Lightweight sessions

miaa PolicyGate integrates with an Identity Management platform to exchange an Access Token for an ID-Token or for a custom Access Token. miaa PolicyGate can also be configured to conditionally issue an ID-Token for coarse-grained access control. In that case, the user only receives a fresh ID-Token to access your digital services when certain rules are complied with.

miaa PolicyGate enables session management that is independent from http-accelerator layers and from caching user sessions and use data. It produces ID-tokens adopting the OpenID Connect standard. Using ID-Tokens avoids the need to maintain and store sessions server-side, neither on disk nor in memory. As such, miaa PolicyGate enables lightweight ‘stateless’ sessions.

Please refer to Access to streaming video and Offline sessions for some use cases.


Password lifecycle

miaa PolicyGate allows you to enforce password lifecycle policies. It offers rules including:

  • require the user to renew the password under certain conditions (and disallowing the reuse of passwords). Typical conditions are:
    • expiration, i.e. after a fixed period of time
    • aging, i.e. after a number of logins
    • entropy, i.e. when the password is too weak
    • lock-out, i.e. after suspect behaviour
  • convert legacy password hashing into a more robust hashing algorithm
  • enforce different password policies for different segments of users
  • challenge a user with a second factor authentication when a password is deemed to be insufficiently trustworthy or compromised.

miaa PolicyGate can also be configured to alert users in cases of suspect activity, such as too many failed login attempts, and in cases of known phishing attacks.

Please refer to On the use of passwords for some use cases.


Your benefits

Central governance

miaa PolicyGate enables you to centralise the governance of the access policy. This ensures that the logic of evaluating the rules is consistent and harmonised across all your digital properties. Whether the person is asking access through a browser or a mobile app, miaa PolicyGate produces its access decision the same way. And whether the person is asking access to a regular website or a third party platform, such as a gamification engine or a video streaming service, miaa PolicyGate that you configure is in control. As such, the decision process can be harmonised across all end user devices and across all your content delivery servers. Yet, the rules can be assigned on a property by property basis, when appropriate: which rules apply at a certain website, mobile app or other content server, and with which parameters.

Cost efficiency

miaa PolicyGate greatly simplifies coding to be done by front-end developers for access control. In fact, it reduces coding effort to a single check ‘do I have an “OK” token or not’ that can be simply be replicated on every web server and in every mobile app.

miaa PolicyGate not only saves on programming effort: it can also greatly reduce the user administration efforts of the back office when combined with the miaa ProfileValidator: see more  Role-based access.

Compliance

miaa PolicyGate performs its logic securely: it cannot be tampered with by the end user, nor by a third party platform provider or agency. Moreover, miaa PolicyGate securely accesses the user profile and does not count on data stored in the browser, in the mobile app or on the web server.

miaa PolicyGate offers mechanisms to enable compliance with GDPR and security policies:

  • True forget-me by instructing connected platforms to delete all PII-sensitive elements
  • Version controlled user acceptance to stimulate or require users to accept a new version of the terms & conditions and the privacy policy
  • Version controlled password policy to stimulate or require users to choose a new password when it no longer complies with the password policy

Available as managed service

miaa PolicyGate is miaa Cloudware. All Personally identifiable information (PII) is persistently stored in the Identity Management platform only and miaa PolicyGate does not persistently store any PII. Even though PII can temporarily occur in volatile memory, it is not kept in any database or log of the miaa PrivateGroups.

miaa PolicyGate can be further customised using our Build services:

  • to integrate with other access control platforms and policy engines
  • to tailor the security policy and its translation into rules
  • to tailor the custom claims in the ID-token
  • to tailor the reasons and obligations in policy decisions
  • to implement just-in-time registration through API calls to a legacy Identity Platform
  • to include tailor-made password life-cycle rules

Some of the components are also separately available:

  • miaa TokenIssuer enables lightweight stateless sessions. It hands out an ID-token to a front-end browser, web server and mobile app in a controlled way.
  • miaa PolicyChecker enables harmonised and externalised secure access control enforcement. It provides ‘access decisions’ for coarse-grained access control, fine-grained access control, and conditional progressive profiling.
  • miaa LoginEnhancer provides conditional two-factor authentication and can encourage or demand users to improve their password.