Beowulf STS is a Security Token Service based on SAML 2.0, a standard of the OASIS committee. As such, it follows standard best practices for such systems, including:
- OASIS compliant SAML 2.0 security token generation and validation protocols are followed at all stages.
- X.509 certificates used for data transmission, token signature, and token encryption can be obtained from any compliant certificate authority, including your own Windows Enterprise Root CA or global certificate authority such as Verisign or Thawte.
- SSL connections using standard PKCS certificates are handled purely by Microsoft IIS; no OpenSSL implementation is needed or used.
- 2048 bit keys are used for all token signing and encryption certificates. Larger key lengths are possible.
- The portions of the Beowulf STS that allow for authentication via external sources are based on peer reviewed open source and well-known security standards. These include OAuth 2.0 and Open ID Connect standards. Beowulf implementation of these standards leverages the DotNetOpenAuth project.
- All code requiring .NET framework has recently been upgraded to .NET 4.5.2 to remove any dependencies on WIF and .NET framework 3.5 except where they are absolutely needed (such as in SharePoint 2010 and legacy applications based on ASP.net).
- All random number generation utilize the BCryptGenRandom() function of the Windows Crypto API and/or RNGCryptoServiceProvider.GetBytes() function within the .NET framework. These methods use FIPS certified cryptography for the generation of random values.
- Time and hardware based one-time passwords used for multi-factor authentication leverage HOTP/TOTP inprelementation based on standards RFC 4226 and RFC 6238. These standards are used by and compatible with mobile applications such as Microsoft Authenticator and Google Authenticator.
- Beowulf is developed, tested, and maintained exclusively by United States citizens who are full-time employees of Liquid Mercury Solutions. While, we do leverage partnerships with offshore development resources for some projects, we maintain strict security compartmentalization with respect to Bewwulf. As such, no foreign nationals have access to our source code respository.