Access & Authentication Models

Ubiq offers two primary models for managing access to its encryption and decryption services: API Key-based access and Identity Provider (IDP)-based integrations via SCIM and SAML. These models cater to different operational needs and can be used independently or in combination, depending on your organization's requirements.

ℹ️ SCIM-based integrations are only available on our Enterprise tier.

1. API Key-Based Access

API keys are the default mechanism for authenticating applications and services with Ubiq. Each API key consists of three components:

  • ACCESS_KEY_ID: A globally unique public identifier used to distinguish different API keys.
  • SECRET_SIGNING_KEY: A shared secret used for signing and verifying requests from client libraries to the Ubiq REST API.
  • SECRET_CRYPTO_ACCESS_KEY: A secret used when encrypting data encryption keys passed between Ubiq's cryptographic service and the client libraries.

Upon creation, an API key is tied to a specific dataset, and multiple API keys can correspond to the same dataset. After creation, an API key can be assigned to multiple datasets so long as they belong to the same dataset group. API keys can be created and managed via the Ubiq Dashboard, providing flexibility in assigning permissions and managing access.

Use Cases

  • Service accounts.
  • Environments without centralized identity management systems.

Security Considerations

  • Treat API keys as sensitive credentials; avoid exposing them in public repositories or client-side code.
  • Implement regular rotation and revocation policies to maintain security hygiene.
  • Utilize environment variables or secure credential storage mechanisms to manage API keys within applications.
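
One way to apply the considerations above, as an added example that is not Ubiq's own code: it loads the three key components from environment variables, fails closed when one is missing, keeps the secrets out of `repr()` output, and flags secret components committed as literals. The `UBIQ_` variable prefix, the `ApiKey` class and both function names are assumptions made for this example.

```python
import os
import re
from dataclasses import dataclass, field

# Component names as listed on this page; the UBIQ_ prefix on the
# environment variables is an assumption made for this example.
COMPONENTS = ("ACCESS_KEY_ID", "SECRET_SIGNING_KEY", "SECRET_CRYPTO_ACCESS_KEY")
ENV_PREFIX = "UBIQ_"


@dataclass(frozen=True)
class ApiKey:
    access_key_id: str
    # repr=False keeps both secrets out of logs, tracebacks and debug output.
    secret_signing_key: str = field(repr=False)
    secret_crypto_access_key: str = field(repr=False)


def load_api_key(env=None):
    """Read all three components from the environment, failing closed."""
    env = os.environ if env is None else env
    values = {name: env.get(ENV_PREFIX + name, "").strip() for name in COMPONENTS}
    missing = [ENV_PREFIX + name for name, value in values.items() if not value]
    if missing:
        # Name the missing variables, never echo a value that was found.
        raise RuntimeError("missing API key components: " + ", ".join(missing))
    return ApiKey(*(values[name] for name in COMPONENTS))


# Matches a secret component assigned a literal of 8+ characters, e.g. in a
# committed config file. References such as ${VAR} or os.environ[...] are skipped.
_HARDCODED = re.compile(
    r"(SECRET_SIGNING_KEY|SECRET_CRYPTO_ACCESS_KEY)\s*[:=]\s*[\"']?([A-Za-z0-9+/=_-]{8,})"
)


def find_hardcoded_secrets(text):
    """Return (line_number, component) for each literal secret in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = _HARDCODED.search(line)
        if match:
            hits.append((number, match.group(1)))
    return hits
```

`find_hardcoded_secrets` can run over staged files in a pre-commit hook; it reports only the line number and component name, so the scan output never repeats the secret.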

2. IDP-Based Integration

Ubiq supports integration with SCIM and SAML-compatible IDPs, such as Okta and Microsoft Entra ID, enabling centralized user and group management. This integration streamlines access control by aligning with your organization's existing identity infrastructure.

Key Features

  • Automated User Provisioning: When a user is added in the IDP, Ubiq automatically generates and assigns encryption credentials. When the user is removed or deactivated, Ubiq automatically revokes access.
  • Group-Based Access Control: IDP groups map to Ubiq Dataset Groups. Users inherit access permissions based on their group membership, streamlining policy management.
  • Dataset Management: Assigning datasets to Dataset Groups in Ubiq automatically grants access to all users in the corresponding IDP group.
  • Reduced Operational Overhead: No need to manually create, distribute, or rotate API keys for end users. Access is managed entirely through your IDP.

Use Cases

  • Organizations with established identity management systems seeking centralized access control.
  • Scenarios requiring dynamic access management based on user roles and group memberships.
  • Environments aiming to reduce administrative overhead associated with credential management.

Security Considerations

  • Ensure proper configuration of SCIM and SAML integrations to prevent unauthorized access.
  • Regularly audit group memberships and access permissions within your IDP.
  • Implement multi-factor authentication (MFA) and other security best practices within your identity management system.

Summary

Ubiq's flexible access models cater to a variety of operational needs:

  • API Key-Based Access: Offers granular control and is well-suited for service accounts and environments without centralized identity systems.
  • IDP-Based Integration: Provides centralized, automated access management aligned with existing identity infrastructures.

Both models are fully supported and can be employed independently or in tandem, allowing organizations to tailor access management to their specific requirements.

For detailed implementation guidance, refer to the respective sections in our documentation:​

If you have further questions or need assistance with integration, please contact us at [email protected].


© 2025 Ubiq Security, Inc. All rights reserved.