Helping compagnies secure their BTCPayServer through SSO

[Zaxounette]

Intro

Definitions

This discussion will require unfortunately a lot of industry buzzwords, so here are the definitions for those of you who might not be familiar with them.

Definitions

SSO

Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.

Identify Governance and Administration (IGA)

Identity governance and administration is the policy-based centralized orchestration of user identity management and access control. Identity governance helps support enterprise IT security and regulatory compliance. Typically shortened to Identity governance.

Identity Providers (IDP's)

An identity provider is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network. Identity providers offer user authentication as a service.

Service Providers (SP)

A Service Provider (SP) is the entity providing the service, typically in the form of an application.

SAML

SAML is widely used in enterprise and government settings. The current SAML 2.0 standard was developed in 2005. It uses XML language as its identity data format and simple HTTP and SOAP for its data transport mechanisms. SAML provides communication between identity providers and service providers using encrypted, digitally signed XML-based certificates.

OIDC

OIDC is a simple identity layer on top of 0Auth 2.0, an authorization framework managed by the OpenID Foundation. The protocol uses RESTful API communication to transmit JSON web tokens between the identity provider and service provider, which contain common claims such as the user’s name, email address, birth date, picture, and other personal data. The tokens are digitally signed and can be encrypted as needed.

2FA/MFA

Two-Factor Authentication (2FA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two pieces of evidence to an authentication mechanism: knowledge, possession, or inherence. When more than two pieces of evidence are required to be presented, we talk about Multi-Factor Authentication (MFA).

TOTP

A time-based one-time password (TOTP) is a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors. Time-based one-time passwords are commonly used for two-factor authentication (2FA).

Intro to SSO

Identity governance is a big subject in the corporate and enterprise world, and identity tools from Azure Active Directory, to cloud identity providers (IDP's) like Okta, OneLogin, Veriff, Oracle, IBM and open-source identity servers like KeyCloak and OpenIAM are commonly used in the corporate world to help secure and manage access to day-to-day tools that said company uses, typically called Service Providers (SP's).

IDP's can only help secure tools that support one or the other Single-Sign-On standard.
Typically two major standards are supported: SAML 2.0 and OIDC.

SSO also replaces the use of 2FA/MFA/TOTP tokens on logins, although MFA tokens can still be used in parallel to access specific URL's or advanced or security sensitive dashboards in the SP tool, if necessary.

Intro to Identities

Typically, when we think of identities, we think of government approved identities like the ones seen on government ID's.
IDP's do not support specifically government approved identities, and you can create your own identity through their products. Personally, I use my handle as an identity and email, and it works perfectly fine.

The entry point to identity usually requires an email, but open-source IDP's like Keycloak or OpenIAM can be forked to add LNurl Auth as an identity mechanism as well, for the more technically enabled end-users that wish to switch out of the government approved identity mechanism.
In such a case, LNurl Auth would be used as an identity mechanism in the IDP itself, and would not be used in BTCPayServer for example.

Proposal

Add OIDC or SAML 2.0 support into BTCPayServer. That's the MVP.

Additionally could include:

• SCIM - Automatically create a user-account in BTCPayServer when that user is assigned the app through the IDP
  • Alternatively, account creation can be JIT, but JIT is not ideal

Optional pre-requisits to SSO, to make it easier to manage for end-users are:

• Add group user-management support
  • With custom group capabilities, and permission configuration per-group

Benefits to the end-users of BTCPayServer

Enterprise or Corporate setting

Compagnies are typically locked in a regulatory framework that imposes security methods on them, of which SSO is part of. Implementing SSO support on BTCPayServer will remove a typical rebuttal from Compliance or Security personnel that approve tool purchases in corporate settings.

Technically enabled end-users

Technically enabled end-users can enable Bitcoin industry identity mechanisms such as LNurl Auth and any future invention into their self-hosted IDP's without needing to fork and maintain their fork of BTCPayServer.

Benefits to the BTCPayServer project

Feature parity

Integrating SSO can help users identify an open-source project that has feature parity with typical cloud provided alternatives that they already use, or are looking to use.

Easy integration (PM wise)

OIDC and SAML 2.0 being open standards, there is no need to make "partnerships" or agreements with the huge cloud IDP's, and support can be integrated without their knowledge. The end-user wishing to enable SSO would just have to create a simple 3 item custom configuration in their IDP.

Easy documentation

Documenting SSO integrations are typically a one-pager with a few strings to copy, and a few items to configure. Typically from start to finish, SSO enablement takes itself around 5 minutes.

Bragging and shaming rights

That an open-source project like BTCPayServer implements SSO before multi million or billion compagnies in this space like Coinbase, Kraken, Binance (although not in the same niche, but still) and so many others can give us some bragging and shaming rights on social media.

[celi28]

OIDC or SAML would bring BTCpay to another level.
Without such a feature, it's almost impossible to use this payment gateway as a company. Identity needs to be centralized.

[Kukks]

You can manage users through the API. Simply build a bridge from your central user system to BTCPay's.

[counterweightoperator]

Well, it's a pity to see such an answer. Auth protocols allow organizations not have to reinvent the wheel every time they need to integrate some application with their central identity providers, as well as applications not have to roll their own schemes.

BTCPayserver would be much more adopted if it provided supported for stuff like OIDC or SAML. I hope this position is reconsidered.