Security guidelines for the integration of identity management systems
Introduction
These guidelines provide recommendations for the secure integration of Customers' identity management systems with the Altamira HRM platform, acting as a Service Provider (SP), in the context of federated authentication solutions (e.g. SAML 2.0).
The guidelines apply to all Altamira HRM Customers, whether Public Administrations or private organisations.
The objective of this document is to support a configuration consistent with security best practices, reducing the attack surface and ensuring an adequate level of protection for authentication and authorisation processes.
These guidelines are technical and operational in nature and do not replace any regulatory, compliance or security obligations applicable to the Customer.
1. Protection of the communication channel between Identity Provider and Service Provider
General guidance
Communication between the Customer's identity management system (Identity Provider – IdP) and the Altamira HRM platform (Service Provider – SP) must ensure the confidentiality and integrity of information exchanged during the federated authentication process.
Requirements
- Communication between IdP and SP must take place exclusively over encrypted channels using TLS version 1.2 or higher.
- The Altamira HRM platform does not permit connections that do not meet minimum cryptographic security requirements.
- The Customer's Identity Provider must be configured accordingly, disabling deprecated or insecure protocols, algorithms and cipher suites.
- Endpoints exposed for federation must use valid, correctly configured digital certificates.
2. Signing of the authentication request (AuthnRequest)
General guidance
Signing the authentication request allows the Identity Provider to verify the authenticity of the Service Provider and prevent spoofing or tampering with access requests.
Requirements
- The Altamira HRM platform requires the AuthnRequest to be signed.
- The AuthnRequest is signed using certificates dedicated to the federation service.
- The Customer's Identity Provider must be configured to verify the AuthnRequest signature and reject unsigned or invalidly signed requests.
3. Cryptographic algorithms for message and token signing
General guidance
The use of up-to-date cryptographic algorithms is essential to ensure the integrity and reliability of messages exchanged within the identity federation.
Requirements
- The Altamira HRM platform uses state-of-the-art signing algorithms (e.g. SHA-256 or higher).
- The use of deprecated or insecure algorithms is not permitted.
- The Customer's Identity Provider must be configured accordingly, using compatible, non-deprecated algorithms for assertion signing.
4. Validation of token and assertion time validity
General guidance
Validating the time validity of tokens and assertions prevents the reuse or replay of authentication messages.
Requirements
- The Altamira HRM platform verifies the temporal parameters of received assertions, including issuance and expiry.
- Expired, not-yet-valid, or contextually inconsistent assertions are rejected.
- The Customer's Identity Provider must ensure adequate time synchronisation of its systems.
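The checks described in sections 3 and 4, as an added example that is not part of these guidelines or of the Altamira HRM code base: a standard-library Python validator that rejects an assertion signed with a deprecated algorithm, received outside its validity window (with an assumed three-minute clock-skew tolerance), or issued for a different audience. The entity IDs, timestamps and the assertion fragment are constructed; the XML signature value itself is not verified here, only its declared algorithm.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Signature algorithms accepted (SHA-256 or stronger); SHA-1 URIs are deliberately absent.
ALLOWED_SIG_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
CLOCK_SKEW = timedelta(minutes=3)  # assumed tolerance for IdP/SP clock drift

# Constructed sample assertion (signature value omitted; only the algorithm is inspected).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.customer.example</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo></ds:Signature>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://hrm.example/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_utc(value):
    """SAML dateTime values are UTC with a trailing Z, e.g. 2024-05-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_audience, now):
    """Return (ok, reason). These checks run before any signature verification so a
    weakly signed or out-of-window assertion is discarded early."""
    root = ET.fromstring(xml_text)
    method = root.find(".//ds:SignatureMethod", NS)
    if method is None or method.get("Algorithm") not in ALLOWED_SIG_ALGS:
        return False, "missing or deprecated signature algorithm"
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions or NotOnOrAfter"
    not_before = cond.get("NotBefore")  # optional per the SAML specification
    if not_before and now + CLOCK_SKEW < parse_utc(not_before):
        return False, "assertion not yet valid"
    if now - CLOCK_SKEW >= parse_utc(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch (contextually inconsistent)"
    return True, "ok"
```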
5. Limiting service exposure to necessary endpoints only
General guidance
Reducing the exposed surface helps decrease the risk of attacks against authentication services.
Requirements
- Only the endpoints strictly necessary for federation to function must be exposed.
- Endpoints not used or not required for the federated authentication process must be disabled or not publicly accessible.
- Any internal endpoints must be separated from externally exposed endpoints.
6. Verification of request origin (IP restriction / VPN)
General guidance
Controlling the origin of requests to authentication systems helps reduce unauthorised access.
Requirements
- The Customer's Identity Provider should evaluate configuring IP address restrictions or authorised IP ranges.
- Where applicable, dedicated channels (e.g. VPN) may be adopted to reduce exposure of IdP services.
- Requests originating from unexpected sources must be monitored.
7. Access logging and monitoring
General guidance
Access monitoring is essential for the timely detection of anomalies or abuse of authentication mechanisms.
The Altamira HRM platform enables by default the logging of authentication events, including those performed via Single Sign-On.
Requirements
- The Altamira HRM platform logs authentication events by default, including successful and failed access attempts.
- The Customer's Identity Provider must be configured to log authentication events and any anomalies detected on the IdP side.
- Logs must include the essential information required for access analysis and detection of anomalous behaviour.
- Logs must be available for audit activities, post-incident analysis and security operations support.
8. Limiting the attributes (claims) exchanged for the specific service
General guidance
The data minimisation principle requires that only the attributes necessary for service delivery are exchanged.
Requirements
- The SAML attributes exchanged between IdP and SP must be explicitly defined.
- The Altamira HRM platform accepts and processes only the attributes provided for in the integration configuration.
- The Customer's Identity Provider must avoid sending superfluous or irrelevant attributes for the specific service.
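The attribute minimisation rule of section 8 on the SP side, as an added example that is not part of these guidelines or of the Altamira HRM code base: only attributes listed in the integration configuration are kept, superfluous ones are dropped and reported so the IdP configuration can be corrected, and a missing required attribute is flagged. The attribute names, the allowlist and the AttributeStatement fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed integration configuration: the attribute set agreed with the Customer.
INTEGRATION_ATTRIBUTES = {
    "required": {"email", "employeeId"},
    "optional": {"givenName", "surname"},
}

# Constructed sample: the IdP sends two attributes the service never asked for.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>m.rossi@customer.example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="employeeId"><saml:AttributeValue>E-1042</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="givenName"><saml:AttributeValue>Mario</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="homeAddress"><saml:AttributeValue>Via Roma 1</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="memberOf"><saml:AttributeValue>hr-admins</saml:AttributeValue>
    <saml:AttributeValue>all-staff</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def filter_attributes(xml_text, config=INTEGRATION_ATTRIBUTES):
    """Return (accepted, dropped, missing). Only allowlisted attributes reach
    application code; everything else is discarded at the federation boundary."""
    allowed = config["required"] | config["optional"]
    accepted, dropped = {}, []
    root = ET.fromstring(xml_text)
    for attr in root.findall("saml:Attribute", NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        if name in allowed:
            accepted[name] = values
        else:
            dropped.append(name)  # superfluous: report to the Customer, never store
    missing = sorted(config["required"] - set(accepted))
    return accepted, dropped, missing
```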
9. Management of signing certificates and protection of private keys
General guidance
The security of the federation depends on the correct management of certificates and cryptographic keys.
Requirements
- Certificates used for signing must be dedicated to the federation service.
- Private keys must be protected from unauthorised access.
- The certificate lifecycle must be managed, including rotation and revocation.
10. Vulnerability management and security updates
General guidance
Maintaining an adequate level of security over time requires periodic update and review activities.
Requirements
- Components involved in the federation must be kept up to date.
- Relevant security patches must be applied promptly.
- The IdP's security configurations must be reviewed periodically.
11. Absence or deliberate limitation of additional delegations and trust relationships
General guidance
A limited trust perimeter reduces the risk of propagating trust to unnecessary systems.
Requirements
- The trust relationship must be limited to the Identity Provider and Service Provider.
- Application delegations or trust relationships towards additional internal services not required for federation must be avoided.
- Any exceptions must be deliberate, documented and limited to what is strictly necessary.
Conclusion
These guidelines serve as a reference for the secure configuration of federated authentication integrations with the Altamira HRM platform.
The guidelines form an integral part of the service security process, are made available upon Customer request and are updated in line with the evolution of security standards and industry best practices.