1. Docs
  2. SaaS Shield
  3. Configuration Broker
  4. Overview

SaaS Shield Configuration Broker

The IronCore Configuration Broker is an IronCore-hosted web app which is the connection point between SaaS providers (vendors) and their customers (tenants). Vendors and tenants both login into the Configuration Broker to create the configurations necessary to manage the SaaS Shield products. You can watch a short demo of the Configuration Broker in action from the vendor’s and the tenant’s perspectives.

Service Account Configurations

Vendors use the Configuration Broker to generate environment variables for use by the Tenant Security Proxy (TSP). These configurations contain a cryptographic key that has the authority to decrypt a tenant’s KMS configurations as well as a number of other vendor-specific environment variables necessary for successful startup of the TSP.

Multiple environment configurations can be created to support a distributed network of TSP Docker containers. The recommendation is that every distinct cluster with a running pool of TSP containers has its own environment configuration. With this approach, vendor administrators can revoke the keys used by an individual cluster from the Configuration Broker if that cluster’s configuration is compromised, without affecting other cluster.

The Configuration Broker can also generate environment variables for use by the Vendor Bridge. These configurations contain a cryptographic key that has the authority to manage tenants and their KMS configurations on behalf of the vendor.

The environment variables produced by the Configuration Broker are all generated within the user’s browser and encrypted there so that neither IronCore nor other admins will ever see any of the configurations generated within this app.

Creating a TSP Config

➡️ Step One: The Service Account page

TSP Config Screen

Log into the Config Broker and click on “Service Accounts” in the left nav.

➡️ Step Two: Add a Config

Click on the :fas-plus-circle: in the bottom right of the screen to add a new config. Ensure that “Tenant Security Proxy” is selected for the Account Type. You’ll see a screen like this:

Add Config Screen

➡️ Step Three: Download the Config

You’ll be presented with a configuration and a set of keys that were generated in the browser. These values are encrypted before being sent to IronCore and IronCore can’t decrypt them. These keys can decrypt configurations made by vendors or tenants. Download these keys as they will be needed to start TSPs.

Download Configs Window

Creating a Vendor Bridge Config

In order to programmatically manage tenants and KMS configurations, you will need to create a Vendor Bridge config. The steps to create a Vendor Bridge config are the same as creating a TSP config, but the Account Type in Step Two must be set to “Vendor API”. This will create a set of environment variables that must be provided when starting up the Vendor Bridge.

Tenant Provisioning

Administrators for the vendor are responsible for onboarding their tenants using the Configuration Broker. When adding a tenant, the vendor admin must provide the unique ID that identifies the tenant within the vendor’s application. This ID will be associated with all of the tenant’s KMS configurations and will often be the tenant’s primary ID in the customers table of the vendor’s database. This ID will be required by all SDK methods in the Tenant Security Client.

Another step in tenant provisioning is inviting an administrator of the tenant to sign up. From the UI, the vendor admin can enter some basic tenant information, and the Configuration Broker will generate and send the tenant administrator an invitation via email. Alternatively, tenants can be created using the Vendor API.

Add Tenants

When the tenant admin receives this email, they can simply click on the included link to be directed to the Configuration Broker, where they enter additional information about the tenant and complete their sign-up. Once they are logged into the Configuration Broker, they can enter their configuration information.

KMS Configuration

Both vendors and tenants can add KMS configurations for the tenants to use. These configurations vary based on which cloud provider hosts the KMS. The information that is gathered is everything necessary for the TSP to contact the KMS and use it to wrap and unwrap encryption keys.

After the configuration information is entered, it is encrypted immediately within the browser before being saved. Neither IronCore nor the vendor’s admins will ever see any unencrypted configurations entered by tenant admins. As mentioned above, only the TSP has the ability to decrypt these KMS configurations.

KMS Configuration Assignment

Once a KMS configuration has been saved, it can be assigned to vendors or tenants. An assignment allows the associated vendor’s TSPs to decrypt the associated config and use it to make calls to the KMS.

Vendors may create assignments of a single config to multiple tenants, but currently tenants may only assign a config to a single vendor at a time. If you’d like to programmatically create many assignments and tenants, check out our Vendor API. Assignments can always only be created for configurations your organization created.

Add Assignment

Tenant Logging Configurations

Tenant admins are also able to enter configuration that allows the TSP to send security events to the tenant’s logging and Security Information and Event Management (SIEM) system. The tenant may already be directing logs from their KMS into their SIEM, but enhanced event details and other events are provided when direct logging is configured. In addition to richer audit trails, configuring a logging destination allows the tenant to enable key leasing. The information that is gathered includes everything necessary for the TSP’s logging service (LogDriver) to write logs to the tenant’s SIEM. Like the KMS configuration, the logging configuration is encrypted in the browser before it is saved, protecting it from access by IronCore or the vendor.

Config Broker Audit Notifications

Each admin is able to request audit notifications by setting a toggle on their account management page. When this is set, they will receive plaintext email notifications for actions taken in the Config Broker that affect their organization.

Access

In order to gain access to the Configuration Broker, please request a demo.