Avari Solutions

Auth0 (Internal Regular)

Auth0 Identity Platform is a cloud-based identity management service that helps organizations leveraging applications by providing a secure cloud-based identity platform to better understand, efficiently manage and intelligently engage their users. Auth0 provides an easy way to implement the most complex identity solutions across any technology stack or platform

Features

• Adaptive contect-aware security
• User Analytics & Progressive Profiling
• API authorization for user, machine authentication and third-party authorization
• Centralized management dashboard for easy access & better control
• Delegated Administration for granular and role-based control
• Extensibility - For customizing, extending existing capabilities of the platform
• Single Sign On integrations for popular and custom applications
• Identity Providers integration to different data sources
• Lock widget - easily embeddable login box for all apps
• Delegation - Enables organizations to streamline their user identity flow

Benefits

• Ease of deployment, integration across any technology stack, environment
• Variety of flexible deployment (cloud, on-prem, virtual) options
• Speeds development, reduces risk by moving identity complexity to cloud
• Configuration is as easy as flipping switches
• Multiplatform Application Support for seamless experience across platforms
• Improved user efficiency, collaboration, better conversion and revenue
• Integrates seamlessly with existing investments and workflows
• On-demand enterprise scalability for unpredictable/predictable user traffic
• High availability, resiliency for services
• Adherence to popular identity, security compliance standards and certifications

£33.90 a user a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ross.garman@avari.solutions. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

338383937507411

Contact

Ross Garman
08450360040
ross.garman@avari.solutions

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: Auth0 Identity can be integrated into any application (custom-built or third-party) that requires user identity management
• Cloud deployment model: Hybrid cloud
• Service constraints: None
• System requirements:
  • Following system requirements are for appliance/on-premise only
  • Minimum 3 virtual machine (AWS, Azure, or VMWare) for HA
  • 8 GB RAM minimum
  • 2 vCPU minimum
  • 250 GB (3 separate disks of 50/100/100)
  • SSL Certificates, Email provider / SMTP server

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: 24 Hour Response Time
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AAA
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: Support levels:; 1. Free Plan- No charge, part of Free plan. No dedicated account manager/engineer ; 2. Standard Support- part of Developer and Developer pro plan. No dedicated account manager/engineer; 3. Enterprise Support- part of Enterprise plan. Includes dedicated customer success engineer; 4. Preferred Support- Add-on to Enterprise plan. Includes dedicated success manager
• Support available to third parties: No

Onboarding and offboarding

• Getting started: 1. User documentation; 2. On boarding tutorials; 3. Blog posts; 4. Educational video content - Auth0 University
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: User data can be exported by users if they use Auth0 database for storing their information instead of using their own database; ; More details: https://auth0.com/docs/tutorials/removing-auth0-exporting-data
• End-of-contract process: At the end-of-contract the plan automatically gets converted into Free plan with limited features and support.; ; More details about plans: https://auth0.com/pricing

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Auth0 Identity service is provided in the form of SDKs and APIs allowing uniform usability on mobile, web and native applications.
• Service interface: No
• API: Yes
• What users can and can't do using the API: Auth0 exposes two APIs for developers to consume in their applications:; 1. Authentication: Handles identity-related tasks;; ; 2. Management: Handles management of your Auth0 account, including functions related to (but not limited to):; - Clients; - Connections; - Emails; - Users
• API documentation: Yes
• API documentation formats:
  • HTML
  • Other
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Identity management administrators can customize Auth0 identity platform to:; 1. Manage user identity management into their existing application framework; 2. Manage configurations to better control, security, extend the platform to meet specific requirements with extensibility features; 3. Manage how user identity data can be sourced from different data sources; 4. The user login widget (Auth0 Lock) can be customized to look unified with customer brand, allows various login options (social) to be integrated within the login

Scaling

• Independence of resources: Auth0 provides enterprise-level on-demand scalability for predictable as well as unpredictable user traffic. Auth0’s advanced infrastructure ensures high availability and resiliency for its services (24x7 with 99.95% uptime with SLA) with independent, geographically distributed data centers and full disaster recovery systems located in various continents

Analytics

• Service usage metrics: Yes
• Metrics types: Management dashboard provides following usage metrics on the home page:; 1. User login activity; 2. number of users; 3. number of logins; 4.New signups; 5. Latest logins
• Reporting types: Real-time dashboards

Resellers

• Supplier type: Reseller providing extra features and support
• Organisation whose services are being resold: Auth0, Idaptive, Okta, Varonis, Imprivata, Centrify, Onelogin, Ping, Zscaler

Staff security

• Staff security clearance: Conforms to BS7858:2012
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: EU-US Privacy Shield agreement locations
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least every 6 months
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: All data in user's Auth0 account is always under their control and is available through the management API at any time. The only information which is not available through the API are the password hashes of your Auth0-hosted database users and private keys, for security reasons.; https://auth0.com/docs/tutorials/removing-auth0-exporting-data; ; Auth0 also provides pre-configured module (extensions) for importing/exporting users from/to any database: https://auth0.com/docs/extensions/user-import-export
• Data export formats:
  • CSV
  • Other
• Other data export formats: HTML
• Data import formats:
  • CSV
  • Other
• Other data import formats: JSON

Data-in-transit protection

• Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

• Guaranteed availability: Auth0’s advanced infrastructure ensures high availability and resiliency for its services (24x7 with 99.95% uptime with SLA) with independent, geographically distributed data centers and full disaster recovery systems located in various continents.
• Approach to resilience: At a high level, Auth0's availability strategy is rather simple, and yet very effective: we ensure that critical dependencies are redundant, we rapidly detect failures, and our failover is very quick. The Auth0 architecture implements redundant components at all levels such as:; ; - DNS; - Datacenter; - Application layer; - Storage; ; Auth0 has taken multiple steps to ensure extra availability. One important aspect is how the application is architected, including how user sessions are managed, how functionality is partitioned, how the availability of modules is prioritized , and how transient conditions are handled.; ; Auth0 is designed and built as a scalable, highly available, multi-tenant cloud service.; ; This highly reliable architecture is combined with solid operational processes and a culture of continuous improvement that constantly refines and improves Auth0 operations
• Outage reporting: Public dashboard - https://status.auth0.com/

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Role-based access with delegated administration allows administrators to restrict access to management interface and support channels
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: Between 1 month and 6 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: Between 1 month and 6 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: No
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Other security certifications: Yes
• Any other security certifications:
  • SOC Type 2
  • HIPAA BAA
  • EU-US Privacy Shield Framework
  • OpenIDConnect Certified

Security governance

• Named board-level person responsible for service security: No
• Security governance certified: Yes
• Security governance standards: Other
• Other security governance standards: SOC 2 Type II certified; EU-US Privacy Shield Framework Conformance; HIPAA BAA
• Information security policies and processes: Auth0 has a dedicated information security team, led by a Director of Security, with nearly two decades of experience at organizations such as AT&T, Amazon.com, and the US Department of Defense. The team includes specialists in application security, infrastructure security, and cloud security - they are the “tip of the spear” whose sole responsibility is 24x7 vigilance and security process improvement to keep Auth0’s subscribers safe.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Auth0 has a process to ensure that all changes to production services and infrastructure are reviewed by at least two engineers. Unit and integration testing helps reduce the risk of vulnerabilities and software defects.; Software is stored and tracked via versioned source control (GitHub). Automated scanning tools look for vulnerabilities in third-party components.
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: Auth0 has a comprehensive set of security policies, standards, and guidelines to ensure compliance and to guide our employees in making sound security decisions. Examples include:; ; Password Protection Policy ; Encryption Policy; Monitoring Policy ; Server Security Policy ; ; Auth0 has a Responsible Disclosure Program that encourages researchers to investigate the company’s services and products. We encourage responsible vulnerability research and testing on the Auth0 services to which they have authorized access.; ; When a security vulnerability is discovered, the company works with the researcher to solve the issue before publicly announcing it.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Auth0 has a Responsible Disclosure Program that encourages researchers to investigate the company’s services and products. We encourage responsible vulnerability research and testing on the Auth0 services to which they have authorized access.; ; When a security vulnerability is discovered, the company works with the researcher to solve the issue before publicly announcing it. This practice helps guarantee that the entire community around Auth0 – customers, partners, employees, and so on – are not put at risk before we are able to address all security issues.; ; Auth0 has a rapid response approach to security incidents ensuring any incident is immediately fixed
• Incident management type: Supplier-defined controls
• Incident management approach: Auth0 security team and the customer team collaborate in case of any incidents to immediately fix it and control any damage resulting thereof.; ; Users can report incidents by contacting Auth0 customer success team. ; ; Auth0 works closely with the customer's security/development team to provide details and guidance about incidents using an incident report containing following details:; 1.Incident analysis; 2. Recommendations; 3. FAQs

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Pricing

• Price: £33.90 a user a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: Auth0 provides 'Free Plan' which includes:; - 7,000 free active users & unlimited logins; - Passwordless & TouchID Login; - Lock for Web, iOS & Android; - Up to 2 social identity providers; - Rules & Webtask.io subscription; ; Auth0 provides a 22 day trial period for all the features; https://auth0.com/pricing
• Link to free trial: https://auth0.com/signup

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at ross.garman@avari.solutions. Tell them what format you need. It will help if you say what assistive technology you use.