Avari Solutions

Auth0 (Internal Regular)

Auth0 Identity Platform is a cloud-based identity management service that gives organizations a secure identity platform for their applications, helping them to better understand, efficiently manage and intelligently engage their users. Auth0 provides an easy way to implement the most complex identity solutions across any technology stack or platform.

Features

  • Adaptive context-aware security
  • User Analytics & Progressive Profiling
  • API authorization for user, machine authentication and third-party authorization
  • Centralized management dashboard for easy access & better control
  • Delegated Administration for granular and role-based control
  • Extensibility - For customizing, extending existing capabilities of the platform
  • Single Sign On integrations for popular and custom applications
  • Identity Providers integration to different data sources
  • Lock widget - easily embeddable login box for all apps
  • Delegation - Enables organizations to streamline their user identity flow

Benefits

  • Ease of deployment, integration across any technology stack, environment
  • Variety of flexible deployment (cloud, on-prem, virtual) options
  • Speeds development, reduces risk by moving identity complexity to cloud
  • Configuration is as easy as flipping switches
  • Multiplatform Application Support for seamless experience across platforms
  • Improved user efficiency, collaboration, better conversion and revenue
  • Integrates seamlessly with existing investments and workflows
  • On-demand enterprise scalability for unpredictable/predictable user traffic
  • High availability, resiliency for services
  • Adherence to popular identity, security compliance standards and certifications

Pricing

£33.90 per user per year

Service documents

Framework

G-Cloud 11

Service ID

433383235916464

Contact

Avari Solutions

Ross Garman

08450360040

ross.garman@avari.solutions

Service scope

Software add-on or extension
Yes
What software services is the service an extension to
Auth0 Identity can be integrated into any application (custom-built or third-party) that requires user identity management
Cloud deployment model
Hybrid cloud
Service constraints
None
System requirements
  • The following system requirements are for appliance/on-premise only
  • Minimum 3 virtual machines (AWS, Azure, or VMware) for HA
  • 8 GB RAM minimum
  • 2 vCPU minimum
  • 250 GB (3 separate disks of 50/100/100)
  • SSL Certificates, Email provider / SMTP server

User support

Email or online ticketing support
Email or online ticketing
Support response times
24 Hour Response Time
User can manage status and priority of support tickets
Yes
Online ticketing support accessibility
WCAG 2.1 AAA
Phone support
Yes
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Support levels:
1. Free Plan - No charge, part of Free plan. No dedicated account manager/engineer
2. Standard Support - Part of Developer and Developer Pro plan. No dedicated account manager/engineer
3. Enterprise Support - Part of Enterprise plan. Includes dedicated customer success engineer
4. Preferred Support - Add-on to Enterprise plan. Includes dedicated success manager
Support available to third parties
No

Onboarding and offboarding

Getting started
1. User documentation
2. Onboarding tutorials
3. Blog posts
4. Educational video content - Auth0 University
Service documentation
Yes
Documentation formats
HTML
End-of-contract data extraction
User data can be exported by users if they use Auth0 database for storing their information instead of using their own database

More details: https://auth0.com/docs/tutorials/removing-auth0-exporting-data
End-of-contract process
At the end of the contract, the plan is automatically converted to the Free plan, with limited features and support.

More details about plans: https://auth0.com/pricing

Using the service

Web browser interface
Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
Application to install
No
Designed for use on mobile devices
Yes
Differences between the mobile and desktop service
Auth0 Identity service is provided in the form of SDKs and APIs allowing uniform usability on mobile, web and native applications.
Service interface
No
API
Yes
What users can and can't do using the API
Auth0 exposes two APIs for developers to consume in their applications:
1. Authentication: Handles identity-related tasks;

2. Management: Handles management of your Auth0 account, including functions related to (but not limited to):
- Clients
- Connections
- Emails
- Users
API documentation
Yes
API documentation formats
  • HTML
  • Other
API sandbox or test environment
Yes
Customisation available
Yes
Description of customisation
Identity management administrators can customize the Auth0 identity platform to:
1. Integrate user identity management into their existing application framework
2. Manage configurations for better control and security, and extend the platform to meet specific requirements with extensibility features
3. Manage how user identity data is sourced from different data sources
4. Customize the user login widget (Auth0 Lock) to match the customer brand and integrate various login options (social) within the login

Scaling

Independence of resources
Auth0 provides enterprise-level on-demand scalability for predictable as well as unpredictable user traffic. Auth0’s advanced infrastructure ensures high availability and resiliency for its services (24x7 with 99.95% uptime with SLA) with independent, geographically distributed data centers and full disaster recovery systems located in various continents.

Analytics

Service usage metrics
Yes
Metrics types
The management dashboard provides the following usage metrics on the home page:
1. User login activity
2. Number of users
3. Number of logins
4. New signups
5. Latest logins
Reporting types
Real-time dashboards

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Auth0, Idaptive, Okta, Varonis, Imprivata, Centrify, Onelogin, Ping, Zscaler

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
EU-US Privacy Shield agreement locations
User control over data storage and processing locations
Yes
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least every 6 months
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Yes
Data sanitisation type
Deleted data can’t be directly accessed
Equipment disposal approach
In-house destruction process

Data importing and exporting

Data export approach
All data in a user's Auth0 account is always under their control and is available through the management API at any time. The only information not available through the API is the password hashes of your Auth0-hosted database users and private keys, for security reasons.
https://auth0.com/docs/tutorials/removing-auth0-exporting-data

Auth0 also provides pre-configured modules (extensions) for importing/exporting users from/to any database: https://auth0.com/docs/extensions/user-import-export
Data export formats
  • CSV
  • Other
Other data export formats
HTML
Data import formats
  • CSV
  • Other
Other data import formats
JSON

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)

Availability and resilience

Guaranteed availability
Auth0’s advanced infrastructure ensures high availability and resiliency for its services (24x7 with 99.95% uptime with SLA) with independent, geographically distributed data centers and full disaster recovery systems located in various continents.
Approach to resilience
At a high level, Auth0's availability strategy is rather simple, and yet very effective: we ensure that critical dependencies are redundant, we rapidly detect failures, and our failover is very quick. The Auth0 architecture implements redundant components at all levels such as:

- DNS
- Datacenter
- Application layer
- Storage

Auth0 has taken multiple steps to ensure extra availability. One important aspect is how the application is architected, including how user sessions are managed, how functionality is partitioned, how the availability of modules is prioritized, and how transient conditions are handled.

Auth0 is designed and built as a scalable, highly available, multi-tenant cloud service.

This highly reliable architecture is combined with solid operational processes and a culture of continuous improvement that constantly refines and improves Auth0 operations.
Outage reporting
Public dashboard - https://status.auth0.com/

Identity and authentication

User authentication needed
Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
Access restrictions in management interfaces and support channels
Role-based access with delegated administration allows administrators to restrict access to the management interface and support channels
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information
Users have access to real-time audit information
How long user audit data is stored for
Between 1 month and 6 months
Access to supplier activity audit information
Users have access to real-time audit information
How long supplier audit data is stored for
Between 1 month and 6 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
No
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
  • SOC Type 2
  • HIPAA BAA
  • EU-US Privacy Shield Framework
  • OpenID Connect Certified

Security governance

Named board-level person responsible for service security
No
Security governance certified
Yes
Security governance standards
Other
Other security governance standards
SOC 2 Type II certified
EU-US Privacy Shield Framework Conformance
HIPAA BAA
Information security policies and processes
Auth0 has a dedicated information security team, led by a Director of Security, with nearly two decades of experience at organizations such as AT&T, Amazon.com, and the US Department of Defense. The team includes specialists in application security, infrastructure security, and cloud security - they are the “tip of the spear” whose sole responsibility is 24x7 vigilance and security process improvement to keep Auth0’s subscribers safe.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Auth0 has a process to ensure that all changes to production services and infrastructure are reviewed by at least two engineers. Unit and integration testing helps reduce the risk of vulnerabilities and software defects.
Software is stored and tracked via versioned source control (GitHub). Automated scanning tools look for vulnerabilities in third-party components.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
Auth0 has a comprehensive set of security policies, standards, and guidelines to ensure compliance and to guide our employees in making sound security decisions. Examples include:

Password Protection Policy
Encryption Policy
Monitoring Policy
Server Security Policy

Auth0 has a Responsible Disclosure Program that encourages researchers to investigate the company’s services and products. We encourage responsible vulnerability research and testing on the Auth0 services to which they have authorized access.

When a security vulnerability is discovered, the company works with the researcher to solve the issue before publicly announcing it.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
Auth0 has a Responsible Disclosure Program that encourages researchers to investigate the company’s services and products. We encourage responsible vulnerability research and testing on the Auth0 services to which they have authorized access.

When a security vulnerability is discovered, the company works with the researcher to solve the issue before publicly announcing it. This practice helps guarantee that the entire community around Auth0 – customers, partners, employees, and so on – is not put at risk before we are able to address all security issues.

Auth0 has a rapid response approach to security incidents, ensuring any incident is immediately fixed.
Incident management type
Supplier-defined controls
Incident management approach
The Auth0 security team and the customer team collaborate on any incident to fix it immediately and control any resulting damage.

Users can report incidents by contacting the Auth0 customer success team.

Auth0 works closely with the customer's security/development team to provide details and guidance about incidents using an incident report containing the following details:
1. Incident analysis
2. Recommendations
3. FAQs

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks
No

Pricing

Price
£33.90 per user per year
Discount for educational organisations
Yes
Free trial available
Yes
Description of free trial
Auth0 provides a 'Free Plan', which includes:
- 7,000 free active users & unlimited logins
- Passwordless & TouchID Login
- Lock for Web, iOS & Android
- Up to 2 social identity providers
- Rules & Webtask.io subscription

Auth0 provides a 22-day trial period for all the features.
https://auth0.com/pricing
Link to free trial
https://auth0.com/signup
