Frontegg Backend
ADR-0077 · Author: Sybil Melton · Date: 2025-02-07 · Products: platform
Originally ADR-0017-FrontEgg-Backend (v8) · Source on Confluence: FrontEgg Backend and SSO Configuration
Context and Problem Statement
A number of decisions had to be made about the FrontEgg backend configuration. This ADR records the following items and the reasoning behind each decision.
- Account Configuration for Portal
- Backoffice Accounts and User Management (per environment)
- Authentication Settings (per environment)
- Security Settings (per environment)
- Emails
- Domains (per environment)
Portal
Security
- Session Management
| Session Management | Setting | NIST Control |
|---|---|---|
| Idle Session Timeout | Idle Time 60s | AC-12 |
| Forced Re-Login | N/A | |
| Maximum Concurrent Sessions | 3 | AC-10, AC-12 |
- MFA
- The MFA settings aren’t required as the authentication will be done through Okta.
- Domain Restrictions
- Portal access has been restricted down to only droneup.com email accounts.
- SSO
- SSO for the portal is connected to the DroneUp Okta environment.
Backoffice
Accounts - Accounts are the tenant-level configuration of FrontEgg. Users are assigned to Accounts, and SSO / Admin settings are configured per Account.
| NIST Control(s) | Setting |
|---|---|
| AU-3 | Monitoring |
Development, Staging, & QA
- The Tenants here should be DroneUp and EndUser-Test (name TBD)
- DroneUp - Users will be SSO to Okta using groups based on the entitlements assigned to the applications.
- EndUser-Test - Users managed locally to emulate the public end user; can be used for automated testing.
Production
- The Tenants (Accounts) here are actual clients of DroneUp and end users.
- Clients are end-user customers of DroneUp (e.g. Walmart) who may or may not have users that interact with various applications. Both their users and their m2m (machine-to-machine) authentication fall under this term.
- DroneUp - Users will be SSO to Okta using groups based on the entitlements assigned to the applications.
- Access to the admin portal; can manage their own users; allows for enterprise SSO; MFA required if not using enterprise SSO.
- Public - Users who sign up with our applications and are not part of a client, e.g. the DroneUp Deliveries App; MFA required.
Authentication
- Password - Dev / Staging / QA
| Attribute | Setting | NIST Control |
|---|---|---|
| Complexity | Hard | TBD |
| Repeat Protection | 3 | TBD |
| Email Verification | Off | N/A |
- Password - Prod
| Attribute | Setting | NIST Control |
|---|---|---|
| Complexity | Medium | N/A |
| Repeat Protection | 3 | N/A |
| Email Verification | On | N/A |
- Social Logins - Dev / Staging / QA
- Google - Enabled
- Facebook - Enabled
- Apple - Enabled
- Social Logins - Prod
- Google - Enabled
- Facebook - Enabled
- Apple - Enabled
Security
- MFA - Dev / Staging / QA
- Not forced, to allow for automated testing.
- MFA - Prod
| Attribute | Setting | NIST Control |
|---|---|---|
| Force MFA | Forced Except for Enterprise SSO | IA-9, IA-10 |
| Factors | Authenticator Apps, Security Keys | IA-10 |
| Remember MFA | 7 Days | IA-11, IA-12 |
| Custom Authenticator App Name | “DroneUp” | N/A |
- Session Management - All Environments
| Session Management | Setting | NIST Control |
|---|---|---|
| Idle Session Timeout | Idle Time 1hr | AC-12 |
| Forced Re-Login | 1 day | AC-12 |
| Maximum Concurrent Sessions | 3 | AC-10, AC-12 |
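As an added illustration (not Frontegg's implementation and not part of this ADR's own configuration), the following Python models how the Portal and Backoffice session tables above interact: the idle timeout resets on activity, the forced re-login is an absolute lifetime that activity cannot extend (Portal's "N/A" is encoded as None), and the concurrent-session cap evicts the oldest session. The policy values come from the tables; the user names, session IDs and timestamps are constructed.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Policy fields: idle_timeout, forced_relogin (None encodes the tables' "N/A"), max_concurrent
SessionPolicy = namedtuple("SessionPolicy", "idle_timeout forced_relogin max_concurrent")
# Constructed encodings of the two session-management tables in this ADR
PORTAL_POLICY = SessionPolicy(timedelta(seconds=60), None, 3)
BACKOFFICE_POLICY = SessionPolicy(timedelta(hours=1), timedelta(days=1), 3)

class SessionStore:
    """Per-user store of [session_id, created, last_seen] lists, oldest first."""
    def __init__(self, policy):
        self.policy, self.sessions = policy, {}
    def _purge(self, user, now):
        p = self.policy
        self.sessions[user] = [
            s for s in self.sessions.get(user, [])
            if now - s[2] <= p.idle_timeout                                   # AC-12: idle timeout
            and (p.forced_relogin is None or now - s[1] <= p.forced_relogin)]  # absolute lifetime
    def login(self, user, sid, now):
        self._purge(user, now)
        live = self.sessions[user]
        while len(live) >= self.policy.max_concurrent:  # AC-10: evict the oldest session
            live.pop(0)
        live.append([sid, now, now])
    def is_valid(self, user, sid, now):
        self._purge(user, now)
        for s in self.sessions.get(user, []):
            if s[0] == sid:  # still live: touch it, which resets only the idle clock
                s[2] = now
                return True
        return False

def demo():
    t0, bo = datetime(2025, 2, 7, 9, 0), SessionStore(BACKOFFICE_POLICY)
    bo.login("alice", "s1", t0)
    r = {"idle_expired": not bo.is_valid("alice", "s1", t0 + timedelta(hours=2))}
    bo.login("dave", "s2", t0)
    for i in range(1, 49):  # touched every 30 min: still live at exactly 24 h ...
        bo.is_valid("dave", "s2", t0 + timedelta(minutes=30 * i))
    r["forced_relogin"] = not bo.is_valid("dave", "s2", t0 + timedelta(hours=24, minutes=30))
    for sid in "abcd":  # fourth concurrent login evicts "a"
        bo.login("bob", sid, t0)
    r["oldest_evicted"] = not bo.is_valid("bob", "a", t0) and bo.is_valid("bob", "d", t0)
    portal = SessionStore(PORTAL_POLICY)  # 60 s idle, no forced re-login
    portal.login("carol", "p1", t0)
    for i in range(1, 8641):  # touched every 30 s for 3 days: idle never trips, no absolute cap
        portal.is_valid("carol", "p1", t0 + timedelta(seconds=30 * i))
    r["portal_no_forced_relogin"] = portal.is_valid("carol", "p1", t0 + timedelta(days=3, seconds=20))
    return r
```

Every key returned by `demo()` is True, i.e. each rule in the two tables behaves as described in the lead-in.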
- Security Rules - Dev / Staging / QA / Prod
- Challenge Action: the end user will be prompted for action in the login portal.
| Policy | Action | NIST Control |
|---|---|---|
| Bot Detection | Challenge | N/A |
| New Device | Challenge | N/A |
| Brute Force | Lock after 5 | AC-7 |
| Breached Password | Challenge | N/A |
| Impossible Travel | Challenge | N/A |
| Suspicious IPs | Block | N/A |
| Stale Users | Challenge after 90 days | N/A |
Emails
Dev / Staging / QA
- The emails do not need to be activated.
- Emails can come from FrontEgg.
Production
- All emails need to be enabled.
- Emails need to be sent from the DroneUp domain (support from FrontEgg required)
Domains
- Due to restrictions placed on DroneUp by the vendor, the lower environments will not have customized logon domains.
- The customized domains provide the end user with a uniform DroneUp experience. They also prevent third-party cookie issues from arising with modern browsers.
Dev / Staging / QA
- logon domain will be: dev.auth.droneup.com
Production
- logon domain will be: auth.droneup.com