<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Authentication & Security - QueryForge</title>
<link rel="stylesheet" href="style.css">
</head>
<body>
<header>
<h1>🔐 Authentication & Security</h1>
<p>SAML 2.0, Session Management, and Security Features</p>
</header>
<nav class="breadcrumb">
<a href="index.html">Home</a> > Authentication & Security
</nav>
<div class="container">
<section class="doc-section">
<h2>SAML 2.0 Authentication</h2>
<p>The application uses SAML 2.0 for enterprise single sign-on.</p>
<h3>Configuration</h3>
<div class="code-block">
{
"entryPoint": "https://your-idp.example.com/sso/saml",
"issuer": "database-client",
"callbackUrl": "https://your-app-domain.com/auth/saml/callback",
"cert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}
</div>
<h3>Authentication Flow</h3>
<ol>
<li>User accesses the application</li>
<li>Redirected to SAML Identity Provider</li>
<li>User authenticates with corporate credentials</li>
<li>SAML assertion returned to callback URL</li>
<li>Session created with user attributes</li>
<li>User redirected to application</li>
</ol>
</section>
<section class="doc-section">
<h2>Session Management</h2>
<h3>Session Lifecycle</h3>
<ul>
<li><strong>Inactivity Timeout:</strong> 5 minutes</li>
<li><strong>Maximum Duration:</strong> 60 minutes</li>
<li><strong>Single Session:</strong> One active session per user</li>
<li><strong>Query Protection:</strong> Sessions extended during query execution</li>
</ul>
<h3>Session Storage</h3>
<p>Sessions are stored server-side with the following attributes:</p>
<ul>
<li>User email (from SAML assertion)</li>
<li>Database connection details</li>
<li>Last activity timestamp</li>
<li>Session creation time</li>
<li>Active transaction state</li>
</ul>
</section>
<section class="doc-section">
<h2>Database Credentials</h2>
<h3>User Credentials Approach</h3>
<p>Each user provides their own database credentials - no shared accounts.</p>
<div class="info-box">
<strong>Security Benefits:</strong>
<ul>
<li>Individual accountability for all database operations</li>
<li>Audit trails tied to specific users</li>
<li>No credential sharing or rotation issues</li>
<li>Database-level access control enforcement</li>
</ul>
</div>
<h3>Credential Storage</h3>
<ul>
<li>Credentials stored in server-side session only</li>
<li>Never persisted to disk or database</li>
<li>Cleared on session expiration</li>
<li>Not logged or transmitted to client</li>
</ul>
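<p>The session lifecycle rules (5 minute inactivity timeout, 60 minute maximum, one session per user, extension during query execution) and the credential-storage rules above, worked as an in-memory server-side store. This is an added illustration, not QueryForge's own code; the <code>SessionStore</code> and <code>Session</code> names and the injectable clock are assumptions made for the example.</p>

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

INACTIVITY_TIMEOUT = 5 * 60   # seconds; "Inactivity Timeout: 5 minutes"
MAX_DURATION = 60 * 60        # seconds; "Maximum Duration: 60 minutes"

@dataclass
class Session:
    sid: str
    email: str                      # taken from the SAML assertion
    db_credentials: Optional[dict]  # held in memory only, never written to disk
    created_at: float
    last_activity: float
    query_running: bool = False     # inactivity timer is paused while True

class SessionStore:
    def __init__(self, clock: Callable[[], float]):
        self._clock = clock         # injectable clock makes the timeouts testable
        self._sessions: Dict[str, Session] = {}

    def create(self, email: str, db_credentials: dict) -> str:
        # Single Session: a new login replaces any existing session for this user.
        for sid, s in list(self._sessions.items()):
            if s.email == email:
                self.destroy(sid)
        now = self._clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, email, dict(db_credentials), now, now)
        return sid

    def validate(self, sid: str) -> Optional[Session]:
        # Run on every request: drop an expired session, otherwise refresh activity.
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        hit_max = now - s.created_at >= MAX_DURATION
        idle_out = not s.query_running and now - s.last_activity >= INACTIVITY_TIMEOUT
        if hit_max or idle_out:     # the 60 minute cap applies even mid-query
            self.destroy(sid)
            return None
        s.last_activity = now
        return s

    def destroy(self, sid: str) -> None:
        s = self._sessions.pop(sid, None)
        if s is not None:
            s.db_credentials = None  # credentials cleared when the session ends
```

<p>A request handler calls <code>validate()</code> first and treats <code>None</code> as "not authenticated"; the query runner sets <code>query_running</code> on the validated session for the duration of the statement.</p>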
</section>
<section class="doc-section">
<h2>Security Features</h2>
<h3>Query Safety</h3>
<ul>
<li><strong>Destructive Query Confirmation:</strong> Prompts for DELETE, DROP, TRUNCATE</li>
<li><strong>Transaction Management:</strong> Explicit BEGIN/COMMIT/ROLLBACK</li>
<li><strong>Auto-Rollback:</strong> Errors automatically roll back the transaction</li>
<li><strong>Read-Only Mode:</strong> Optional mode to prevent mutations</li>
</ul>
<h3>Environment Protection</h3>
<ul>
<li><strong>Environment Banner:</strong> Visual indicator (DEV/UAT/PROD)</li>
<li><strong>Color Coding:</strong> Green (DEV), Yellow (UAT), Red (PROD)</li>
<li><strong>Risk Analysis:</strong> Automatic detection of risky queries</li>
</ul>
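<p>The query-safety rules (confirmation for DELETE, DROP and TRUNCATE; read-only mode; explicit transactions) and the risk analysis above, worked as a classifier that decides whether a statement runs, needs confirmation, or is blocked, and raises the risk level in PROD. This is an added example rather than QueryForge's implementation; the <code>classify</code> function, its <code>Verdict</code> result and the keyword lists beyond DELETE, DROP and TRUNCATE are assumptions. It is deliberately conservative: a keyword anywhere in the statement outside comments and quoted text counts, so a DELETE wrapped in a CTE is still caught.</p>

```python
import re
from dataclasses import dataclass, field
from typing import List

DESTRUCTIVE = {"DELETE", "DROP", "TRUNCATE"}     # the page: prompt before these run
MUTATING = DESTRUCTIVE | {"INSERT", "UPDATE", "ALTER", "CREATE", "MERGE", "GRANT", "REVOKE"}
TXN = {"BEGIN", "COMMIT", "ROLLBACK"}

_COMMENT_RE = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_QUOTED_RE = re.compile(r"'(?:''|[^'])*'" + r'|"(?:""|[^"])*"')

@dataclass
class Verdict:
    action: str                     # "run", "confirm" or "block"
    risk: str                       # "low", "medium" or "high"
    reasons: List[str] = field(default_factory=list)

def _words(sql: str) -> set:
    return {w.upper() for w in re.findall(r"[A-Za-z_]+", sql)}

def classify(sql: str, read_only: bool = False, environment: str = "DEV") -> Verdict:
    # Strip comments and quoted literals/identifiers first, so a WHERE note = 'drop it'
    # or a column named "delete" cannot trigger (or hide from) the checks.
    cleaned = _QUOTED_RE.sub("''", _COMMENT_RE.sub(" ", sql))
    statements = [s for s in cleaned.split(";") if s.strip()]
    words = _words(cleaned)
    v = Verdict("run", "low")
    mutating, destructive = words & MUTATING, words & DESTRUCTIVE
    if read_only and mutating:      # Read-Only Mode: refuse any mutation outright
        v.action, v.risk = "block", "high"
        v.reasons.append("read-only mode blocks: " + ", ".join(sorted(mutating)))
        return v
    if destructive:                 # Destructive Query Confirmation
        v.action = "confirm"
        v.risk = "high" if environment.upper() == "PROD" else "medium"
        v.reasons.append("destructive keyword(s): " + ", ".join(sorted(destructive)))
    for stmt in statements:         # Risk Analysis: whole-table DELETE/UPDATE
        sw = _words(stmt)
        if sw & {"DELETE", "UPDATE"} and "WHERE" not in sw:
            v.action, v.risk = "confirm", "high"
            v.reasons.append("DELETE/UPDATE without WHERE touches every row")
            break
    if len(statements) > 1 and mutating and not words & TXN:
        v.reasons.append("multi-statement mutation without BEGIN/COMMIT/ROLLBACK")
        v.risk = "medium" if v.risk == "low" else v.risk
    return v
```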
<h3>Logging & Audit</h3>
<ul>
<li>All queries logged with user, timestamp, and result</li>
<li>Security events (login, logout, session kill) logged</li>
<li>Export operations tracked</li>
<li>Failed authentication attempts logged</li>
</ul>
</section>
<section class="doc-section">
<h2>Access Control</h2>
<h3>Application Level</h3>
<ul>
<li>SAML authentication required for all access</li>
<li>No anonymous or guest access</li>
<li>Session validation on every request</li>
</ul>
<h3>Database Level</h3>
<ul>
<li>User's own database credentials used</li>
<li>Database-native access control enforced</li>
<li>No privilege escalation possible</li>
<li>Users limited to their granted permissions</li>
</ul>
<h3>DBA Tools</h3>
<ul>
<li>Session monitoring and termination</li>
<li>Lock monitoring</li>
<li>User/role management viewing</li>
<li>All DBA actions logged</li>
</ul>
</section>
<section class="doc-section">
<h2>Best Practices</h2>
<div class="warning-box">
<h3>⚠️ Security Recommendations</h3>
<ul>
<li>Use strong database passwords (12+ characters)</li>
<li>Enable MFA on SAML identity provider</li>
<li>Regularly review activity logs</li>
<li>Use read-only mode for production queries</li>
<li>Always test destructive queries in DEV first</li>
<li>Use transactions for multi-statement operations</li>
<li>Log out when finished</li>
<li>Never share database credentials</li>
</ul>
</div>
</section>
</div>
<footer>
<p>© 2026 QueryForge Contributors | <a href="index.html">Back to Documentation Home</a></p>
</footer>
</body>
</html>