The General Entertainment Authority (GEA), established by royal decree in 2016, is Saudi Arabia's sole entertainment regulatory authority. Having been tasked by the government to develop and regulate the entertainment sector of the kingdom, it aims to fulfill the Saudi Vision 2030 by creating thousands of jobs in the tourism sector, while also helping boost the Saudi economy.
As a new government agency in charge of a massive untapped market, protection against data breaches and hacking is critical to the organization's smooth operation, as is protecting the data of its employees and contractors. Relying on a single factor of authentication to access company data and resources exposes the organization to risk. Owing to this threat, GEA decided to look for a solution that adds a second factor of authentication for its resources, so that any external user attempting to access them has to authenticate twice before being granted access.
Along with the added security step for external users, GEA also wanted to simplify the login experience for its internal users: they should be able to single sign-on into the company dashboard seamlessly and securely without being challenged for a password, which removes the need to store and remember user credentials and improves access to resources.
miniOrange offers a seamless single sign-on experience via the Integrated Windows Authentication (IWA) module. This allows users to log in directly to their configured apps from their domain-joined workstations. miniOrange also allows users to sign in using their Active Directory credentials via form-based login.
However, both of these solutions are standalone - there was no existing way to route users dynamically to one or the other based on which network they were connecting from.
The key was the SAML standard, which supports Identity Provider Discovery. miniOrange, based on the information provided by GEA, created a new Identity Provider Discovery flow, which would route users directly to the IdP configured for their IP subnet.
miniOrange provided GEA with a solution built for their needs, to improve access and protect their data.
IP subnet based discovery flow:
GEA was looking for a solution that lets its internal users access these resources conveniently, since a large number of internal employees use the company dashboard on a daily basis.
Because all internal employees use Windows domain-joined machines, they were routed to single sign-on, allowing them to access resources and applications through the Integrated Windows Authentication (IWA) module with ease.
External users not connected to the GEA network were instead directed to the miniOrange Identity Broker (IdP) login page, where they were prompted for their domain username and password.
This is a unique feature of the miniOrange IdP, added to meet the requirements of GEA.
Adaptive Multi-Factor Authentication:
After external users entered their domain username and password, they were also challenged for Multi-Factor Authentication (MFA) to boost security.
miniOrange supports 15+ second-factor authentication methods such as OTP over SMS/Email, hardware tokens, Google/Microsoft Authenticator and more.
GEA adopted the OTP over SMS method using their own SMS gateway, in which users are sent a 6-digit authentication code on their registered mobile numbers. Users must enter this code at the MFA challenge screen after entering their AD credentials.
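The two mechanisms described above (subnet-based IdP discovery and the adaptive MFA decision with an SMS OTP check) as an added illustration in Python; this is not miniOrange's code, and the subnets, IdP entity IDs, proxy address and 5-minute OTP validity are constructed placeholders, not GEA's real values.

```python
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample policy: internal subnets map to the IWA IdP (no password,
# no MFA); every other source address falls through to the form-based AD login
# followed by an SMS OTP challenge. All values below are placeholders.
INTERNAL_SUBNETS = [ipaddress.ip_network(s) for s in ("10.20.0.0/16", "192.168.50.0/24")]
IWA_IDP = "urn:example:idp:iwa"        # hypothetical entity ID
FORM_IDP = "urn:example:idp:form-ad"   # hypothetical entity ID
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]  # placeholder reverse proxy
OTP_TTL_SECONDS = 300                  # assumed validity window for the SMS code

@dataclass(frozen=True)
class Route:
    idp: str
    require_mfa: bool
    reason: str

def effective_client_ip(remote_addr: str, x_forwarded_for: Optional[str] = None):
    """Resolve the client IP. X-Forwarded-For is honoured only when the direct
    peer is a trusted proxy; otherwise an external caller could claim an internal
    address and be routed onto the password-less IWA path. When it is honoured,
    the rightmost entry is used, because that is the one our proxy appended."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return ipaddress.ip_address(x_forwarded_for.split(",")[-1].strip())
    return peer

def discover_idp(remote_addr: str, x_forwarded_for: Optional[str] = None) -> Route:
    """IP-subnet based IdP discovery: internal subnet -> IWA SSO without MFA,
    anything else -> form login on the broker IdP plus an SMS OTP challenge."""
    client = effective_client_ip(remote_addr, x_forwarded_for)
    for net in INTERNAL_SUBNETS:
        if client in net:  # version mismatch (v4 vs v6) simply evaluates False
            return Route(IWA_IDP, False, f"{client} is inside internal subnet {net}")
    return Route(FORM_IDP, True, f"{client} is external: form login + SMS OTP required")

def verify_sms_otp(submitted: str, expected: str, issued_at: float, now: float) -> bool:
    """Check the 6-digit SMS code: reject expired or malformed input first, then
    compare in constant time so response timing does not leak matching digits."""
    if now - issued_at > OTP_TTL_SECONDS:
        return False
    if len(submitted) != 6 or not submitted.isdigit():
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())

if __name__ == "__main__":
    for src, xff in (("10.20.3.4", None), ("203.0.113.7", None), ("203.0.113.7", "10.20.3.4")):
        print(src, xff, "->", discover_idp(src, xff))
```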
Using the miniOrange on-premise solution, users are synced frequently from the GEA Active Directory (AD) through the LDAP gateway.
This keeps the user directory behind the entire setup up to date.
Thus, using miniOrange SSO along with Adaptive Multi-Factor Authentication based on IP restriction, GEA has eased access to its resources and applications, along with securing user and organization data by adding an extra layer of security.