Soffid ESSO, like any other enterprise single sign-on product, needs to store passwords in a form that applications can use. This requirement implies that passwords must be stored either in clear text or with a reversible encryption algorithm, which makes them vulnerable to insider attacks.
To reduce the risk of such an insider attack, however unlikely, Soffid uses a dedicated mechanism that protects your system passwords while still allowing the enterprise single sign-on module to obtain the password value when it is required. To achieve this, Soffid creates an RSA key pair for each synchronization server. The private key is stored locally on that server, and the public key is stored in the database.
Once the keys are stored, every process that needs to encrypt a password must do so once for each synchronization server public key. So, with two synchronization servers, as in the image next to these lines, whenever Soffid sets a password for any user, the password is stored twice: the first copy is encrypted with the first server's RSA public key and the second copy with the second server's RSA public key.
This mechanism guarantees that only a synchronization server is able to decrypt the password, and only from the copy that was encrypted with its own public key.
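The per-server encryption described above, as an added example that is not Soffid's own code: each modelled synchronization server generates its own RSA key pair, the database keeps one ciphertext per registered public key, and a server can recover the password only from its own copy. The `SyncServer` type, the `StoredPassword` map and the use of RSA-OAEP with SHA-256 are assumptions for illustration; the page does not state Soffid's padding scheme, and the secret-word protection of the private key file and the HSM option are not modelled here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SyncServer models one synchronization server (hypothetical type, not
// Soffid's code). The private key stays local; only the public key is published.
type SyncServer struct{ priv *rsa.PrivateKey }

// NewSyncServer generates the server's own RSA key pair.
func NewSyncServer() (*SyncServer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &SyncServer{priv: k}, nil
}

// PublicKey is the half of the pair that is stored in the database.
func (s *SyncServer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// StoredPassword is what the database keeps for one user password:
// one RSA-OAEP ciphertext per synchronization server, keyed by server name.
type StoredPassword map[string][]byte

// EncryptForServers encrypts the password once per registered public key.
func EncryptForServers(pw string, pubs map[string]*rsa.PublicKey) (StoredPassword, error) {
	sp := StoredPassword{}
	for name, pub := range pubs {
		ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pw), nil)
		if err != nil {
			return nil, err
		}
		sp[name] = ct
	}
	return sp, nil
}

// Decrypt recovers the password from the copy stored under copyOf. Only the
// copy made with this server's public key decrypts; any other copy fails.
func (s *SyncServer) Decrypt(sp StoredPassword, copyOf string) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, sp[copyOf], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```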
By default, private keys are stored on the file system and protected by a secret word. Backups of these private keys and of the configuration file that contains the secret word should be kept on different devices from the Soffid database backup, so that no single backup holds both the encrypted passwords and the material needed to decrypt them.
For the highest security level, an HSM can be used. Provided that the HSM exposes a PKCS#11 interface, the synchronization server will use that interface to operate with the private key stored inside the HSM. In this way you obtain the best trust level for the confidentiality of your passwords.