Introduction
Welcome to the Topicus KeyHub manual.
Topicus KeyHub ensures the authentication and authorisations of users. This manual describes how it works.
Topicus KeyHub principles
Topicus KeyHub works according to the principle central authentication, decentral authorisation. This means that every user authenticates against a single identity provider. After authentication that user will be granted authorisation and permissions according to the various groups of which he/she is a member. These groups are managed by various group managers, who are responsible for their group.
| At Topicus KeyHub safety is key. This means that two-factor-authentication is required. Every user has to have at least one compatible two-factor-authentication method available. Topicus KeyHub supports both TOTP and WebAuthn protocols. For WebAuthn, any FIDO2 compatible device can be used. Examples are the USB security keys as sold by Yubico, Feitian and Google, among others. For TOTP there are also multiple solutions available, such as the Topicus KeyHub mobile app or the Google Authenticator-app. |
Layout of this manual
This manual is devided into several parts. After the Getting Started section where many tips and tricks are described, the next part is all about the functionality for regular users. This contains chapters about registration of new accounts and the daily use of Topicus KeyHub. The section that follows is especially for KeyHub-administrators and group managers who can performed advanced tasks like setting up new single sign-on connections. Finally the last section contains information about the Open Virtual Appliance (OVA).
Getting Started
Registration
Topicus KeyHub supports just-in-time account registration. Just follow the URL for your specific Topicus KeyHub instance (something like https://keyhub.<your_organisation>.com), enter your username and just follow the steps on the screen. The username is probably the same as the one you need for your corporate email.
Browser extension
Topicus KeyHub comes with a browser extension for Google Chrome and Mozilla Firefox. With this extension applying passwords and 2FA-codes becomes even easier. Go to www.topicus-keyhub.com/browser-extensions and click on the extension for your browser.
After installing the extension, go to Topicus KeyHub and in 'Profile > Settings' you can enable the browser extension by connecting Topicus KeyHub with it.
You can test the browser extension by clicking on the icon in the top-right corner of your screen. If successfully connected, all your password vaults should become visible.
Mobile app
If your organisation uses the 2-factor authentication solution of Topicus KeyHub, you can download the Topicus KeyHub-app to your phone. You can find the app in the respective app-stores of Apple and Android. With this app installed, you will receive a push-notification when Topicus KeyHub requires it. Just click 'Login' in the notification and you are logged in.
If you do not want to install the Topicus KeyHub-app, you can also use a similar TOTP-based app like the Google Authenticator or Microsoft Authenticator as a two-factor authentication solution. Although these apps work fine themselves, you will not receive a push-notification and you are required to manually enter the 6-digit code.
Security keys
In addition to TOTP-based solutions, you can also use a FIDO2 compatible security key for 2-factor authentication. Topicus KeyHub fully supports the WebAuthn protocol, which means that you can use any compatible hardware security key (sometimes also called a "dongle").
On some devices your operating system can even function as a software security key, which means you can use, for example, the built-in fingerprint scanner as your second factor.
Manual
Topicus KeyHub comes with this context-sensitive manual. This means that whenever you press the questionmark-symbol at the bottom-left in Topicus KeyHub, this manual opens in a new browser tab at the corresponding section.
Personal vault
Topicus KeyHub comes with a personal vault which is like your password manager. You can find this vault in the Vault-section and this safe is meant for all your personal, professional credentials. For example your username/password for your time management, sick-leave application or all other applications you use with your personal credentials.
| You can store the recovery codes for your hard drive encryption in the personal safe as well! |
Groups in Topicus KeyHub
In Topicus KeyHub all authorisations are assigned through groups. Every group could provide access to one or more single sign-on applications, servers and/or a password safe for that group. The responsibility for the access a group provides and for its members are in the hands of the group manager(s). You can request access to the groups you require. Navigate to My Groups and click on 'Request'. Now a list of all groups is shown, grouped by group name. Click on a specific group, enter an optional reason and click on the 'request access' button to request access to that group.
| A group access request has to be approved by one of the respective group managers. |
Passwords and group vaults
Besides your personal vault Topicus KeyHub contains group vaults as well. Every group has its own vault to store and share passwords, 2FA-codes and files with other group members. Whenever you want to store a new secret like a password in Topicus KeyHub, you decide which group this secret belongs to and create a new vault record. Topicus KeyHub offers a password generator to generate strong secrets for new or updated credentials. After saving a new vault record in a group vault, every member of that vault immediately has access to that secret.
| Vault records support storing files as well. Consider storing SSL-certificates and other sensitive data in a specific vault. |
Profile and settings
In Topicus KeyHub every user has its own profile settings under Settings at the bottom left of the Topicus KeyHub interface. Here you can change your language-settings, upload your SSH-key and consult your active sessions and user ids.
Changing your phone
Whenever you have to change phones, you will need to register your new device to generate 2FA-code again. If you still have your old phone in possession, you can easily reconfigure your 2FA from your Profile-page. If you lost your old phone, you can request a 2FA-reset from the Topicus KeyHub login-screen. Such requests always require another user from your organisation to approve them.
SSH-keys
Topicus KeyHub offers the possibility of uploading your SSH-key. This key is provisioned when a group is activated that grants access to a UNIX-based system. After activating the group, you can logon using your SSH-key.
Group managers
Every group should have at least one group manager, and preferably two or more. A group manager is responsible for all members of that specific group and for all the access that group provides. Group managers can approve or decline group-access-requests and assign new group managers.
Usage
1. Registration and authentication
In order to use Topicus KeyHub an account is necessary. There are two ways of obtaining an account: by manual registration or with an activation code.
Both options are available on the login screen.
1.1. Registration
In most cases an account for Topicus KeyHub can be registered manually. Following the Register option on the screen a three-step workflow is presented to setup an account.
1.1.1. Step 1: Create account
Every Topicus KeyHub account is validated against an existing 'user directory', most likely an LDAP or Active Directory. To create a new Topicus KeyHub account, the corresponding directory should be chosen first. In most cases only one option is available and the default selection will be the right one.
When registering an account at an LDAP-directory, the username and password of the corresponding user should be entered. If these credentials are unknown: it is probably the same username and password that are used for e-mail or logging on to the network of the company.
If the account is located in an external directory, the screen displayed above will be shown. The user is required to follow the link to logon to the external directory. After authenticating against the external directory, the user will be guided back to Topicus KeyHub and the corresponding username is shown.
| It is possible to enable editable usernames. In that case the user is free to change ths username to a value of his/her liking. Be cautious though, because this username will be user throughout Topicus KeyHub and this username is also to be used when logging on to linked systems. It is not possible to change the chosen username. |
After the credentials are validated, the method of password usage can be chosen.
When using Topicus KeyHub against a LDAP-directory, the option exists of choosing a different password for Topicus KeyHub. This password can be different from the password with witch the authentication took place. In most cases it is not advised to choose a different password and the default settings will suffice.
For external directories it is mandatory to choose a password for Topicus KeyHub This password will be used to encrypt the password safes and to create accounts on linked systems.
See chapter chapter 5 for more details and possibilities on password usage.
Choosing the password concludes step 1.
1.1.2. Step 2: Setup Two-factor authentication
The second step in the registration process is to setup two-factor authentication (2FA). For this step either a security key, or a smartphone with a 2FA-app compatible with the TOTP-protocol can be used Any FIDO2-compatible security key should work. For TOTP, the Topicus KeyHub-app is recommended as this app supports push-notifications. With this app the user only needs to enter Yes or No in order to verify a logon request instead of typing a 6-digit code. Alternative apps that are supported are Google Authenticator, Duo Mobile and the Microsoft Authenticator.
| If Topicus KeyHub authenticates against an external directory, it might be possible to skip step 2. This is most likely due to the fact that the external directory already enforces 2FA. |
The following screen is displayed:
A choice can be made for either the Use a 2FA app or the Use a security key option.
Security key
If the security key option is chosen, Topicus KeyHub will automatically try to connect to a compatible security key. The browser will likely show a notification to this effect. Simply activate the security key using the normal procedure for the specific security key to confirm the link with Topicus KeyHub.
With physical security keys usually there is an action needed like touching a spot on the key or scanning a fingerprint. If the operating system functions as the security key, it should prompt for confirmation.
2FA app
If a 2FA app is chosen the following screen wil be shown.
After scanning the QR-code with the Topicus KeyHub-app, the screen will show the type of the smartphone. If the information is correct, 2FA can be enabled.
| The Topicus KeyHub-app requires an internet connection to setup and receive push-notifications. If no internet connection is present, the app can generate the 6-digit code as well. |
If another app is used, this app will add the Topicus KeyHub-account after scanning the QR-code. To finalise the 2FA-setup the 6-digit verification code will have to be entered in the above screen. After entering this code, 2FA is enabled.
This concludes step 2.
1.1.3. Step 3: Request groups
The final step in the registration process is to request groups. A group grants access to the specific passwords, servers, applications and linked systems of that group.
Groups can be found by using the search field. Depending on naming conventions the groups displayed could correspond to projects, teams, products or departments.
Click on the icon on the right side of a group to request access to that group. Select all groups that apply to the role for the account that is registered. After access to the required groups is selected, the Next-button will continue to the next screen.
The next step is to enter a reason for the request. This reason is displayed to the group managers of the group which can help them decide whether the request is valid and should be granted. It is highly recommended to enter a brief and clear description of why access to that group is requested.
| Before the secrets of the group are available, the access request should be validated and granted. This means that access to a specific group is not instant but takes some time, depending on the group manager(s). |
Finally the button Send and login sends out the requests and logs the user in on Topicus KeyHub.
1.2. Activation code
Registration of a Topicus KeyHub account can also occur by using a registration code. On the login-screen the option I have a registration code is available (or click on the link in the corresponding e-mail). The registration code can be entered in the next screen.
If the account details are correct, the next step is to choose a password. This password should consist of a minimum number of characters. Be advised that specific words or characters are considered invalid and will therefore not contribute to the total number of characters of a password.
The next step is to setup 2-factor authentication. For a detailed description see the corresponding paragraph enabling two-factor-authentication.
1.3. Resetting two-factor authentication
In some cases it is necessary to reconfigure 2FA, for example when the security key or smartphone is broken or stolen. In order to reset 2FA it is required that the 2FA is disabled for that specific account. Users can request to disable 2FA themselves on the login-screen using the option I cannot use 2FA anymore.
Clicking that specific button leads to the following page:
To reset 2FA a mandatory reason should be entered. The request to disable 2FA is then to be judged by another user in the organisation. If the request is granted, the user and the other user are notified by e-mail.
| A user can reconfigure the 2FA using the options available under the Profile-section in Topicus KeyHub. Users who have multiple smartphone apps or security keys registered can simply login using another registered 2FA method. Otherwise, the user should make sure they are still able to login using their current 2FA method, either by generating the current 2FA-code or using their security key, before reconfiguring 2FA. In the case of users who have a new smartphone and still possess the old one, they can reconfigure 2FA themselves in this way. |
1.4. Password lost
If the user has forgotten his or her password, a request to recover the password can be submitted via I forgot my password. The procedure for recovering a password differs per account type and depends on the options chosen for the password. The different procedures are discussed below.
1.4.1. Account from an LDAP directory
Users from an LDAP directory use the Topicus KeyHub password to open the vault. This password may be synchronised with the password from the directory. If synchronisation is activated and the password in the directory is changed outside Topicus KeyHub, a password synchronisation will be started. If the user has lost the old password here, a password recovery can be started. Password recovery with password synchronisation will ask for the new directory password and a reason for the recovery. This password is then also used as the new Topicus KeyHub password.
If password synchronisation is not enabled, the Topicus KeyHub password will be requested when the vault is opened. If the user has lost the password here, a password recovery can be started. The user enters the new password twice, along with a reason for the recovery.
After submitting the request, the account will be locked. During this stage the requester is informed which users are selected to process their request. Once the request has been approved by 2 users, the request can be completed.
After completing the request, the Topicus KeyHub password of the user has been changed to the new password. The request can be cancelled by the user at any time. The old or the new password must be entered here.
1.4.2. Account from an OIDC directory
Users from an OIDC directory use the Topicus KeyHub password to open the vault. After clicking on the link I forgot my password the user will arrive at the page where a new password for Topicus KeyHub can be chosen. The user must enter the new password twice, provide a reason for the recovery, and submit the request. After this, the account will be locked until the request has been processed. Once the request has been approved by 2 users, the request can be completed. After completing the request, the Topicus KeyHub password of the user has been changed to the new password.
1.4.3. Account from an internal directory
Users from an internal directory use the Topicus KeyHub password to log in to Topicus KeyHub and to open the vault. Clicking on the I forgot my password link will take the user to the 'forgot password' page below. After entering the username, the user will receive an email with an activation code. This code allows the user to initiate the recovery procedure.
After entering the code, the screen is displayed where the user can choose a new password for Topicus KeyHub. The user must enter the new password twice, provide a reason for the recovery, and submit the request. After this, the account will be locked until the request has been processed. Once the request has been approved by 2 users, a 30 minute cooldown period will begin. The request can be completed after these 30 minutes have passed, or as soon as a 3rd user approves the request. After completing the request, the user’s password has been changed to the new password.
1.4.4. Reset password and wipe associated data
| Only choose a password reset if the recovery procedure cannot be followed. For example, if there is nobody who can approve the recovery request. |
Instead of a password recovery, a user can also opt for a password reset if the password is forgotten. To perform a password reset, the user must authenticate against the directory and use 2FA. A password reset can therefore only be performed if the user has lost the Topicus KeyHub password, but knows the password for authentication against the directory. A password reset deletes all of the user’s keys, resulting in the loss of the following access:
-
Access to the personal vault and group vaults.
-
Manager privileges of groups.
-
Membership of the KeyHub administrators group.
The password entered by the user will be set as the new Topicus KeyHub password.
1.5. Mandatory password change
In some cases the following message can be displayed when signing in to Topicus KeyHub. This occurs when the password (no longer) complies to the criteria set by Topicus KeyHub. The password could be too short or the user could not yet have a personal password vault due to preliminary ending the registration wizard before. In this case the user will be guided through a three-step process in order to pick a new password. As this process is equivalent to the registration wizard, see the corresponding section in chapter 8 for more information about password usage and this three-step process.
1.6. Password synchronisation
A user can choose for password synchronisation between Topicus KeyHub and the directory. When the password is changed on the directory, Topicus KeyHub will detect this at logon and prompt the user for re-synchronisation. Topicus KeyHub will need the old and the new password to update the keys for vault. When the new password does not meet the password requirements set by Topicus KeyHub, the user will be asked to choose a new password.
1.7. Using Single Sign-On to logon to other applications
Topicus KeyHub can act as a SSO-provider as well. If such a SSO-connection is present, the login-screen of Topicus KeyHub will be displayed instead of the login-screen of the target application. The first time a SSO-connection is used, the user is asked for his/her consent.
The following screen is then displayed:
| In most cases the application will only request the profile of the user. Granting this request will provide the application read-only rights on only the profile of the user. This profile is ofter required to verify the identity of the user. |
Single Sign-On in Topicus KeyHub is provided through groups. This means that when a user tries to use SSO to an application without being a member of the corresponding group, the following screen will be displayed. This screen shows the group that the user should request in order to use SSO.
1.8. Synchronising TOTP time-offset
If a separate device is used to generate verification codes, the internal clock of such a device can fall behind KeyHub’s system clock. KeyHub will detect such an offset and will automatically apply a compensation. In exceptional cases, the shift may be too large to automatically compensate. When that happens, KeyHub will ask the user to input two consecutively generated codes, to verify the offset.
2. The dashboard
The dashboard shows all relevant information for the daily use of Topicus KeyHub. On the left side all groups are displayed which can be activated. The right side of the dashboard shows the ten most recent events of groups for which the current user account is a member or manager. Events that consider the current user account are displayed on the right side as well. Any pending requests are shown at the top right side where the user can grant or decline them if applicable.
2.1. Group activation
To gain access to the linked systems of a group, that group has to be activated. Click on a group to activate the user’s account(s) for one hour by default.
The desired end time for the activation can be set with the slider. The set activation duration will be set automatically with the next activation of the group. After the time period has expired, access to the group will be automatically deactivated. Access to a group can also be immediately deactivated by clicking on the group again. With manual deactivation of a group, the remembered activation duration is reset to the default of one hour.
A group can be configured with extended access. For groups with extended access, a button for Extended access will be displayed after activating the group. Clicking this button leads to the following screen::
The reason for extended access can be supplied and a request will be sent to the group managers. If the request is granted, this group will be displayed on the dashboard as:
Some groups require an explicit reason before activation is possible. This reason will be part of the audit trail and can be used for reporting purposes. If a group is configured with a mandatory reason, the following screen will be shown after clicking the group:
For a group it can be configured that authorisation is required for activation. In that case the screen below will be displayed on activation. After sending the request, a member of the authorising group will review this request. If accepted, the group will be activated with an end time of one hour in the future. The user can subsequently extend the activation himself during the permitted period. The end of the period is shown with a red triangle on the timeline. When the group becomes inactive, it can be reactivated, as long as this falls within the permitted period. If authorisation is combined with a reason, the reason for the request will be mandatory and recorded in the audit trail.
2.2. Dashboard layout
Groups can be combined into folders. Activating a folder activates all groups that are part of that folder at once. Click on Manage layout… to create and name folders for the user dashboard.
The screen for dashboard layout shows a list of all folders and the groups that are present within these folders. Every folder is displayed separately on the dashboard. Activating a folder activates all groups within that folder at once.
To add groups to a folder, a group can be dragged into a folder. Groups in the folder hidden groups are hidden on the dashboard. Hidden groups will not be visible by default but can be shown by pressing show all groups on the dashboard.
Click on Add folder at the top right side of the screen to create a new folder.
Each folder can be assigned a name. Pay attention to the name and choose a name that describes the purpose of the underlying groups. After clicking on Save the folder is added to the Dashboard layout and groups can be assigned to the folder. Click on the icon next to the group name to change the name.
3. The launchpad
The launchpad displays tiles that allow users to quickly navigate to certain applications. These tiles are shared through group membership. The different types of tiles are described below.
3.1. Manually created launchpad tiles
A group manager can manually add a tile to a group. For a manually added tile, the following information must be provided:
- Group
-
The group in which to display the tile.
- Logo
-
The logo to be displayed with the tile. An image is generated by default. By clicking on this an image can be specified.
- Title
-
The title to display with the tile.
- Link
-
The link that opens when the user clicks on the tile.
3.2. Launchpad tiles for SSO applications
A tile for an SSO application is created at the application itself by the technical manager of the application concerned. The tile is displayed for all groups that have access to the application. The name of the application is used as the title of the tile. For a tile for an SSO application, the following information must be provided:
- Logo
-
The logo to be displayed with the tile. An image is generated by default. By clicking on this an image can be specified.
- Use an IdP-initiated login
-
An IdP-initiated login can be used for applications that support this. This is possible with OAuth 2.0 applications where the Initiate login URI is entered or with a SAML v2.0 application. The application itself must of course support an IdP-initiated login.
- Link
-
If the application does not support IdP-initiated login, the link that is opened when the user clicks on the tile must be entered manually.
3.3. Launchpad tiles for vault records
A tile for a vault record is created at the vault record itself. Only managers of a group can make a vault record available as a tile on the launchpad. For the title and link of the tile, the name and link of the vault record are used. On a tile for a vault record, only the logo can be specified:
- Logo
-
The logo to be displayed with the tile. An image is generated by default. By clicking on this an image can be specified.
4. My groups
My groups shows all groups the user has access to. The description of the group is displayed as well. Groups where the user has management privileges are indicated with a star. For managers, a dashboard is available via the menu with insight into all groups of which the user is a manager.
4.1. Request access
To join a group the access has to be requested by clicking the button Request on the top right corner of the screen.
Every user can request access to a specific group. Each request has to be granted by at least one group manager. To speed up this process the access request can be provided with a specific reason. This reason may help the group managers decide whether or not to grant access. After access is granted, the group will be shown at My groups and on the dashboard if applicable.
4.2. Request new group
If a new group is required, a request can be send to create a new group. Click on Request new group at the top right corner of the screen to request a new group.
Every user can request a new group. A clear name should be chosen for the group that meets any requirements shown in the field. In the selection box the user can choose from prefixes that are already used within the Topicus KeyHub installation. If such a request is granted the requesting user will automatically be assigned group manager of the new group.
The requests for new groups are verified by a central management group and at least one manager has to grant the request. To speed up this process the request can be provided with a reason as of why this new group is required. After submitting the request, the pending request will be shown on the dashboard.
To send the group managers an e-mail, the link mail manager can be used. To leave a group the button Leave group can be clicked. After leaving a group the user has to request access to the group again if necessary.
4.3. Group information
- Group details
-
The name and description of each group is shown. Depending on the options chosen for the group, more fields can be displayed here. For a complete overview of the options of a group, see group details.
- Audits
-
The last 5 audits of a group are shown. If there are more audits, a link is shown to show them all. For more information about audits, see auditing groups.
- Members
-
All members of the group are shown. Managers are indicated with a star. If an end date is set for the membership, it will also be shown.
- Performs authorisation for
-
If the group performs authorization over other groups, they will be shown here. Details about the group can be get by clicking on the group. A dashboard is also available with insight into all groups over which authorization is performed.
- Nested groups
-
Any groups nested under this group will be shown here. Details about the group can be get by clicking on the group. For more information about nesting, see nested groups.
- Audit log
-
The group’s audit log is displayed. When clicking on more, the audit log can be searched for specific records.
For each group contact can be made with the managers of the group via mail manager. A group can also be left via Leave group. Please note that once a group is left, access must be requested and approved again in order to regain access to the group. To request to remove the group use the remove button. This requires permission of a KeyHub administrator.
4.4. Group details
For a manager of a group, it is possible to edit the properties of a group. A group consists of the following properties:
- UUID
-
A unique identifier of a group within Topicus KeyHub.
- Organisational Unit
-
The organisational unit to which the group belongs. Only users who are members of this organisational unit can join the group.
- Name
-
The primary name of the group. The first word of a group name is used to group multiple groups into a category. Group names have to be unique throughout the entire application.
- Classification
-
Groups can be divided into classifications. This classification sets policies for group settings so that the intended security can be enforced. The classification cannot be changed by the group manager. This is done by someone who has access to the auditor dashboard for groups.
- Extended access
-
By default a group can only be activated for a maximum of 12 hours on the dashboard. With this option you can choose to allow extended access to a group with a maximum of 1 or 2 weeks. To enable this extended access on the dashboard, the user must first request approval (with the exception of the
Up to 2 weeks, without approvaloption). Extended access may be required to perform lengthy operations on systems such as large copy operations. - Record audit-trail
-
When enabled, a user has to provide a reason every time this group is activated. This reason will be written to the audit log and can be useful certification purposes.
- Rotating password required
-
If checked, the user will only be able to activate this group if the user uses a rotating password (see password use). Requiring a rotating password significantly increases the security as potentially leaked passwords are only active for 24 hours.
- Private group
-
A private group is only visible to its members, KeyHub administrators and auditors. For all other users the group will not be visible in KeyHub or accessible in any way. This also means that they can not request access to this group, they’ll have to be added by a manager.
- Hide audit trail
-
The audit log records for this group are not shown to regular members on the dashboard and are only visible in the audit log under 'daily use'. For large groups with many mutations, these records are less relevant and could obscure other records that are more important. The group’s audit log can still be viewed by regular members under the details of the group.
- Vault recovery availability
-
Limit vault recovery options for vaults with highly sensitive information. With
Fully availableaccess to the vault remains available after a password recovery and the recovery key can be used as an emergency procedure to restore access. IfOnly with the recovery keyis selected, users will lose access to the vault after password recovery, but the recovery key can still be used.Not availablecompletely disables vault recovery and only allows members of the group to give users access. In this case, after deleting a group, it will not be possible to restore the contents of the vault. - Activation required for vault access
-
If enabled, activation of this group is required before passwords can be read.
- Authorising group for activation
-
When configured, the chosen group must authorise request to activate this group.
- Authorising group for membership
-
When configured, the chosen group must authorise adding new members and modify members' manager privileges for this group.
- Group with delegated privileges
-
When configured, the chosen group will get delegated manager privileges for this group.
- Authorising group for audits
-
When configured, the chosen group will have to approve an audit before it is made final. Any changes from the audit will only be applied after approval.
- Technical administration
-
When enabled this group can create and manage applications, linked systems and service accounts. Permission is required to enable this option. For more information, see the chapter about applications and the chapter about linked systems.
- Access profile administration
-
When enabled this group can create and manage access profiles. Permission is required to enable this option.
- Periodic audit months
-
The selection of months on which a periodic group audit must be carried out by the managers of the group. At the beginning of the month the manager will receive a notification on his dashboard. Then there is time until the second Tuesday of the month to carry out the audit. After this expiration date, the notification will change to an overdue audit.
- Description
-
A detailed description of the access this group provides and/or the purpose of this group. This information will be shown to members of the group and users who request access to this group.
4.5. Group members
The management of the members of the group is also the responsibility of a group manager. Existing members can be edited or removed by clicking on them. Click on Add to add a new user directly to the group. In the popup, the user must also choose whether this new user becomes a manager or a standard user. When a group membership is given an end date, the user will automatically be removed from the group when the date expires.
4.6. Auditing groups
Groups can be audited. This means that a group manager performs an audit on the group members and this audit is stored in Topicus KeyHub. An audit can be performed at any time and the event of an audit is stored in the audit trail.
Audits can be viewed via the details of a group. For managers this page also offers the possibility to start a new audit with the add button.
| If a group manager has multiple open audits and opens an audit from the dashboard, a bulk audit flow will be started. In this flow, the next audit will automatically open after saving the current audit. The flow ends when there are no more open audits or when the user presses Cancel. |
Every audit can contain a general description, for example with the reason of the audit. Additionally, every group member can be audited on whether the accounts is still valid for this group and possesses the correct role in the group.
Each group member can be audited by either checking the checkmark on the left. This indicates that the group member is valid. If a group member is not supposed to be part of the group, the group member can be removed from the group by checking the red cross on the right side. If a group member has the group manager role, the group manager can be reassigned to a regular group member by checking the middle, yellow icon. New members (or managers) can be added to the group as part of the audit via the add button.
For every group member an optional description can be added, for example to explain why this member was removed by this audit.
Only after saving the entire group audit are the changes put into effect. If an audit is saved as a draft, it can be further edited and saved later. Only one draft audit can exist per group. A draft is only visible to managers of the group and does not count in the audit schedule.
A group can be configured to require audits be reviewed by another group. If this is set, an audit will be put 'under review' when saved. A message will automatically be sent to the members of the reviewing group. The audit in review will be put back in draft if there is a change in membership within the group. A manager of the group will have to redo the audit and resubmit for review.
When performing a review of an audit, all actions and comments are displayed. These actions must be reviewed and then the audit must be either approved or rejected. When reviewing the audit, feedback can be given to the manager of the group.
4.7. Nested groups
A group can be nested within another group. The nested group will automatically inherit the group memberships from the parent group. Changes to parent group memberships affect the nested group immediately. With a nested group, it is still possible for a user to be a member of the group directly. In the event that the user is a direct member of both the nested and parent groups, the nested group’s direct membership properties will take precedence over those of the parent group. In this way, for example, a user can be made manager of the nested group, while being a normal member of the parent group. If an end date is set to a nested direct membership, the membership will be converted to a nested membership upon reaching that date.
When requesting nesting of a group, it can be specified how to deal with existing memberships:
- Retain
-
Existing memberships will be retained and only new, nested memberships will be added.
- Convert
-
Existing memberships are converted to nested memberships if they exist in the parent group. Other memberships will be retained.
- Remove
-
All current memberships will be deleted and replaced with nested memberships.
| Nested groups cannot have group membership authorisation. If this is configured on the top-level group, users can still be added directly to the nested group. |
4.8. Audits and nested groups
If a group is nested under another group, accounts inherited from the parent group will be hidden by default. It is possible to open these accounts and convert them to direct membership as part of an audit.
If a group has one or more nested groups under it (directly or nested under a nested group), these nested groups can be audited directly under certain conditions. All members of the nested group must originate from the nesting, and therefore not be direct. If the nested group has a designated authorizing group for audits, this should be set to the same as on the group being audited. All nested groups are displayed, and for each group it can choosen whether it will be directly included in the audit or not.
4.9. Delegated manager privileges
Within a group, another group can be designated for delegation of manager privileges. All members of the designated group are granted these delegated privileges. This allows the members of this group to perform management for the group without being a member of the group themselves. It allows them to perform the following operations:
-
Add, remove or edit group members.
-
Edit group properties.
-
Perform audits on the members of the group.
Since they are not members of the group itself, they do not have access to:
-
The vault of the group.
-
Connected applications via SSO.
-
Linked systems.
-
Requests handled by managers or members of the group, such as requests for new members to join the group and requests arising from the group’s responsibilities.
To prevent the delegated privileges group from becoming too much of a concentration of rights, it is mandatory to set up an authorizing group for membership before delegated manager privileges can be issued. Any addition or update to the members of the group must therefore be additionally approved. It is also not possible for users to add themselves to the group.
A group that delegates its manager privileges cannot be nested or itself have nested groups.
| For delegated manager privileges, the group vault key is split into two parts. The first part lives with the group with delegated manager privileges. The second part lives with the authorizing group for membership. While it is possible to designate the same group for both roles, this is strongly discouraged. This is because in such a situation the complete key will come to lie with a single group. This significantly reduces the database’s resistance to an offline attack. The same problem occurs if a user is a member of both groups. Then, the key is also only protected by a single factor. |
4.10. Removing groups
Removing a group from Topicus KeyHub requires permission of a KeyHub administrator. After repeating the name and an optional reason, this request will be send to the KeyHub administrators. Until the request is approved, the group is still visible and active.
| Removing a group cannot be undone. |
If a group is deleted, all elements that are attached to the group are also deleted. Elements that are removed are:
-
All vault records of the group.
-
All applications that are administered by the group or for which the group is owner.
-
All groups on linked systems for which the group is owner.
In some cases, a group cannot be deleted because there are elements attached to it that are not (directly) removable. The non-removable elements are shown in red on the page. Elements that cannot be removed are:
-
Linked systems for which group is the technical administrator. For these systems, administration must be transferred or they must be removed manually.
-
Built-in applications from Topicus KeyHub for which the group is owner or performs administration. The responsibility and/or administration will have to be transferred to another group.
-
An internal LDAP application that is used by a linked system. The associated linked system will first have to be removed.
-
Nested groups. The group nesting will first need to be undone.
5. Vaults
This page shows all vaults the user has access to. Every group of Topicus KeyHub has its own vault and each vault consists of vault records which contain data like secrets and passwords. Besides shared group vaults, each user has its own personal vault as well. Empty group vaults are not shown, but can be selected through the filter bar at the top.
All passwords, files and TOTP-secrets are encrypted with the password of the user. Depending on the password setting and login-method of the user, the vaults are already unlocked. If not, the user needs to provide the password to unlock the vaults.
5.1. Vault records
A vault consists of one or more vault records. Clicking on the Add record-button at the top right corner opens the screen to add a new vault record.
Each vault record consists of multiple fields.
- Vault
-
The vault where this record resides. It also indicates whether the record is shared with or from another vault.
- UUID
-
A unique identifier for the vault record within Topicus KeyHub.
- Name
-
The name of the vault record. This can be modified on a shared copy, doing so does not affect the original record and is only visible within the vault in which it resides.
- Colour
-
This colour is displayed in the vault and can be used to visually group multiple records.
- Launchpad tile
-
A records with a link can also be included as a tile on the launchpad. See the chapter about the launchpad for more information.
- Link
-
For records that belong to a website, this website can be specified. This link is also used by the browser extension to directly find the correct records for a site. If the full domain name, including subdomain, matches, the line will be displayed at the top. Records with a different subdomain are listed below exact matches.
- Additional links
-
Additional links that the browser extension uses to match sites to a vault rule.
- Username
-
The username associated with this vault record. This username can be filled in automatically by the browser extension.
- End date
-
An optional end date on which the record’s validity expires. See below for more information.
The following fields are encrypted and are therefore protected against (database) breaches.
- Password/secret
-
The password which is used to log in to a specific service or website. The 'Generate password' link can generate safe passwords for new credentials. Providing a predetermined password is also possible.
- TOTP/2FA key
-
The secret of a 'Time-based One-Time Password' which is commonly used for two-factor authentication. This secret is used to generate the 6-digit code and this code is valid for 30 seconds. A QR code is often displayed when setting up two-factor authentication for an application. Usually the key is also shown with this QR code. After storing a vault record with a TOTP-secret, this secret is hidden and can only be overridden with a new secret.
- File
-
A file like a SSL-certificate or a private key. This file has a size limit of 2 MB.
- Remarks
-
Any remarks or additional information for this vault record. The remark is encrypted as well.
Any vault record can be modified by clicking on the record.
5.2. Vault records with end date
A vault record can have an optional end date. When a vault record expires though, the secrets are still valid and can still be used. Providing an expiry date is especially useful for notifying all group member of the fact that a certain secret should be renewed.
This warning is displayed at the vault record page as well. Notifications of all expired vault records for the logged-in user are displayed on the dashboard.
Each vault record with an end date can be assigned a notification period as well. After providing the end date, this field will be visible and can be changed when required.
5.3. Password strength
The strength of each password in the vault is estimated. If the password is not assessed as very strong, this strength is displayed after the name of the vault record. Depending on the strength, the user is encouraged to a greater or lesser extent to change the password:
- Red
-
The password is very weak and should be replaced with a stronger password as soon as possible.
- Orange
-
The password has moderate strength. It is recommended to choose a stronger password, if this is acceptable for the application to which the password belongs.
- Light green
-
The password is strong but less strong than a password generated by Topicus KeyHub. To be on the safe side, the password can be replaced.
- No indicator
-
The password is very strong and probably generated.
A password may also contain an indication for a duplicate password. Reusing the same password for different services is unwise. If the passwords belong to different services, they should both be changed.
| Topicus KeyHub has a built-in password generator. These passwords are very strong, unique and consist of a mix of uppercase letters, lowercase letters, numbers and special characters. Preferably use these generated passwords. If a password generated by KeyHub is too long for a website or application, you can shorten it to the desired length manually. |
5.4. Move, copy or share vault records
The button behind the name of the vault serves to move, copy or share the record to another vault. These actions can only be performed by the manager of the group or the owner of the personal vault. If a record is shared with one or more other vaults, any change to the original will be immediately applied in all other safes. The name of a shared copy will not be overridden, if it has been modified within the vault it resides. The shared copies can be deleted, whereby the original will remain. If the original is deleted, all shared copies will also be deleted. It is also possible to specify a time period for sharing by selecting a period or a specific end date, so that the shared copy is automatically deleted after this time period has elapsed.
| It is possible to move or copy vault records to vaults that the user cannot access. In this case, the operation cannot be undone by the user himself. Topicus KeyHub will ask for additional confirmation by means of the warning below. |
5.5. Access to vaults
Management of a vault is the responsibility of the corresponding group manager. Each new group member automatically gains access to the vault and the vault records. As the vault records are encrypted with the password of each user, a password reset of a user withdraws access to the vault records. In such an event, the user will be presented the following message:
Here the user can request the group managers to restore access to the vault of the specific group.
5.6. Personal vault
Every user of Topicus KeyHub has its own personal password vault. This vault is only accessible to the user and it is not possible for other users to request access to a personal vault. It is possible to move vault records from the personal vault to another shared vault.
| After deactivating an account in Topicus KeyHub all vault records in the personal vault of that account will no longer be accessible. When deleting an account in Topicus KeyHub the corresponding personal vault will also be deleted. Therefore it is not recommended to store non-work-related items in the personal vault. The personal vault in Topicus KeyHub is meant only for personal work-related items. |
5.7. Export passwords
With the 'Export' button the contents of a vault can be exported as a CSV file. Only the personal vault or a vault of a group of which the user is a manager can be exported.
| TOTP secrets and files are not exported, nor are vault records shared from other vaults. Because the export format is the same as the import format, it contains an empty column for the TOTP secrets. |
6. Manage access
Manage access shows a list of all groups that the user can perform access management for. Members of groups with technical administration and managers of groups with access to systems can manage this access. For each group, the name shows which rights the user has within the group: technical administration and/or management privileges. A list of applications, linked systems, groups within these systems, internal directories and webhooks is also shown for each group.
For each line within the group, the following properties are visible:
- Name
-
The full name of the application, system, group, internal directory or webhook.
- Type
-
The type of the application, the linked system or the internal directory.
- Technical administration
-
The group which performs technical administration of the application or the linked system. This column is not available for a group on a linked system, an internal directory or a webhook.
- Owner
-
The group with ownership for the application, the group on a linked system or the internal directory. This column is not available for a linked system or a webhook.
- Access
-
If the group has access to the application or the linked group, this access can be configured or deleted here. This column is not available for a linked system, an internal directory, a webhook or if the group does not have access to the application or linked group.
6.1. Managing applications and/or linked systems
For groups where Application administration is enabled, applications and linked systems can be created and edited. The administration of an application and linked system includes the technical configuration of the application including webhooks. The technical administrator can add groups to a linked system or application, giving that group access to the system or application. This request must be approved by a person responsible for the application or linking group (see below). For more information on these topics, see the chapter on applications or the chapter on linked systems.
6.2. Responsibility of applications and groups on systems
Applications and groups on linked systems are a responsibility of the group managers of the appointed groups. Decisions on whether to grant access to a group on system or an application are the responsibility of the group managers. Transferring the technical management or the responsibility to another group is possible. This request has to be granted by a manager of the receiving group.
6.3. Access to an application
Access to an application can have two meanings, depending on the type of application and the configuration. The most common relationship is SSO: the users of the group can use SSO log on to the application. The exception is the OAuth2 client, where the application itself has access to the data of the group in Topicus KeyHub, such as its vault. It is also possible that an OAuth2 client will be granted permissions that normally belong to the members of the group.
The following property can be set with an SSO application:
- Activation required
-
To access this application, the user must first activate the group on the dashboard.
For an OAuth2 client, the granted permissions are shown. These permissions can be revoked if desired. See the chapter on permissions for OAuth 2.0 clients for more details on these permissions.
6.4. Access to a group on a linked system
The following property can be set for a group on a linked system:
- Activation required
-
This checkmark determines how accounts are provisioned to the group.
-
If checked, accounts are provisioned to the group on the linked system as long as the user has activated this group on the dashboard.
-
If unchecked, accounts are always provisioned to the group on the system, regardless of whether the group is enabled on the dashboard or not.
-
7. Manage access profiles
| This module is currently still under development. Not all of the functionality mentioned is available yet. |
Access profiles are part of the identity and lifecycle management module of Topicus KeyHub. Access profiles can be used to automate permissions and account provisioning. In addition, an access profile can be used to link users to directories and enrich attributes. An access profile is managed by a group. For this, the group must have access profile management activated.
The functionality of access profiles partially overlaps with that of groups, with the following differences:
-
Membership of access profiles can be automated.
-
Access profiles are centrally managed and do not have a manager role.
-
User attributes can be adjusted via access profiles.
-
Access profiles do not have a vault.
-
Workflows cannot be linked to an access profile and access profiles cannot be activated.
The access profiles can be found under Manage access in the Access profiles tab.
7.1. Access profile details
- Access profile details
-
The name, description and group with ownership of the access profile are displayed. Depending on the options selected for the access profile, more fields may be shown. For a complete overview of the options of an access profile, see edit access profile.
- Managed attributes
-
If this access profile manages attributes, these are displayed here. See attributes for an access profile for more information.
- Members
-
All members of the access profile are shown. If this access profile manages attributes, a summary of the attributes is shown behind the user name. See members of an access profile for more information.
- Groups
-
All groups linked to the access profile. See linking groups to an access profile for more information.
- Access
-
Access profiles can give members access to other systems. Possibilities here are access to groups on linked systems or single sign-on (SSO) on applications. See access via an access profile for more information.
7.2. Edit access profile
- UUID
-
A unique identifier for the access profile within Topicus KeyHub.
- Name
-
The name of the access profile. This name must be unique.
- Group with ownership
-
Members of this group can edit the access profile and add and remove users. Managers of this group can transfer this responsibility to another group.
- Linked directory
-
If an access profile has a linked directory, it is possible to manage attributes for the users who are members of the profile. Only users who exist within this directory can become members of the profile. Users who do not yet have a directory (and exist within the special directory
Pending accounts), will be transferred to this directory as soon as they become members of this profile. Linking a directory to an access profile is a request to the KeyHub Administrators. - Rule for automatic assignment
-
A script to determine whether an account should be automatically added to the access profile. A user is automatically added if this script returns
truefor that user. If the script returnsfalsefor a user who is already a member, the user is removed from the profile, unless that user is marked as a forced membership. See attributescripts for more information about these scripts. - Rule for activation
-
A script to determine whether the accounts within the linked systems should be active. See attributescripts for more information about these scripts.
- Description
-
A more extensive description of the access profile.
7.3. Attributes for an access profile
Attributes of Topicus KeyHub accounts can be managed by means of an access profile. To do this, the access profile must first be linked to a directory. With an access profile that is linked to a directory, only users from that directory can be members. Topicus KeyHub has a number of standard attributes, such as user name, primary e-mail address, first name, etc. In addition, it is possible to define your own attributes. These attributes can then be used to create accounts on linked systems.
7.3.1. Attribute rules
By default, an attribute is unmanaged. This means that the value of the attribute follows directly from how it was last provided. For example, a user’s email address is taken from the directory when the user is logging in. If the email address in the directory is changed, this will be taken over by the user within Topicus KeyHub when they log in.
With a managed attribute, there is full control over when, how and from which sources values are taken over. For example, you can choose to calculate attributes via a formula or to always retrieve them from a specific source. You can also choose to have the change of an attribute to be approved manually. The settings for an attribute are called an attribute rule.
An attribute rule has the following properties:
- Exclusive
-
For an exclusive attribute no rules can be defined in other access profiles.
- Update automatically
-
Automatically update the attribute when the calculated value changes. If disabled, a new value for the attribute will have to be applied manually.
- Priority for SCIM
-
The priority (1-5) of a value supplied via SCIM. A higher number gives this source priority over other sources. A missing value disables the source for this attribute.
- Priority for directory
-
The priority (1-5) of a value read from the directory. A higher number gives this source priority over other sources. A missing value disables the source for this attribute.
- Priority for script
-
The priority (1-5) of a value calculated by the script. A higher number gives this source priority over other sources. A missing value disables the source for this attribute.
- Script
-
A script to dynamically calculate a value. See attributescripts for more information about these scripts.
- Allow self-service
-
Users can supply a value for this attribute themselves. This value always has priority over all other sources, except manually overridden values.
- Allow manual override
-
Administrators can override the value for this attribute. This value always has priority over all other sources. For some attributes this option cannot be disabled because core functionality depends on this option.
- Default value
-
This value is used if no value is available from any of the other sources.
7.3.2. Attributes overview
A concise summary of the status of the attributes for all users is shown for the members of an access profile. Clicking on Attributes opens the overview screen that shows all attributes for all members in one overview. This overview shows the status of each attribute per user, where the expected value comes from, what the current value is and what the expected value is.
The following statuses are used:
- Synchronised
-
The current value matches the expected value.
- Not synchronised
-
The current value does not match the expected value. A new value may have been calculated and automatic updating is disabled. The value can be synchronised by clicking on Apply.
- Missing
-
No value has been supplied from the selected sources for this mandatory attribute.
- Duplicate
-
The calculated value from the selected source is already in use by another account.
- Invalid
-
The calculated value from the selected source is not a valid value for this attribute. For example, this could be a non-existent license role or an invalid phone number.
- Error
-
An error occurred while calculating the value of this attribute. There is probably an error in the script or the value of this attribute cannot be retrieved.
- Unknown
-
The status of the attribute is unknown. Press Refresh to determine the status again.
For manually overridable attributes, the value can be changed by clicking the pen icon displayed next to the current value. A manually overridden value always overrides values from other sources. Clearing the manually overridden value will switch back to a value from another source. The screen for overriding a value displays the following fields:
- Current value
-
The value currently selected for the user.
- Expected value
-
This displays the value the attribute should have had, if it differs from the current value. The displayed value can also be an invalid value.
- Value
-
Enter the new value here, or clear the field to return to an automatically determined value.
Clicking on the expected value of the attribute opens the details screen of the selected attribute. This screen shows how the value of the attribute was determined. All sources are shown, from which a value for the attribute is available. The blocks on the lines show the data points. A green block for a valid value, a red block for an invalid value or an error and a white block for an empty value. The bold line shows the origin of the current expected value, which is also highlighted in the overview.
7.4. Members of an access profile
Access profiles have members just like groups. The attribute rules of the access profile apply to these members. The members also get access to the linked systems and applications of the access profile. Unlike groups, the member management of an access profile is not done by the other members but by a designated group. All members of this designated group can add and remove users from the access profile, even if they are not members of the access profile themselves.
7.5. Linking groups to an access profile
Groups can be linked to an access profile. Users who join the access profile are automatically invited to join these groups. These requests must first be approved by managers of the groups, just like normal group membership requests.
7.5.1. Automatically add users
A business rule can be set for an access profile that allows accounts to be added and removed automatically.
If this rule is specified, accounts for which the script returns true will automatically become members of the access profile.
As soon as the script returns false for a member, this user will be removed from the access profile.
It is possible to select a member to be a forced membership, whereby the user will remain a member even if the script returns false.
For users who are added manually, this option is enabled by default, as they would otherwise be removed immediately.
7.6. Access via an access profile
An access profile can, as the name implies, provide access to certain applications or systems. Access via an access profile is always available to a user. Unlike access via groups, there is no possibility for dynamic activation. Activation of the accounts is determined by a business rule or can be manually overwritten. If the membership has the status active, any accounts on linked systems are activated immediately and the user can log in to linked applications.
7.7. Custom attribute definitions
Under the Attribute Definitions tab, custom attributes can be defined. These attributes can then be used in access profiles. An attribute definition has the following properties:
- Name
-
The name of the attribute definition. This name must be unique.
- Format
-
The format of the attribute values.
- List
-
The attribute contains a list of elements instead of a single value.
- Required
-
A valid value is required for this attribute. Effectively, this means that an empty value is considered invalid.
- Unique
-
The value of the attribute must be unique. If the value is already in use by another account, it is marked as duplicate in the Attribute overview.
- Freely useable
-
The attribute can be used to create an attribute rule on access profiles without a linked directory.
An attribute definition has one of the following formats:
- Email address
-
A valid email address, such as
john.doe@example.org. - Phone number
-
A valid, international phone number, such as
+31612345678. An attempt will be made to construct a valid phone number from the input when entering. The country code will be added automatically if it is missing. - Number
-
A valid positive or negative number, with or without a part after the period. Note that only English notation (with a period instead of a comma) is supported. An example is
-342.58. - Date
-
A valid date in ISO 8601 notation, such as
2025-05-26. - Date/Time
-
A valid date/time in ISO 8601 notation, such as
2025-05-26T12:59:43.123+02:00. The time zone is mandatory, but may also beZfor UTC. Date/times are stored in UTC and displayed in the current time zone. - Boolean
-
A boolean value,
trueorfalse. Anything that is nottrue(regardless of case) is consideredfalse. - Text
-
A free text.
8. Auditlog
The audit log provides an overview of all events to which the logged in account has permissions. For all users, the events related to their own account are visible. For all users, the events related to the groups they are a member of are visible. All events are visible to members of the "KeyHub administrator" group and for members of the group with the "Auditor" role.
Each line in the audit log consists of three columns: date, time and the actual event. By scrolling, more lines appear automatically. Lines are initially shown for the last two weeks. For older events you can click on SEARCH FURTHER BACK. This option appears at the bottom of the displayed events.
8.1. Filtering events
You can filter on various criteria. After selecting the criteria, press SEARCH to list the events that match the specified criteria.
- Only show my records
-
This option is only available to members of the "KeyHub administrators" and "Auditors" group. Checking this option will filter out events related to the user’s own account and groups of which the user is a member.
- Show daily use
-
By checking this option, a number of record types will become available at (ALL RECORD TYPES) that are not shown by default to maintain an overview. These will then become available for selection.
- All record types
-
Here you can choose which record types should be displayed.
| By checking Show daily use extra options appear in this selection box. |
- Search for keywords…
-
Values ​​entered here are used as a filter for the events to be displayed.
- Before…
-
Only events older than the selected date are displayed.
- Export
-
Generates a csv file with the filtered events. Before the export is made, a popup appears in which the date range can be adjusted. As soon as EXPORT is pressed, the csv file is generated and downloaded.
The csv file contains the following values:
seq,"timestamp","type","by party (UUID)","by party (name)","account (UUID)","account (name)","group (UUID)","group (name)","group2 (UUID)","group2 (name)","groupClassification (UUID)","groupClassification (name)","directory (UUID)","directory (name)","client (UUID)","client (name)","system (UUID)","system (name)","service account (UUID)","service account (name)","certificate (UUID)","certificate (name)","vault record (UUID)","vault record (name)","webhook (UUID)","webhook (name)","request (UUID)","organizational unit (UUID)","organizational unit (name)","access profile (UUID)","access profile (name)","security level","parameter 1","parameter 2","parameter 3"9. Profile
The Profile-page is used to change preferences and show all events and activities of a user.
9.1. Account
The first page that is shown is the Account tab. This screen shows the most relevant details of the current account. Changes regarding security and interface settings can be applied here as well.
9.1.1. Password usage
Topicus KeyHub uses passwords for various purposes. To fully understand the possibilities of passwords, it is important to know these uses. There are three different kinds of passwords used by Topicus KeyHub: the directory password, the KeyHub password and the temporary password. The different passwords have their own specific usecases:
- Authentication
-
The directory password is the primary factor of authentication. When logging on to Topicus KeyHub, this directory password is requested and used to authenticate the user against the directory. Topicus KeyHub will asks the user for his/her directory password every four (4) hours for security purposes.
- Vault encryption
-
The vaults of a user are encrypted with the KeyHub password. This is the password Topicus KeyHub asks for when opening a vault record. By default this is the same password as the directory password but as Topicus KeyHub is not aware of any outside changes to the directory password, these two password could go out of sync.
- Linked systems
-
When activating accounts on linked systems, i.e. when a specific group is activated on the dashboard, the KeyHub password will be used. After activating a group, this password is supplied to the linked system and to log on to applications that are connected to that linked system, the KeyHub password should be used. If the option for rotating password is enabled, the KeyHub password is replaced by the temporary password and the temporary password is to be used to log on to a linked system.
With the link Setup passwords these passwords and their configuration can be changed. The link navigates to a three-step wizard which guides the user through choosing a secure password and the right settings for synchronisation. The first step of this wizard is to enter the current password for verification purposes. The directory password is expected here.
| Depending on the specific directory the steps in this wizard could differ. For example for accounts from an external directory the current password is not requested as it is not possible to synchronise the password with the external directory. |
During the second step the vault of the user will be opened. If the user does not have a vault yey, or the password of the vault matches the directory password, no action is required from the user. When Topicus KeyHub requests a password during this step, the KeyHub password is to be supplied.
During the final step the changes are applied.
| If anything is unclear about the various password options, it is recommended to contact one of the administrators for help. |
- Synchronize with directory
-
The password of the user within the directory is synchronised with the KeyHub password. This results in matching passwords which removes any ambiguity when using passwords. The disadvantage of this option is that the new password is also set as new password in the directory. Potentially this means that the user’s password for e-mail will be changed as well.
- Choose a new password
-
Depending on the length of the current password, this option could be mandatory. The password that can be chosen with this option is the KeyHub password. When 'synchronize with directory' is enabled, this means that the new password will be set as the directory password as well. After saving this password the vaults of the user will be encrypted with this password as well. And if the user does not have the rotating password setting enabled, this password will also be used for linked systems.
- Use rotating password
-
Normally the password with which linked systems are provisioned will be the KeyHub password. This means however that when this password is compromised, criminals can use this password to log on to systems after the user activated the account on the system. By choosing the rotating password option, this is no longer a threat as the password will change on a daily basis. This "password of the day" can be accessed very quickly from either the submenu on the lower left bottom of the screen or the upper right corner of the screen. With this option enabled, the rotating password is used for all linked systems and the KeyHub password is only used for unlocking the vaults in Topicus KeyHub.
- Logout all sessions
-
This option is only visible when picking a new password and will log out all other sessions for this account after changing the password. The current session will stay logged in, but this will log the user out on all other devices or browsers, requiring them to log in again with the new password. This is generally advisable during a password change for security reasons, and this option is therefore turned on by default.
9.1.2. 2FA
Every user of Topicus KeyHub is required to have two-factor-authentication (2FA) enabled. For this, users can use either a security key or a smartphone with a specific app that supports the TOTP-protocol. Any FIDO2-compatible security key should work. For TOTP, the Topicus KeyHub-app is recommended as this will enable push notifications. With these notifications a user only has to click on Yes or No in order to log on, instead of entering the 6-digit number manually. Alternatives to the Topicus KeyHub app are Google Authenticator, Duo Mobile or Microsoft Authenticator.
Security key
After clicking on the link to add a new security key, KeyHub shows a popup and automatically tries to connect to a compatible security key. The browser will likely show a notification to this effect. The user simply has to activate their security key in the normal way to confirm they want to link it to KeyHub. KeyHub will automatically save the registered security key.
Users can add more than one security key, for example one for at the office and one for at home. It’s also possible to combine one or more security keys with a TOTP-based 2FA app.
From this screen it is also possible to remove a security key from the account.
By default, KeyHub generates a name for the security key. Users may wish to update the name of the security key to something recognizable.
2FA app
To (re)configure TOTP-based 2FA ,a QR-code is displayed which has to be scanned by the app on the smartphone.
Topicus KeyHub-app
After scanning the QR-code with the Topicus KeyHub app, the screen will display the smartphone type. If this type matches the smartphone of the user, the button Activate activates 2FA. Every time the 2FA-code is required to log on to Topicus KeyHub, a push notification will be send to the smartphone.
| The Topicus KeyHub-app requires an internet connection to setup and receive push notifications. After activating the app, it offers the possibility of generating a 6-digit code as well for when no internet connection is available. |
Alternative apps
If an alternative app is used, scanning the QR-code will add Topicus KeyHub as an account to that app. To finalize the connection, the 6-digit verification code has to be provided to Topicus KeyHub. After Activate the 2FA will be active and every time Topicus KeyHub requests the 2FA-key, the 6-digit code has to be provided.
Lost or broken devices
It happens that smartphones or security keys get lost, break or turn unusable in any way. In these cases a user may no longer be able to log on to Topicus KeyHub.
If the user has more than one registered 2FA method (ie, multiple security keys, or at least one security key and a TOTP app) they can simply remove the one that has become unusable. However, a user can never remove their last 2FA method.
In cases where the user is unable to use any already-registered 2FA method they can request a full reset of all their 2FA methods. When the user is still logged in, there is a link under Profile to reset 2FA.
To reset 2FA the user has to enter a reason and the request will then be evaluated by the KeyHub administrators. If the request is granted, the user will receive an email.
| When acquiring a new smartphone while the user still possesses the old smartphone, the user can reconfigure 2FA to his/her new smartphone him/herself. With the link reconfigure app the user will enter a wizard to support this process. The old smartphone is required for this step. |
9.1.3. Linked systems
On the right side of the Account tab an overview is presented of all user accounts on the various linked systems. The information provided can differ between different types of systems.
9.1.4. Change language
Topicus KeyHub supports English, Dutch and German and with the link Change language the preferred language can be chosen.
9.1.5. Public key for SSH
For users who use SSH on a regular basis, for example to log on to Linux-based systems, it is recommended to configure the SSH-key in Topicus KeyHub.
This SSH-key will be automatically provisioned to accounts on linked systems which enables logging in to those systems using the SSH-key.
Copy and paste the contents of the public key-file in the corresponding input area.
The value should start with ssh-rsa and end with the e-mail address.