PrivX web access architecture
PrivX can be used to connect to HTTP and HTTPS websites. Web connections established via PrivX offer the following benefits:
- Session-recording support for improved auditability.
- For sites that require login, you may store credentials in PrivX. PrivX automatically fills in the credentials, allowing users to log in without knowing any passwords. Access is provided in a role-based fashion.
Web browsing flow
- The administrator defines the target website URL as well as the shared username and password (if applicable) used to access the website. The data is stored in Host Store (A) and the secrets are vaulted in PrivX Keyvault (G).
- The user logs in to PrivX and is mapped to roles according to pre-defined rules in Role Store (B).
- When the user connects to the target website, a connection is launched via the RDP Proxy (C).
- RDP Proxy (C) registers the connection with Connection Manager (D).
- RDP Proxy (C) queries the web credentials from Host Store (A) and replaces the password with a magic string.
- RDP Proxy (C) notifies PrivX Web Proxy (E) about the incoming connection.
- RDP Proxy (C) initiates a connection to PrivX Carrier (I) and provides the website address, the username and the password magic string.
- The connection is persisted to Audit Trail Storage (H) for playback and analysis (if enabled).
- PrivX Carrier (I) launches a new Firefox or Chromium container (J) pointed at the website address and pre-populates the browser password manager with the username and the password magic string.
- The browser is configured to trust and use the TLS-intercepting PrivX Web Proxy (E).
- After the user clicks login, PrivX Web Proxy (E) analyses the request. If a password magic string is present, it replaces it with the real configured password.
- PrivX Web Proxy (E) makes a request to the target website using the augmented request and returns the response to the user.
- The target website (K) can be configured to be accessible only from the PrivX Web Proxy's (E) address.
SSO logins
For websites configured to utilize PrivX as an OIDC provider, PrivX offers the convenience of Single Sign-On (SSO) functionality, allowing users to log in to the target website without the need for passwords. This feature can also be utilized for Carrier connections.
See Setting up known targets for more information.