Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 34 Current »

In this documents you will find technical and security information about the services and tools used by Virtual Conference Platform as well as what accesses are needed for it to be able to work properly.

This document may be updated anytime to reflect changes made to the platform or services it uses.



Application Schema

Platform Schema.png


External Services

Hosting Services

Amazon Web Services

Database Services

MongoDB Cloud

Socket Database Services

Redis Labs

File Services

Amazon Web Services - (S3)

Media Services

Cloudinary

Video Services

8x8 Jitsi as a Service

  • Servers location: as per 8x8’s documentation it selects the closest location to the first person entering a room:

    • AP-Northeast-1 (Tokyo, Japan)

    • AP-South-1 (Mumbai, India)

    • AP-Southeast-2 (Sydney, Australia)

    • EU-Central-1 (Frankfurt, Germany)

    • EU-West-2 (London, U.K.)

    • SA-East-1 (São Paulo, Brazil)

    • US-East-1 (Ashburn, VA, U.S.)

    • US-West-2 (Phoenix, OR, U.S.)

  • SSL connection: YES

Wowza

Mailing Services

Mandrill

Others

All sub-processors are listed on the following link: https://privacy.bemyapp.com/sub-processors.


Technical Requirements

The following information are technical requirements and information that ensure the platform to work as expected.

They are mandatory, not respecting them will prevent access to part or entirety of the platform.

TCP port list

This list of TCP port need to be open:

  • 443

  • 4443

UDP port list

This list of UDP port need to be open:

  • 10000

List of allowed domains

The following list of domains need to be allowed to ensure the core features of the platform to work as expected.

Mandatory

*.bemyapp.com

*.virtualconference.com

*.amazonaws.com

*.redislabs.com

*.googleapis.com

*.gstatic.com

res.cloudinary.com/ideation

dcx09j7da0xyn.cloudfront.net/*

mandrillapp.com

The following list of domains is optional but they are needed to ensure specific features to work as expected.

Optional

Domain

Feature impacted

*.8x8.vc

Lobby, Meeting, Talk

streamyard.com

Talk

*.youtube.com

i.ytimg.com

img.youtube.com

cloud.wowza.com

js.stripe.com

Payment (related to Ticketing feature)

docs.google.com

Project

www.slideshare.net

via.placeholder.com

List of allowed URL

The platform make the use of many scripts placed on CDN. To ensure the proper loading of the platform, this list of URL need to be allowed:


Technical warning

Proxy

The platform does not support proxy on web services calls (/api path).

External IP

Documents and videos will not have security check if client have multiple external IP (especially with calls to cloudfront.net).

Supported Browsers

We are recommending Chromium based browser (Google Chrome, Microsoft Edge, Brave, etc.) to get the best experience on the platform.

Following is the list of browsers supported by the platform:

  • Chrome 98+

  • Firefox 102+

  • Edge 99+

  • Brave 1+

  • Opera 84+

  • Safari 15+

This list is considered as minimum versions, we highly recommend using last version of your browser for security reasons.

Internet Explorer 11 and Edge (under version 80) browsers are not supported.
The same goes for lower versions of supported browsers.


Security information

Platform URL

Due to SSL certificate generation limitations (RFC 5280), length of platform URL can’t exceed 64 characters including domain in order to be able to generate the according certificate.
As we are forcing the use of https protocol on the platform for security reasons, we can’t authorize URLs longer than 64 characters.

Password Policy

We are using bcrypt to hash passwords and Blowfish encryption with salting key with 10 iterations to store user passwords.

On the user side we are asking complex passwords with customizable options admin can activate through the back-office. The default complexity asked is 8 characters length, with both lowercase and uppercase characters. In addition the admin can make numbers and special characters mandatory in the password.

Authentication methods

The default authentication method is Email/Password authentication. Admins can enable additional authentication methods using external services.

Facebook

Anyone with a Facebook account can connect to the platform, no specific configuration needed.

Google

Anyone with a Google account can connect to the platform, no specific configuration needed.

LinkedIn

Anyone with a LinkedIn account can connect to the platform, no specific configuration needed.

Microsoft Entra (previously Microsoft Azure AD)

The client SSO team have to register a new application directly on Microsoft Entra Portal and select the following option: ID tokens (used for implicit and hybrid flows). Mandatory scope / API permissions: openid,email and profile.
Sign-in redirection URIs will be provided by BeMyApp to the client.

Only OpenID Connect (OIDC) option is supported.

To setup the integration, the following information must be provided by the customer to BeMyApp:

  • identityMetadata (provided by the Microsoft Identity Portal)

  • clientID (BeMyApp's client ID in AAD)

  • clientSecret

  • A testing account or a testing session with someone with an account

Okta

The client SSO team have to create a new integration directly on Okta dashboard and select the following options: OpenID Connect then Web Application. Sign-in redirect URIs will be provided by BeMyApp to the client.

Only OpenID Connect (OIDC) option is supported.

To setup the integration, the following information must be provided by the customer to BeMyApp:

  • Okta Domain

  • Public Okta Application Client Credentials (also known as clientID)

  • Private Okta Application Client Credentials (also known as clientSecret)

  • Identity Provider (optional)

  • A testing account or a testing session with someone with an account

Additional Authentication options

The platform also offer multiple options related to authentication:

Multiple Factor Authentication (MFA) for admins

When activated, all admins accounts need to fill a 8-digit code received by email in order to login.

Allowlist Sign Up

When activated, only allowed email domain(s) can register on the platform.

Blocklist Sign Up

when activated, user can not register with blocked email domains.

One active session per user limitation

When activated, this prevent user to be connected at the same time on different browser/device with the same account.

Disable Email/Password authentication

It is possible to disable the ability to login with email/password only if at least one SSO method is enabled.

Even with this option is enabled, BeMyApp staff will still be able to login to the platform using email/password.

Client admins could being given the ability to login using email/password if needed.

IP Filter

This feature is meant to limit platform access to allowed IP or range of IPs.
Users with an IP outside authorized ones won’t be able to even see the platform.

Be sure to have at least one of your IP allowed before enabling the feature, otherwise you won’t be able to access the platform anymore waiting for our intervention.

We recommend making sure your IPs aren't dynamic to prevent losing access to the platform unexpectedly during your event.

Note that our different offices are allowed by default and will keep access to the platform if this feature is activated.

Content Security Policy SECTION IN PROGRESS

The platform uses Content Security Policy (CSP) to limit domains whose content can interact with the platform.

  • No labels