In this document you will find technical and security information about the services and tools used by the Virtual Conference Platform, as well as the network access it needs to work properly.
This document may be updated at any time to reflect changes made to the platform or the services it uses.
Application Schema
External Services
Hosting Services
Amazon Web Services
Server location can be in one or more of the following AWS regions:
Asia
Hong Kong (ap-east-1)
Mumbai (ap-south-1)
Europe
Dublin (eu-west-1)
United States of America
North Virginia (us-east-1)
Security policy: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html
Database Services
MongoDB Cloud
Server location: Europe, Dublin (eu-west-1) in Amazon Web Services data centers
SSL connection: YES
Security policy: https://www.mongodb.com/security
Socket Database Services
Redis Labs
Server location: Europe, Dublin (eu-west-1) in Amazon Web Services data centers
SSL connection: YES
Terms: https://redislabs.com/terms/
File Services
Amazon Web Services - (S3)
Security policy: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html
Media Services
Cloudinary
Server location: Worldwide via Akamai CDN (Content Delivery Network)
More information about this can be found here.
Terms: https://cloudinary.com/tos
Video Services
8x8 Jitsi as a Service
Server location: as per 8x8’s documentation, the service selects the location closest to the first person entering a room:
AP-Northeast-1 (Tokyo, Japan)
AP-South-1 (Mumbai, India)
AP-Southeast-2 (Sydney, Australia)
EU-Central-1 (Frankfurt, Germany)
EU-West-2 (London, U.K.)
SA-East-1 (São Paulo, Brazil)
US-East-1 (Ashburn, VA, U.S.)
US-West-2 (Phoenix, OR, U.S.)
SSL connection: YES
Wowza
Server location: Worldwide via Akamai CDN (Content Delivery Network)
Security policy: https://www.wowza.com/company/security-measures
Mailing Services
Mandrill
Data security and privacy: https://mailchimp.com/about/security/
Others
All sub-processors are listed on the following link: https://privacy.bemyapp.com/sub-processors.
Technical Requirements
The following are technical requirements that must be met for the platform to work as expected.
They are mandatory: not meeting them will prevent access to part or all of the platform.
TCP port list
The following TCP ports need to be open:
443
4443
UDP port list
The following UDP ports need to be open:
10000
List of allowed domains
The following domains need to be allowed for the core features of the platform to work as expected.
| Mandatory |
|---|
| *.bemyapp.com |
| *.virtualconference.com |
| *.amazonaws.com |
| *.redislabs.com |
| *.googleapis.com |
| *.gstatic.com |
| res.cloudinary.com/ideation |
| dcx09j7da0xyn.cloudfront.net/* |
| mandrillapp.com |
The following domains are optional, but they are needed for specific features to work as expected.
Optional

| Domain | Feature impacted |
|---|---|
| *.8x8.vc | Lobby, Meeting, Talk |
| streamyard.com | Talk |
| *.youtube.com | |
| i.ytimg.com | |
| img.youtube.com | |
| cloud.wowza.com | |
| js.stripe.com | Payment (related to Ticketing feature) |
| docs.google.com | Project |
| www.slideshare.net | |
| via.placeholder.com | |
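A network administrator validating proxy or firewall rules against the tables above needs to interpret the page's wildcard notation consistently. The following matcher is an added example, not code from BeMyApp; it treats `*.host` as "any subdomain, not the bare apex" and `host/path` as a path prefix, and it deliberately rejects look-alike hosts such as `evilbemyapp.com` that a naive suffix check would accept.

```python
from urllib.parse import urlsplit

# Allowlist entries copied from the "Mandatory" table on this page. Notation:
# "*.host" = any subdomain, "host/path" = path prefix, "host/*" = any path.
MANDATORY = [
    "*.bemyapp.com", "*.virtualconference.com", "*.amazonaws.com",
    "*.redislabs.com", "*.googleapis.com", "*.gstatic.com",
    "res.cloudinary.com/ideation", "dcx09j7da0xyn.cloudfront.net/*",
    "mandrillapp.com",
]


def _host_matches(pattern_host: str, host: str) -> bool:
    """Match a hostname against one allowlist host pattern.

    "*.example.com" matches "app.example.com" but neither "example.com"
    (no subdomain) nor "evilexample.com" (a plain endswith() would accept it).
    """
    host = host.lower().rstrip(".")
    pattern_host = pattern_host.lower()
    if pattern_host.startswith("*."):
        suffix = pattern_host[1:]  # ".example.com", leading dot kept on purpose
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern_host


def is_allowed(url: str, allowlist=MANDATORY) -> bool:
    """True if the URL's host (and path, where the entry pins one) is allowed."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False  # the platform forces HTTPS, so plain http is never allowed
    for entry in allowlist:
        pattern_host, _, pattern_path = entry.partition("/")
        if not _host_matches(pattern_host, parts.hostname):
            continue
        if pattern_path in ("", "*"):
            return True  # whole host allowed
        # Entry pins a path prefix, e.g. res.cloudinary.com/ideation
        prefix = "/" + pattern_path
        if parts.path == prefix or parts.path.startswith(prefix + "/"):
            return True
    return False
```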
List of allowed URLs
The platform loads several scripts from CDNs. To ensure the platform loads properly, the following URLs need to be allowed:
https://cdnjs.cloudflare.com/ajax/libs/pdf.js/2.0.550/pdf.min.js
https://cdnjs.cloudflare.com/ajax/libs/pdf.js/2.0.550/pdf.worker.min.js
https://cdn.jsdelivr.net/gh/kenwheeler/slick@1.8.1/slick/slick.min.js
Technical warning
Proxy
The platform does not support proxies on web service calls (the /api path).
External IP
Documents and videos will fail their security check if the client has multiple external IP addresses (especially on calls to cloudfront.net).
Supported Browsers
We recommend a Chromium-based browser (Google Chrome, Microsoft Edge, Brave, etc.) for the best experience on the platform.
The browsers supported by the platform are:
Chrome 98+
Firefox 102+
Edge 99+
Brave 1+
Opera 84+
Safari 15+
These are minimum versions; we highly recommend using the latest version of your browser for security reasons.
Internet Explorer 11 and Edge (below version 80) are not supported.
The same applies to versions of supported browsers below the minimums listed above.
Security information
Platform URL
Due to a limitation in SSL certificate generation (RFC 5280 caps the certificate Common Name at 64 characters), the platform URL, including the domain, cannot exceed 64 characters, or the corresponding certificate cannot be generated.
As HTTPS is enforced on the platform for security reasons, we cannot accept URLs longer than 64 characters.
Password Policy
We use bcrypt (a Blowfish-based hash with a per-password salt and a work factor of 10) to hash user passwords before storing them.
On the user side we require complex passwords, with options the admin can customize through the back-office. The default complexity is a minimum length of 8 characters with both lowercase and uppercase characters. In addition, the admin can make numbers and special characters mandatory.
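The policy above, expressed as a validator with the admin-configurable options, as an added example (not BeMyApp's code). Besides the page's rules it adds one caveat worth enforcing in front of any bcrypt-based store: bcrypt only reads the first 72 bytes of its input, so longer passwords are silently truncated and should be rejected up front.

```python
import string

BCRYPT_MAX_BYTES = 72  # bcrypt ignores everything past this many bytes


def check_password(password: str, *, min_length: int = 8,
                   require_digit: bool = False,
                   require_special: bool = False) -> list:
    """Return the policy rules the password fails (empty list = accepted).

    Defaults mirror the page: 8 characters, lowercase and uppercase always
    required; digits and special characters only when the admin enables them.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"at least {min_length} characters")
    if not any(c.islower() for c in password):
        failures.append("a lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("an uppercase letter")
    if require_digit and not any(c.isdigit() for c in password):
        failures.append("a digit")
    if require_special and not any(c in string.punctuation for c in password):
        failures.append("a special character")
    # Length is measured in UTF-8 bytes, not characters: multi-byte characters
    # reach bcrypt's 72-byte limit sooner than the character count suggests.
    if len(password.encode("utf-8")) > BCRYPT_MAX_BYTES:
        failures.append(f"no more than {BCRYPT_MAX_BYTES} bytes (bcrypt limit)")
    return failures
```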
Authentication methods
The default authentication method is Email/Password authentication. Admins can enable additional authentication methods using external services.
Anyone with a Facebook account can connect to the platform, no specific configuration needed.
Anyone with a Google account can connect to the platform, no specific configuration needed.
Anyone with a LinkedIn account can connect to the platform, no specific configuration needed.
Microsoft Entra (previously Microsoft Azure AD)
The client SSO team has to register a new application directly in the Microsoft Entra portal and select the following option: ID tokens (used for implicit and hybrid flows). Mandatory scopes / API permissions: openid, email and profile.
Sign-in redirection URIs will be provided by BeMyApp to the client.
Only OpenID Connect (OIDC) option is supported.
To set up the integration, the customer must provide the following information to BeMyApp:
identityMetadata (provided by the Microsoft Identity Portal)
clientID (BeMyApp's client ID in AAD)
clientSecret
A testing account or a testing session with someone who has an account
Okta
The client SSO team has to create a new integration directly in the Okta dashboard and select the following options: OpenID Connect, then Web Application. Sign-in redirect URIs will be provided by BeMyApp to the client.
Only OpenID Connect (OIDC) option is supported.
To set up the integration, the customer must provide the following information to BeMyApp:
Okta Domain
Public Okta Application Client Credentials (also known as clientID)
Private Okta Application Client Credentials (also known as clientSecret)
Identity Provider (optional)
A testing account or a testing session with someone who has an account
Additional Authentication options
The platform also offers several options related to authentication:
Multiple Factor Authentication (MFA) for admins
When activated, all admin accounts must enter an 8-digit code received by email in order to log in.
Allowlist Sign Up
When activated, only allowed email domain(s) can register on the platform.
Blocklist Sign Up
When activated, users cannot register with blocked email domains.
One active session per user limitation
When activated, this prevents a user from being connected at the same time on different browsers/devices with the same account.
Disable Email/Password authentication
Email/password login can be disabled only if at least one SSO method is enabled.
Even when this option is enabled, BeMyApp staff will still be able to log in to the platform using email/password.
Client admins can be given the ability to log in using email/password if needed.
IP Filter
This feature limits platform access to allowed IPs or IP ranges.
Users with an IP outside the authorized ones will not be able to even see the platform.
Be sure that at least one of your own IPs is allowed before enabling the feature; otherwise you will lose access to the platform until we intervene.
We recommend making sure your IPs are not dynamic, to avoid losing access to the platform unexpectedly during your event.
Note that our different offices are allowed by default and will keep access to the platform when this feature is activated.
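An added example (not the platform's code) of how such a filter can be built so that the lockout warned about above cannot happen: enabling the allowlist is refused unless the IP of the admin performing the action is already in it. The vendor-office ranges the page mentions are modelled as a constructed `staff_ranges` list; all addresses are RFC 5737 documentation ranges.

```python
import ipaddress


class IpFilter:
    """Allowlist of IPs / CIDR ranges gating access to the platform."""

    def __init__(self, allowed, staff_ranges=()):
        # 'allowed' is the client's list; 'staff_ranges' stands in for the
        # vendor offices that stay allowed by default (constructed, not real).
        self._nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
        self._staff = [ipaddress.ip_network(s, strict=False) for s in staff_ranges]
        self.enabled = False

    def permits(self, client_ip: str) -> bool:
        """Access decision for one request; everything passes while disabled."""
        if not self.enabled:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in n for n in self._nets + self._staff)

    def enable(self, admin_ip: str) -> bool:
        """Turn the filter on only if the admin doing it keeps access.

        Staff ranges are intentionally NOT counted here: the client must have
        at least one of its own IPs allowed, exactly as the page requires.
        """
        ip = ipaddress.ip_address(admin_ip)
        if not any(ip in n for n in self._nets):
            return False  # refuse: enabling would lock the client out
        self.enabled = True
        return True
```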
Content Security Policy SECTION IN PROGRESS
The platform uses Content Security Policy (CSP) to limit domains whose content can interact with the platform.