Identity Provider Authentication Workflow
The following diagram illustrates how IdP authentication works.
- User starts a Perspective Session.
- User attempts some action that requires authentication.
- User is redirected to the Identity Provider: The Session sees that authentication is required and redirects the user to a webpage hosted by the IdP.
- IdP Authenticates the User: The IdP prompts the user with a security challenge, such as requesting a username and password. The extent of the challenge depends entirely on the provider, but many providers may offer support for multi-factor authentication (MFA).
- User Responds: The user correctly responds to the security challenge.
- Redirect back to the Session: If the IdP successfully validates the user, it will redirect the user back to the Perspective Session. Some IdPs may have an additional workflow they will guide the user through, such as re-verifying an email address or replacing an expired password. The IdP will also return information about that user to the Session. This provides some context about the user that the Session can use to assign Security Levels.
- Update the User's Security Level: Once back at the session, the user will be mapped to the specified Security Level, giving the user access to the restricted action.
Types of Identity Providers
The following types of providers are available. More information on the types can be found on the Identity Provider configuration reference page.
- Ignition - The Gateway will act as an Identity Provider, accepting authentication requests from other Perspective Sessions. Users and roles are stored internally within Ignition. Useful when an external identity provider is unavailable.
- OpenID Connect 1.0 - Used to configure an external IdP via OpenID Connect.
- Security Assertion Markup Language (SAML) - Used to configure an external IdP via SAML.
Suggested External Identity Providers
Your organization's IT may have some sort of existing integration with an Identity Provider. Some popular Identity Providers are listed below.
Using Identity Providers
Once an Identity Provider has been configured, there are a few things that can be done to test and adjust how it works. You can map the attributes that are returned in the IdP response document to more familiar user properties that are available to use within the project. You can add rules to custom security levels that determine when a user falls into the level. Overrides can be given to users in the form of User Grants, so that they are granted certain security levels regardless of the rules. Finally, you can test out the IdP by logging in with a user to confirm what is returned in the response document.
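The post-login steps described above (attribute mapping, security level rules and User Grants that override them), as an added illustrative model in plain Python; this is not Ignition's own API, and the response document, attribute names, level names and grant table are constructed assumptions:

```python
"""Constructed model of what the Session does with an IdP response document:
map attributes to user properties, evaluate security level rules, then apply
User Grants that bypass the rules. Not Ignition's API; names are assumptions."""

# Constructed IdP response document, as received after the redirect back.
IDP_RESPONSE = {
    "sub": "u-1001",
    "preferred_username": "jdoe",
    "email": "jdoe@example.com",
    "groups": ["operators", "maintenance"],
}

# Attribute mapping: familiar user property -> attribute name in the response.
ATTRIBUTE_MAPPING = {
    "id": "sub",
    "username": "preferred_username",
    "email": "email",
    "roles": "groups",
}

# Custom security level rules: level name -> predicate over the mapped user.
SECURITY_LEVEL_RULES = {
    "Operator": lambda user: "operators" in user["roles"],
    "Maintenance": lambda user: "maintenance" in user["roles"],
    "Administrator": lambda user: "admins" in user["roles"],
}

# User Grants: overrides keyed by user id, granted regardless of the rules.
USER_GRANTS = {"u-1001": {"Administrator"}}


def map_attributes(response, mapping):
    """Build the user properties from the response using the mapping.
    Missing attributes default to None (empty list for roles) so that rule
    evaluation does not fail on a sparse response document."""
    user = {}
    for prop, attr in mapping.items():
        default = [] if prop == "roles" else None
        user[prop] = response.get(attr, default)
    return user


def assign_security_levels(user, rules, grants):
    """Return sorted levels: those whose rule holds plus any granted ones."""
    levels = {name for name, rule in rules.items() if rule(user)}
    levels |= grants.get(user["id"], set())
    return sorted(levels)


def levels_for_response(response):
    """Full pipeline: response document -> user properties -> security levels."""
    user = map_attributes(response, ATTRIBUTE_MAPPING)
    return assign_security_levels(user, SECURITY_LEVEL_RULES, USER_GRANTS)
```

Here the Administrator level comes only from the grant, which is exactly the kind of override worth reviewing when testing what an IdP login returns.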