Configure authentication and single sign-on

Semarchy xDM offers features to address multiple aspects of user authentication (identifying users) and authorization (controlling user access).

Overview

Semarchy xDM is installed with a built-in user management system - the Internal Identity Provider - to handle users and roles internally.

Semarchy xDM allows you to:

  • Configure third-party Identity Providers that allow requesting user authentication and receiving their authorization. They include Single Sign-On (SSO) identity providers such as Google, Active Directory, etc.

  • Define Roles with sets of privileges to access Semarchy xDM features and applications. These roles can be assigned to users that connect using the internal or third-party identity providers.

  • Provision and manage Users, as well as assign specific roles to these users.

Identity management

Identity providers

The Identity Management configuration is composed of one or more Identity Providers (IDP). Each IDP represents a method for a user to log in to the Semarchy xDM application. For example:

  • Single Sign-On (SSO) with Google, Microsoft Entra ID (formerly known as Azure Active Directory), OKTA, or Auth0.

  • Form authentication against an LDAP directory or user accounts defined in Semarchy.

Each IDP provides three main capabilities:

  • User authentication: The IDP confirms the identity of your users. Users provide their credentials in a login form or authenticate to an external service (for example, their Google authentication form) that redirects them to Semarchy xDM after the authentication.

  • Roles: The IDP can return a set of roles for an authenticated user. This set of roles may be enriched using a Role Mapping mechanism. Semarchy xDM also provides a Role Lookup mechanism to assign roles to users based on the content of a role mapping table.

  • Profile Synchronization: The IDP may synchronize or seed user profile information (for example, the user’s first/last name or their avatar).

The identity providers configured for Semarchy xDM define the login experience. For example, if two SSO identity providers (Google and Microsoft Entra ID, formerly known as Azure Active Directory) and one LDAP directory are configured, the login page will give users the choice to log in with any of these three methods.

Identity provider types

Semarchy xDM natively supports identity providers using the following methods and protocols:

  • OpenID Connect via SSO. OpenID Connect is a standard protocol for single sign-on and is supported by identity providers such as Google, OKTA, Auth0, Microsoft Entra ID (formerly known as Azure Active Directory), etc.

  • SAML v2 via SSO. SAML is a standard protocol for SSO, supported by platforms such as Microsoft Active Directory Federation Services (AD FS), Ping Federate, etc.

  • LDAP via form-based authentication. The Lightweight Directory Access Protocol (LDAP) is a standard protocol to connect to enterprise directories.

  • Active Directory via form-based authentication.

  • Windows Authentication via SSO (using the Windows-authenticated user) or form-based authentication. Note that you cannot have multiple "Windows Authentication - SSO" identity providers.

Internal identity provider

The built-in internal identity provider (internal IDP) stores users and roles in the Semarchy repository. It comes preconfigured and is useful when managing users and roles defined locally in Semarchy xDM, without an enterprise identity provider in place.

User management

When using a third-party identity provider, users, their role assignments, as well as their profile information, are managed in the identity provider interface.

For the Internal IDP, Semarchy xDM provides an administration interface to provision and manage users.

This interface may also be used to assign additional roles to users accessing the platform from a third-party identity provider or to allow these users to connect using the internal IDP.

Role management

Roles are declared in Semarchy xDM and may be granted privileges such as:

  • Platform-level privileges, such as access to the Application Builder or Dashboard Builder.

  • Model and application privileges, such as being able to view or edit data for a given entity, access a specific application or features of the application.

A user, when connecting, receives, through their login process, a set of effective roles that includes the following:

  • The roles returned by the third-party IDP, possibly transformed and enriched using the Role Mapping.

  • The Default Roles that are assigned to all users connecting with a given IDP.

  • The roles added from a database table using the Role Lookup mechanism.

  • The roles explicitly assigned to this specific user when configuring user management.

For each effective role of the user that matches a role declared in Semarchy xDM, the user is granted the privileges of this matching role.