Configure authentication and single sign-on

Semarchy xDM offers features to address multiple aspects of user authentication (identifying users) and authorization (controlling user access).

Overview

Semarchy xDM is installed with a built-in user management system - the Internal Identity Provider - to handle users and roles internally.

In addition, Semarchy xDM allows you to:

  • Configure third-party Identity Providers, which will provide means for users to authenticate and receive their authorization. These include Single Sign-On (SSO) identity providers such as Google, Active Directory, etc.

  • Define Roles with sets of privileges on Semarchy xDM features and applications; these roles may be granted to users connecting through the internal or third-party identity providers.

  • Provision and manage Users, as well as grant specific roles to these users.

Identity management

Identity providers

The Identity Management configuration is composed of one or more Identity Providers (IDP). Each IDP represents a method for a user to log into the Semarchy xDM application. For example:

  • Single Sign-On (SSO) with Google, Microsoft Entra ID (formerly known as Azure Active Directory), OKTA, or Auth0.

  • Form authentication against an LDAP directory or user accounts defined in Semarchy.

Each IDP provides three main capabilities:

  • User authentication: The IDP makes sure that your users are who they say they are. Users provide their credentials in a login form or authenticate to an external service (for example, their Google authentication form) that redirects them to Semarchy xDM after the authentication.

  • Roles: The IDP can return a set of roles for an authenticated user. This set of roles may be enriched using a Role Mapping mechanism. Semarchy xDM also provides a Role Lookup mechanism to assign roles to users based on the content of a role mapping table.

  • Profile Synchronization: The IDP may synchronize or seed user profile information (for example, the user’s first/last name or avatar).

The identity providers configured for Semarchy xDM define the login experience. For example, if two SSO identity providers (Google and Microsoft Entra ID, formerly known as Azure Active Directory) and one LDAP directory are configured, the login page will give users the choice to log in with any of these three methods.

Identity provider types

Semarchy xDM natively supports identity providers using the following methods and protocols:

  • OpenID Connect via SSO. OpenID Connect is a standard protocol for single sign-on and is supported by identity providers such as Google, OKTA, Auth0, Microsoft Entra ID (formerly known as Azure Active Directory), etc.

  • SAML v2 via SSO. SAML is a standard protocol for SSO, supported by platforms such as Microsoft Active Directory Federation Services (AD FS), Ping Federate, etc.

  • LDAP via form-based authentication. The Lightweight Directory Access Protocol (LDAP) is a standard protocol to connect to enterprise directories.

  • Active Directory via form-based authentication.

  • Windows Authentication via SSO (using the Windows-authenticated user) or form-based authentication. Note that you cannot have multiple "Windows Authentication - SSO" identity providers.

Internal identity provider

The built-in Internal Identity Provider (Internal IDP) stores users and roles in the Semarchy repository. This identity provider is configured by default. It is convenient for using users and roles defined locally in Semarchy xDM, where no enterprise identity provider is in place.

User management

When using a third-party identity provider, the users, their role assignments, as well as their profile information, are managed in the identity provider interface.

Semarchy xDM provides an administration interface to provision and manage users for the Internal IDP.

This interface may also be used to assign additional roles to users accessing the platform from a third-party identity provider or to allow these users to connect using the internal IDP.

Role management

Roles are declared in Semarchy xDM and may be granted privileges such as:

  • Platform-level privileges, such as access to the Application Builder or Dashboard Builder.

  • Model and application privileges, such as being able to view or edit data for a given entity, or to access a specific application or some of its features.

When a user connects, the login process produces a set of effective roles for that user, which includes the following:

  • The roles returned by the third-party IDP, possibly transformed and enriched using the Role Mapping.

  • The Default Roles that are assigned to all users connecting with a given IDP.

  • The roles added from a database table using the Role Lookup mechanism.

  • The roles explicitly assigned to this specific user in the User management.

For each effective role of the user that matches a role declared in Semarchy xDM, the user is granted the privileges of this matching role.
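To make the role resolution above concrete, here is an added Python model of it (not Semarchy's own code, which is not shown on this page). The IdpConfig structure, the pass-through of IDP roles that have no mapping entry, and the sample roles, lookup rows and privileges are assumptions for illustration.

```python
"""Model of effective-role resolution: IDP roles (after role mapping), IDP
default roles, role-lookup rows and explicit user assignments are combined,
and only roles declared in xDM grant privileges. Data model is assumed."""
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class IdpConfig:
    name: str
    # Role Mapping: IDP role/group -> xDM roles it is transformed/enriched into
    role_mapping: Dict[str, Set[str]] = field(default_factory=dict)
    # Default Roles granted to every user connecting through this IDP
    default_roles: Set[str] = field(default_factory=set)


def effective_roles(user: str, idp: IdpConfig, idp_roles: Set[str],
                    role_lookup: Dict[str, Set[str]],
                    user_assignments: Dict[str, Set[str]]) -> Set[str]:
    roles: Set[str] = set()
    for r in idp_roles:
        # Assumption: an IDP role with no mapping entry is kept as-is
        roles |= idp.role_mapping.get(r, {r})
    roles |= idp.default_roles                  # Default Roles of the IDP
    roles |= role_lookup.get(user, set())       # Role Lookup table rows
    roles |= user_assignments.get(user, set())  # explicit User management roles
    return roles


def granted_privileges(roles: Set[str],
                       declared_roles: Dict[str, Set[str]]) -> Set[str]:
    # Only effective roles that match a role declared in xDM grant anything
    return {p for r in roles if r in declared_roles for p in declared_roles[r]}


# Constructed sample configuration
DECLARED_ROLES = {
    "semarchyAdmin": {"Application Builder"},
    "DataSteward": {"CustomerApp:view", "CustomerApp:edit"},
    "DataReader": {"CustomerApp:view"},
}
ENTRA = IdpConfig("entra", role_mapping={"MDM-Stewards": {"DataSteward"}},
                  default_roles={"DataReader"})
ROLE_LOOKUP = {"alice": {"semarchyAdmin"}}
USER_ASSIGNMENTS = {"alice": {"Reporting"}}  # "Reporting" is not declared

if __name__ == "__main__":
    roles = effective_roles("alice", ENTRA, {"MDM-Stewards", "Finance"},
                            ROLE_LOOKUP, USER_ASSIGNMENTS)
    print(sorted(roles), sorted(granted_privileges(roles, DECLARED_ROLES)))
```

Note that "Finance" and "Reporting" end up in the effective role set but grant no privileges because no matching role is declared in xDM.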