Configure authentication and single sign-on

This page describes key concepts relating to user authentication and single sign-on (SSO) in Semarchy xDM.

Semarchy xDM offers features to address multiple aspects of user authentication (i.e., identifying users) and authorization (i.e., controlling user access).

Overview

Semarchy xDM comes with a built-in user management system, the internal identity provider, to handle users and roles internally.

xDM allows you to:

  • Configure third-party identity providers (IDPs) that authenticate users and return their authorizations. These include single sign-on (SSO) IDPs such as Google, Active Directory, etc.

  • Define roles with sets of privileges to access xDM features and applications. These roles can be assigned to users who connect using internal or third-party IDPs.

  • Provision and manage users, and assign specific roles to these users.

Identity management

Identity providers

The identity management configuration is composed of one or more IDPs. Each IDP represents a method for a user to log in to the xDM application. For example:

  • SSO with Google, Microsoft Entra ID (formerly known as Azure Active Directory), OKTA, or Auth0.

  • Form authentication against an LDAP directory or user accounts defined in xDM.

Each IDP provides three main capabilities:

  • User authentication: the IDP confirms the identity of users. Users provide their credentials in a login form or authenticate to an external service (e.g., their Google authentication form) that redirects them to xDM after the authentication.

  • Roles: the IDP can return a set of roles for an authenticated user. This set of roles may be enriched using a role-mapping mechanism. xDM also provides a role-lookup mechanism to assign roles to users based on the content of a role mapping table.

  • Profile synchronization: the IDP may synchronize or seed user profile information (e.g., the user’s first/last name or their avatar).

The IDPs configured for xDM define the login experience. For example, if two SSO IDPs (Google and Microsoft Entra ID) and one LDAP directory are configured, the login page will give users the choice to log in with any of these three methods.

Identity provider types

Semarchy xDM natively supports IDPs using the following methods and protocols:

  • OpenID Connect via SSO. OpenID Connect is a standard protocol for single sign-on and is supported by IDPs such as Google, OKTA, Auth0, Microsoft Entra ID, etc.

  • SAML v2 via SSO. SAML is a standard protocol for SSO, supported by platforms such as Microsoft Active Directory Federation Services (AD FS), Ping Federate, etc.

  • LDAP via form-based authentication. The Lightweight Directory Access Protocol (LDAP) is a standard protocol to connect to enterprise directories.

  • Active Directory via form-based authentication.

  • Windows Authentication via SSO (using the Windows-authenticated user) or form-based authentication. Note that you cannot have multiple "Windows Authentication - SSO" IDPs.

Internal identity provider

The built-in internal IDP stores users and roles in the xDM repository. This IDP is configured by default. It is useful for users and roles defined locally in xDM where there is no enterprise IDP in place.

For security purposes, xDM enforces a temporary block on the user’s IP address for 24 hours following five consecutive failed login attempts. This security measure applies solely to users connecting to xDM through the internal IDP.

Platform administrators can either change the maximum number of attempts by adjusting the value of the xdm.idm.maxloginattempts property, or disable this safeguard by setting the xdm.idm.maxloginattempts.enable property to false, using the appropriate startup configuration method.
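The following is an added illustration of the safeguard just described; it is not the Semarchy xDM implementation. The two property names come from this page, while the class, method names and the epoch-seconds time model are assumptions.

```python
# Added illustration of the failed-login safeguard; NOT xDM's own code.
# Assumed defaults mirroring the two properties named on the page.
MAX_LOGIN_ATTEMPTS = 5            # xdm.idm.maxloginattempts
MAX_LOGIN_ATTEMPTS_ENABLE = True  # xdm.idm.maxloginattempts.enable
BLOCK_SECONDS = 24 * 60 * 60      # 24-hour block


class InternalIdpLoginGuard:
    """Counts consecutive failed logins per source IP and blocks that IP temporarily."""

    def __init__(self, max_attempts=MAX_LOGIN_ATTEMPTS, enabled=MAX_LOGIN_ATTEMPTS_ENABLE):
        self.max_attempts = max_attempts
        self.enabled = enabled
        self.failures = {}       # ip -> consecutive failure count
        self.blocked_until = {}  # ip -> epoch seconds at which the block expires

    def is_blocked(self, ip, now):
        """True while a block on `ip` is active; an expired block is cleared."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            self.failures.pop(ip, None)  # start counting afresh after expiry
            return False
        return True

    def attempt(self, ip, idp, credentials_ok, now):
        """Return True if the login is accepted. `now` is epoch seconds."""
        if idp != "internal":
            # The safeguard applies only to the internal IDP; third-party
            # IDPs enforce their own lockout policies.
            return credentials_ok
        if self.enabled and self.is_blocked(ip, now):
            return False  # rejected even if the credentials are correct
        if credentials_ok:
            self.failures.pop(ip, None)  # a success resets the consecutive count
            return True
        if self.enabled:
            self.failures[ip] = self.failures.get(ip, 0) + 1
            if self.failures[ip] >= self.max_attempts:
                self.blocked_until[ip] = now + BLOCK_SECONDS
        return False
```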

User management

When using a third-party IDP, users, their role assignments, and their profile information are managed in the IDP interface.

For the internal IDP, xDM provides an administration interface to provision and manage users.

This interface may also be used to assign additional roles to users accessing the platform from a third-party IDP or to allow these users to connect using the internal IDP.

Role management

Roles are declared in xDM and may be granted privileges such as:

  • Platform-level privileges, such as access to the Application Builder or Dashboard Builder.

  • Model and application privileges, such as being able to view or edit data for a given entity, or access a specific application or features of the application.

When a user connects, the login process computes a set of effective roles for that user, which includes the following:

  • The roles returned by the third-party IDP, possibly transformed and enriched using the role-mapping mechanism.

  • The default roles that are assigned to all users connecting with a given IDP.

  • The roles added from a database table using the role-lookup mechanism.

  • The roles explicitly assigned to this specific user, as explained in the User management section.

For each effective user role that matches a role declared in xDM, the user is granted the privileges of that role.
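The following added example walks through how the four role sources listed above, together with the role-mapping and role-lookup mechanisms from the Identity providers section, combine into a user's effective roles. It is not Semarchy xDM code; all role names, group names and table contents are constructed sample values, and passing unmapped IDP roles through unchanged is an assumption.

```python
# Added illustration of effective-role computation; NOT xDM's own code.
# All values below are constructed samples.

# Roles declared in xDM. Only these carry privileges.
DECLARED_ROLES = {"semarchyAdmin", "DataSteward", "CustomerReader", "Auditor"}

# Role-mapping: IDP group name -> xDM roles (transforms and enriches IDP roles).
ROLE_MAPPING = {
    "mdm-stewards": {"DataSteward", "CustomerReader"},
    "mdm-admins": {"semarchyAdmin"},
}

# Default roles granted to every user who authenticates with a given IDP.
DEFAULT_ROLES = {"google-sso": {"CustomerReader"}, "internal": set()}

# Role-lookup table: (username, role) rows as read from a database table.
ROLE_LOOKUP_TABLE = [("alice", "Auditor"), ("bob", "DataSteward")]

# Roles explicitly assigned through the user management interface.
ASSIGNED_ROLES = {"alice": {"semarchyAdmin"}}


def map_idp_roles(idp_roles):
    """Apply the role mapping; unmapped names pass through unchanged (assumption)."""
    mapped = set()
    for role in idp_roles:
        mapped |= ROLE_MAPPING.get(role, {role})
    return mapped


def effective_roles(username, idp, idp_roles):
    """Union the four sources, then keep only roles declared in xDM."""
    candidates = set()
    candidates |= map_idp_roles(idp_roles)               # 1. IDP roles after mapping
    candidates |= DEFAULT_ROLES.get(idp, set())          # 2. IDP default roles
    candidates |= {r for u, r in ROLE_LOOKUP_TABLE if u == username}  # 3. role lookup
    candidates |= ASSIGNED_ROLES.get(username, set())    # 4. explicit assignments
    # A role that is not declared in xDM (e.g. an unmapped IDP group) grants nothing.
    return candidates & DECLARED_ROLES
```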