How-tos

Authentication/Identity providers within Cloudentity

Let's see how authentication and identity providers can seamlessly integrate into the Cloudentity platform to enhance the authorization context of users, which can then be used to dynamically control the authorization tokens issued to applications on behalf of those users.

Authentication (Identity) providers

Cloudentity separates authentication from authorization. This is a fundamental capability, since many products specialize in authentication: it lets you decouple the sources of authentication and use Cloudentity as a modern, advanced authorization platform for secure application architectures, consuming data from any of the authentication providers while keeping the applications agnostic of which provider authenticated the user.

This approach lets organizations switch authentication providers without changing their applications, and also lets them configure applications to be accessed by users from partner authentication sources. In short, this feature enables digital expansion at scale beyond a single source of authenticated users and is a cornerstone of the modernization and expansion journey. We sometimes refer to this capability as the Identity Hub.

Cloudentity integrates with your existing identity and authentication providers using open standards such as OIDC, SAML, and SCIM, or through custom connectors. This way, requests to your platform can be authorized on top of authentication performed by any source, whether for direct customers (B2C), business partners' customers (B2B2C), or any other customer/user model you want to use.

Cloudentity supports the Bring Your Own Identity Provider (BYOID) model. In addition, Cloudentity has its own built-in, highly scalable, configurable and customizable identity and authentication provider for use cases where you don't want to rely on an external identity provider.

BYOID Integration

The Bring Your Own Identity Provider (BYOID) concept lets you take advantage of Cloudentity's modern authorization capabilities without replacing your existing Identity and Access Management (IAM) product(s).

BYOID Overview

Multiple identity provider integrations can be configured at the workspace level, giving you a flexible way to integrate with a multitude of identity providers within the organization or to allow partner-level identity providers. Because each workspace has its own integrations, the organization can use a distinct source of user data for administrators, service owners, developers (including third-party ones), and consumers, enforcing a clear separation of duties.

During user authentication with an external identity provider, regardless of the protocol, Cloudentity creates an ephemeral authentication context for the authenticated user, which can also be enhanced at other data enrichment points. This meta session includes all data attributes provided by the external provider.

TIP - Extensions

Cloudentity can extend the authentication context and enrich it with additional custom attributes from different sources. The combined attributes are stored in Cloudentity's authentication context in a normalized fashion and can be used for identity context attribute validation, scope governance and other dynamic authorization policy rules in the various token minting, governance and enforcement workflows within Cloudentity.

OIDC based

Most modern authentication providers support the OIDC protocol. Cloudentity integrates natively with an external provider over OIDC to obtain the ID token and user info once the end user finishes the authentication process with that provider. Cloudentity does not store the tokens from the external provider after this process; it discards them once the user info is mapped into its user context.

Some of the most commonly used auth providers with OIDC based integration are:

Some of the providers listed above are available as native templates within Cloudentity. If you don't find the provider of your choice templatized, use the generic OpenID provider template to connect to any OIDC-compliant authentication provider.

TIP

Many providers support both the OIDC and SAML protocols. In such scenarios we recommend OIDC, but you may use SAML as well; the choice of integration is yours.

SAML based

Some modern authentication providers and most legacy products support the SAML protocol. Cloudentity integrates natively with an external provider over SAML to obtain the SAML assertion once the end user finishes the authentication process with that provider. Cloudentity does not store the assertions from the external provider after this process; it discards them once the user info is mapped into its user context.

Some of the most commonly used auth providers with SAML based integration are:

Some of the providers listed above are available as native templates within Cloudentity. If you don't find the provider of your choice templatized, use the generic SAML provider template to connect to any SAML-compliant authentication provider.

Custom integration

Cloudentity also offers a mechanism to integrate authentication providers that are neither SAML nor OIDC compliant. This can be useful during a digital transformation phase, when you want to keep using an existing non-compliant authentication provider until you migrate to a new one.

Cloudentity Built In Providers

Identity Pool

Identity Pool is Cloudentity's own highly scalable, high-performance identity provider. It is highly configurable at the schema level and gives you an edge in use cases that demand high scale.

TIP

We recommend switching to identity pools rather than writing or maintaining your own custom-built, home-grown authentication providers. Our platform is built for scale, so using it means you don't have to worry about the scale, maintenance and security of your user credentials.

Sandbox Identity provider

Cloudentity also provides a built-in sandbox identity provider so you can add some users with ease for demos and proofs of concept.

WARNING

This provider should not be enabled or added in production environments. It is meant as a quick demo identity provider for validating concepts without depending on any external identity provider.