Providers and Identities

Providers

Vinyl security model supports multiple, configurable security providers. Each security provider fulfills one or more of the following roles:

  • User authentication
  • Data source authentication
  • Connection-level security
  • Authorization policies

Note

New in Vinyl 3.3: security providers can be configured with import/export functionality.

Provider Types

Vinyl ships with the following provider types:

  • Jitterbit Harmony - Authenticates HTTP requests to Harmony API Manager endpoints.
  • JWT SSO - Custom single sign-on (SSO) protocol.
  • Rewrite URL - Restores a URL rewritten by a reverse proxy.
  • Local User - Forms-based authentication provider.
  • Salesforce - Salesforce authentication and authorization using OAuth2. (3.1, 3.2, 3.3)
  • SAML - SAML Single Sign-On (SSO). (3.1, 3.2, 3.3)
  • SAML Identity Provider - SAML Single Sign-On (SSO) authentication. (3.1, 3.2)
  • WS-Federation - WS-Federation SSO. (3.1, 3.2, 3.3)
  • Integrated Windows Authentication (IWA) - SSO scheme for Active Directory domains. (3.1, 3.2, 3.3)
  • Active Directory (AD) - Forms-based authentication provider.
  • Web Access Management (WAM) - SSO scheme for legacy Web Access Management systems.
  • OAuth - OAuth authorization provider. (3.1, 3.2, 3.3)
  • OpenID Connect - Enables support for OpenID Connect 1.0.
  • HTTP - Authenticates HTTP client requests to REST APIs. (3.1, 3.2, 3.3)
  • OData - OData data source authentication schemes.
  • SAP OData Services - SAP NetWeaver Gateway OData Service authentication schemes. (3.1, 3.2, 3.3)
  • SuccessFactors OData - SuccessFactors OData web service authentication schemes. (3.1, 3.2, 3.3)
  • SuccessFactors Password - Forms-based user authentication provider.
  • User Provisioning - Programmatic user registration.
  • API Key - REST API authentication provider.

Each provider defines a set of parameters. These can be configured by the site administrator. Vinyl ships with a configuration which enables a default set of security providers.

Identity Management

Authentication security providers and some data source security providers require additional configuration to map Vinyl users and security groups to third-party user accounts and groups.

Identities

Identities map third-party user accounts to local Vinyl users and vice versa. A user may only have one identity for a given security provider.

Identities have the following properties:

  • Provider - The security provider (user or data source) which owns the identity.
  • Name - Unique user name assigned by the security provider. This corresponds to the Name claim in claims-based authentication.
  • Identifier - Unique, immutable identifier assigned by the security provider. This corresponds to the NameIdentifier claim in claims-based authentication. This parameter is optional.

Identities are required when delegating user authentication to external security providers such as Salesforce or SAML Single Sign-On (SSO). Vinyl maps the supplied claims to a Vinyl user via a matching identity. Vinyl will attempt to match the NameIdentifier claim. If that fails, Vinyl will attempt to map the Name claim.

Identities can also be used for data source authentication. Some data sources support user-constrained authentication (as opposed to service accounts). When authenticating such data source requests, the security provider will use the identity Name if defined. If not, the security provider will fall back to the Vinyl user name. The identity's Identifier is not used.
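The two lookup rules above (NameIdentifier first, then Name, scoped to one provider; identity Name with fall-back to the Vinyl user name for user-constrained data sources) as an added Python model. This is illustrative code written for this page, not Vinyl's implementation; the claim names, provider names and user records are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

NAME_CLAIM, NAME_IDENTIFIER_CLAIM = "Name", "NameIdentifier"  # claim names as the page describes them

@dataclass(frozen=True)
class Identity:
    provider: str                     # security provider that owns this identity
    name: str                         # provider-assigned user name (Name claim)
    identifier: Optional[str] = None  # immutable provider id (NameIdentifier claim), optional

@dataclass
class VinylUser:
    user_name: str
    identities: list = field(default_factory=list)

    def identity_for(self, provider: str) -> Optional[Identity]:
        # A user may hold at most one identity per security provider.
        matches = [i for i in self.identities if i.provider == provider]
        if len(matches) > 1:
            raise ValueError(f"{self.user_name}: more than one identity for {provider}")
        return matches[0] if matches else None

def resolve_user(users, provider: str, claims: dict) -> Optional[VinylUser]:
    """Map external claims to a Vinyl user: NameIdentifier first, then Name; None if neither matches."""
    ident = claims.get(NAME_IDENTIFIER_CLAIM)
    if ident is not None:
        for u in users:
            i = u.identity_for(provider)
            if i is not None and i.identifier == ident:
                return u
    name = claims.get(NAME_CLAIM)
    if name is not None:
        for u in users:
            i = u.identity_for(provider)
            if i is not None and i.name == name:
                return u
    return None

def data_source_user_name(user: VinylUser, provider: str) -> str:
    """Name sent to a user-constrained data source: identity Name if defined, else the Vinyl user name."""
    i = user.identity_for(provider)
    return i.name if i is not None and i.name else user.user_name

# Constructed sample data (not from the page): provider names and values are illustrative.
USERS = [
    VinylUser("alice", [Identity("saml", "alice@corp.example", "urn:idp:1001")]),
    VinylUser("bob", [Identity("saml", "bob@corp.example")]),  # no immutable identifier recorded yet
]
```

Because the immutable identifier is checked first, a renamed account still resolves to the same Vinyl user, while an identity registered under a different provider never matches.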

Provider Groups

External authentication providers may define their own security groups (sometimes called roles or scopes). Security administrators can map these to Vinyl security groups.

Security provider groups have the following properties:

  • Provider - The security provider (user or data source) to which the group belongs.
  • Identifier - Unique name assigned by the security provider.
  • Group - The Vinyl security group to which the security provider group is mapped.

Registration

Security provider groups can be registered in one of two ways:

  1. Manual - Administrators can log into Vinyl and add security provider groups. This is typically necessary for data source security providers.
  2. Automatic - Vinyl can register new security provider groups during the user authentication process. At the same time, user group membership is updated. This feature is supported by the SAML and WS-Federation security providers. However, it must be explicitly enabled using the Supplies Group Membership flag.

Mapping

Regardless of how a security provider group is registered, it can be mapped to a Vinyl security group. Each security provider group can be mapped to one-and-only-one Vinyl security group.

Membership

Security provider groups can extend Vinyl user security group membership. When calculating a user's access rights, Vinyl will take into account both the user's direct security group membership, as well as any security groups that the user belongs to by way of the security provider.
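The registration, mapping and membership rules from the three sections above, as an added Python model (written for this page; not Vinyl's own code). It assumes a provider group is stored per (provider, identifier), that automatic registration happens only when the Supplies Group Membership flag is set, and that the sample users, providers and group names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProviderGroup:
    provider: str                # security provider the group belongs to
    identifier: str              # unique name assigned by the provider (e.g. a role claim value)
    group: Optional[str] = None  # the one Vinyl security group it maps to; None until mapped

class SecurityRegistry:
    def __init__(self):
        self.provider_groups = {}      # (provider, identifier) -> ProviderGroup
        self.direct_membership = {}    # vinyl user -> set of Vinyl security groups
        self.provider_membership = {}  # (vinyl user, provider) -> set of provider group identifiers

    def register(self, pg: ProviderGroup):
        # Manual registration by an administrator.
        self.provider_groups[(pg.provider, pg.identifier)] = pg

    def map_group(self, provider: str, identifier: str, vinyl_group: str):
        # Each provider group maps to one-and-only-one Vinyl security group.
        self.provider_groups[(provider, identifier)].group = vinyl_group

    def on_authenticated(self, provider: str, supplies_group_membership: bool, user: str, gids):
        # Automatic registration and membership refresh at login, only if the
        # provider's Supplies Group Membership flag is enabled.
        if not supplies_group_membership:
            return
        for gid in gids:
            self.provider_groups.setdefault((provider, gid), ProviderGroup(provider, gid))
        self.provider_membership[(user, provider)] = set(gids)

    def effective_groups(self, user: str) -> set:
        # Direct membership plus groups reached through mapped provider groups.
        groups = set(self.direct_membership.get(user, ()))
        for (member, prov), gids in self.provider_membership.items():
            for gid in (gids if member == user else ()):
                pg = self.provider_groups.get((prov, gid))
                if pg is not None and pg.group is not None:
                    groups.add(pg.group)
        return groups

def build_sample_registry() -> SecurityRegistry:
    # Constructed scenario (not from the page): user, provider and group names are illustrative.
    reg = SecurityRegistry()
    reg.direct_membership["alice"] = {"Everyone"}
    reg.register(ProviderGroup("saml", "Finance-Admins", group="Finance Administrators"))
    reg.on_authenticated("saml", True, "alice", ["Finance-Admins", "Marketing"])  # Marketing auto-registered, unmapped
    reg.on_authenticated("wsfed", False, "alice", ["Domain Admins"])  # flag off: nothing registered
    return reg
```

An auto-registered provider group grants nothing until an administrator maps it, so a new role asserted by the identity provider cannot silently widen a user's access.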