Skip to Content

Security provider - Application authentication


The Application Authentication security provider allows developers to build their own login forms. Developers can authenticate clients using an approach suitable to the application. For example, applications may want to:

  • Maintain their own user accounts.
  • Validate credentials with a third-party.
  • Verify a phone number by texting a One-time Passcode (OTP).
  • Allow clients to sign in semi-anonymously.

The Application Authentication security provider is fundamentally a form of external user authentication. However, instead of redirecting clients to a third-party Identity Provider (IdP), clients are redirected to a Vinyl page. Otherwise, the flow is the same.


See Configure application authentication for steps on how to configure Application Authentication.



Parameter Default Description Example
LoginPath None The Vinyl-root relative path to the login page. The path must begin with a '/'. The path must be URL encoded. /app/AppAuth/Sign%20In


An application authenticates clients by inserting into the Authenticate public data object. The Authenticate data object requires a ProviderId. The ProviderId identifies the Application Authentication security provider. In addition, the application must supply one or both of the following claims:

  • Name - User name claim, e.g. arthur.dent.
  • NameIdentifier - Persistent, opaque identifier. [1]

The application may target the following columns to supply additional claims:

  • EmailAddress - Email address, e.g.
  • FullName - Full name, e.g. Arthur Dent.
  • DisplayName - Display name, e.g. Arthur.
  • PhoneNumber - Phone number.
  • Group - String type, the name of the Group you'd like added. Limited to a single group.
  • AppUserId - Internal application user identifier.

Vinyl will map the supplied identity to a user account. If the identity cannot be mapped to a Vinyl user account and User Provisioning has been enabled, Vinyl will attempt to provision a user. If User Provisioning is not enabled or the account cannot be provisioned, an error will occur.

Once signed in, Vinyl will automatically redirect the user. If the sign in process began with a challenge, Vinyl will redirect the user to the page that issued the challenge. Otherwise, Vinyl will redirect the user to the default page, either the security provider default page or the user's default page.


Applications can initiate the sign-in process by issuing a challenge. To issue a challenge, insert into the Challenge public data object. Vinyl will then redirect the client to the Application Authentication security provider.

The Challenge data object requires a ProviderId. The ProviderId identifies the Application Authentication security provider.


The Anonymous user must have access to the application and pages which constitute the login form. Consider creating a separate application for authentication purposes. Typically, the Show On Menu and Treat As Default Application options will be disabled for this application.

By targeting the AppUserId column, developers can supply an internal identifier. Although Vinyl does not make use of the AppUserId, it is available to developers via the who('appuserid') function.

If either the application or the security provider belong to a realm, they must belong to the same realm.


  • Developers may only supply a single group claim.
  • The Application Authentication provider only supports the aforementioned well-known claims: it does not support arbitrary claims.
  • The Application Authentication provider may be used to sign users into Vinyl. It cannot be used to authorize users who are already signed in.

[1] Name Identifier Profiles and Management in SAML 2.0