User Authentication Methods¶

Overview¶

This guide provides an overview of the different User Authentication methods which can be configured with Vinyl and Vinyl applications. More detail for these methods can be found on linked articles and guides.

User Authentication Methods¶

Single-Sign On¶

Protocols:¶

WS-Federation
SAML
WAM

Examples:¶

Microsoft AZURE AD
OKTA
Salesforce
CA (SiteMinder)
Other OAUTH2 Providers

For more detail, please see:

Local User Authentication¶

The Local User security provider type is a forms-based authentication provider. It allows Users to log into Vinyl using a username and password. Passwords are stored within Vinyl.

For more detail, please see the User and Group Management: Local Authentication guide.

Windows Integrated Authentication¶

The web server is responsible for authenticating the User against a Windows domain. The authentication provider maps the Windows User to a Vinyl Identity.

For more detail, please see the Configuring Integrated Windows Authentication article.

Active Directory¶

The web server is responsible for authenticating the User against a Windows domain. The authentication provider maps the Windows User to a Vinyl Identity.

For more detail, please see the Security Provider - Active Directory article.

Application Authentication (Custom)¶

The Application Authentication security provider allows developers to build their own login forms. Developers can authenticate clients using an approach suitable to the application. For example, applications may want to:

Maintain their own User accounts.
Validate credentials with a third-party.
MFA: Verify a phone number by texting a One-time Passcode (OTP).
Allow clients to sign in semi-anonymously.

The Application Authentication security provider is fundamentally a form of external User Authentication. However, instead of redirecting clients to a third-party Identity Provider (IdP), clients are redirected to a Vinyl page. Otherwise, the flow is the same.

For more detail please see the Security Provider - Application Authentication and Configure Application Authentication articles.

Anonymous Access¶

Users who have not authenticated are considered "anonymous". Typically, anonymous Users are not granted privilege to Vinyl resources. As a result, anonymous Users are redirected to the Vinyl login page. This section describes how to grant anonymous Users' access to a Vinyl application.

Anonymous authentication is enabled by default. Any request not associated with a Vinyl User is automatically associated with the "anonymous" User. At which point, the request executes under the User principal "anonymous".

For more detail please see the Anonymous Access and HTTP Anonymous Authentication articles.

User Provisioning¶

Unlike most other security provider types, the User Provisioning provider type is not a User or data source authentication scheme. Instead, it enables programmatic creation of User accounts.

Vinyl does not allow developers to build CRUD rules that write directly to the Vinyl User and group tables. Instead, Vinyl exposes a public data object named User_Create. Developers can build XP CRUD rules that insert records into the User_Create data object, thus creating User accounts.

The User_Create data object requires a ProviderId. The ProviderId identifies the security provider configuration to use when creating a new User account. Typically, it identifies a User Provisioning security provider.

This approach allows developers to build applications which support User account creation while allowing security administrators to maintain control of the authorization policies applied to new User accounts. This is done with security provider groups. See User & Group Provisioning for more information.

Provider Security Groups¶

External authentication providers may define their own security groups (sometimes called roles or scopes). Security administrators can map these to Vinyl security groups.

Security provider groups have the following properties:

Provider - The security provider (User or data source) to which the group belongs.
Identifier - Unique name assigned by the security provider.
Group - The Vinyl security group to which the security provider group is mapped.