
Authentication mode


Based on how the system's users will be managed, the most appropriate authentication mode can be chosen for each scenario. The authentication modes the system offers fall into 3 groups, as shown below:

| User and password authentication | User and password authentication in a directory service | Authentication via SSO (Single Sign-On) with a directory service |
|---|---|---|
| Internal | NTLM v2 or LDAP | SAML 2.0 or OpenID Connect |

The 3 groups above can be used together by selecting one option from each group (SAML 2.0 can additionally be used together with OpenID Connect).


Except for the "Internal" authentication mode, all other modes depend on a domain configured within the system and are only relevant when there are users synchronized with a directory service.


The domain defines the settings required to connect to the LDAP directory service and is used both to synchronize system users with the authentication server and to authenticate them against it. More than one domain can be configured if the company has distributed LDAP servers in a "forest" infrastructure.


When should I select the "Internal" authentication type?

Use internal authentication for users created through SE Suite user creation, the web service, ADINTERFACE, or an XLS spreadsheet. This authentication option does not apply to users synchronized with a directory service.


When should I use a user and password authentication mode in a directory service (NTLM v2 or LDAP)?

These authentication modes are recommended when there are synchronized users and the authentication server and SE Suite are within the same domain, so there is no need to authenticate externally. With these protocols, credentials are managed by the authentication service.

With LDAP, communication can be considered simpler but less secure than with NTLM v2 or the single sign-on modes.

Using these options is not recommended when SE Suite runs in an environment external to the authentication server, such as a cloud server.


When should I select the SAML 2.0 or OpenID Connect authentication mode?

SAML (Security Assertion Markup Language) and OpenID Connect are standards widely used to implement single sign-on (SSO) solutions, but there are some major differences between them.

SAML is an older protocol, well established in the corporate environment, designed to facilitate the exchange of authentication and authorization data between different systems. SAML is XML-based and uses a complex system of assertions and tokens for secure SSO.

OpenID Connect, in turn, is a more recent protocol built on OAuth 2.0, an authorization framework widely adopted in web applications. OpenID Connect provides a simpler and lighter approach to SSO than SAML and is specifically designed for use in web and mobile applications.

One of the main differences between SAML and OpenID Connect is their architecture. SAML is based on a federated identity model, which means that identity and authentication data are stored and managed by a central identity provider (IdP) and shared with other service providers (SPs), as needed. OpenID Connect, on the other hand, uses a distributed identity model, which allows users to use their existing accounts with third-party identity providers (IdPs), such as Google or Facebook, for authentication with other applications.

Another difference between SAML and OpenID Connect is their level of complexity. SAML is a highly structured protocol with a steep learning curve and requires significant experience to implement and maintain. OpenID Connect, in turn, is much simpler and lighter and can be implemented and configured with relative ease by developers with basic knowledge of web application development.

In terms of security, both SAML and OpenID Connect provide strong protection against identity theft and other forms of attack. However, SAML is generally considered more secure because it uses XML signatures and other advanced security features.

Choosing between these two authentication modes depends on the specific requirements of your organization and on the applications you are using. If you mainly work with corporate applications and need a highly structured and secure SSO solution, SAML may be the best choice. On the other hand, if you need a simple and lightweight SSO solution, OpenID Connect may be a good option.


Regarding authentication into SE Suite, a noteworthy point is that SAML 2.0 authenticates only internal users, whereas OpenID Connect also supports the authentication of external users.