Configure authentication and single sign-on

Semarchy xDG provides functionalities to address multiple aspects of user authentication (i.e., identifying users) and authorization (i.e., controlling user access).

Overview

xDG comes with a built-in user management system—the internal identity provider (IDP)—to handle users, groups, and roles internally.

xDG allows you to:

  • Configure third-party IDPs to authenticate users and to supply authorization information. These include single sign-on (SSO) IDPs such as Google, Microsoft, OpenID Connect, and more.

  • Establish groups with distinct sets of privileges for accessing xDG features and applications. These groups can be assigned to users who connect via internal or third-party IDPs.

  • Create and manage users, and assign them specific groups and module access.

Identity management

Identity providers

The identity management configuration comprises one or more IDPs, each representing a method for users to log in to an xDG application.

Each IDP provides two main capabilities:

  • User authentication: the IDP verifies users' identities. Users either enter their credentials into a login form or authenticate through an external service (e.g., Google authentication) that redirects them back to xDG after authentication.

  • Mapping: for an authenticated user, the IDP can return the set of groups the user belongs to, or seed the user's profile information.

The configured IDPs determine the login process for xDG. For example, if two SSO IDPs are configured (e.g., Google and Microsoft), the login page presents users with the option to log in using either method.

Identity provider types

xDG natively supports IDPs using the following methods and protocols:

  • Social IDPs via SSO: a social identity provider delegates authentication to a trusted social media account. xDG supports prominent social networks like Google and Microsoft.

  • OpenID Connect via SSO: OpenID Connect serves as a standard protocol for SSO and is supported by IDPs such as Google, OKTA, Auth0, Microsoft Entra ID, and others.

  • Internal IDP: the built-in internal IDP stores user and group data within the platform. This IDP is configured by default. It is useful for internally defined users and groups in scenarios where there is no enterprise IDP in place.

Add an IDP

To add an identity provider:

  1. In the navigation drawer of the Site Administration interface, select Identity providers.
    The Identity providers view opens.

  2. In the header, click the Add provider button.
    The Add provider dialog opens.

  3. In the dialog:

    1. Select a provider type from the Type drop-down menu.

    2. Enter a name for the new IDP in the Name field.

    3. Click Confirm.
      The newly created IDP appears in the list.

  4. Click the IDP to configure it.
    The IDP editor opens.

  5. Enter the configuration properties for your IDP type. For detailed information about the required properties for each IDP type, see: