Authentication Methods
Digital.ai Agility supports multiple authentication methods for both on-premise and hosted deployments. This guide covers SAML SSO, NTLM SSO, and OID tokens.
Platform Identity Service
Starting October 19, 2022, you can connect your corporate identity provider using the Platform's Identity service. Once connected, Platform will act as an identity broker between your IdP (Identity Provider) and Digital.ai, allowing your users to securely access all products and the support, documentation, and community portals using the same credentials they use throughout your enterprise.
If you have not yet migrated your single sign-on (SSO) and user management to the Platform and want to do so, write to support@digital.ai for assistance.
If you are already using the Platform for SSO and want to learn more about the Identity service, click here. If you have any further questions, please reach out to your contact or write to support@digital.ai.
SAML SSO
Security Assertion Markup Language (SAML) is an XML-based framework for communicating user authentication, entitlement, and attribute information. Using SAML, organizations can centralize employee identity and authentication. Once authenticated, employees can access other protected resources in the organization without needing to re-authenticate. SAML enables web-based Single Sign-On (SSO) by redirecting the browser to a centralized authentication service when the user has not been authenticated.
Main Actors in SAML
- Identity Provider - The service responsible for authentication.
- Service Provider - The protected resource required by your employee.
SAML in Digital.ai Agility
SAML-based SSO is available to both on-demand (V1 hosted) and on-premise Agility customers. Using SAML, Agility integrates with your SSO environment and defers to your identity provider for user authentication when anyone attempts to access your Agility instance. This eliminates the need for separate credentials managed inside Agility. It also gives you better control over authentication and access, and more flexibility with password rules for your users.
The following diagram illustrates SAML SSO using the Digital.ai Agility web application:

Notes:
- This diagram illustrates an unauthenticated user flow that starts with the user trying to access the Agility web application.
- Agility requires external (3rd party) software to fulfill the Service Provider role, which is why Agility and the Service Provider are shown as separate entities.
Implementation Resources:
- On-Demand customers should review the On-Demand SSO article for additional information and configuration details.
- On-Premises customers should review the On-Premise SSO article for additional information and configuration details.
Additional SAML Resources
For additional information on SSO and SAML:
NTLM SSO
Integrated Windows Authentication (NTLM SSO) is only available for on-premise installations. Windows Integrated is an option that must be selected by the Digital.ai Agility administrator during installation.
For more details on the Integrated Windows Authentication protocol, see: MSDN Blog Post: Integrated Windows Authentication with NTLM
OID Tokens
An OID is a unique system identifier that is not typically visible in the Digital.ai Agility user interface. OID Tokens are used throughout the API for identifying and referencing assets.
OID Token Format
OID Tokens are composed of the name of an asset type and an integer ID.
Examples:
- Member:20 identifies a Member asset with ID of 20
- Story:1234 identifies a Story asset with ID of 1234
- Scope:0 identifies the root Scope (System All Projects)
Important: OID Tokens are not the same as the user-visible Number attribute available on many (but not all) assets. For example, a Story might have:
- OID Token: Story:1234
- Number attribute: S-01234
The Number is displayed in the UI while the OID Token is used for API operations.
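A strict parser for the OID Token format described above, useful for validating identifiers received from users or other systems before they are placed into an API request. This is an added example, not Digital.ai code: the names parse_oid, Oid and OidError are hypothetical, and the rules on asset type characters and leading zeros are assumptions, since the page only states "asset type name plus integer ID".

```python
import re
from typing import NamedTuple

# Format from the page: "<AssetType>:<integer ID>", e.g. Story:1234.
# Assumptions: type names are ASCII alphanumerics starting with a letter, and
# IDs have no leading zeros so each asset has exactly one accepted spelling.
_OID_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*:(0|[1-9][0-9]*)")
# User-visible Number attribute as shown on the page, e.g. S-01234.
_NUMBER_RE = re.compile(r"[A-Za-z]+-[0-9]+")


class OidError(ValueError):
    """Raised when a string is not a well-formed OID Token."""


class Oid(NamedTuple):
    asset_type: str
    asset_id: int

    def __str__(self) -> str:
        return f"{self.asset_type}:{self.asset_id}"


def parse_oid(token, allowed_types=None) -> Oid:
    """Parse an OID Token strictly; raise OidError for anything else."""
    if not isinstance(token, str):
        raise OidError("OID Token must be a string")
    # Give a specific error for the most common mix-up: passing the UI Number.
    if _NUMBER_RE.fullmatch(token):
        raise OidError(f"{token!r} is a Number attribute, not an OID Token")
    # fullmatch (not match with '$') so a trailing newline is rejected, and
    # [0-9] (not \d) so non-ASCII digits are rejected.
    if not _OID_RE.fullmatch(token):
        raise OidError(f"malformed OID Token: {token!r}")
    asset_type, _, raw_id = token.partition(":")
    # Optional allow-list: restrict which asset types a caller may reference.
    if allowed_types is not None and asset_type not in allowed_types:
        raise OidError(f"asset type {asset_type!r} is not permitted here")
    return Oid(asset_type, int(raw_id))


if __name__ == "__main__":
    # Constructed sample inputs, including values that must be refused.
    for sample in ["Member:20", "Scope:0", "S-01234", "Story:1234\n", "Story:1/../2"]:
        try:
            print(repr(sample), "->", parse_oid(sample))
        except OidError as exc:
            print(repr(sample), "-> rejected:", exc)
```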
Comparison of Authentication Methods
| Method | Availability | Use Case | Setup Complexity |
|---|---|---|---|
| SAML SSO | On-premise and hosted | Enterprise SSO with external IdP | Medium to High |
| NTLM SSO | On-premise only | Windows domain integration | Medium |
| Basic Auth + OID | All deployments | API integration, programmatic access | Low |
| Platform Identity Service | All deployments | Modern centralized identity management | Medium |