Version: Deploy 22.3

SSO Authentication Options

This topic discusses how to set up SSO authentication for external users that are in external IDPs.

Deploy supports role-based access control (RBAC) with two types of users:

  • Internal users that are created by a Deploy administrator and managed by Deploy.
  • External users that are maintained in an external IDP such as LDAP (for example, Active Directory), Keycloak, or Office 365.

For more information about roles, permissions, and internal users, see Manage Internal Users.

The rest of this topic discusses how to set up authentication for external users that are in external IDPs.

SSO with Digital.ai Deploy

Digital.ai Deploy supports single sign-on (SSO) authentication with external identity providers (IDPs).

OIDC, SAML, or LDAP?

You must choose one of OIDC, SAML, or LDAP. OIDC and SAML are the most widely used protocols and are supported by most modern IDPs, such as Azure AD (Office 365), Okta, Digital.ai Platform Identity Service, and Keycloak.

Note: Digital.ai Deploy has no direct support for SAML. However, you can integrate Deploy as an OIDC client with the Digital.ai Platform Identity Service and in turn connect the Digital.ai Platform Identity Service to your SAML-compliant IDP.

Integration is done via:

  • For OIDC-based IDPs: the OIDC plugin (xld-auth-oidc-plugin) together with configuration in the XL_DEPLOY_SERVER_HOME/centralConfiguration/deploy-server.yaml file.
  • For LDAP-based IDPs: the XL_DEPLOY_SERVER_HOME/conf/deployit-security.xml file.

Note: The OIDC (xld-auth-oidc-plugin) plugin is installed by default in Digital.ai Deploy.

Note: Digital.ai Deploy also supports integration with Windows Kerberos (SPNEGO), though it is not widely used. It is not recommended; prefer the modern and flexible OIDC-based IDPs, which are easier to set up and maintain.

Here's what you need to know to set up external authentication for Deploy depending on your site—JVM (on-premise) or Kubernetes (cloud)—and depending on your existing IDP, if any.

Authentication Options—On-premise Setup

Here's what you need to know to set up external authentication for Deploy on-premise.

Installing Deploy with Existing OIDC-compliant or SAML-compliant IDP

Use the Digital.ai Identity Service—recommended for sites that have OIDC or SAML compliant IDPs.

Integrate your IDP with Digital.ai Identity Service and later integrate Digital.ai Deploy with the Digital.ai Identity Service.

  • To simplify the SSO configuration and customer onboarding processes, Digital.ai has introduced its own Digital.ai Identity Service that supports multiple protocols.
  • We recommend you integrate Digital.ai Deploy with external IDPs via the Digital.ai Identity Service as it supports multiple protocols, configuration changes with almost nil downtime, and also supports user-friendly workflows for common tasks.

For more information, see Integrating Your Deploy Instance with Digital.ai Identity Service.

Note: Digital.ai Deploy has no direct support for SAML. However, you can integrate Deploy as an OIDC client with the Digital.ai Platform Identity Service and in turn connect the Digital.ai Platform Identity Service to your SAML-compliant IDP.

Integrate your Digital.ai Deploy directly with your OIDC-based IDP

For more information, see Set Up OIDC Authentication for Deploy.

Installing Deploy with an Existing LDAP IDP

  • The main use case is to integrate Deploy with LDAP servers.
  • Configuration is done by editing the XL_DEPLOY_SERVER_HOME/conf/deployit-security.xml file on the Deploy server and configuring the Spring beans defined there.
  • You can also integrate your LDAP server with the Digital.ai Identity Service and use the OIDC plugin with the Identity Service for SSO.
  • You must restart Deploy for any change you make to the XL_DEPLOY_SERVER_HOME/conf/deployit-security.xml file to take effect.

For more information, see Set Up LDAP Authentication for Deploy.
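As an added illustration of the Spring-bean style of configuration mentioned above (this fragment is not taken from this page or from the product's reference configuration; the bean IDs, hostname, DNs and the way Deploy's authentication manager references these beans are assumptions, and the exact wiring is in the linked topic), the following binds to an LDAP server over LDAPS with a read-only service account and maps LDAP group membership to roles:

```xml
<!-- Added example in Spring Security XML style. Bean IDs, host and DNs are
     assumptions; adapt them to the wiring described in the linked Deploy topic. -->
<bean id="ldapServer"
      class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <!-- ldaps:// so bind credentials and search results are not sent in clear text -->
  <constructor-arg value="ldaps://ldap.example.com:636/dc=example,dc=com" />
  <!-- Dedicated read-only service account, never an administrative account -->
  <property name="userDn" value="cn=deploy-svc,ou=service,dc=example,dc=com" />
  <!-- Placeholder: supply the bind password from your secret store -->
  <property name="password" value="REPLACE_WITH_BIND_PASSWORD" />
  <property name="baseEnvironmentProperties">
    <map>
      <!-- Ignore referrals so the client never follows them to another host -->
      <entry key="java.naming.referral" value="ignore" />
    </map>
  </property>
</bean>

<bean id="ldapAuthProvider"
      class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <!-- Authenticate by binding as the user, so Deploy never handles password hashes -->
  <constructor-arg>
    <bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <constructor-arg ref="ldapServer" />
      <property name="userSearch">
        <bean class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
          <!-- Search base is relative to the base DN given in the server URL -->
          <constructor-arg index="0" value="ou=people" />
          <!-- {0} is the login name; the filter itself is fixed, not user-supplied -->
          <constructor-arg index="1" value="(uid={0})" />
          <constructor-arg index="2" ref="ldapServer" />
        </bean>
      </property>
    </bean>
  </constructor-arg>
  <!-- Resolve group memberships under ou=groups and expose them as role names -->
  <constructor-arg>
    <bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <constructor-arg ref="ldapServer" />
      <constructor-arg value="ou=groups" />
      <property name="groupSearchFilter" value="(uniqueMember={0})" />
      <!-- Keep LDAP group names unchanged so they match the roles you grant in Deploy -->
      <property name="rolePrefix" value="" />
      <property name="searchSubtree" value="true" />
      <property name="convertToUpperCase" value="false" />
    </bean>
  </constructor-arg>
</bean>
```

As the list above notes, Deploy must be restarted for changes to this file to take effect.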

While existing customers can opt to continue using LDAP, new customers must consider moving to the more secure and flexible OIDC-based SSO authentication, preferably via the Digital.ai Identity Service.

Authentication Options—Kubernetes Setup

Here's what you need to know to set up external authentication for Deploy on Kubernetes.

Choose one of the options—listed in order of importance/preference.

  1. Use the Digital.ai Identity Service—recommended for sites that have OIDC or SAML compliant IDPs.

    Integrate your IDP with Digital.ai Identity Service and later integrate Digital.ai Deploy with the Digital.ai Identity Service.

    • To simplify the SSO configuration and customer onboarding processes, Digital.ai has introduced its own Digital.ai Identity Service that supports multiple protocols.
    • We recommend you integrate Digital.ai Deploy with external IDPs via the Digital.ai Identity Service as it supports multiple protocols, configuration changes with almost nil downtime, and also supports user-friendly workflows for common tasks.
    • While setting up the Digital.ai Identity Service involves some manual tasks at the moment, the idea is to let customers plug-and-play with the Digital.ai Identity Service as they come on board with Digital.ai Deploy.
  2. Use an External OIDC-compliant IDP

    Choose this option—external [External OIDC Configuration]—if you have set up an external OIDC authentication server such as Keycloak, Okta, or Azure Active Directory (Office 365).

  3. Use Deploy's Default Authentication (no-oidc [No OIDC Configuration])

    • This is the default value for the OIDC configuration step.
    • Choose this option to go with the native local user authentication that comes with Digital.ai Deploy.

For more information, see: