Version: Deploy 22.3

SSO Authentication Options

Internal and External Users

Release supports role-based access control (RBAC) with two types of users:

  • Internal users that are created by a Release administrator and managed by Release.
  • External users that are maintained in an external IDP such as Active Directory (LDAP), Keycloak, or Office 365.

For more information about roles, permissions, and internal users, see Manage Internal Users.

The rest of this topic discusses how to set up authentication for external users that are in external IDPs.

External Authentication with Digital.ai Release

Digital.ai Release supports single sign-on (SSO) authentication with external identity providers (IDPs). You can integrate Digital.ai Release with external IDPs that support OpenID Connect (OIDC), SAML or Spring Security.

OIDC, SAML, or LDAP?

Choose OIDC or SAML when your IDP supports them: these are the most widely used protocols, supported by most modern IDPs such as Azure AD (Office 365), Okta, Digital.ai Platform Identity Service, and Keycloak.

Choose Spring Security when your IDP requires it: this is a legacy option, but it is still actively used by IDPs such as LDAP-based Active Directory.

Note: Digital.ai Release has no direct support for SAML. However, you can integrate Release as an OIDC client with the Digital.ai Platform Identity Service and in turn connect the Digital.ai Platform Identity Service to your SAML-compliant IDP.

Integration with OIDC or Spring Security compliant IDPs is done via:

  • the OIDC (xlr-auth-oidc-plugin) plugin along with some configuration to the xl-release.conf file for OIDC-based IDPs.
  • configuration to the xl-release-security.xml file for Spring Security-based IDPs such as LDAP.

Note: The OIDC (xlr-auth-oidc-plugin) and Spring Security (xlr-auth-default-plugin) authentication plugins are installed by default in Digital.ai Release.

Note: Though not widely used, Digital.ai Release also supports integration with Windows Kerberos (SPNEGO). This is not recommended; prefer modern and flexible OIDC-based IDPs, which are easier to set up and maintain.

Important: You can have only one of the plugins—OIDC (xlr-auth-oidc-plugin) or Spring Security (xl-release-security.xml file)—active at a given point in time.

External Authentication Options

Here's what you need to know to set up external authentication for Release depending on your site—JVM (on-premise) or Kubernetes (cloud)—and depending on your existing IDP, if any.

Installing Release with Existing OIDC-compliant or SAML-compliant IDP

Choose one of the options—listed in order of importance/preference.

  1. Use the Digital.ai Identity Service—recommended for sites that have OIDC or SAML compliant IDPs.

    Integrate your IDP with Digital.ai Identity Service and later integrate Digital.ai Release with the Digital.ai Identity Service.

    • To simplify the SSO configuration and customer onboarding processes, Digital.ai has introduced its own Digital.ai Identity Service, which supports multiple protocols.
    • We recommend that you integrate Digital.ai Release with external IDPs via the Digital.ai Identity Service, as it supports multiple protocols, allows configuration changes with almost no downtime, and provides user-friendly workflows for common tasks.

    For more information, see: Integrate Your Release instance with Digital.ai Identity Service.

    Note: Digital.ai Release has no direct support for SAML. However, you can integrate Release as an OIDC client with the Digital.ai Platform Identity Service and in turn connect the Digital.ai Platform Identity Service to your SAML-compliant IDP.

  2. Integrate your Digital.ai Release directly with your OIDC-based IDP

    For more information, see Set Up OIDC Authentication for Release.

Installing Release with Existing Spring Security-based IDP (LDAP)

  • This is the legacy configuration option that has been available in Release right from the beginning.
  • Configuration is done by editing the Spring beans in the xl-release-security.xml file on the server.
  • The main use case is to integrate Release with LDAP servers.
  • You must restart Release for any change you do to the xl-release-security.xml file.

You must choose Spring Security-based integration if you use LDAP in your organization.

For more information, see Set Up LDAP Authentication for Release.

While existing customers can opt to continue with LDAP, new customers should consider moving to the more secure and flexible OIDC-based SSO authentication, preferably via the Digital.ai Identity Service.

Installing Release on Kubernetes

Choose one of the options—listed in order of importance/preference.

  1. Use the Digital.ai Identity Service—recommended for sites that have OIDC or SAML compliant IDPs.

    Integrate your IDP with Digital.ai Identity Service and later integrate Digital.ai Release with the Digital.ai Identity Service.

    • To simplify the SSO configuration and customer onboarding processes, Digital.ai has introduced its own Digital.ai Identity Service, which supports multiple protocols.
    • We recommend that you integrate Digital.ai Release with external IDPs via the Digital.ai Identity Service, as it supports multiple protocols, allows configuration changes with almost no downtime, and provides user-friendly workflows for common tasks.
    • While setting up the Digital.ai Identity Service involves some manual tasks at the moment, the idea is to let customers plug-and-play with the Digital.ai Identity Service as they come on board with Digital.ai Release.

  2. Use the Embedded Keycloak that Comes with Release

    Choose this option—embedded [Embedded Keycloak Configuration]—if you want to set up a Keycloak server as part of your Release installation or upgrade.

    • The Kubernetes Operator-based installer supports installing Release with embedded Keycloak.
    • In this setup, Keycloak takes care of connecting to the customer-specific Identity Provider.
    • A vast array of protocols is supported, not only OIDC but also SAML, GitHub, and so on.
    • Moreover, changes in configuration are instantaneous and don’t require a restart.
    • The idea is that Keycloak is bundled with the Kubernetes Operator-based installer and works out of the box, eliminating the need for any complex configuration steps.

  3. Use an External OIDC-compliant IDP

    Choose this option—external [External OIDC Configuration]—if you have set up an external OIDC authentication server such as Keycloak, Okta, or Azure Active Directory (Office 365).

  4. Use Release's Default Authentication (no-oidc [No OIDC Configuration])

    • This is the default value for the OIDC configuration step.
    • Choose this option to go with the native local user authentication that comes with Digital.ai Release.

For more information, see: