Version: Release 22.3

Authentication Options

This topic discusses how to set up SSO authentication for external users that are in external IDPs.

Release supports role-based access control (RBAC) with two types of users:

  • Internal users that are created by a Release administrator and managed by Release.
  • External users that are maintained in an external IDP such as LDAP Active Directory, Keycloak, or Office 365.

For more information about roles, permissions, and internal users, see Manage Internal Users.

The rest of this topic discusses how to set up authentication for external users that are in external IDPs.

SSO with Digital.ai Release

Digital.ai Release supports single sign-on (SSO) authentication with external identity providers (IDPs).

OIDC, SAML, or LDAP?

You can choose OIDC or SAML, the most widely used protocols, which are supported by most modern IDPs such as Azure AD (Office 365), Okta, Digital.ai Platform Identity Service, and Keycloak. Alternatively, you can choose LDAP.

Note: Digital.ai Release has no direct support for SAML. However, you can integrate Release as an OIDC client with the Digital.ai Platform Identity Service and in turn connect the Digital.ai Platform Identity Service to your SAML-compliant IDP.

Integration is done via:

  • For OIDC-based IDPs: the OIDC plugin (xlr-auth-oidc-plugin), along with some configuration in the xl-release.conf file.
  • For LDAP-based IDPs: the xl-release-security.xml file.

Note: The OIDC (xlr-auth-oidc-plugin) and LDAP (xlr-auth-default-plugin) authentication plugins are installed by default in Digital.ai Release.

Note: Though not widely used, Digital.ai Release supports integration with Windows Kerberos (SPNEGO). This is not recommended; modern and flexible OIDC-based IDPs, which are easy to set up and maintain, are preferred.

Here's what you need to know to set up external authentication for Release depending on your site—JVM (on-premise) or Kubernetes (cloud)—and depending on your existing IDP, if any.

Authentication Options—On-premise Setup

Here's what you need to know to set up external authentication for Release on-premise.

Installing Release with Existing OIDC-compliant or SAML-compliant IDP

Use the Digital.ai Identity Service (recommended for sites that have OIDC-compliant or SAML-compliant IDPs).

First integrate your IDP with the Digital.ai Identity Service, and then integrate Digital.ai Release with the Digital.ai Identity Service.

  • To simplify the SSO configuration and customer onboarding processes, Digital.ai has introduced its own Digital.ai Identity Service that supports multiple protocols.
  • We recommend that you integrate Digital.ai Release with external IDPs via the Digital.ai Identity Service, as it supports multiple protocols, allows configuration changes with almost no downtime, and provides user-friendly workflows for common tasks.

For more information, see: Integrate Your Release instance with Digital.ai Identity Service.

Note: Digital.ai Release has no direct support for SAML. However, you can integrate Release as an OIDC client with the Digital.ai Platform Identity Service and in turn connect the Digital.ai Platform Identity Service to your SAML-compliant IDP.

Integrate your Digital.ai Release directly with your OIDC-based IDP

For more information, see Set up OIDC Authentication for Release.

Installing Release with an Existing LDAP IDP

  • The main use case is to integrate Release with LDAP servers.
  • Configuration is done in the xl-release-security.xml file on the Release server, by configuring the Spring beans defined in that file.
  • You can also integrate your LDAP server with the Digital.ai Identity Service and use the OIDC plugin with the Identity Service for SSO.
  • You must restart Release after any change you make to the xl-release-security.xml file.

For more information, see Set up LDAP Authentication for Release.

While existing customers can opt to stay with LDAP, new customers must consider moving to a more secure and flexible OIDC-based SSO authentication, preferably via the Digital.ai Identity Service.

Authentication Options—Kubernetes Setup

Here's what you need to know to set up external authentication for Release on Kubernetes.

Choose one of the following options, listed in order of preference.

  1. Use the Digital.ai Identity Service (recommended for sites that have OIDC-compliant or SAML-compliant IDPs).

    First integrate your IDP with the Digital.ai Identity Service, and then integrate Digital.ai Release with the Digital.ai Identity Service.

    • To simplify the SSO configuration and customer onboarding processes, Digital.ai has introduced its own Digital.ai Identity Service that supports multiple protocols.
    • We recommend that you integrate Digital.ai Release with external IDPs via the Digital.ai Identity Service, as it supports multiple protocols, allows configuration changes with almost no downtime, and provides user-friendly workflows for common tasks.
    • While setting up the Digital.ai Identity Service involves some manual tasks at the moment, the idea is to let customers plug-and-play with the Digital.ai Identity Service as they come on board with Digital.ai Release.
  2. Use an External OIDC-compliant IDP

    Choose this option, external [External OIDC Configuration], if you have set up an external OIDC authentication server such as Keycloak, Okta, or Azure Active Directory (Office 365).

  3. Use Release's Default Authentication (no-oidc [No OIDC Configuration])

    • This is the default value for the OIDC configuration step.
    • Choose this option to go with the native local user authentication that comes with Digital.ai Release.

For more information, see: