SSO Authentication Options
Internal and External Users
Deploy supports role-based access control (RBAC) with two types of users:
- Internal users that are created by a Deploy administrator and managed by Deploy.
- External users that are maintained in an external IDP such as LDAP Active Directory, Keycloak, or Office 365.
For more information about roles, permissions, and internal users, see Manage Internal Users.
The rest of this topic discusses how to set up authentication for external users that are in external IDPs.
External Authentication with Digital.ai Deploy
Digital.ai Deploy supports single sign-on (SSO) authentication with external identity providers (IDPs). You can integrate Digital.ai Deploy with external IDPs that support OpenID Connect (OIDC), SAML, or Spring Security.
OIDC, SAML, or LDAP?
Choose OIDC or SAML if your IDP supports them; these are the most widely used protocols and are supported by most modern IDPs such as Azure AD (Office 365), Okta, Digital.ai Platform Identity Service, and Keycloak.
Choose Spring Security if your IDP is LDAP-based, such as LDAP-based Active Directory; this is a legacy integration that is still actively used.
Note: Digital.ai Deploy has no direct support for SAML. However, you can integrate Deploy as an OIDC client with the Digital.ai Platform Identity Service and in turn connect the Digital.ai Platform Identity Service to your SAML-compliant IDP.
Integration with OIDC or Spring Security compliant IDPs is done via:
- the OIDC (xld-auth-oidc-plugin) plugin along with some configuration in the XL_DEPLOY_SERVER_HOME/centralConfiguration/deploy-server.yaml file for OIDC-based IDPs.
- configuration in the XL_DEPLOY_SERVER_HOME/conf/deployit-security.xml file for Spring Security-based IDPs.
Note: The OIDC (xld-auth-oidc-plugin) plugin is installed by default in Digital.ai Deploy.
Note: Though not widely used, Digital.ai Deploy supports integration with Windows Kerberos (SPNEGO). This is not recommended; modern OIDC-based IDPs are more flexible and easier to set up and maintain.
Important: You can have only one of the plugins—OIDC (xld-auth-oidc-plugin) or Spring Security (the XL_DEPLOY_SERVER_HOME/conf/deployit-security.xml file)—active at a given point in time.
External Authentication Options
Here's what you need to know to set up external authentication for Deploy depending on your site—JVM (on-premise) or Kubernetes (cloud)—and depending on your existing IDP, if any.
Installing Deploy with Existing OIDC-compliant or SAML-compliant IDP
Choose one of the options—listed in order of importance/preference.
- Use the Digital.ai Identity Service—recommended for sites that have OIDC or SAML compliant IDPs. Integrate your IDP with Digital.ai Identity Service and later integrate Digital.ai Deploy with the Digital.ai Identity Service.
  - To simplify the SSO configuration and customer onboarding processes, Digital.ai has introduced its own Digital.ai Identity Service that supports multiple protocols.
  - We recommend you integrate Digital.ai Deploy with external IDPs via the Digital.ai Identity Service as it supports multiple protocols, configuration changes with almost nil downtime, and also supports user-friendly workflows for common tasks.
  For more information, see Integrating Your Deploy Instance with Digital.ai Identity Service.
Note: Digital.ai Deploy has no direct support for SAML. However, you can integrate Deploy as an OIDC client with the Digital.ai Platform Identity Service and in turn connect the Digital.ai Platform Identity Service to your SAML-compliant IDP.
- Integrate your Digital.ai Deploy directly with your OIDC-based IDP. For more information, see Set Up OIDC Authentication for Deploy.
Installing Deploy with Existing Spring Security-based IDP (LDAP)
- This is the legacy configuration option that has been available in Deploy right from the beginning.
- Configuration is done by editing the XL_DEPLOY_SERVER_HOME/conf/deployit-security.xml file on the server and configuring the Spring beans in there.
- The main use case is to integrate Deploy with LDAP servers.
- You must restart Deploy for any change you make to the XL_DEPLOY_SERVER_HOME/conf/deployit-security.xml file.
You must choose Spring Security-based integration if you use LDAP in your organization.
For more information, see Set Up LDAP Authentication for Deploy.
While existing customers can continue to use LDAP, new customers must consider moving to the more secure and flexible OIDC-based SSO authentication, preferably via the Digital.ai Identity Service.
Installing Deploy on Kubernetes
Choose one of the options—listed in order of importance/preference.
- Use the Digital.ai Identity Service—recommended for sites that have OIDC or SAML compliant IDPs. Integrate your IDP with Digital.ai Identity Service and later integrate Digital.ai Deploy with the Digital.ai Identity Service.
  - To simplify the SSO configuration and customer onboarding processes, Digital.ai has introduced its own Digital.ai Identity Service that supports multiple protocols.
  - We recommend you integrate Digital.ai Deploy with external IDPs via the Digital.ai Identity Service as it supports multiple protocols, configuration changes with almost nil downtime, and also supports user-friendly workflows for common tasks.
  - While setting up the Digital.ai Identity Service involves some manual tasks at the moment, the idea is to let customers plug-and-play with the Digital.ai Identity Service as they come on board with Digital.ai Deploy.
- Use the Embedded Keycloak that Comes with Deploy. Choose this option (embedded [Embedded Keycloak Configuration]) if you want to set up a Keycloak server as part of your Deploy installation or upgrade.
  - The Kubernetes Operator-based installer supports installing Deploy with embedded Keycloak.
  - In this setup, Keycloak takes care of connecting to the customer-specific Identity Provider.
  - A vast array of protocols is supported, not only OIDC but also SAML, GitHub, and so on.
  - Moreover, changes in configuration are instantaneous and don't require a restart.
  - The idea is that Keycloak is bundled with the Kubernetes Operator-based installer and works out of the box, eliminating the need for any complex configuration steps.
- Use an External OIDC-compliant IDP. Choose this option (external [External OIDC Configuration]) if you have set up an external OIDC authentication server such as Keycloak, Okta, or Azure Active Directory (Office 365).
- Use Deploy's Default Authentication (no-oidc [No OIDC Configuration]). This is the default value for the OIDC configuration step.
  - Choose this option to go with the native local user authentication that comes with Digital.ai Deploy.
For more information, see: