
Providers and identities

Providers

The App Builder security model supports multiple, configurable security providers. Each security provider fulfills one or more of the following roles:

  • User authentication
  • Data source authentication
  • Connection-level security
  • Authorization policies

You can configure security providers using the import/export functionality.

Provider types

App Builder ships with the following provider types:

  • Jitterbit Harmony - Authenticates HTTP requests to Jitterbit API Manager endpoints.
  • JWT SSO - Custom single sign-on (SSO) protocol.
  • Rewrite URL - Restores a URL rewritten by a reverse proxy.
  • Local user - Forms-based authentication provider.
  • Salesforce - Salesforce authentication and authorization using OAuth2. (3.1, 3.2, 3.3)
  • SAML - SAML Single Sign-On (SSO). (3.1, 3.2, 3.3)
  • SAML Identity Provider - SAML Single Sign-On (SSO) authentication. (3.1, 3.2)
  • WS-Federation - WS-Federation SSO. (3.1, 3.2, 3.3)
  • Integrated Windows Authentication (IWA) - SSO scheme for Active Directory domains. (3.1, 3.2, 3.3)
  • Active Directory (AD) - Forms-based authentication provider.
  • Web access management (WAM) - SSO scheme for legacy Web Access Management systems.
  • OAuth - OAuth authorization provider. (3.1, 3.2, 3.3)
  • OpenID Connect - Enables support for OpenID Connect 1.0.
  • HTTP - Authenticates HTTP client requests to REST APIs. (3.1, 3.2, 3.3)
  • OData - OData data source authentication schemes.
  • SAP OData Services - SAP NetWeaver Gateway OData Service authentication schemes. (3.1, 3.2, 3.3)
  • SuccessFactors OData - SuccessFactors OData web service authentication schemes. (3.1, 3.2, 3.3)
  • SuccessFactors password - Forms-based user authentication provider.
  • User provisioning - Programmatic user registration.
  • API key - REST API authentication provider.

Each provider defines a set of parameters. These can be configured by the site administrator. App Builder ships with a configuration which enables a default set of security providers.

Identity management

Authentication security providers and some data source security providers require additional configuration to map App Builder users and security groups to third-party user accounts and groups.

Identities

Identities map third-party user accounts to local App Builder users and vice versa. A user may only have one identity for a given security provider.

Identities have the following properties:

  • Provider - The security provider (user or data source) which owns the identity.
  • Name - Unique user name assigned by the security provider. This corresponds to the Name claim in claims-based authentication.
  • Identifier - Unique, immutable identifier assigned by the security provider. This corresponds to the NameIdentifier claim in claims-based authentication. This parameter is optional.

Identities are required when delegating user authentication to external security providers such as Salesforce or SAML Single Sign-On (SSO). App Builder maps the supplied claims to an App Builder user via a matching identity. App Builder will attempt to match the NameIdentifier claim. If that fails, App Builder will attempt to map the Name claim.

Identities can also be used for data source authentication. Some data sources support user-constrained authentication (as opposed to service accounts). When authenticating such data source requests, the security provider will use the identity Name if defined. If not, the security provider will fall back to the App Builder user name. The identity's Identifier is not used.

Provider groups

External authentication providers may define their own security groups (sometimes called roles or scopes). Security administrators can map these to App Builder security groups.

Security provider groups have the following properties:

  • Provider - The security provider (user or data source) to which the group belongs.
  • Identifier - Unique name assigned by the security provider.
  • Group - The App Builder security group to which the security provider group is mapped.

Registration

Security provider groups can be registered in one of two ways:

  1. Manual - Administrators can log into App Builder and add security provider groups. This is typically necessary for data source security providers.
  2. Automatic - App Builder can register new security provider groups during the user authentication process. At the same time, user group membership is updated. This feature is supported by the SAML and WS-Federation security providers. However, it must be explicitly enabled using the Supplies Group Membership flag.

Mapping

Regardless of how a security provider group is registered, it can be mapped to an App Builder security group. Each security provider group can be mapped to one-and-only-one App Builder security group.

Membership

Security provider groups can extend App Builder user security group membership. When calculating a user's access rights, App Builder will take into account both the user's direct security group membership, as well as any security groups that the user belongs to by way of the security provider.
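
The claim matching described under Identities and the membership calculation above, modeled as an added Python sketch (not App Builder code). The record layout, function names, and sample users and groups are constructed; exact-string matching and ignoring unmapped provider groups are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data; this models the documented rules only.
@dataclass(frozen=True)
class Identity:
    provider: str
    name: str                          # Name claim
    user: str                          # local App Builder user
    identifier: Optional[str] = None   # NameIdentifier claim (optional)

IDENTITIES = [
    Identity("SAML", "alice@example.com", "alice", "idp-0001"),
    Identity("SAML", "bob@example.com", "bob"),  # no Identifier stored
]
# Each provider group maps to exactly one App Builder security group.
PROVIDER_GROUPS = {
    ("SAML", "idp-finance"): "Finance",
    ("SAML", "idp-admins"): "Administrators",
}
DIRECT_GROUPS = {"alice": {"Users"}, "bob": {"Users", "Finance"}}

def resolve_user(provider, claims):
    """Return (user, matched_claim): try NameIdentifier, then Name.

    Returning which claim matched lets an audit log distinguish logins
    bound to the immutable identifier from logins bound to the name.
    """
    mine = [i for i in IDENTITIES if i.provider == provider]
    name_id = claims.get("NameIdentifier")
    if name_id is not None:
        for ident in mine:
            if ident.identifier == name_id:
                return ident.user, "NameIdentifier"
    name = claims.get("Name")
    if name is not None:
        for ident in mine:
            if ident.name == name:
                return ident.user, "Name"
    return None, None  # no matching identity: no local user is mapped

def effective_groups(user, provider, claimed_groups):
    """Direct membership plus groups reached via mapped provider groups."""
    via_provider = {
        PROVIDER_GROUPS[(provider, g)]
        for g in claimed_groups
        if (provider, g) in PROVIDER_GROUPS  # assumption: unmapped = ignored
    }
    return DIRECT_GROUPS.get(user, set()) | via_provider
```

When reviewing a provider group mapping, the union in `effective_groups` is the point to check: a group supplied by the external provider grants the mapped App Builder group even when the user is not a direct member of it.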