Skip to Content

Application authentication security provider in Jitterbit App Builder

Overview

The Application Authentication security provider allows developers to build their own login forms. Developers can authenticate clients using an approach suitable to the application. For example, applications may want to:

  • Maintain their own user accounts.
  • Validate credentials with a third-party.
  • Verify a phone number by texting a One-time Passcode (OTP).
  • Allow clients to sign in semi-anonymously.

The Application Authentication security provider is fundamentally a form of external user authentication. However, instead of redirecting clients to a third-party Identity Provider (IdP), clients are redirected to an App Builder page. Otherwise, the flow is the same.

Note

See Configure application authentication for steps on how to configure Application Authentication.

Configuration

Parameters

Parameter Default Description Example
LoginPath None The App Builder-root relative path to the login page. The path must begin with a '/'. The path must be URL encoded. /app/AppAuth/Sign%20In

Authentication

An application authenticates clients by inserting into the Authenticate public data object. The Authenticate data object requires a ProviderId. The ProviderId identifies the Application Authentication security provider. In addition, the application must supply one or both of the following claims:

  • Name - User name claim, e.g. arthur.dent.
  • NameIdentifier - Persistent, opaque identifier. [1]

The application may target the following columns to supply additional claims:

  • EmailAddress - Email address, e.g. arthur.dent@example.com
  • FullName - Full name, e.g. Arthur Dent.
  • DisplayName - Display name, e.g. Arthur.
  • PhoneNumber - Phone number.
  • Group - String type, the name of the Group you'd like added. Limited to a single group.
  • AppUserId - Internal application user identifier.

App Builder will map the supplied identity to a user account. If the identity cannot be mapped to an App Builder user account and User Provisioning has been enabled, App Builder will attempt to provision a user. If User Provisioning is not enabled or the account cannot be provisioned, an error will occur.

Once signed in, App Builder will automatically redirect the user. If the sign in process began with a challenge, App Builder will redirect the user to the page that issued the challenge. Otherwise, App Builder will redirect the user to the default page, either the security provider default page or the user's default page.

Challenge

Applications can initiate the sign-in process by issuing a challenge. To issue a challenge, insert into the Challenge public data object. App Builder will then redirect the client to the Application Authentication security provider.

The Challenge data object requires a ProviderId. The ProviderId identifies the Application Authentication security provider.

Design

The Anonymous user must have access to the application and pages which constitute the login form. Consider creating a separate application for authentication purposes. Typically, the Show On Menu and Treat As Default Application options will be disabled for this application.

By targeting the AppUserId column, developers can supply an internal identifier. Although App Builder does not make use of the AppUserId, it is available to developers via the who('appuserid') function.

If either the application or the security provider belong to a realm, they must belong to the same realm.

Limitations

  • Developers may only supply a single group claim.
  • The Application Authentication provider only supports the aforementioned well-known claims: it does not support arbitrary claims.
  • The Application Authentication provider may be used to sign users into App Builder. It cannot be used to authorize users who are already signed in.

[1] Name Identifier Profiles and Management in SAML 2.0