Third-party authentication uses a trusted, external identity provider to validate user credentials before granting access to one or more IT systems. The authentication process returns identifying information, such as a username and group membership, that is used to authorize or deny the requested access.
What is an identity provider?
A trusted, external system that administers user accounts, and is responsible for providing user authentication and identity information to relying applications over a distributed network.
What are the benefits of using an identity provider?
- Can impose advanced authentication requirements, like the use of smartcards or Multi-Factor Authentication (MFA), to increase confidence that a user is who they say they are.
- Decouples the process of authentication (verifying that an entity is what it
claims to be) from the process of authorization (establishing the rights an entity
has over the features and resources of a system).NOTE: Security Center only uses an external identity provider for user authentication. Authorization is handled internally, using partitions and privileges.
- Allows Single Sign-On (SSO), where one user authentication grants access to multiple IT systems or even organizations.
What methods of third-party authentication does Security Center support?Security Center supports the following third-party authentication methods:
- Active Directory integration
- ADFS using the WS-Trust protocol or WS-Federation protocol
- External identity provider using the OpenID Connect protocol
- External identity provider using the SAML 2.0 protocol
NOTE: Users authenticated by an external identity provider are only created in Security Center at first logon. Unlike with Active Directory, you cannot import external users to Security Center when the Authentication Service role connects to an identity provider.
To use third-party authentication, the following conditions must be met:
- Security Center clients must have network access to the external identity provider.
- A TLS encryption certificate for the identity provider must be trusted by the Security Center client.
- The scalability of the Directory is not impacted by third-party authentication.
- User logons using third-party authentication are expected to take slightly longer than native authentication, because they require the client to connect to one or more remote identity providers before connecting to the Directory.