PeopleStrong Authentication Service
PeopleStrong Authentication Service is an OIDC and OAuth 2.0 based Identity Provider (IDP) as well as an Identity Broker (IDB) service.
To give users access to PeopleStrong and Partner resources, the IDB service can connect to different external IDPs.
From a user perspective, an IDB provides a user-centric and centralized way to manage identities across different security domains or realms. An existing account can be linked with one or more identities from different IDPs or even created based on the identity information obtained from them.
As an intermediary service, the IDB establishes a trust relationship with the partner's or customer's IDP in order to use the identities it issues.
Once that trust is established, users can seamlessly access resources and log in to PeopleStrong and Partner portals without re-entering credentials (SSO).
The PeopleStrong Auth Server's services (IDP and IDB) support the following authentication protocols to establish trust and provide SSO.
Understanding SSO Integration
The PeopleStrong Authentication Server's IDB (Identity Broker) service sits between the client and the customer's own IDP. Trust is established between the IDB and the IDP and is configurable per tenant or realm (endpoint URLs, protocol, token parameters), which is what allows incoming tokens to be validated.
Token transformation happens at the IDB level: for example, a SAML assertion from the customer's IDP is converted into the corresponding OIDC tokens used for internal authentication.
Field mappings are defined per tenant or realm in the PeopleStrong Auth Server. They control which additional user-level fields (e.g. email, employee code) are propagated into the token, and service providers can use those fields for user mapping and related authorization decisions.
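The two preceding paragraphs describe the broker validating an inbound SAML assertion against the realm's trust configuration and then carrying only the realm-mapped attributes into the OIDC claim set. The following is an added illustration, not PeopleStrong's own code: the realm configuration, the `REALM_CONFIG` structure, the endpoint names and the sample assertion are all constructed for the example, and signature verification of the assertion is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical per-realm trust and field-mapping configuration (constructed).
REALM_CONFIG = {
    "acme": {
        "trusted_issuer": "https://idp.acme.example/saml",
        "audience": "https://auth.peoplestrong.example/realms/acme",
        "field_map": {"mail": "email", "employeeNumber": "employee_code"},
    }
}

# Constructed sample assertion; a real one is signed and verified before this step.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.acme.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://auth.peoplestrong.example/realms/acme</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@acme.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeNumber"><saml:AttributeValue>E1042</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_to_oidc_claims(assertion_xml, realm, now=None):
    """Check the assertion against the realm's trust config and return the OIDC
    claims the broker would issue; raise ValueError so nothing is issued otherwise."""
    cfg = REALM_CONFIG[realm]
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg["trusted_issuer"]:
        raise ValueError("issuer not trusted for realm")
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != cfg["audience"]:
        raise ValueError("assertion not intended for this broker")
    cond = root.find("saml:Conditions", namespaces=NS)
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if (now or datetime.now(timezone.utc)) >= expiry:
        raise ValueError("assertion expired")
    claims = {"iss": cfg["audience"], "sub": root.findtext(".//saml:NameID", namespaces=NS)}
    # Only attributes listed in the realm field map are propagated into the token.
    for attr in root.findall(".//saml:Attribute", namespaces=NS):
        oidc_name = cfg["field_map"].get(attr.get("Name"))
        if oidc_name:
            claims[oidc_name] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return claims
```

Note that the unmapped `department` attribute is dropped, so the realm's field map acts as an allow-list for what reaches downstream service providers.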
The following diagram shows the flow of SSO integration with customers. In this scenario the customer's users authenticate with the customer's IDP and want to access PeopleStrong Alt Portals and resources. When a user arrives at an Alt Portal, they may or may not already be authenticated at their own portal.
Once the user has logged in to the PS Auth Server, subsequent requests are served exactly as for users who authenticated directly with the PS Authentication Server.
The diagram below shows the flow of SSO integration with a partner. In this scenario a user who has already logged in to the Alt Portal, either through direct login or through SSO from the customer's portal, wants to access the partner's portals.