Authentication and Authorization Overview
To ensure system security and to provide a tailored user experience, applications perform user authentication and authorization, matching a user to users in a registered users database and applying assigned profiles. LogicNets provides multiple options for authentication and authorization, both internal and external. This document provides the details for using those varied authentication methods.
Several LogicNets system applications, including user management, Designer, and Knowledge Center, require user authentication and authorization for specific functionality. Customer applications and access to remote resources through web-services may also require user authentication and authorization.
LogicNets supports OAuth 2.0/OpenID Connect (Authorization Code Flow). The LogicNets system provides different components to implement authentication and authorization flows and includes an internal user database for storing user information, passwords, and roles. LogicNets can also use external Identity providers—Azure AD (Office 365), Windows Live, Gmail, Windows Authentication and others—to implement single sign-on (SSO) functionality.
Internal User Authentication
With LogicNets' internal user authentication, the system stores the user’s password in the LogicNets admin database. When a user tries to log on, the system compares the password the user enters with the one stored in this admin database. If the user's credentials match, the user is authenticated and the system identifies the user's assigned profile details.
- The user starts a LogicNets application.
- The LogicNets run-time detects that the application requires authentication and redirects the user to the LogicNets Logon Module.
- The user fills in the user credentials and the LogicNets Logon module validates these.
- When the credentials are correct the user is redirected back to the LogicNets application.
- The run-time requests for the user access token
- The logon module returns the user access token. This token contains information about the user such as the user-name, email address, company name etc. and it contains information about the user roles and groups. The run-time checks whether the application roles are listed in the user access token.
External User Authentication
LogicNets applications can also use external user authentication. When this is used, the application does not access internal authentication methods but instead redirects the browser to an external identity provider logon screen. The external identity provider checks the user’s username and password, and if the user has entered the correct credentials the identify provider sends an authorization token with the user’s identity back to the LogicNets system. The LogicNets system verifies that this user is authorized to use this application.
Using external user authentication has distinct advantages, including the following:
- The user does not need to remember multiple passwords and usernames.
- Password expiry handling is managed by the external identity provider.
- Support for multi-pass authentication is possible.
- LogicNets does not need to store and secure passwords.
Authorization can be either role-based or user-based. When an application uses role-based authorization the LogicNets system only maintains a list of authorized user roles. If a logged on user has a role that matches one of the listed roles the system will allow the user to use the application. The advantage of this approach is that no specific user information is managed in the application.
If the external identity provider does not support role-based authentication the system must implement user-based authorization instead. For this type of authorization, the system maintains a list of authorized users, and when a user logs on the system looks up the user's id in the list of authorized users. If the system finds a match it grants the user access to the application.
The following sequence chart illustrates the high-level concept of using external identity providers.