Bring your Own Identity with ACP
Description of the BYOID concept by ACP
BYOID concept
Authorization Control Plane (ACP) does not provide any built-in authentication or user management capabilities. Instead, ACP integrates with your existing identity and authentication providers using open standards (such as OIDC, SAML, and SCIM) or custom connectors.
BYOID benefits
- The Bring Your Own Identity Provider (BYOIDP) concept lets you take advantage of ACP OAuth and authorization capabilities without replacing your existing Identity and Access Management (IAM) product(s).
- The ability to integrate with multiple identity providers and normalize disparate identity attributes provides a unified authorization layer regardless of the source of user attributes.
How BYOID works
IDP integrations are configured at the workspace level, which offers a flexible way to integrate with internal partners' or clients' identity providers. Workspace-level integration lets the organization use a distinct source of user data for administrators, service owners, developers (including third-party ones), and consumers, which enforces a practical separation of duties.
During user authentication with external identity providers, regardless of the protocol, ACP creates an ephemeral authentication context for the user or the service. This meta session includes all data attributes provided by the external IDP.
Note
ACP can extend the authentication context and include additional custom attributes using protocols (such as SCIM, LDAP, and REST) or custom plugins. Such combined attributes are stored in the ACP’s authentication context in a normalized fashion and can be utilized as part of the identity context attribute validation in the policy design.
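The normalization described above can be sketched as follows. This is an added example, not ACP code or its API: the IDP names, claim mappings, `build_context`, and `is_admin` are hypothetical, and the rule that extension attributes never override IDP-asserted ones is a design choice of this sketch.

```python
# Added illustration, not ACP code: every name and mapping here is hypothetical.
from dataclasses import dataclass

# Constructed per-IDP mappings: normalized attribute name -> source claim name.
MAPPINGS = {
    "corp-oidc": {"user_id": "sub", "email": "email", "groups": "groups"},
    "partner-oidc": {"user_id": "sub", "email": "mail", "groups": "memberOf"},
}

@dataclass(frozen=True)
class AuthnContext:
    idp: str
    raw: dict          # everything the external IDP provided
    attributes: dict   # normalized view used by policies
    sources: dict      # normalized attribute -> "idp" or "extension"
    expires_at: float  # the context is ephemeral

def build_context(idp, claims, extensions, now, ttl=300):
    mapping = MAPPINGS.get(idp)
    if mapping is None:
        raise ValueError(f"no mapping for IDP {idp!r}")  # fail closed
    attrs, sources = {}, {}
    for name, claim in mapping.items():
        if claim in claims:
            value = claims[claim]
            if name == "groups" and isinstance(value, str):
                value = [value]  # some IDPs send a single group as a string
            attrs[name], sources[name] = value, "idp"
    if "user_id" not in attrs:
        raise ValueError("IDP asserted no subject")
    # Qualify the subject with its IDP so equal 'sub' values never collide.
    attrs["user_id"] = f"{idp}:{attrs['user_id']}"
    for name, value in extensions.items():
        if name not in attrs:  # enrichment never overrides an IDP-asserted value
            attrs[name], sources[name] = value, "extension"
    return AuthnContext(idp, dict(claims), attrs, sources, now + ttl)

def is_admin(ctx, now):
    # Policy-side check written once against normalized names.
    return now < ctx.expires_at and "admins" in ctx.attributes.get("groups", [])

# Constructed sample inputs from two differently shaped IDPs.
CORP = build_context("corp-oidc",
    {"sub": "42", "email": "a@corp.example", "groups": ["admins"]},
    {"department": "finance"}, now=1000.0)
PARTNER = build_context("partner-oidc",
    {"sub": "42", "mail": "b@partner.example", "memberOf": "viewers"},
    {"groups": ["admins"], "department": "sales"}, now=1000.0)
```

The `sources` map records where each normalized attribute came from, so a policy can tell an IDP-asserted value from an enriched one.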
Supported IDPs
Supported types of identity providers
- OIDC
  - Ability to integrate with any OIDC-enabled identity provider
- Custom
  - Ability to integrate with SSO-based WAM products via custom extensions
- SAML
  - Coming soon
Attribute extensions
Supported methods of attribute extensions
- Custom
  - Ability to integrate with SSO-based WAM products via custom extensions
- SCIM
  - Coming soon
- LDAP
  - Coming soon
- REST
  - Coming soon