Bring your Own Identity with ACP
Description of the BYOID concept in ACP
Authorization Control Plane (ACP) does not provide any built-in authentication or user management capabilities. Instead, ACP integrates with your existing identity and authentication providers using open standards (such as OIDC, SAML, and SCIM) or custom connectors.
- The Bring Your Own Identity Provider (BYOIDP) concept lets you take advantage of ACP's OAuth and authorization capabilities without replacing your existing Identity and Access Management (IAM) product(s).
- The ability to integrate with multiple identity providers and normalize disparate identity attributes provides a unified authorization layer regardless of where the user attributes come from.
How BYOID works
IDP integrations are configured at the workspace level, which gives you a flexible way to integrate with the identity providers of internal teams, partners, or clients. Workspace-level integration lets an organization use a distinct source of user data for administrators, service owners, developers (including third-party ones), and consumers, which makes separation of duties practical to enforce.
During user authentication with an external identity provider, regardless of the protocol, ACP creates an ephemeral authentication context for the user or the service. This meta session includes all data attributes provided by the external IDP.
ACP can extend the authentication context with additional custom attributes using protocols (such as SCIM, LDAP, and REST) or custom plugins. The combined attributes are stored in ACP's authentication context in a normalized form and can be used for identity-context attribute validation when designing policies.
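The flow above, normalizing attributes from two differently shaped providers into one ephemeral context, enriching it from a secondary source, and evaluating a policy against the normalized result, as an added Python sketch that is not ACP's own code or API. The provider ids, attribute names, mapping table and policy rule are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed mappings from each provider's native attribute names onto one
# unified schema. The provider ids and names are illustrative assumptions,
# not ACP configuration keys.
IDP_MAPPINGS = {
    "oidc-employees": {"sub": "subject", "email": "email", "groups": "groups"},
    "saml-partner": {
        "NameID": "subject",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
        "memberOf": "groups",
    },
}

@dataclass
class AuthContext:
    """Ephemeral identity context assembled for a single authentication."""
    idp: str
    attributes: dict = field(default_factory=dict)

def normalize(idp: str, raw: dict) -> AuthContext:
    """Translate provider-specific attributes into the unified schema,
    dropping anything the mapping does not know about."""
    mapping = IDP_MAPPINGS[idp]
    attrs = {}
    for key, value in raw.items():
        target = mapping.get(key)
        if target is None:
            continue
        if target == "groups":  # SAML may send one string, OIDC a list
            value = sorted([value] if isinstance(value, str) else value)
        attrs[target] = value
    return AuthContext(idp=idp, attributes=attrs)

def enrich(ctx: AuthContext, extra: dict) -> AuthContext:
    """Add attributes from a secondary source (e.g. a SCIM lookup) without
    letting it override what the authenticating provider asserted."""
    merged = {**extra, **ctx.attributes}
    return AuthContext(idp=ctx.idp, attributes=merged)

def policy_allows(ctx: AuthContext, required_group: str) -> bool:
    """Sample policy evaluated on the normalized context only: it needs an
    email, membership in required_group, and an 'active' flag from enrichment."""
    a = ctx.attributes
    return (
        "email" in a
        and required_group in a.get("groups", [])
        and a.get("active") is True
    )
```

The policy never looks at provider-specific names, so the same rule applies whether the user arrived via OIDC or SAML.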