The orchestrator can be used to manage authentication and authorization for many different kinds of applications. The configurations used to describe these applications and how user identities interact with them are listed under
- Proxy applications are protected by the orchestrator acting as a reverse proxy. The orchestrator intercepts all traffic bound for the application and decides which users are allowed through. Typically a proxy app redirects unauthenticated users to an IDP for authentication, then admits them to locations on the protected app according to authorization policies, optionally adding headers the app requires, populated from claims or attributes supplied by the IDP. Because the app trusts those headers, the app must be reachable only through the orchestrator, and the orchestrator must overwrite any client-supplied header of the same name rather than pass it through; otherwise a user could forge an identity by setting the header directly.
- SAML applications are applications that use the orchestrator as a SAML IDP. The app definition is a service provider (SP, or client) configuration for a corresponding SAML provider (samlProvider) defined on the same orchestrator. A SAML provider can support multiple SAML apps, and each SAML app normally corresponds to a single SAML-enabled web application. Users are authenticated against a backing IDP or directory service, but authorization policy is enforced by the application based on the SAML assertions the orchestrator issues. The application is therefore responsible for validating each assertion (signature, audience restriction and validity window) before acting on its attributes.
- OIDC applications are applications that use the orchestrator as an OIDC IDP. The app definition describes an OIDC client for a corresponding OIDC provider (oidcProvider) defined on the same orchestrator. An OIDC provider can support multiple OIDC apps, and each OIDC app normally corresponds to a single OIDC-enabled web application. Users are authenticated against a backing IDP or directory service, but authorization policy is enforced by the application based on the claims in the tokens the orchestrator issues. Since one provider serves several apps, each application must check that a token's issuer is its provider and that its aud matches the app's own client ID; otherwise a token minted for one app could be presented to another.
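To make the proxy-app flow concrete, here is an added example (illustrative Go code, not the orchestrator's implementation and not its configuration syntax) of a minimal gateway that does what the proxy bullet describes: unauthenticated requests are redirected to an assumed IDP login URL, authenticated ones are matched against per-location policies with deny-by-default, and identity headers are populated from the session's claims so that a client-supplied copy of the same header never reaches the app. The session store, the policy rules, the header names X-Forwarded-User and X-Forwarded-Groups, the login URL and the echo backend are all constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Identity is what the gateway learned about the user from the IDP (constructed claims).
type Identity struct {
	Subject string
	Groups  []string
}

// Policy admits members of Groups (any authenticated user when Groups is empty) to
// paths under Prefix. The longest matching prefix wins; no match at all means deny.
type Policy struct {
	Prefix string
	Groups []string
}

// ProxyApp is an illustrative proxy-app gateway, not the orchestrator's own code.
type ProxyApp struct {
	loginURL string
	policies []Policy
	sessions map[string]Identity // session cookie -> identity (stand-in for a real session store)
	proxy    *httputil.ReverseProxy
}

// Authorize applies the longest-prefix policy to the identity's groups.
func (p *ProxyApp) Authorize(id Identity, path string) bool {
	var best *Policy
	for i := range p.policies {
		if pol := &p.policies[i]; strings.HasPrefix(path, pol.Prefix) && (best == nil || len(pol.Prefix) > len(best.Prefix)) {
			best = pol
		}
	}
	if best == nil || len(best.Groups) == 0 {
		return best != nil // unlisted location: deny; listed without groups: any authenticated user
	}
	for _, g := range id.Groups {
		for _, allowed := range best.Groups {
			if g == allowed {
				return true
			}
		}
	}
	return false
}

func (p *ProxyApp) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	id, ok := Identity{}, false
	if c, err := r.Cookie("session"); err == nil {
		id, ok = p.sessions[c.Value]
	}
	if !ok { // unauthenticated: send the browser to the IDP, remembering where it was going
		http.Redirect(w, r, p.loginURL+"?return_to="+url.QueryEscape(r.URL.RequestURI()), http.StatusFound)
		return
	}
	if !p.Authorize(id, r.URL.Path) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	// Work on a copy (handlers must not mutate the inbound request). Header.Set replaces
	// any client-supplied value, so a forged X-Forwarded-* header never reaches the app.
	out := r.Clone(r.Context())
	out.Header.Set("X-Forwarded-User", id.Subject)
	out.Header.Set("X-Forwarded-Groups", strings.Join(id.Groups, ","))
	p.proxy.ServeHTTP(w, out)
}

// DemoProxy wires a ProxyApp in front of a stand-in backend that echoes the identity
// headers it received, with a constructed session store and a two-rule policy.
func DemoProxy() (*ProxyApp, *httptest.Server) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "user=%s groups=%s", r.Header.Get("X-Forwarded-User"), r.Header.Get("X-Forwarded-Groups"))
	}))
	target, _ := url.Parse(backend.URL)
	return &ProxyApp{
		loginURL: "https://idp.example.com/login",
		policies: []Policy{{Prefix: "/"}, {Prefix: "/admin/", Groups: []string{"admins"}}},
		sessions: map[string]Identity{
			"sess-alice": {Subject: "alice", Groups: []string{"staff"}},
			"sess-bob":   {Subject: "bob", Groups: []string{"staff", "admins"}},
		},
		proxy: httputil.NewSingleHostReverseProxy(target),
	}, backend
}

// Probe sends one request through the gateway, always carrying a forged
// X-Forwarded-Groups header that must not survive, and returns status and body.
func Probe(app *ProxyApp, cookie, path string) (int, string) {
	req := httptest.NewRequest("GET", path, nil)
	req.Header.Set("X-Forwarded-Groups", "admins")
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	}
	rec := httptest.NewRecorder()
	app.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}
```

Probe always injects a spoofed X-Forwarded-Groups: admins; the backend echo shows that what arrives is the session's groups, not the client's. Keeping the backend bound to localhost or a private network so that only the gateway can reach it is the other half of the same guarantee and is not something the code can enforce.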
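Because authorization for SAML and OIDC apps is enforced by the application itself, the app has to validate what the orchestrator issued before it trusts a single claim. The following added example (illustrative Go code, not the orchestrator's implementation) shows the OIDC side: a stand-in provider mints an RS256 ID token, and the relying app verifies algorithm, signature, issuer, audience and expiry before applying its own group-based policy. The audience check is the one that matters when one provider serves several apps. The issuer URL, the client ID payroll, the custom groups claim, the single-string aud and the freshly generated key are assumptions for the example; the same checks (signature, audience, validity window) apply to SAML assertions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims this application acts on. "groups" is an
// assumed custom claim; iss, sub, aud and exp are the standard ones.
type Claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Aud    string   `json:"aud"` // single audience for the example; real tokens may carry an array
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups,omitempty"`
}

var enc = base64.RawURLEncoding

// MintIDToken plays the OIDC provider: an RS256-signed JWT over the claims. It is a
// constructed stand-in for the orchestrator, which would issue this via the OIDC flow.
func MintIDToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// SwapPayload keeps a token's header and signature but substitutes new claims,
// which is what a user editing their own token looks like on the wire.
func SwapPayload(token string, c Claims) string {
	parts := strings.Split(token, ".")
	body, _ := json.Marshal(c)
	return parts[0] + "." + enc.EncodeToString(body) + "." + parts[2]
}

// Verifier is one OIDC app's view of its provider: signing key, trusted issuer, and its own client_id.
type Verifier struct {
	Key      *rsa.PublicKey
	Issuer   string
	ClientID string
	Now      func() time.Time
}

// Verify checks alg, signature, issuer, audience and expiry, in that order, and
// only then hands the claims to the application's authorization logic.
func (v Verifier) Verify(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, errors.New("unsupported or malformed header") // pin the algorithm; never accept "none"
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, digest[:], sig) != nil {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if raw, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return Claims{}, errors.New("malformed payload")
	}
	switch {
	case c.Iss != v.Issuer:
		return Claims{}, errors.New("wrong issuer")
	case c.Aud != v.ClientID:
		return Claims{}, errors.New("token was issued for a different OIDC app")
	case !v.Now().Before(time.Unix(c.Exp, 0)):
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// AuthorizeClaims is the application's own policy, applied only to verified claims.
func AuthorizeClaims(c Claims, required string) bool {
	for _, g := range c.Groups {
		if g == required {
			return true
		}
	}
	return false
}

// DemoOIDCApp creates a fresh provider key and the verifier for one app, "payroll".
func DemoOIDCApp() (*rsa.PrivateKey, Verifier, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, Verifier{}, err
	}
	return key, Verifier{Key: &key.PublicKey, Issuer: "https://orchestrator.example.com", ClientID: "payroll", Now: time.Now}, nil
}
```

A token minted for a different client ID under the same provider (say, a wiki app) carries a valid signature from the same key, so signature verification alone accepts it; only the aud check tells the payroll app that the token is not its own.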