OAuth2 / SAML Authentication
Authentication is a pillar of APS security. The solution supports several modern standards to enable secure and seamless access (Single Sign-On).
Server Authentication (Modern Auth)
In the v23 architecture deployed on Kubernetes, authentication is managed at the server level by a proxy (OAuth2-Proxy) acting upstream of the application.
OAuth2 / OpenID Connect (OIDC) Flow
- The user attempts to access a protected section (e.g., /internal/*).
- The ingress controller (Nginx Ingress) checks the authentication status with OAuth2-Proxy.
- If the user is not logged in, they are redirected to the identity provider (Azure AD, Keycloak, etc.).
- After validation of credentials and membership in authorized groups, the user is redirected to APS with a valid session.
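The wiring behind that flow, as an added example (not APS's own manifests or documentation): an Nginx Ingress rule that hands every request under /internal/* to OAuth2-Proxy before it reaches APS, and the OAuth2-Proxy Deployment that performs the OIDC login and the group-membership check. The hostname aps.example.com, the namespace, the service names, the tenant/client ids and the group value are constructed placeholders.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: aps-internal
  namespace: aps
  annotations:
    # nginx auth_request: 202 from OAuth2-Proxy = allowed, 401 = not logged in
    nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
    # on 401, send the user to the IdP login, then back to the requested URL
    nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
    # pass the resolved identity on to APS so it can build its session
    nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,X-Auth-Request-Groups"
spec:
  ingressClassName: nginx
  rules:
    - host: aps.example.com
      http:
        paths:
          - path: /internal
            pathType: Prefix
            backend:
              service:
                name: aps-web
                port:
                  number: 80
---
# OAuth2-Proxy Deployment (args only); route /oauth2/ to its Service (port 4180) in a second Ingress
apiVersion: apps/v1
kind: Deployment
metadata:
  name: oauth2-proxy
  namespace: aps
spec:
  selector: { matchLabels: { app: oauth2-proxy } }
  template:
    metadata: { labels: { app: oauth2-proxy } }
    spec:
      containers:
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:<pinned-release>
          args:
            - --provider=oidc
            - --oidc-issuer-url=https://login.microsoftonline.com/<TENANT-ID>/v2.0  # placeholder tenant
            - --client-id=<CLIENT-ID>
            - --redirect-url=https://aps.example.com/oauth2/callback
            - --email-domain=*
            - --allowed-group=<GROUP-ID-AS-IN-GROUPS-CLAIM>  # membership check on the groups claim
            - --set-xauthrequest=true                       # emit the X-Auth-Request-* headers above
            - --reverse-proxy=true                          # trust X-Forwarded-* from the ingress
            - --upstream=static://202                       # auth-only mode: 202 once authenticated
```

The client secret and cookie secret are supplied from a Kubernetes Secret through the OAUTH2_PROXY_CLIENT_SECRET and OAUTH2_PROXY_COOKIE_SECRET environment variables rather than on the command line.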
SAML 2.0 Support
APS can also be configured as a SAML Service Provider (SP) to integrate with identity providers (IdPs) such as:
- ADFS (Active Directory Federation Services)
- Okta
- Ping Identity
SAML Configuration
SAML configuration is typically done at the web.config file level or via specific security modules upstream of the IIS server.
API Authentication
For third-party applications or automated scripts (M2M, machine-to-machine), authentication can be done via:
- Basic Authentication (not recommended over the Internet).
- Bearer Tokens (JWT) issued by a centralized authorization server.
- Client Certificates for maximum security between servers.
Directory Synchronization
Regardless of the chosen authentication method, APS allows automatic synchronization of user information (name, email, groups) from the source directory (LDAP, Azure AD Graph API) via dedicated agents such as the SynchronizationAzureADAgent.