Authentication Providers
WEM supports SAML2.0 and OAuth2.0
Some external blogs about SAML vs OAuth:
The blog from StrongDM gives a clear explanation of the differences between SAML and OAuth and of when to use each.
In short: SAML is the more secure option for user identification and authentication (login, single sign-on) and is well suited in WEM for letting users log in to your WEM application from your existing identity management environment (such as Microsoft Azure AD or Entra ID).
OAuth, on the other hand, is well suited for letting users access their own resources (or your company's shared resources) and external apps from within your WEM application, using the OAuth authorization mechanism. Example: use Microsoft Graph via OAuth to access files and resources in a secure way.
Typically, SAML is for Authentication (who are you, what is your identity) and OAuth is for Authorization (what are you allowed to do or see, what are your permissions and privileges). Both can be used side-by-side in WEM. SAML is a bit like a house key. It grants you access to the facility. OAuth is a bit like the rules of the house that dictate what the person can and can't do once inside.
An application may require users to log onto the system (authentication). That means the application needs some form of user management: users must authenticate themselves and must be authorized to access the application. To do this you have several options:
Create all user management functionality as part of your application (a good example is available in My WEM that you can use as a base: look for the Basic Authentication project in Quick Starters or the App Store);
Use an external authentication provider. In this case the WEM application relies on the external provider to authenticate users. You may still need to link those users to an application-specific list of users for additional details or for specific in-app authorizations.
Using an external authentication provider, such as Microsoft's Active Directory or Entra ID, means that users usually log onto their company network only once and do not need to log in separately to an application (like your WEM application) that relies on that provider. This is also known as "Single Sign-On" (or SSO).
The two most widely used protocols by authentication providers are SAML and OAuth2.
SAML is used for authentication and authorization and is mostly found in corporate/enterprise environments. Microsoft (Active Directory / Entra ID), Google (G Suite), Oracle and Salesforce are just a few companies with SAML-based authentication and authorization products.
OAuth2 is mostly used as an authorization protocol and is widely used by social platforms such as Facebook, LinkedIn and Twitter. Many mobile apps use OAuth2 to authorize users to use the app ("Log in with your Facebook account").
WEM supports both protocols. In the flowchart documentation about the authentication nodes you can find how to use these in your application. But before you can use them, the authentication providers need to be configured. That is the focus of this article.
First, choose which type (SAML or OAuth) you want to set up. Then go to the appropriate folder (SAML 2.0 authentication or OAuth 2.0 authorization) in the project tree and click on the Add authentication provider option in the context menu [...].
Give your identity provider a name that will be used throughout the WEM Modeler.
Next, continue with either SAML or OAuth settings...