PingOne Advanced Identity Cloud

Authentication and roles

When a user authenticates, the user is given a set of default internal roles. These roles determine what Advanced Identity Cloud resources the user can access. Advanced Identity Cloud includes a number of default internal roles on the openidm/internal/roles endpoint. You can configure additional internal roles to customize how you restrict access to the server.

The following internal roles are defined by default:

openidm-admin

IDM administrator role, excluded from the reauthorization required policy definition by default.

openidm-authorized

Default role for any user who authenticates with a username and password.

openidm-cert

Default role for any user who authenticates with mutual SSL authentication.

This role applies only to mutual authentication. The shared secret (certificate) must be adequately protected. The openidm-cert role is excluded from the reauthorization required policy definition by default.

openidm-reg

Assigned to users who access Advanced Identity Cloud with the default anonymous account.

The openidm-reg role is excluded from the reauthorization required policy definition by default.

openidm-tasks-manager

Role for users who can be assigned to workflow tasks.

platform-provisioning

Role for platform provisioning access.

When a user authenticates, Advanced Identity Cloud calculates that user’s roles as follows:

  • Each authentication module includes a defaultUserRoles property. Depending on how the user authenticates, Advanced Identity Cloud assigns the roles listed in that module’s defaultUserRoles property to the user on authentication. The defaultUserRoles property is specified as an array. For most authentication modules, the user obtains the openidm-authorized role on authentication. For example:

    {
    "name" : "MANAGED_USER",
    "properties" : {
        ...
        "defaultUserRoles" : [
            "internal/role/openidm-authorized"
        ]
    },
    ...
}

  • The userRoles property in an authentication module maps to an attribute (or list of attributes) in a user entry that contains that user’s authorization roles. This attribute is usually authzRoles, unless you have changed how user roles are stored.

    Any internal roles that are conditionally applied are also calculated and included in the user’s authzRoles property at this point.

  • If the authentication module includes a groupRoleMapping, groupMembership, or groupComparison property, Advanced Identity Cloud can assign additional roles to the user, depending on the user’s group membership on an external system. Learn more in Map external groups to internal authz roles.

    The roles calculated in sequence are cumulative. Roles with temporal restrictions aren’t included in that list if the current time is outside of the time assigned to the role.

Dynamic role calculation

By default, Advanced Identity Cloud calculates a user’s roles only on authentication. You can configure Advanced Identity Cloud to recalculate a user’s roles dynamically, with each request, instead of only when the user reauthenticates. To enable this feature, set enableDynamicRoles to true in the JWT_SESSION session module in the authentication configuration.

Roles, authentication, and the security context

The security context (context.security), consists of a principal (defined by the authenticationId property) and an access control element (defined by the authorization property).

If authentication is successful, the authentication framework sets the principal. Advanced Identity Cloud stores that principal as the authenticationId.

The authorization property includes an id, an array of roles, and a component, that specifies the resource against which authorization is validated.