Relativity includes a full set of APIs allowing you to configure authentication for your instance and users. Using Relativity's APIs you can perform the same actions programmatically that you normally would perform manually through the user interface. Typical use cases for the API include provisioning new users automatically and migrating users between environments.
To familiarize yourself with the general concepts of Relativity's authentication system, see Authentication and other related pages on the Relativity
The authentication APIs use the following concepts:
The authentication profile allows you to define up to one of each of the following: Password, Integrated Authentication, Active Directory, RSA, and Client Certificate. You can also define any number of OpenID Connect and SAML external identity providers. The API enforces validation rules such as making sure there are no logic conflicts or inconsistencies in your authentication profile.
This section outlines the steps required to configure authentication in your Relativity environment.
The API allows you to enable or disable authentication protocols on an environment level. As a best practice, you should only enable the protocols that you actually want to use in the environment. Relativity currently ships with all Provider Types enabled by default, and you can disable the ones you do not want to use.
See Authentication provider type for additional information and code samples.
Note: In a future release we expect to ship with all authentication provider types disabled by default except for Password. You should write your update logic to explicitly enable or disable Provider Types based on your individual requirements.
The Global Profile defines the environment-wide configuration options for each Authentication Provider (that is, Password, RSA, OpenID Connect). Some Providers have many options (such as Password) whereas some have just a few. The Global Profile has properties for each of the Provider Types.
See Authentication profile for additional information and code samples.
Note: In the current implementation of the authentication API, there is a single global authentication profile. This single entity is called the Global Profile. Admins currently do not have the ability to create multiple profiles.
In a future version of Relativity we expect to support multiple authentication profiles in order to support multiple login pages within the same environment. The idea is to structure the API so that we can support a multi-tenant, self-service model in the future. This is why Provider Types are separate from the authentication profile - even though they look redundant. In a multi-tenant scenario, an infrastructure admin could globally enable the protocols they want to support, while a tenant admin could customize their individual login page and settings.
Note: If you change any OpenID Connect or SAML 2.0 Providers on the authentication profile, you must perform an IIS reset on every web server in your environment. An upcoming release will correct this so that the authentication profile updates dynamically on each server.
See Login profile for additional information and code samples.
The authentication API enforces several business rules when working with the Profiles. These rules enforce consistency and safety in the authentication configuration. If you violate any of the validation rules while saving an Authentication or Login profile, the API will return an error and will let you know how to correct the error.
Some of the key business rules include:
Note that it is perfectly valid to configure some users for RSA, some for Password, and some for Active Directory. The restriction is that a specific user can only have one of those three Methods at a time. There are no user restrictions on any of the other Provider Types.
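A pre-flight check for the two rules stated on this page (at most one of each single-instance provider on a profile, and only one of Password, RSA, or Active Directory per user), together with an explicit enable/disable decision for every provider type. This is an added example, not Relativity's code, and it does not call the Relativity API; the function names and sample data are assumptions constructed for illustration.

```python
from collections import Counter

# Provider types named on this page. SINGLETON types may appear at most once per profile.
SINGLETON = {"Password", "Integrated Authentication", "Active Directory",
             "RSA", "Client Certificate"}
MULTI = {"OpenID Connect", "SAML"}
# A single user may hold only one of these three methods at a time.
EXCLUSIVE_PER_USER = {"Password", "RSA", "Active Directory"}


def plan_provider_types(profile_providers):
    """Decide enabled/disabled for EVERY provider type, so the outcome does not
    depend on which types a given release ships enabled by default."""
    required = set(profile_providers)
    unknown = required - (SINGLETON | MULTI)
    if unknown:
        raise ValueError(f"unknown provider types: {sorted(unknown)}")
    return {ptype: ptype in required for ptype in sorted(SINGLETON | MULTI)}


def check_profile(profile_providers):
    """Return an error for each single-instance type defined more than once."""
    counts = Counter(profile_providers)
    return [f"profile defines {n} {ptype} providers; at most one is allowed"
            for ptype, n in sorted(counts.items())
            if ptype in SINGLETON and n > 1]


def check_users(user_methods):
    """user_methods maps a user name to the method types assigned to that user."""
    errors = []
    for user, methods in sorted(user_methods.items()):
        clash = sorted(EXCLUSIVE_PER_USER & set(methods))
        if len(clash) > 1:
            errors.append(f"{user}: has {', '.join(clash)}; only one is allowed per user")
    return errors


# Constructed sample data (hypothetical profile and users).
PROFILE = ["Password", "RSA", "Active Directory", "OpenID Connect", "OpenID Connect"]
USERS = {"alice": ["Password", "OpenID Connect"],
         "bob": ["RSA", "Password"],
         "carol": ["Active Directory"]}

if __name__ == "__main__":
    for ptype, enabled in plan_provider_types(PROFILE).items():
        print(f"{ptype}: {'enable' if enabled else 'disable'}")
    for problem in check_profile(PROFILE) + check_users(USERS):
        print("ERROR:", problem)
```

Running the checks before submitting changes surfaces conflicts locally; the API's own validation remains the authority on what it accepts.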