Identity Provider Reference Guide
In GlobalAI, a Provider is an authentication method and service used by the platform to verify users for an associated application. Providers and applications typically exist in a 1-to-1 relationship; every application requires a provider and every provider can be used with one application.
This guide provides a high-level reference of supported identity providers. For detailed configuration steps and provider-specific options, see the official documentation.
Supported Provider Types
| Provider Type | Protocol | Primary Use Case |
|---|---|---|
| SAML | SAML 2.0 | Integrating with Service Providers (SP) using the SAML2 protocol. |
| OAuth2 / OIDC | OAuth2 / OIDC | Standard web-based authorization, machine-to-machine, and device flows. |
| LDAP | LDAP/S | Integration with services using LDAP, supporting LDAPS and SSSD for Linux. |
| SCIM | SCIM 2.0 | Provisioning and syncing users and groups from GlobalAI into other applications. |
| RADIUS | RADIUS | Applications that don't support other protocols or explicitly require RADIUS. |
| RAC | RDP / SSH / VNC | Allowing users browser-based access to remote Windows, macOS, and Linux machines. |
| Google Workspace | Sync / SAML | Integration with a Google Workspace organization to act as its source of truth. |
| Microsoft Entra ID | Sync / OAuth | Integration with an Entra ID tenant to act as the source of truth for users and groups. |
| Proxy | Custom | Providing authentication for applications that don't natively support SSO protocols. |
| SSF | SSF | Sharing asynchronous real-time security signals across applications (for example, Apple Business Manager). |
Detailed Characteristics
The key capabilities, requirements, and behaviors of each supported provider type are listed below:
SAML Provider
- Metadata Exchange: Uses XML metadata to exchange certificates, entity IDs, Assertion Consumer Service (ACS) URLs, and logout URLs.
- Trust and Security: Employs signing certificates to prove data authenticity and integrity, and encryption certificates to keep user attributes confidential.
- Property Mapping: Aligns user attributes between the Identity Provider (IdP) and Service Provider (SP) using labels such as URN OIDs or schema references.
OAuth2 and OpenID Connect (OIDC)
- Versatility: Supports standard flows including Authorization Code, Client Credentials (M2M), Implicit (legacy), Hybrid, and Device Code.
- Security Principles: Implements practices such as no cleartext storage of credentials, configurable encryption, and automatic rotation of refresh tokens.
- Scopes: Uses scope mappings (for example, `openid`, `profile`, `email`) to define which information is mapped to OIDC claims.
SCIM Provider
- Role: Always serves as a backchannel provider used to augment the functionality of a main SSO provider (such as SAML or OIDC).
- Synchronization: Data is synced in real time upon modification and fully synchronized once per hour to maintain consistency.
- Compatibility Modes: Includes vendor-specific modes for AWS (disabling PATCH), Slack (filtering), Salesforce, and vCenter.
RAC (Remote Access Control) Provider
- Outpost Required: Requires deployment of a specific RAC Outpost to function.
- Unified Management: A single application and provider pair can manage multiple remote machine endpoints.
- Features: Supports bi-directional clipboard, audio redirection from the remote machine to the browser, and window resizing.
SSF (Shared Signals Framework) Provider
- Security Signals: Tracks real-time events captured by the IdP, such as MFA device changes, logouts, session revocations, and credential updates.
- Use Case: Commonly used for integrations such as Apple Business Manager, allowing users to enroll Apple devices using existing credentials.
- Backchannel: Functions as a backchannel provider assigned to a typical application and provider pair.
LDAP Provider
- Searchability: All users and groups in the database are searchable via the LDAP directory under a configurable Base DN.
- MFA Support: Supports code-based MFA (Duo, TOTP, static) by appending the code to the password, separated by a semicolon (for example, `password;123456`).
Proxy Provider
- Headers: The proxy outpost injects user-specific headers such as `X-authentik-username`, `X-authentik-groups`, and `X-authentik-email` into requests forwarded to the backend application.
- Modes: Supports proxy and forward authentication modes, either per application or at the domain level.
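Backend-side handling of the injected headers, as an added example that is not part of this guide or the platform's code: the backend only trusts identity headers on requests that arrived through the outpost, and an edge proxy strips client-supplied copies. The outpost network range and the pipe-separated format of the groups header are assumptions.

```python
import ipaddress
from dataclasses import dataclass

IDENTITY_HEADERS = ("X-authentik-username", "X-authentik-groups", "X-authentik-email")
# Constructed: the network the proxy outpost runs in. The backend must only be
# reachable through the outpost; otherwise any client can set these headers itself.
TRUSTED_OUTPOST_NETS = [ipaddress.ip_network("10.0.0.0/24")]

@dataclass
class Identity:
    username: str
    email: str
    groups: list

def identity_from_request(remote_addr: str, headers: dict):
    """Return the identity asserted by the outpost, or None when the request
    did not come from it. Header names are matched case-insensitively."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_OUTPOST_NETS):
        return None  # the same headers from anywhere else are untrusted client input
    lower = {k.lower(): v for k, v in headers.items()}
    username = lower.get("x-authentik-username")
    if not username:
        return None
    # Assumption: the groups header carries pipe-separated group names.
    groups = [g.strip() for g in lower.get("x-authentik-groups", "").split("|") if g.strip()]
    return Identity(username, lower.get("x-authentik-email", ""), groups)

def strip_identity_headers(headers: dict) -> dict:
    """For an edge proxy in front of the outpost: drop client-supplied copies of
    the identity headers so only the outpost's values can reach the backend."""
    drop = {h.lower() for h in IDENTITY_HEADERS}
    return {k: v for k, v in headers.items() if k.lower() not in drop}
```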
RADIUS Provider
- Outpost Required: Requires deployment of a RADIUS outpost and supports authentication requests via a background flow.
- MFA: Supports code-based MFA (Duo, TOTP, static) using the same semicolon separator between password and code.
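The inline MFA format used by the LDAP and RADIUS providers above (`password;123456`), as an added example that is not part of this guide or the platform's code: it splits the submitted string at the last semicolon so passwords containing semicolons still work, treats the whole string as the password when no authenticator is enrolled, and verifies the code as an RFC 6238 TOTP. The plaintext `stored_password` stands in for a password-hash verification.

```python
import hashlib, hmac, struct

SEPARATOR = ";"

def split_inline_mfa(submitted: str):
    """Split 'password;code' at the LAST separator, so a password that itself
    contains ';' survives. Returns (password, code); code is None if absent."""
    idx = submitted.rfind(SEPARATOR)
    if idx == -1:
        return submitted, None
    return submitted[:idx], submitted[idx + 1:]

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept codes from +/- `window` steps to tolerate clock skew; compare in constant time."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), code)
               for d in range(-window, window + 1))

def authenticate(stored_password: str, totp_secret, submitted: str, now: int) -> bool:
    """Bind-time check for a user already identified by DN (LDAP) or username (RADIUS).
    totp_secret is None when the user has no code-based authenticator enrolled.
    stored_password is plaintext here only for illustration; verify a hash in practice."""
    if totp_secret is None:
        # No MFA enrolled: the whole string is the password, semicolons included.
        return hmac.compare_digest(submitted.encode(), stored_password.encode())
    password, code = split_inline_mfa(submitted)
    if code is None or not hmac.compare_digest(password.encode(), stored_password.encode()):
        return False
    return verify_totp(totp_secret, code, now)
```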
Microsoft Entra ID and Google Workspace Providers
- Source of Truth: Allows GlobalAI to act as the source of truth by syncing users and groups to Entra ID or Google Workspace organizations.
- Discovery: Runs a discovery task to match identities based on email addresses for users and names for groups.
Technical Features
These technical features are shared across providers and enable consistent authentication and session management:
Property Mappings
Property mappings allow the platform to pass specific information, such as group membership, to external applications.
Single Logout (SLO)
Ensures users are logged out of all active applications when they log out of the central platform. Supports front-channel logout (browser-based, via iframe or native redirects) and back-channel logout (server-to-server HTTP POST).
Platform Engine and Licensing
GlobalAI Identity Management is powered by the goauthentik engine, a source-available, robust authentication solution designed for high-scale enterprise environments. By integrating this industry-leading technology, GlobalAI ensures your identity infrastructure is built on transparent, community-reviewed code that prioritizes security and flexibility.
Enterprise Support and Capabilities
While core authentication features are available to all GlobalAI users, several advanced providers and synchronization features are designated as Enterprise capabilities. These require a separate license, available via goauthentik.io, and include:
- Backchannel Signal Frameworks: Real-time security event tracking via the Shared Signals Framework (SSF).
- Advanced Cloud Sync: Direct, automated synchronization with Google Workspace and Microsoft Entra ID.
- Automated Provisioning: Scalable user and group management via SCIM 2.0 with OAuth authentication.
- Priority Support: Access to dedicated technical assistance and expert configuration reviews.
Related articles
Explore the following guides to begin configuring your selected providers and securing your infrastructure.
Manage External Providers
Connect your group-based permissions to enterprise SSO systems like Okta, Entra ID, or Active Directory.
Customize Auth Flows
Define the sequence of stages—such as MFA or CAPTCHA—that users must complete to log in.
Secure the Platform
Configure global security settings, reputation scoring, and event retention to protect your organization.