This article provides an overview of identity provider support, capabilities, and requirements.
Supported IDPs
Vault File Manager supports the following identity providers:
- Ping Identity
- ADFS
- Okta
- Microsoft Azure AD
- VeevaID
How Authentication Works
Vault File Manager authentication works by:
- Consuming Authorization Server (AS) metadata retrieved from a Vault profile to allow users to authenticate with the AS via OAuth 2.0 / OpenID Connect or with Vault directly via username and password.
- Requesting the Vault session based on the id_token or the access_token.
- Allowing Vault to validate tokens locally if they are presented as JWTs and the signing keys are published via the JWKS URI.
- Allowing Vault to validate tokens remotely using the introspection endpoint, if the AS exposes one.
Note: Beginning in 19R1.4, if you have “Ping” or “Other” selected in your OAuth 2.0 / OpenID Connect profile, we recommend that you update your redirection URI in your Authorization Server to com.veeva.vaultfilemanager://authorize. It is not recommended to continue using dynamic redirect URIs. Contact your Customer Success Manager for more information.
Authentication Support
Vault File Manager supports:
- OAuth 2.0 / OpenID Connect with no client secret, using the Authorization Code grant type with the openid and offline_access scopes.
- Silent refresh of the Vault session if the AS honors the offline_access scope and presents a refresh_token.
- Federation based on the user’s Federated ID or Vault User Name.
- Modern Windows Authentication (ADAL) to authenticate with Microsoft ADFS, when configured.
Requirements
Vault File Manager requires:
- The user’s Federated ID to be included in the sub claim of the token. Customers can configure an alternative identifier claim if the sub claim is not available or cannot be modified to contain the correct Federated ID.
- The AS to support the hard-coded client ID. Customers can create a mapping between the hard-coded client ID stored in client apps, such as Vault File Manager, and the generated client ID required by the AS.
Note: Veeva Vault Platform strongly advises that Authorization Servers support PKCE.
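The Authentication Support and Requirements sections above describe a public client (no client secret) using the Authorization Code grant with the openid and offline_access scopes, the fixed redirect URI, a PKCE-capable AS, and the Federated ID carried in the sub claim (or a configured alternative). The following added example, which is not Vault File Manager's own code, shows both sides of the PKCE exchange and the claim selection; the client ID and authorization endpoint are placeholders, since a real client reads them from the AS metadata in the Vault profile.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Redirect URI and scopes come from the article; client ID and endpoint are
# placeholders (the real values are mapped by the customer / published by the AS).
CLIENT_ID = "HARDCODED_CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "com.veeva.vaultfilemanager://authorize"
SCOPES = "openid offline_access"
AUTHORIZE_ENDPOINT = "https://as.example.invalid/oauth2/authorize"  # assumed


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: return (code_verifier, code_challenge) using the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 high-entropy characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, state: str) -> str:
    """Authorization Code request for a public client: no client secret is sent."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPES,
        "state": state,  # binds the callback to this request (CSRF protection)
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def as_verifies_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """AS side at the token endpoint: recompute the challenge and compare."""
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return secrets.compare_digest(recomputed, stored_challenge)


def federated_id_from_claims(claims: dict, id_claim: str = "sub") -> str:
    """Pick the Federated ID from the configured claim (sub by default)."""
    value = claims.get(id_claim)
    if not isinstance(value, str) or not value:
        raise ValueError(f"token lacks a usable '{id_claim}' claim")
    return value
```

Claims would only be trusted after the token's signature has been validated locally against the JWKS or remotely via introspection, as the How Authentication Works section describes.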