
How Does Authentication in Picturepark Work?

By Olivia Schütt • May 29, 2020

Authentication is a fascinating topic in both the physical and digital worlds. Much like the key that allows you to open your front door, Picturepark has an intelligent system for letting in the ‘right people’ and denying access to everyone else. We’re often asked about how authentication in Picturepark works, so we’re explaining it in more detail below.

At the end of this blog, you’ll also find a glossary section and the answers to some frequently asked questions. We’ve included these to help you understand more about the topic.

One ‘Key’ That Unlocks Many Doors

The Picturepark Content Platform uses a secure authentication system, the Picturepark IDS, built on OpenID Connect. It lets users log in to one or more Picturepark Content Platforms with the Picturepark Account they already use. This way agencies can access multiple customer systems with the same Picturepark Account, and enterprise customers can access all systems of their subsidiaries (multitenancy). The Picturepark IDS Account is also the key that connects users to Picturepark Apps, Picturepark Microsites, or direct user-centric API requests.

Benefits of one Picturepark IDS Account for multiple platforms:

  • One central user repository (Identity Provider) for authentication.
  • Different permissions per platform through role assignment.
  • Accessing multiple Picturepark platforms with the same account.
  • One login to connect them all: Picturepark apps, Microsites, and customer systems.
  • Authentication using OpenID Connect, a highly secure and flexible protocol.
  • Easy administration and faster development cycles for new apps.

Separate User Databases: An Admin & Security Nightmare?

The Picturepark Content Platform serves the needs of many Picturepark customers, and separate user databases per customer can easily become an administrative and security nightmare. To save valuable IT resources, Picturepark delegates user authentication and user provisioning to the Picturepark Identity Server (Picturepark IDS) as the default trusted Identity Provider (IdP), connected via OpenID Connect, the industry-standard protocol for secure and flexible authentication. The Picturepark IDS stores all user attributes required to authenticate users in one or more Picturepark Content Platforms.

Picturepark IDS: Step by Step

  1. 💻 The user requests access to Picturepark via a Login Form.
  2. 🏢 The request is sent to the Picturepark IDS which verifies identity.
  3. 🔑 The Picturepark IDS grants or denies access.

Prerequisites

To configure the Picturepark IDS authentication, you’ll only need the following items:

  1. A Picturepark subscription.

Yes, that’s all! The Picturepark IDS authentication is built in and needs no further configuration beyond creating a user, either through an administrator or through self-registration on the sign-up form. Try our Online Demo: https://picturepark.com/now

Can I use Other Providers for Federated Authentication?

Yes. Instead of using only the Picturepark IDS, you can connect another OpenID Provider, which then serves as Identity Provider to the Picturepark IDS. The desired Identity Provider (IdP) must support the standardized OpenID Connect protocol; the protocol itself allows flexible implementations that vary in the metadata they require or the ACR values they support.

Benefits of adding an external OpenID Identity Provider (IdP) include:

  • Link third-party accounts to your Picturepark Content Platform.
  • Connect to Picturepark quickly, seamlessly, and securely with an existing user account, e.g. from the company Active Directory or any trusted Identity Provider (IdP) already in place.
  • Add one or more supported OpenID Providers to your Picturepark easily.
  • Full control over the permitted Identity Providers (IdP) on a user-by-user basis, by adding the allowed IdP to the user. Useful example scenarios: ADFS for employees only, Azure for agencies, and Picturepark IDS for all other users.

External IdP Scenario

Let’s take a look at a typical external IdP scenario and how that works:

  1. 💻 The user requests access to Picturepark by clicking the "Connect via IdP" button.
  2. 🏢 The request is sent to the Picturepark IDS, which checks which IdP is permitted for the user.
  3. 🌍 The request is sent to the configured OpenID Provider (IdP), which verifies the identity and sends the configured claims.
  4. 🔑 The Picturepark IDS grants or denies access.

When users access Picturepark the next time and haven’t logged out of Picturepark, there is already an active IdP session. In this case the login happens automatically, without clicking the “Connect via IdP” button. An active session only expires after 30 days of inactivity.

Prerequisites

To configure an OpenID Provider, you will need the following items:

  1. A Picturepark subscription.
  2. A supported OpenID Provider, set up and configured, e.g. ADFS on Windows Server 2016.

Many claims carrying user attributes are mapped automatically by Picturepark. Attributes like email, first name, last name, and language do not require additional mappings.

Questions and Answers on the Topic of Authentication

As we receive many questions about authentication, the section below aims to help you understand some of the key areas that are asked about most frequently.

Do I have an inbuilt Identity Provider in Picturepark?

Yes, with any Picturepark Content Platform you get access to the Picturepark IDS as a default trusted Identity Provider.

Why worry about an external Identity Provider?

The Picturepark IDS as an Identity Provider is managed by Picturepark, while you manage the users in the user management area of your Picturepark. In an enterprise there is often already a user repository in place (e.g. Active Directory) where all users of your organization are managed. To avoid fragmented user management, you can add your existing repository. This allows your IT department to keep updating user attributes and user access (e.g. leaving employees, new employees) in one central place. This option is available as an add-on for the Standard subscription and included in Premium and Enterprise plans.

Why Open ID Connect?

OpenID Connect was published in 2014. The standard offers the best options in usability, simplicity, and security and incorporates the lessons learned from earlier standards like SAML and OpenID 1.0 and 2.0. The major benefits are:

  • Easy consumption: Identity tokens are delivered as JSON Web Tokens (JWT), which are elegant and portable and have broad support for signature and encryption algorithms.
  • Based on the OAuth 2.0 protocol: The OAuth 2.0 flow is used to obtain the token, which supports web applications as well as native and mobile apps. By adopting OAuth 2.0, one protocol serves both authentication and authorization (obtaining access tokens).
  • Simple to integrate: Integration with apps is simple and straightforward, while still offering the features and security options required for enterprise integrations.

Learn More: Our Glossary

Authentication can be a tricky topic to understand if you’re new to it: that’s why we’ve included a few key terms below, that will help you ‘unlock’ greater insight into the topic and this blog.

Authentication is the act of proving that "you are who you say you are", usually done via passwords; in other words, the act of verifying the identity of a computer system user. Identity providers offer user authentication as a service. See Wikipedia: Authentication.

Authorization is the process of verifying that "you are permitted to do what you are trying to do" by granting permissions. While authorization often happens immediately after authentication (e.g., when logging into a computer system), this does not mean authorization presupposes authentication: an anonymous agent could be authorized to a limited action set. Picturepark grants permissions via assignments to user roles. See Wikipedia Authorization.

Picturepark IDS (short: PIDS) is the Picturepark Identity Server, which serves as the default trusted Identity Provider of your Picturepark Content Platform. All identity information (e.g. user attributes) is saved in the Picturepark IDS. You can access multiple Pictureparks with the same identity.

Whenever Office 365 needs to verify a user, for example, Azure AD performs all identity and access management and is thus the trusted identity provider.

Identity providers (short: IdP, IDP) are systems that manage and maintain identity information (e.g. user attributes). Identity providers offer user authentication as a service. Picturepark outsources the user authentication to the Picturepark Identity Server as the default trusted identity provider and is thus a relying party application to it. See Wikipedia Identity Provider.


OpenID Connect is a leading standard for authentication, specifically identity provisioning and single sign-on. It uses JSON-based identity tokens (JWT), delivered via OAuth 2.0 flows designed for web, browser-based, and native/mobile applications. OpenID Connect allows clients of all types, including web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end users. The specification suite is extensible, allowing participants to use optional features such as encryption of identity data, discovery of OpenID Providers, and session management when it makes sense for them. To see the Picturepark OpenID configuration for the live environment, append .well-known/openid-configuration to the identity server URL; this returns the configuration for your platform. Further viewing: Identity, Authentication + OAuth = OpenID Connect (YouTube).

OpenID Providers are implementations of OpenID Connect, such as servers, services, or libraries. Certified OpenID Providers are listed on the official OpenID Connect page: https://openid.net/developers/certified. Popular services like Google, Microsoft, or Amazon support OpenID Connect, but each OpenID Provider can define different metadata describing its OpenID Connect configuration. Therefore not all OpenID Providers are supported by Picturepark.
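As an added example (not Picturepark’s code; the discovery document below is constructed for a fictitious provider, and the list of checks is this editor’s reading of the requirements the blog names, not Picturepark’s actual support criteria), the Python below takes a discovery document of the kind served at issuer + /.well-known/openid-configuration and reports which of the things Picturepark relies on the provider does not advertise: the authorization code flow, PKCE with S256, the openid/profile/email scopes, and the email, given_name, family_name and locale claims that map automatically.

```python
import json

# Constructed discovery document for a fictitious provider (not Picturepark's real configuration).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/connect/authorize",
    "token_endpoint": "https://idp.example.test/connect/token",
    "jwks_uri": "https://idp.example.test/.well-known/jwks",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256", "plain"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "given_name", "family_name", "locale"],
})

REQUIRED_METADATA = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
REQUIRED_SCOPES = ("openid", "profile", "email")
REQUIRED_CLAIMS = ("email", "given_name", "family_name", "locale")


def discovery_url(issuer: str) -> str:
    # OpenID Connect Discovery 1.0: the document lives at issuer + /.well-known/openid-configuration
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_provider_support(document: str) -> list:
    """Return a list of problems; an empty list means the provider looks compatible."""
    cfg = json.loads(document)
    problems = []
    for key in REQUIRED_METADATA:
        if key not in cfg:
            problems.append(f"missing required metadata: {key}")
    if "code" not in cfg.get("response_types_supported", []):
        problems.append("response_type 'code' not supported (authorization code flow needed)")
    # grant_types_supported is optional; Discovery 1.0 defaults it to authorization_code and implicit
    if "authorization_code" not in cfg.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("authorization_code grant not supported")
    if "S256" not in cfg.get("code_challenge_methods_supported", []):
        problems.append("PKCE with S256 not advertised")
    if "none" in cfg.get("id_token_signing_alg_values_supported", []):
        problems.append("provider offers unsigned ID tokens (alg none); make sure it is never negotiated")
    for scope in REQUIRED_SCOPES:
        if scope not in cfg.get("scopes_supported", []):
            problems.append(f"scope '{scope}' not advertised")
    # claims_supported is optional, so it is only checked when the provider publishes it
    if "claims_supported" in cfg:
        for claim in REQUIRED_CLAIMS:
            if claim not in cfg["claims_supported"]:
                problems.append(f"claim '{claim}' not advertised; would need a manual mapping")
    return problems


def without(document: str, key: str) -> str:
    # Helper to derive a non-compatible variant of the sample document for demonstration.
    cfg = json.loads(document)
    cfg.pop(key, None)
    return json.dumps(cfg)


if __name__ == "__main__":
    print("sample provider:", check_provider_support(SAMPLE_DISCOVERY) or "compatible")
    print("without PKCE metadata:",
          check_provider_support(without(SAMPLE_DISCOVERY, "code_challenge_methods_supported")))
```

A clean result from this check does not replace confirming support with Picturepark, since the provider may still differ in the ACR values it understands or in how it populates the claims; it does, however, catch the common blockers (no code flow, no S256, missing scopes) before anyone opens a support ticket.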

If you plan to enable federated authentication for your Picturepark, check with Picturepark first whether your preferred Identity Provider is supported.

ACR Values (acr_values) are an optional parameter of the authentication request, provided as a space-separated string in order of preference. They specify additional context that the authorization server should use when processing the client’s authentication request. If the client provides a value the IdP understands, it is honoured; if the IdP does not understand it, the authentication request is either denied or the acr values are sent back to the client, which can then decide whether the level of authentication is satisfactory and carry on with the authentication or reject it. Possible values may be, for example, multi-factor or phishing-resistant. See here for more information: https://ldapwiki.com/wiki/Acr_values.

The authentication flow defines how the tokens that identify users are exchanged. An external Identity Provider for Picturepark must support the Authorization Code Flow with PKCE. PKCE, pronounced “pixy”, is an acronym for Proof Key for Code Exchange; with it, the client does not need to present a client_secret, which the standard Authorization Code flow would require. The main benefit is reduced risk for native apps: no secrets are embedded in the source code, which in turn limits exposure to reverse engineering.
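As an added example (not Picturepark’s code; the authorization endpoint, client id, redirect URI and acr values are constructed), the Python below implements both halves of the PKCE step of the Authorization Code Flow described above: the client creates a code_verifier and its S256 code_challenge, sends only the challenge with the authorization request (together with acr_values in order of preference, as in the glossary entry above), and the provider later recomputes the challenge from the verifier presented at the token endpoint. The RFC 7636 test vector is used to confirm the challenge computation.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed settings for the demo; not Picturepark's endpoints or client registration.
DEMO_AUTHORIZE = "https://idp.example.test/connect/authorize"
DEMO_CLIENT_ID = "picturepark-native-demo"
DEMO_REDIRECT = "http://127.0.0.1:8765/callback"


def make_code_verifier() -> str:
    # RFC 7636 section 4.1: 43-128 unreserved characters with enough entropy.
    # 32 random bytes, base64url-encoded without padding, give exactly 43 characters.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(code_challenge: str, state: str, nonce: str,
                            acr_values=None, scope: str = "openid profile email") -> str:
    # Client side: only the challenge travels with the request; the verifier stays local.
    params = {
        "response_type": "code",
        "client_id": DEMO_CLIENT_ID,
        "redirect_uri": DEMO_REDIRECT,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if acr_values:
        # space-separated, in order of preference, as the acr_values parameter requires
        params["acr_values"] = " ".join(acr_values)
    return f"{DEMO_AUTHORIZE}?{urlencode(params)}"


def parse_authorization_request(url: str) -> dict:
    # Provider side: flatten the query string into a dict (each parameter appears once here).
    return {key: values[0] for key, values in parse_qs(urlsplit(url).query).items()}


def provider_verifies(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    # Provider side at the token endpoint: recompute the challenge from the verifier that
    # arrives with the code and compare in constant time. Only S256 is accepted; the 'plain'
    # method gives an attacker who captured the challenge the verifier for free.
    if stored_method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


def demo_round_trip() -> bool:
    verifier = make_code_verifier()
    url = build_authorization_url(make_code_challenge(verifier), state="st-1", nonce="n-1",
                                  acr_values=["phishing-resistant", "multi-factor"])  # constructed values
    request = parse_authorization_request(url)
    # ... the provider authenticates the user and issues a code bound to request["code_challenge"];
    # when the client redeems that code it presents the original verifier:
    return provider_verifies(request["code_challenge"], request["code_challenge_method"], verifier)


if __name__ == "__main__":
    print("PKCE round trip ok:", demo_round_trip())
```

Because the verifier never leaves the client until the token request, and because the provider refuses the plain method, an authorization code intercepted on the redirect cannot be redeemed without it; this is the property that lets a native app register without a client_secret, as the glossary entry explains.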
