Version: 2.4.0

Authentication

EAS's only method of authentication is Microsoft EntraID (formerly Microsoft Active Directory). This document covers the implementation and the available deployment models.

Implementation

EAS implements the OpenID Connect (OIDC) protocol: the JWTs issued by the IdP are validated using the IdP's published JWKS keys. The frontend implements the OAuth 2.0 Authorization Code flow with PKCE to log the user in, and the resulting JWT is sent to EAS with every request. Both the frontend and EAS leave it to the IdP to enforce any custom authentication rules, such as MFA and session timeouts.

Deployment Models

There are two deployment models, each with their own tradeoffs.

Zepben Managed

In this deployment model, Zepben sets up a dedicated EntraID tenant for your deployment and configures the applications to use this tenant as their authentication provider. This is a fast, low-overhead way of getting your Zepben platform set up.

With this deployment style:

  • User additions, removals and role assignments will be managed by Zepben support
  • Users will have their own separate username and password to log in; password resets will be conducted by Zepben support
    • If the users' email addresses belong to their own EntraID tenant, EntraID B2B Collaboration will be used and users log in with their source tenant credentials
  • Multi-factor authentication is used, and MFA resets are managed by Zepben support
  • No customizations are available, e.g. geo-location rules, IP rules, etc.

Customer Managed

This deployment model allows customers to bring their own EntraID tenant for authentication. Zepben will integrate its applications to allow logins from your tenant using EntraID Single Sign-On (SSO).

With this deployment style:

  • User additions, removals and role assignments are managed by the customer
  • The customer will manage user password and MFA resets
  • Custom authentication rules using EntraID Conditional Access can be used to control authentication requirements
  • Zepben will continue to manage application configuration in its own tenant

Setup Process

  1. The customer will provide Zepben with their EntraID tenant ID
  2. Zepben will provision EntraID application registrations as multi-tenant applications
  3. Zepben will provide the set of Enterprise Application client IDs to the customer
  4. The customer will add each Enterprise Application to their tenant
  5. The customer will grant admin consent for all roles in each Enterprise Application
  6. Zepben will configure the applications to trust logins from the customer tenant and provide the customer's platform URL
  7. The customer can then assign users to application roles
  8. Users can now log in to the Zepben platform