Alternate authentication and login options

In addition to using an identity provider to authenticate to Trust Protection Foundation, you can configure and use these other authentication methods:

  • Certificate-based authentication
  • Integrated MS Windows Authentication
  • Local users (managed only within Trust Protection Foundation)

This section describes how to set up alternate ways to log in to Trust Protection Foundation in place of the native login. The web console supports the following authentication methods:

  • Default username and password authentication built into Trust Protection Foundation. You can either use local users (managed within Trust Protection Foundation itself), or you can use an identity provider such as LDAP or Active Directory to manage your users.
  • Certificate-based authentication uses a client certificate installed on the user's machine to authenticate them to the system.
  • Integrated MS Windows authentication allows users to be granted access to the system through their MS Windows operating system sign-in credentials.

The Web SDK also supports the following authentication methods:

  • Device authentication
  • JSON Web Token (JWT) authentication

API Authentication Performance Penalty (Strict Mode)

When configuring remote access settings for API applications, administrators can control how API session credentials are cached using the Expiration Mode (known as Validate grant on every API access in the CyberArk Configuration Console).

  • Normal mode (Recommended): Credentials are cached for up to five minutes. This saves the significant processing time required to check the credential's status on every single API call.
  • Strict mode: If stringent security is required, you can enable strict mode to force the system to validate the credential against the database on every single API call.

IMPORTANT  Using strict mode can significantly increase the time required to execute and return an API response, by over 40%. While this might seem minor for a single call, it can dramatically degrade performance across all components and scripts that use the server.
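The trade-off behind the two expiration modes, modelled in Python as an added example (this is not CyberArk code and does not use the product's API): in normal mode a validated grant is reused for up to five minutes, so a grant revoked in the database keeps working until its cache entry expires; in strict mode every call hits the database and a revoked grant is denied immediately. The token value, the 60-second call interval and the in-memory "database" are constructed for the simulation.

```python
from dataclasses import dataclass, field
from enum import Enum

CACHE_TTL_SECONDS = 300  # normal mode: credentials cached for up to five minutes


class ExpirationMode(Enum):
    NORMAL = "normal"  # reuse a validated grant until the cache entry expires
    STRICT = "strict"  # validate the grant against the database on every call


@dataclass
class GrantStore:
    """Constructed stand-in for the database holding API grant status."""
    revoked: set = field(default_factory=set)
    lookups: int = 0  # counts the expensive status checks

    def is_valid(self, token: str) -> bool:
        self.lookups += 1
        return token not in self.revoked


@dataclass
class ApiGate:
    store: GrantStore
    mode: ExpirationMode
    cache: dict = field(default_factory=dict)  # token -> cache expiry time

    def authorize(self, token: str, now: int) -> bool:
        if self.mode is ExpirationMode.NORMAL:
            expiry = self.cache.get(token)
            if expiry is not None and now < expiry:
                return True  # cache hit: no database check
        ok = self.store.is_valid(token)
        if ok and self.mode is ExpirationMode.NORMAL:
            self.cache[token] = now + CACHE_TTL_SECONDS
        else:
            self.cache.pop(token, None)
        return ok


def simulate(mode: ExpirationMode, calls: int = 10, interval: int = 60,
             revoke_at_call: int = 2) -> tuple:
    """Client calls every `interval` seconds; the grant is revoked just before
    call number `revoke_at_call`. Returns (time of first denial, db lookups)."""
    store = GrantStore()
    gate = ApiGate(store=store, mode=mode)
    token = "example-api-session-token"  # constructed value
    first_denial = None
    for i in range(calls):
        now = i * interval
        if i == revoke_at_call:
            store.revoked.add(token)  # revocation lands at t=120s
        if not gate.authorize(token, now) and first_denial is None:
            first_denial = now
    return first_denial, store.lookups
```

With these inputs normal mode keeps accepting the revoked grant until t=300s with 6 database lookups, while strict mode denies it at t=120s at the cost of a lookup on all 10 calls.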