About delegated authentication

Delegated authentication allows you to pass the responsibility of verifying user credentials to an external, central identity provider, such as CyberArk Identity or Microsoft Entra ID.

Instead of prompting users to enter a local password directly into the web console, Trust Protection Foundation redirects them to your central identity provider's login screen. Once the identity provider successfully verifies the user's credentials (and enforces any of your organization's multi-factor authentication rules), it passes a secure token back to Trust Protection Foundation, granting the user access.

Decoupling identity from authentication

In Trust Protection Foundation, authentication is treated as a separate process from identity provisioning. While an identity connector (such as a SCIM or Active Directory connector) provides the system with the list of users who exist, the delegated authentication profile is what actually proves a user's identity during login.

You configure delegated authentication on a per-connector basis. This decoupled architecture gives you immense flexibility. It allows you to have one identity connector authenticating users via OpenID Connect, another using SAML, and a third relying on local passwords, all running concurrently within the same system.

Supported protocols

Trust Protection Foundation supports two industry-standard protocols for delegated authentication:

  • OpenID Connect (OIDC): A modern, REST/JSON-based authentication protocol built on OAuth 2.0. Because of its performance and simplicity, OIDC is the recommended authentication method for most modern integrations.
  • SAML 2.0: A mature, XML-based authentication protocol that remains widely used in enterprise environments.
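The step where the identity provider "passes a secure token back" is where the relying party does its own security work: an OIDC ID token is only trustworthy after the receiving application has verified its signature and checked that it was issued by the expected provider, for the expected client, for the login request that triggered the redirect, and that it has not expired. The following added example is not Trust Protection Foundation's code and does not use its API; it is a generic, stdlib-only illustration of those relying-party checks. The issuer URL, client ID and shared secret are constructed sample values, and HS256 (a shared client secret) stands in for the RS256 keys a production identity provider publishes at its JWKS endpoint.

```python
"""Relying-party validation of an OIDC ID token (added illustration, standard library only)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; they do not belong to any real deployment.
ISSUER = "https://idp.example.com"          # assumed identity provider issuer
CLIENT_ID = "tpf-web-console"               # assumed client_id registered at the IdP
SHARED_SECRET = b"constructed-demo-secret"  # assumed HS256 client secret (RS256 in practice)
CLOCK_SKEW = 60                             # seconds of tolerated clock drift


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the identity provider: sign the claims as an HS256 JWT."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token, secret, expected_issuer, expected_audience, expected_nonce, now=None):
    """Return (accepted, reason, claims); every check here is the relying party's own responsibility."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token", None
    # 1. Pin the algorithm: the token must not get to choose (rejects "none" and downgrades).
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    # 2. Verify the signature (constant-time compare) before trusting any claim.
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return False, "bad signature", None
    # 3. The issuer must be the provider this authentication profile is configured for.
    if claims.get("iss") != expected_issuer:
        return False, "wrong issuer", None
    # 4. The audience must include our client_id ("aud" may be a string or a list).
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience", None
    # 5. Lifetime checks with a small skew allowance.
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + CLOCK_SKEW:
        return False, "token expired", None
    if isinstance(claims.get("nbf"), int) and now + CLOCK_SKEW < claims["nbf"]:
        return False, "token not yet valid", None
    # 6. The nonce binds the token to the login request that started the redirect (replay defence).
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch", None
    if not claims.get("sub"):
        return False, "missing subject", None
    return True, "ok", claims


if __name__ == "__main__":
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
              "iat": now, "exp": now + 300, "nonce": "login-request-nonce"}
    token = mint_id_token(claims, SHARED_SECRET)
    print(validate_id_token(token, SHARED_SECRET, ISSUER, CLIENT_ID, "login-request-nonce", now))
```

The order of the checks matters: the algorithm is pinned and the signature verified before any claim is read, so an attacker-controlled payload never influences the decision. In a real integration the same checks apply, except that the signing key is looked up by the token's `kid` from the provider's published key set rather than being a shared secret.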