Supported Authentication Configurations

OneStream IdentityServer provides a single source of authentication for the OneStream platform using the OIDC protocol. This is beneficial because it ensures:

  • Any OneStream application or process uses a well-defined standard authentication path.

  • You can use and manage multiple authentication paths, such as native, external IdP using the OIDC protocol, and external IdP using the SAML 2.0 protocol.

    NOTE: OneStream IdentityServer does not support authentication using Microsoft Active Directory (MSAD) or Lightweight Directory Access Protocol (LDAP).

OneStream IdentityServer supports multiple configuration scenarios:

  • Native authentication.

  • Authentication with one external IdP. This can include native authentication.

  • Authentication with multiple external IdPs. This can include native authentication.

Native Authentication

When used with native authentication, the OneStream IdentityServer acts as an identity provider. Usernames and passwords are validated against corresponding values in the OneStream framework database. In this authentication path, the OneStream platform performs all processing with no external dependencies.

To use this authentication path:

  1. Submit a Support ticket requesting environment-specific support for native authentication. Environments must be initially configured for native authentication before you can use native login capabilities.

  2. Enable user accounts for native authentication. See How Users are Configured for Authentication and Native Authentication.

Similarly, contact the Support team if you later need to disable native authentication and native user accounts.

One External Identity Provider

When used with one external IdP, the OneStream IdentityServer acts as a service provider, passing authentication requests to a configured external IdP where users are challenged for their credentials. If a user has a valid SSO token, the request is processed without challenging the user for credentials. In this authentication path, processing depends on the OneStream platform and the external IdP. See How Users are Configured for Authentication.

Multiple External Identity Providers

In this authentication path, you can configure the OneStream IdentityServer for:

  • Native authentication with one or more external IdPs.

  • Multiple external IdPs.

OneStream IdentityServer evaluates usernames at login using a "Home Realm Discovery" process, in which it determines the IdP configured to authenticate a user. The user is then challenged for their IdP credentials unless their SSO token is still valid. See How Users are Configured for Authentication.