External IDP overview
A key functionality in the XProtect VMS is secure user authentication for any user who wants to access the XProtect VMS using one of the XProtect clients, the MIP SDK, or the supported APIs.
In the past, users have traditionally been managed in an organization’s on-premises Microsoft Active Directory (AD), or alternatively for installations that do not have an AD, as local Windows users or as basic users in the XProtect VMS.
However, nowadays many organizations have users who work with a plethora of products, services and solutions from many different vendors, running in browsers and natively on multiple platforms such as PCs, Macs, and smartphones. These organizations need a centralized user-management system that works across all of this equipment, these platforms and these interfaces, which the on-premises AD does not provide. Therefore, they choose another Identity Provider to manage their users and their permissions.
When these customers acquire an XProtect VMS, they will of course want to use the Identity Provider they have already chosen and installed together with their XProtect VMS. This is achieved by creating an integration between the Identity Provider and the XProtect VMS.
Login and authentication overview
When the integration between the Identity Provider and the XProtect VMS has been configured, the high-level login and authentication flow looks like this:
- When the XProtect VMS address has been entered in the VMS client's login dialog, the authentication options are retrieved from the XProtect VMS and listed in the login dialog.
- Choosing the external IDP option and clicking 'Connect' opens a browser window that displays the external IDP's login page.
- Entering the username and password authenticates the user with the external IDP.
- After successful authentication, an OAuth token is transferred from the browser to the VMS client.
- Using the external IDP's OAuth token, the VMS client authenticates the user in the VMS, which then returns a VMS security token and the configuration for the user.
- The VMS client is now started and provides access to the VMS resources that the user has permissions for.
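The following is an added, runnable model of the flow above; it is not XProtect's code, API or token format. It simulates the three parties (external IDP, VMS, VMS client) in-process and shows the checks the VMS must perform on the IDP's token before issuing its own security token: signature, issuer, audience (the token must have been issued for this VMS, not some other application), expiry, and a permission mapping for the authenticated user. All names, endpoints, credentials and the HMAC-based token format are constructed assumptions; a real OAuth 2.0 / OpenID Connect deployment uses asymmetrically signed JWS tokens, but the structure of the validation is the same.

```python
"""Hypothetical model of the external-IDP login flow (not XProtect's real API).

Assumptions (all constructed for this example): the IDP signs a compact
base64url(claims).base64url(HMAC-SHA256) token with a key shared with the
VMS; real OIDC uses asymmetric signatures so the VMS cannot mint IDP tokens.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Serialize claims and append an HMAC-SHA256 signature."""
    body = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Check signature, issuer, audience and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was not issued for this VMS")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


class ExternalIdp:
    """Constructed external IDP with an in-memory user store (step 3 of the flow)."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key
        self.users = {"alice": "correct horse"}  # constructed credentials

    def login(self, username: str, password: str, audience: str, now: float) -> str:
        if self.users.get(username) != password:
            raise PermissionError("invalid credentials")
        claims = {"iss": self.issuer, "sub": username, "aud": audience,
                  "iat": now, "exp": now + 300}  # short-lived token
        return sign_token(claims, self.key)


class Vms:
    """Constructed VMS that trusts one external IDP (steps 1 and 5 of the flow)."""

    def __init__(self, idp: ExternalIdp, client_id: str):
        self.idp, self.client_id = idp, client_id
        self.permissions = {"alice": ["view:camera-01"]}  # constructed role mapping
        self.sessions = {}  # VMS security token -> user

    def auth_options(self) -> list:
        return ["windows", "basic", f"external-idp:{self.idp.issuer}"]

    def login_with_idp_token(self, token: str, now: float) -> dict:
        claims = verify_token(token, self.idp.key, self.idp.issuer, self.client_id, now)
        user = claims["sub"]
        perms = self.permissions.get(user)
        if perms is None:
            # Authenticated at the IDP is not the same as authorized in the VMS.
            raise PermissionError(f"{user} has no permissions in this VMS")
        vms_token = secrets.token_urlsafe(16)
        self.sessions[vms_token] = user
        return {"vms_token": vms_token, "user": user, "permissions": perms}


def client_login(vms: Vms, idp: ExternalIdp, username: str, password: str, now=None) -> dict:
    """The VMS client's side of the flow: steps 1, 2, 3-4 and 5 in order."""
    now = time.time() if now is None else now
    options = vms.auth_options()                                  # step 1
    next(o for o in options if o.startswith("external-idp:"))    # step 2
    idp_token = idp.login(username, password, vms.client_id, now)  # steps 3-4
    return vms.login_with_idp_token(idp_token, now)               # step 5


if __name__ == "__main__":
    idp = ExternalIdp("https://idp.example", b"constructed-shared-key")
    vms = Vms(idp, "xprotect-vms")
    print(client_login(vms, idp, "alice", "correct horse"))
```

The audience check is the one most often missed in real integrations: without it, a token the IDP issued for any other application that trusts the same IDP would log the user into the VMS.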