System authentication handler
Diffusion™ Cloud provides an authentication handler that uses the principal, credential, and role information stored in Diffusion Cloud to make its authentication decision.
System authentication store
The principal, credentials, and role information located in the system authentication store is used by the system authentication handler to authenticate users.
The system authentication store is designed to hold information about Diffusion Cloud administration users and system clients. It can manage hundreds or perhaps thousands of principals, but does not provide the administration tools necessary to support millions of principals. We recommend that you delegate such "internet scale" use cases to a third-party identity provider, for example one that uses the OAuth or OpenID protocol, by way of a custom authentication handler.
Credentials held in the system authentication store are hashed; the hash scheme used is PBKDF-SHA256-1000.
Behavior of the system authentication handler
- If anonymous connections are allowed in the system authentication store and a client session connects anonymously, the system authentication handler returns an ALLOW decision and the list of roles an anonymous client session is assigned.
- If anonymous connections are not allowed in the system authentication store and a client session connects anonymously, the system authentication handler returns a DENY decision.
- If a client session connects with a principal listed in the system authentication store and the correct credentials, the system authentication handler returns an ALLOW decision and the list of roles that client session is assigned.
- If a client session connects with a principal listed in the system authentication store and incorrect credentials, the system authentication handler returns a DENY decision.
- If a client session connects with a principal that is not listed in the system authentication store, the system authentication handler returns an ABSTAIN decision.
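The five cases above, modelled as an added example in Python. This is not Diffusion Cloud's own code or API; it is an in-memory model of the system authentication store and handler written to show the decision logic, in particular why an unknown principal yields ABSTAIN (hand off to another handler) rather than DENY. It assumes that "PBKDF-SHA256-1000" means PBKDF2 with HMAC-SHA256 and 1000 iterations over a per-principal random salt, that credentials are a password string, and that when every handler in a chain abstains the session is denied; the principal names, passwords and role names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


@dataclass
class StoredPrincipal:
    salt: bytes            # random per-principal salt, so equal passwords hash differently
    password_hash: bytes   # PBKDF2-HMAC-SHA256 output, never the clear-text credential
    roles: frozenset       # roles assigned to this principal on a successful login


@dataclass
class SystemAuthStore:
    """Model of the system authentication store (assumption: not Diffusion's real storage)."""
    allow_anonymous: bool
    anonymous_roles: frozenset
    principals: dict = field(default_factory=dict)

    ITERATIONS = 1000  # assumed meaning of the "1000" in PBKDF-SHA256-1000

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   SystemAuthStore.ITERATIONS)

    def add_principal(self, name: str, password: str, roles) -> None:
        salt = os.urandom(16)
        self.principals[name] = StoredPrincipal(salt, self.hash_password(password, salt),
                                                frozenset(roles))


def system_authenticate(store: SystemAuthStore, principal, credential):
    """Return (Decision, roles) following the documented behaviour case by case."""
    if principal is None:                      # anonymous connection
        if store.allow_anonymous:
            return Decision.ALLOW, store.anonymous_roles
        return Decision.DENY, frozenset()
    entry = store.principals.get(principal)
    if entry is None:                          # principal not in the store: not our decision
        return Decision.ABSTAIN, frozenset()
    candidate = store.hash_password(credential or "", entry.salt)
    if hmac.compare_digest(candidate, entry.password_hash):   # constant-time comparison
        return Decision.ALLOW, entry.roles
    return Decision.DENY, frozenset()          # known principal, wrong credentials


def chain_authenticate(handlers, principal, credential):
    """Assumed chaining model: the first non-ABSTAIN decision wins; all-abstain means DENY."""
    for handler in handlers:
        decision, roles = handler(principal, credential)
        if decision is not Decision.ABSTAIN:
            return decision, roles
    return Decision.DENY, frozenset()


def build_demo_store(allow_anonymous: bool = True) -> SystemAuthStore:
    """Constructed sample store: two principals and an anonymous role set."""
    store = SystemAuthStore(allow_anonymous=allow_anonymous,
                            anonymous_roles=frozenset({"anonymous-client"}))
    store.add_principal("admin", "correct-horse-battery-staple", {"administrator"})
    store.add_principal("control-client", "s3cret", {"system-client"})
    return store


def demo():
    """Exercise every documented case plus a hand-off to a (constructed) second handler."""
    store = build_demo_store()
    # A stand-in for a custom handler backed by an external identity provider.
    external_users = {"alice@example.org": ("alice-pw", frozenset({"external-user"}))}

    def external_handler(principal, credential):
        record = external_users.get(principal)
        if record is None or record[0] != credential:
            return Decision.ABSTAIN, frozenset()
        return Decision.ALLOW, record[1]

    handlers = [lambda p, c: system_authenticate(store, p, c), external_handler]
    return {
        "anonymous": system_authenticate(store, None, None),
        "good_creds": system_authenticate(store, "admin", "correct-horse-battery-staple"),
        "bad_creds": system_authenticate(store, "admin", "wrong"),
        "unknown": system_authenticate(store, "alice@example.org", "alice-pw"),
        "chained": chain_authenticate(handlers, "alice@example.org", "alice-pw"),
        "chained_unknown": chain_authenticate(handlers, "nobody", "x"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15s} -> {result[0].value} {sorted(result[1])}")
```

Note the asymmetry the list describes: a known principal with the wrong credential is a DENY that ends the evaluation, while an unknown principal is an ABSTAIN that only becomes a denial if no later handler claims it. Keeping those two outcomes distinct is what lets the system store coexist with a third-party identity provider without one masking the other.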