User authentication

You can configure Diffusion® Cloud to allow clients to connect anonymously. This means that any client can connect and create a session.
For most applications, you must authenticate a client before it creates a session.

To access Diffusion® Cloud, a client must provide the following authorisation details:

Principal: (user name) This is the name of a principal (the user or program that is trying to connect to Diffusion® Cloud).
Credentials: (password) This is typically a password, but it can be any information that authenticates the principal, such as a cryptographic key or an image.

Granting roles using custom authentication handlers

The decision about which roles to grant to which principal is made by an authentication handler.
Diffusion® Cloud has a built-in system authentication handler that uses principal, credential, and roles information stored in Diffusion® Cloud.
The Security tab on the Diffusion® Cloud console displays the state of system authentication handler.

You can also write your own custom control authentication handlers, which can connect to Diffusion® Cloud and make authentication decisions instead of the built-in handler.
The custom handler can recognise a completely separate set of principals.

If you have multiple handlers, they can work together. A handler can choose to:

ALLOW or DENY a connection,
ABSTAIN and pass the decision to another handler.

For example, you can create a custom handler which knows about certain principals.
If a principal that it doesn’t recognise tries to connect, it abstains and passes the decision to the system handler instead.