Skip to main content

Authentication Providers

Parthenon supports multiple authentication methods to integrate with your organization's identity infrastructure. The super-admin can configure, test, and manage providers through Admin > Authentication Providers -- a fully implemented admin UI for centralized authentication management.

Supported Providers

ProviderTypeProtocolCommon Integrations
LocalUsername/passwordBcrypt hashedAlways available (fallback)
LDAP/ADDirectory serviceLDAP v3 / LDAPSActive Directory, OpenLDAP, FreeIPA
SAML 2.0Federated SSOSAML assertionsOkta, Azure AD (Entra ID), ADFS, Shibboleth, OneLogin
OAuth 2.0 / OIDCFederated SSOOAuth 2.0 + OpenID ConnectGoogle Workspace, GitHub, Keycloak, Auth0

Local Authentication

Local authentication is the built-in username/password system. It is always available and cannot be disabled -- it serves as the fallback when all external providers are unreachable.

How It Works

  1. User enters their registered email and password on the login page.
  2. Parthenon verifies the password against the bcrypt hash stored in the database.
  3. On success, a Sanctum session token is issued.
  4. The must_change_password check is evaluated -- if true, the non-dismissable password change modal appears.

Password Policy

Password policy is configurable in Admin > System Configuration > Security:

SettingDescriptionDefault
Minimum lengthMinimum password character count12
Uppercase requiredAt least one uppercase letterYes
Lowercase requiredAt least one lowercase letterYes
Number requiredAt least one digitYes
Special character requiredAt least one symbol (!@#$%^&*)No (optional)
Password historyNumber of previous passwords that cannot be reused5
Maximum ageDays before password expires (0 = disabled)90

Login Throttling

To protect against brute-force attacks, Parthenon throttles login attempts:

  • 5 attempts per 15 minutes per IP address
  • After the limit is reached, the IP is blocked with a 429 (Too Many Requests) response
  • The throttle resets automatically after the window expires
  • Failed login attempts are logged in the audit trail with the attempted email and IP

Configuring LDAP / Active Directory

The LDAP provider allows users to authenticate against your organization's directory service.

Setup Steps

  1. Navigate to Admin > Authentication Providers.
  2. Click Add Provider and select LDAP / Active Directory.
  3. Configure the connection settings:
FieldDescriptionExample
HostLDAP server hostname or IPldap.yourorg.com
PortConnection port389 (LDAP) or 636 (LDAPS)
Use SSLEnable LDAPS encryptionYes (recommended)
Base DNSearch base for user lookupdc=yourorg,dc=com
Bind DNService account distinguished namecn=parthenon-svc,ou=Services,dc=yourorg,dc=com
Bind PasswordService account passwordStored encrypted in the database
User FilterLDAP filter to identify valid users(&(objectClass=user)(memberOf=CN=Parthenon,OU=Groups,DC=yourorg,DC=com))
Username AttributeAttribute containing the user's emailuserPrincipalName or mail
Display Name AttributeAttribute containing the user's full namedisplayName
  1. Click Test Connection to verify the LDAP bind succeeds and the user filter returns results.
  2. Set Default Role for new LDAP-authenticated users (typically viewer).
  3. Toggle Enabled and click Save.
Active Directory specifics

For AD environments, use:

  • Port 636 with SSL enabled
  • userPrincipalName as the username attribute (format: user@domain.com)
  • A service account with read-only access to the relevant OU
  • Group-based filtering via memberOf to restrict access to authorized users

LDAP Group-to-Role Mapping

Map LDAP groups to Parthenon roles for automatic role assignment:

LDAP GroupParthenon Role
CN=Parthenon-Admins,OU=Groups,DC=...admin
CN=Parthenon-Researchers,OU=Groups,DC=...researcher
CN=Parthenon-Viewers,OU=Groups,DC=...viewer

When a user authenticates via LDAP, their Parthenon roles are synchronized with their LDAP group memberships.

Configuring SAML 2.0

SAML 2.0 enables single sign-on (SSO) with enterprise identity providers.

Setup Steps

  1. Select SAML 2.0 as the provider type.
  2. Configure the Identity Provider (IdP):
    • IdP Metadata URL -- enter the metadata endpoint URL (e.g., https://login.microsoftonline.com/TENANT/federationmetadata/2007-06/federationmetadata.xml)
    • Or upload XML -- upload the IdP metadata XML file directly
  3. Copy the Parthenon SP Metadata URL (displayed in the setup panel) and register it as a trusted Service Provider in your IdP.
  4. Configure attribute mapping:
IdP AttributeParthenon FieldRequired
email / nameIDUser email addressYes
displayName / nameDisplay nameYes
groups / memberOfRole mappingNo (optional)
  1. Click Test SAML Flow to perform a real authentication round-trip with your IdP.
  2. Toggle Enabled and click Save.

IdP-Specific Guides

  • Okta -- Create a SAML app, set ACS URL to https://parthenon.yourdomain.com/api/v1/auth/saml/callback
  • Azure AD (Entra ID) -- Register an Enterprise Application with SAML SSO, configure claims
  • ADFS -- Add a Relying Party Trust with the Parthenon SP metadata
  • Shibboleth -- Configure the SP metadata in the IdP's metadata-providers.xml

Configuring OAuth 2.0 / OIDC

OAuth 2.0 with OpenID Connect provides flexible SSO for cloud identity providers.

Setup Steps

  1. Select OAuth 2.0 / OpenID Connect as the provider type.
  2. Choose a Provider Template (pre-configured defaults for common providers):
    • Google Workspace
    • GitHub
    • Keycloak
    • Generic OIDC (custom configuration)
  3. Enter credentials from your OAuth application registration:
FieldDescription
Client IDApplication client ID
Client SecretApplication client secret (stored encrypted)
Issuer URLOIDC discovery document URL (e.g., https://accounts.google.com)
ScopesOAuth scopes to request (default: openid email profile)
  1. Configure the Redirect URI in your OAuth application to match the displayed Parthenon callback URL: https://parthenon.yourdomain.com/api/v1/auth/oauth/callback
  2. Click Test Connection to verify the OAuth flow.

Multi-Provider Setup

Multiple authentication providers can be active simultaneously. The login page dynamically renders:

  • The local login form (email + password) -- always visible
  • A button for each active external provider (e.g., "Sign in with Okta", "Sign in with Google")

Users who have accounts linked to multiple providers can use any of them to authenticate. Parthenon links accounts by email address -- if a user authenticates via SAML and their email matches an existing local account, the accounts are automatically linked.

Provider Priority

When a user's email exists in both local and external directories, authentication behavior follows the configured priority:

  1. External first (default) -- LDAP/SAML/OAuth authentication takes precedence. This prevents shadow local accounts from bypassing your central directory policies (password expiration, MFA, account disablement).
  2. Local first -- local authentication is tried first. Use this only if you need local accounts to override external providers.

Configure priority in Admin > Authentication Providers > Settings.

Testing providers

Always use the Test Connection button before enabling a new provider. The test performs the full authentication flow (for SAML/OAuth) or a bind + search (for LDAP) and reports step-by-step results. This catches configuration errors before they affect real users.

Provider Management

The Authentication Providers list shows all configured providers with:

ColumnDescription
NameProvider display name
TypeLocal / LDAP / SAML / OAuth
StatusEnabled (green) / Disabled (gray)
UsersNumber of users who have authenticated via this provider
Last UsedTimestamp of the most recent authentication
ActionsEdit, Test, Enable/Disable, Delete

Disabling a provider does not delete user accounts -- it only removes the provider as a login option. Users who only authenticate via a disabled provider will need to use password reset to set a local password or wait for the provider to be re-enabled.