Authentication Providers

Pyramid supports four types of authentication or identity provider (IDP) for user management: one internal ("database") provider and three external ones (LDAP, SAML and OpenID). The internal "database" provider is deployed by default, with the initial master administrative user created during installation.

Note: External authentication providers are not available in the Community Edition.

Supported Providers

Typically, customers change the IDP for the platform to an external vendor solution. Switching to any other provider is set up and configured from within the administrative console by an enterprise admin. When changing IDPs, the new provider's specific settings must be supplied to the authentication engine, together with a new master user account from that provider. This user becomes the first enterprise admin in the new setup.

Given that each vendor's setup and configuration can be quite unique, the provider change should be done carefully, with all relevant system backups taken first.

  • See Changing Providers below for full information about changing provider.

The table below summarizes which IDP vendors and authentication types are supported by Pyramid. It also shows which authentication features are supported.

Click the provider name below to see its details on setup and configuration.

As of Pyramid 2025 Newton, specific vendor setups are exposed for SAML and OpenID. If you are upgrading, you may need to switch your vendor from "generic" to the relevant vendor to access more functionality.

Provider Type      | Vendor                      | Reciprocal Auth | Provisioning | Password Control | MFA    | Auth Methods
Internal Database  | Pyramid                     | N/A             | N/A          | yes              | yes    | forms, basic, API
LDAP               | Microsoft Active Directory  | -               | yes          | Vendor           | -      | forms, basic, windows, API
LDAP               | Azure Active Directory      | -               | yes          | Vendor           | -      | forms, basic, API
LDAP               | Generic Open LDAP           | -               | -            | Vendor           | -      | forms, basic, API
SAML               | Microsoft ADFS              | -               | -            | Vendor           | Vendor | IDP pop-up, API
SAML               | Azure                       | -               | yes          | Vendor           | Vendor | IDP pop-up, API
SAML               | Okta                        | -               | yes          | Vendor           | Vendor | IDP pop-up, API
SAML               | Ping                        | yes             | yes          | Vendor           | Vendor | IDP pop-up, API
SAML               | Google                      | -               | yes          | Vendor           | Vendor | IDP pop-up, API
SAML               | AWS                         | -               | -            | Vendor           | Vendor | IDP pop-up, API
SAML               | Generic                     | -               | -            | Vendor           | Vendor | IDP pop-up, API
OpenID             | Azure                       | -               | yes          | Vendor           | Vendor | IDP pop-up, API
OpenID             | Google                      | -               | yes          | Vendor           | Vendor | IDP pop-up, API
OpenID             | Okta                        | -               | yes          | Vendor           | Vendor | IDP pop-up, API
OpenID             | Ping                        | yes             | yes          | Vendor           | Vendor | IDP pop-up, API
OpenID             | Generic                     | -               | -            | Vendor           | Vendor | IDP pop-up, API

Notes

  • Reciprocal authentication means that Pyramid can authenticate requests coming from the IDP, and the IDP can authenticate requests made by Pyramid.
  • User and group provisioning allows Pyramid to add users and user groups via a search against the IDP itself. It also drives the automated provisioning engine, which adds, updates and deletes users on the platform automatically. If provisioning is not enabled (or not available for the vendor), users can only be added to the system manually.
  • Password controls (strength and reset cycle) are managed by the vendor of the IDP technology. Pyramid offers these controls itself only when the internal database IDP is used.
  • Multi-factor authentication (MFA) is managed and supplied by the vendor of the IDP technology. Pyramid offers its own MFA only when the internal database IDP is used.
  • The Auth Methods column shows the user experience options available for each provider. In all cases, a user can also authenticate to Pyramid through its API, provided they already hold a valid token from the IDP.

Changing Providers

Before you begin

  • Back up the Pyramid database repository, which holds the settings of your current IDP, its users and their content, before you begin this process.
  • You must have already set up the new external Authentication Provider that you are moving to. For Active Directory, you must also have set up one or more domains.
  • You must have already created at least one initial user on your Authentication Provider. For Active Directory, you must also set up one or more service accounts with sufficient access to search each of your domains.

Step 1: Open the Change Provider page

  1. In the Admin Console, click Security > Authentication.
  2. The Authentication Provider page opens with the details of your current Authentication Provider displayed.

  3. From the top-right of the page, click Change Provider.
  4. The Change Provider page opens. By default, the Provider that you already have is selected in the Providers list.

Step 2: Set up the Provider

From the Change Provider page:

  1. Use the Provider drop-down to select one of the Authentication Providers and then a specific provider vendor.
  2. Once your new provider is selected, you need to specify all details for the new Authentication provider. For more details about each type, see the table above.
  3. Once you have set up your Authentication Provider and supplied its details, you need to set up details of the initial master user:
    • For the internal database and the Generic versions of SAML and OpenID, you just need to specify the details of the initial user.

    • For Active Directory, you need to set up an initial user and domain users, and click Test alongside each.

    • For the other providers / vendors, you need to set up the initial user details and click Test. This runs a test connection, which returns a token that you need to capture and copy into the initial user's External ID field. More details are available on each of the pages above.

    • Important: When you click Test you are redirected to the external IDP's login page, and the token you receive belongs to whichever account you sign in with there. Sign in as the account that is to become the initial master user, since that is the identity the External ID will be bound to.

  4. Once you have provided all relevant details, click Apply.
  5. If you have users in your current database, a Delete dialog opens:

    • If you are happy to delete all your current Pyramid users, click OK.
    • If you have already migrated your users to your new Authentication Provider and you want to map your existing Pyramid users to those new users, you should select the Convert Users checkbox, upload your spreadsheet of users, and click OK. For full details describing how to convert users following this process, see Convert Users.

The new Authentication Provider is activated with your new initial user. The old users, managed by the old Authentication Provider, are handled in one of two ways:

  • Users that were successfully converted are now mapped to users on the new Authentication Provider.
  • Users that were not converted (either because the conversion failed or because they were not part of the conversion spreadsheet) are all deleted. When users are deleted by this process, all of their private data (the discoveries, publications, and so on that are stored in their My Content Folder) are "soft deleted." Soft deleted files are moved into the Deleted users content folder and can be restored by an admin if needed.
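Because every current user that is absent from the conversion spreadsheet, or whose row cannot be matched, is deleted once you click OK, it is worth checking the spreadsheet against the current user list before confirming. The following is an added example (not part of the Pyramid product or its documentation) of such a pre-flight check. It assumes a CSV with the columns old_username and new_external_id, and that you have a list of current Pyramid usernames and a list of identifiers known to the new IDP; the column names, the sample users and the rule that an unknown target identifier will fail conversion are all assumptions for illustration.

```python
"""Pre-flight check for a Convert Users spreadsheet.

Added example, not Pyramid code. Reports which current users will be mapped
to the new Authentication Provider, which will be deleted, and which rows
need attention before the Delete dialog is confirmed.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample data (assumptions for illustration):
# current Pyramid usernames under the old provider ...
CURRENT_USERS = ["admin", "alice", "bob", "carol", "dave"]

# ... the conversion spreadsheet, with assumed column names ...
CONVERSION_CSV = """old_username,new_external_id
alice,alice@example.com
bob,bob@example.com
carol,
erin,erin@example.com
dave,alice@example.com
"""

# ... and the identifiers the new IDP actually knows about.
NEW_IDP_IDS = {"admin@example.com", "alice@example.com", "bob@example.com"}


@dataclass
class ConversionPlan:
    mapped: dict = field(default_factory=dict)        # old username -> new external id
    will_be_deleted: set = field(default_factory=set)  # current users with no valid mapping
    problems: list = field(default_factory=list)       # findings to fix before clicking OK


def plan_conversion(current_users, csv_text, new_idp_ids):
    """Decide the fate of every current user if the spreadsheet is applied as-is."""
    current = set(current_users)
    plan = ConversionPlan()
    seen_targets = {}  # new external id -> old username that claimed it first

    for row in csv.DictReader(io.StringIO(csv_text)):
        old = (row.get("old_username") or "").strip()
        new = (row.get("new_external_id") or "").strip()

        if old not in current:
            plan.problems.append(f"row for '{old}' does not match any current user")
            continue
        if not new:
            plan.problems.append(f"'{old}' has an empty new_external_id and will be deleted")
            continue
        if new not in new_idp_ids:
            # Assumed: a target the new IDP does not know cannot be converted.
            plan.problems.append(f"'{old}' maps to '{new}', which the new IDP does not know")
            continue
        if new in seen_targets:
            plan.problems.append(
                f"'{old}' and '{seen_targets[new]}' both map to '{new}'; review before applying"
            )
            continue

        seen_targets[new] = old
        plan.mapped[old] = new

    # Anything not successfully mapped is deleted by the provider change.
    plan.will_be_deleted = current - set(plan.mapped)
    return plan


if __name__ == "__main__":
    plan = plan_conversion(CURRENT_USERS, CONVERSION_CSV, NEW_IDP_IDS)
    print("Will be mapped:", plan.mapped)
    print("Will be deleted:", sorted(plan.will_be_deleted))
    for problem in plan.problems:
        print("Problem:", problem)
```

With the constructed data only alice and bob survive; the old master user admin is deleted along with carol (empty target) and dave (target already claimed by alice), and the row for erin is ignored because no such current user exists. Resolve every reported problem and regenerate the spreadsheet before clicking OK, since the deletion is only recoverable for the users' content, not for the user accounts themselves.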

What next?

After you have created a new Authentication Provider, you should log in as the initial user.

You might also want to create some new users and roles. Depending on your new authentication provider, you can create users by searching the IDP, or one at a time where search is not supported. Alternatively, you can use the bulk import tool to import new users. For a more continuous and automated approach, some providers support automated provisioning to add, update and remove users and user groups.