Authentication for Key Access
CipherTrust Data Security Platform Service authenticates users when a user identity is presented with the request. This authentication provides a mechanism to enforce permissions on a user.
When it authenticates a user, CipherTrust Data Security Platform Service checks the user's group membership and applies the permissions associated with those groups.
Single Sign On Users
You can add some Data Protection on Demand (DPoD) users to the CDSPaaS tenant so that they can log in to the CipherTrust Data Security Platform Service UI with their DPoD usernames and passwords. Such users must be assigned to at least one CipherTrust Data Security Platform Service group so that permission levels are associated with them.
Note
Single sign on with DPoD credentials is only supported in the CipherTrust Data Security Platform Service UI.
Compatible DPoD users are tenant administrators or application owners within the DPoD subscriber tenant which hosts the CDSPaaS tenant.
REST API Authentication Tokens
To access CipherTrust Data Security Platform Service through the REST API, it is helpful to be aware of the two authentication token types: API Tokens (JWT) and Refresh Tokens.
Both authentication tokens can be issued (created) using a username and password, but the API Token (JWT) can alternatively be issued using a refresh token. API Tokens (JWT) are short-lived tokens that are presented as a "Bearer" token when accessing the REST API. API Tokens (JWT) are valid for 5 minutes.
Refresh tokens are long-lived tokens and can be used as an alternative way to issue API Tokens (JWT). One typical use case for refresh tokens is a long-lived browser session in which a user enters credentials to get a refresh token. This allows the browser to automatically issue new API Tokens (JWT) using the refresh token during the session.
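The token lifecycle described above, as an added example that is not part of the product documentation or Thales code: a client-side session that caches the 5-minute API Token (JWT), renews it with the refresh token shortly before expiry, and falls back to username and password when the refresh token is rejected. The `login` and `refresh` callables are hypothetical stand-ins for the REST calls, which this page does not show, and `FakeIssuer` is a constructed in-memory substitute for the service.

```python
import time

API_TOKEN_TTL = 300  # seconds: the page states API Tokens (JWT) are valid for 5 minutes

class TokenSession:
    """Hands out a valid Bearer token, renewing it with the refresh token."""
    def __init__(self, login, refresh, clock=time.monotonic, skew=30):
        self._login = login      # hypothetical: () -> (api_token, refresh_token)
        self._refresh = refresh  # hypothetical: (refresh_token) -> api_token
        self._clock = clock
        self._skew = skew        # renew this many seconds before expiry
        self._api_token = None
        self._refresh_token = None
        self._expires_at = 0.0

    def bearer(self):
        now = self._clock()
        if self._api_token and now < self._expires_at - self._skew:
            return self._api_token          # cached API token is still valid
        token = None
        if self._refresh_token:
            try:
                token = self._refresh(self._refresh_token)
            except PermissionError:
                self._refresh_token = None  # rejected: drop it and log in again
        if token is None:
            token, self._refresh_token = self._login()
        self._api_token = token
        self._expires_at = now + API_TOKEN_TTL
        return token

    def auth_header(self):
        return {"Authorization": "Bearer " + self.bearer()}

class FakeIssuer:
    """Constructed in-memory stand-in for the service, for offline runs."""
    def __init__(self):
        self.logins = self.refreshes = 0
        self.revoked = False

    def login(self):
        self.logins += 1
        return "jwt-login-%d" % self.logins, "refresh-%d" % self.logins

    def refresh(self, refresh_token):
        if self.revoked:
            raise PermissionError("refresh token rejected")
        self.refreshes += 1
        return "jwt-refresh-%d" % self.refreshes
```

In a real client, keep the refresh token in protected storage, since it outlives every API Token (JWT) issued from it.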