The AgilePoint NX platform is fairly flexible when it comes to choosing an identity provider. It supports the concept of Bring Your Own Identity, where customers are free to choose any of the supported identity providers listed in the documentation.
As you can see, a wide variety of industry-standard authentication providers are supported out of the box (OOTB). However, we do not limit you to those providers. If a client uses an authentication provider that is not listed in the document, the AgilePoint Professional Services team can work with the client to quickly add support for their preferred provider. This is straightforward because we have kept the authentication layer separate from the core engine; through that externalized interface we can bring in any authentication provider, be it barcode, a custom database, RFID, etc.
One question I sometimes get is that a client has an existing authentication provider that uses SAML2, so should they use that, and can it be supported? As explained above, technically we can support any authentication provider, but there are a few considerations to keep in mind when making a choice at the protocol level.
AgilePoint uses OAuth2 as the protocol for each of the authentication providers it supports OOTB. The reason we prefer OAuth2 over SAML2 is that SAML2 is a very nice protocol but is more suited to protecting front-end websites only, e.g. the Office 365 portal UI; if you look at the Office 365 API, it is protected with OAuth2. In AgilePoint's case, not just the website but also the back-end REST API is protected by external authentication, since clients can kick off workflows through the API as well.
When it comes to API access, SAML2 is XML based and therefore has a bigger payload, which increases network traffic and is not good for performance. OAuth2, being based on the compact JWT token format, is much more compact and better for API efficiency, especially in global deployments. This is why we prefer OAuth2 over SAML2, and if you look at Office 365 and Salesforce, they have all started doing the same for their APIs, which use OAuth2. API speed is very important for performance.
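As an added illustration of the token format this paragraph refers to (example code, not AgilePoint's own), the following Python shows what a compact OAuth2 bearer JWT looks like on the wire and the checks an API endpoint runs on every call before accepting it: algorithm, signature, issuer, audience and expiry. The secret, issuer and audience values are constructed for the demo; a real deployment takes them from the identity provider configuration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo values; a real deployment takes these from the IdP configuration (assumption).
SECRET = b"demo-shared-secret"      # HS256 key shared by the IdP and the API
ISSUER = "https://idp.example"      # issuer the API trusts
AUDIENCE = "agilepoint-api"         # audience the API expects in every token


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict) -> str:
    """Mint a compact HS256 JWT: base64url(header).base64url(claims).base64url(HMAC)."""
    compact = {"separators": (",", ":")}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url(json.dumps(claims, **compact).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_bearer(authorization: str, now: int) -> Optional[dict]:
    """Check the Authorization header of an API call; return the claims, or None on any failure."""
    scheme, _, token = authorization.partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:                      # bad base64, bad UTF-8 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None
    if header.get("alg") != "HS256":        # accept only the algorithm we configured
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                         # tampered, or signed with another key
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None                         # token meant for another issuer or app
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                         # expired or missing expiry
    return claims
```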
However, clients then have a follow-up question: how does that choice affect their other apps that might be using SAML2? Most authentication providers listed in our documentation support both the SAML2 and OAuth2 protocols on the provider side, so clients just need to select OAuth2 as the protocol when configuring the authentication endpoint for AgilePoint. This does not affect their other existing apps that might be using SAML2, since this configuration is controlled per app on the authentication provider side. Those apps can keep using SAML2 while AgilePoint uses OAuth2.
My recommendation is to stick to OAuth2 as much as you can from a performance point of view, but if for any specific reason you need to select SAML2, please discuss this with the AgilePoint Professional Services team, which can help you write an implementation for the SAML2 endpoint.