Lineup Authentication and APIs

Lineup offers OAuth2 Integration, API Service, and Single Sign On (SSO) Support. 

Overview

Lineup uses OAuth2 JWT bearer token authentication and validates that each resource request includes a valid access token.  The token is also validated to ensure that it has not expired and comes from a registered and trusted identity provider.

The identity-as-a-service platform we use, Auth0, is configured to issue access tokens only in response to requests from authorized clients and domains.

The API enforces cross-origin resource sharing (CORS) domain whitelisting so that it does not respond to requests from unauthorized clients, even when they present a valid access token.

Integration

For customers with applications that need to integrate with Lineup, we support the OAuth 2.0 Client Credentials Flow. This authentication flow allows machine-to-machine applications such as CLIs, daemons, or services running on your back-end to obtain an access token from our identity provider in order to securely access the Lineup API.


Lineup APIs

Once your system has been configured to obtain an access token from our identity-as-a-service provider, Auth0, it will be able to make API requests to obtain and modify user and application data for your instance of Lineup.

We are currently working on releasing a public API that will allow integration systems to perform many of the same actions that your Lineup admins can do via our web application.

Our API data is encrypted in transit using SSL/TLS certificates and at rest using AWS Key Management Service (KMS).


Lineup SSO

Lineup supports Single Sign On (SSO) to provide your users with a single method of authenticating with all of your organization’s applications. We prefer Security Assertion Markup Language (SAML) based SSO integrations but can also support other common protocols such as OpenID Connect (OIDC), Active Directory (AD), and Lightweight Directory Access Protocol (LDAP).

The single sign-on provisioning process for us begins with setting up a SAML connection for your organization in our identity-as-a-service provider, Auth0. To do that, we’ll need the details below. If you can provide us with a SAML metadata file issued by your identity provider, we can obtain most of these fields from that document:

  • Signing Certificate

  • SAML Request/Login URL

  • SAML Logout URL

  • Any additional properties that should be included in the SAML Request, e.g. AssertionConsumerServiceURL (this is not common)

  • Any additional claims that will be included in the SAML Response

    • We require Given_Name, Family_Name, and Email

Once we’ve configured your connection, we’ll send a customized SAML metadata file with our authentication details so you can configure things in your identity provider. After both systems have been configured, we’ll just need to coordinate testing authentication with someone in your organization before we fully enable SSO authentication.

Please note that SSO applies to all admin users of Lineup. End-users (i.e. those completing application forms and accepting team invitations) are not required to log in.
