Authentication Overview

Our tenant supports multiple authentication methods to integrate external applications. Each integration method can be used according to specific scenarios and requirements.

User Roles and Capabilities

Before diving into authentication methods, it's important to understand the different user roles supported:

1. Super Admin - Selected @publica.la users (from an approved list) with elevated privileges

   • Can access all tenant features
   • Not affected by automatic login restrictions
   • Must be manually added to an approved list
   • Can only authenticate using Google Sign-in (email + password login is not allowed)

2. Admin - Users with administrative access to the tenant

   • Can access control panel (except during automatic login sessions)
   • Can access billing details (except during automatic login sessions)
   • Can preview content regardless of tenant settings

3. Plan Admin (commonly known as "Librarians" or "Bibliotecarios")

   • Managed via the plan_admin_users feature flag
   • Can manage specific subscription plans
   • Can view the list of users within their plan
   • Can monitor accessible content for their plan
   • Cannot access control panel during automatic login sessions

4. Regular User - Standard users with basic access permissions

   • Access determined by their subscription plan
   • May have restricted content visibility based on tenant settings

Note: While all @publica.la users are classified as pla_users, only those in a manually maintained list are granted Super Admin privileges.

User Identity and Access Control

Different authentication methods affect how user identity is handled:

1. Shared Identity Methods:

   • IP Authentication
   • URL Referrer These methods may share one user account among multiple people

2. Individual Identity Methods:

   • LTI
   • SAML
   • Token Authentication
   • External Auth Embedding These methods maintain individual user identity

3. Access Restrictions:

   • Users authenticated via automatic login methods (IP, LTI, Referrer) cannot access:
     • Billing details
     • Control panel
     • Account settings
   • Admin and Plan Admin privileges are disabled during automatic login sessions

Authentication Methods

You can authenticate users in the tenant using:

1. IP
2. URL Referrer
3. LTI
4. Token
5. External Auth Embedding
6. SAML
7. Arc XP (Legacy)

Use Cases

Based on customer needs, we recommend specific integration methods:

• University/Institution Access

  • IP Authentication
  • URL Referrer
  • LTI Authentication

• Individual/Subscription Access (e.g. newspapers, external subscriptions)

  • Token Authentication
  • External Auth Embedding
  • Arc XP (Legacy - only for existing integrations)

The choice of authentication method should consider the customer's technical capabilities and infrastructure.

Integration Complexity

Simpler to Integrate:

1. IP
2. Referrer

Requires Third-Party Configuration:

1. LTI
2. Token
3. External Auth Embedding
4. SAML
5. Arc XP (Legacy)

Important Considerations

1. All authentication integrations require an Enterprise plan (exceptions may exist for specific customers with manually assigned feature flags)
2. Some authentication methods affect user capabilities:
   • IP and Referrer logins may share one user account among multiple people
   • LTI, SAML, Token and External Auth Embedding logins maintain individual user identity
   • Users authenticated via IP, LTI, or Referrer cannot access billing details or control panel
   • Admin and Plan Admin privileges are disabled during automatic login sessions

---