Purpose: Orion supports several methods for authenticating to the Orion Connect platform or the Orion API, including basic, SAML 2.0, and OAuth. In each case an Orion ID and Secret are required to identify the authenticating platform and its API calls. This ID and Secret are created by Orion upon approval of access and then provided to the customer or integrating partner.
In addition to identifying the source of the authentication, the ID and Secret are also used for data scoping of certain Orion data, including SSN and CUSIP. API endpoints containing this data are masked until the customer or partner receives approval from Orion, at which point the scoping is set to TRUE to allow unmasking of the data.
Orion’s authentication always takes place in the context of a user. That user can be an actual person (for example an Admin, Advisor, or Rep), or a special Advisor-level user can be created and assigned to the API/Integrations Role to serve as a type of “Service Account” for the connection. When authenticating as a normal user, API access is restricted to the same access that user would have when accessing Orion Connect. The user type assigned to the API/Integrations Role has full access to the API by default and its password does not expire.
Several solutions towards the end of this section may be useful in different contexts: impersonating a user, creating a token URL for SSO from Orion Connect into an external platform, and generating a token for Orion platforms other than Orion Connect.
Use Cases:
BASIC – Best used for simple changes made by an API user or service account. The Orion token can be used to call the Orion API and learn additional details about the user. This method is useful when you want to store a username and password to open a connection each day to run automated jobs; however, ensure that the credentials are stored in a secure manner.
SAML – Best used when the originating platform will serve as the identity provider. The user will only know the credentials to authenticate into the first platform. The user will need to be linked between platforms based on an already known value such as username, email, or Rep ID.
OAuth – Best used when the user knows their Orion Connect credentials and will input them into the OAuth UI from the originating platform. A token and refresh token can be used to keep the connection current.
Impersonation – Best used for representative and client level users, when the details of the user are known to the authenticating platform, but the user may or may not exist within the Orion platform. Impersonation can create the user in the moment and then authenticate as that user.
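The BASIC and OAuth use cases above both come down to two defensive habits for an automated job: keep the stored username, password, ID and Secret out of source code and logs, and hold a token that is refreshed before it expires rather than re-sending the password. The following is an added example (not Orion's own code or client library) showing one way to structure that. The environment variable names, the grant types, the token-reply field names (`access_token`, `refresh_token`, `expires_in`) and the `transport` callable are all assumptions; a real job would wrap an HTTP client around the Orion token endpoint in place of `transport`.

```python
import base64
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Mapping, Optional

# Environment variable names are assumptions for this example, not names
# Orion defines. Keeping the values out of source control and config files
# is the "secure manner" the text asks for; a secrets manager is better still.
ENV_KEYS = ("ORION_ID", "ORION_SECRET", "ORION_USERNAME", "ORION_PASSWORD")


@dataclass(frozen=True)
class Credentials:
    orion_id: str       # ID issued by Orion to identify the integrating platform
    orion_secret: str   # Secret paired with that ID
    username: str       # service-account user assigned to the API/Integrations Role
    password: str

    def __repr__(self) -> str:
        # Never let the secret or password leak into logs or tracebacks.
        return f"Credentials(orion_id={self.orion_id!r}, username={self.username!r}, ****)"


def load_credentials(env: Mapping[str, str] = os.environ) -> Credentials:
    """Read the four values from the process environment; fail loudly if any is missing."""
    missing = [k for k in ENV_KEYS if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing credential variables: {', '.join(missing)}")
    return Credentials(env["ORION_ID"], env["ORION_SECRET"],
                       env["ORION_USERNAME"], env["ORION_PASSWORD"])


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    """Standard HTTP Basic header (RFC 7617): base64 of 'username:password'."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


# A transport is any callable that takes a grant type and a form dict and
# returns the token endpoint's JSON reply as a dict. The grant names and
# reply fields are placeholders modelled on OAuth 2.0, not Orion's contract.
Transport = Callable[[str, Dict[str, str]], Dict[str, object]]


class TokenSession:
    """Holds an access token for a long-running job and refreshes it before expiry."""

    def __init__(self, creds: Credentials, transport: Transport,
                 clock: Callable[[], float] = time.monotonic, skew: float = 60.0):
        self._creds = creds
        self._transport = transport
        self._clock = clock
        self._skew = skew            # refresh this many seconds before expiry
        self._access: Optional[str] = None
        self._refresh: Optional[str] = None
        self._expires_at = 0.0

    def _store(self, reply: Dict[str, object]) -> None:
        self._access = str(reply["access_token"])
        new_refresh = reply.get("refresh_token")
        if new_refresh:              # servers may rotate or omit the refresh token
            self._refresh = str(new_refresh)
        self._expires_at = self._clock() + float(reply["expires_in"])

    def access_token(self) -> str:
        """Return a token that stays valid for at least `skew` more seconds."""
        if self._access and self._clock() + self._skew < self._expires_at:
            return self._access
        if self._refresh:
            # Refresh path: the stored password is not sent again.
            self._store(self._transport("refresh_token", {
                "client_id": self._creds.orion_id,
                "client_secret": self._creds.orion_secret,
                "refresh_token": self._refresh,
            }))
        else:
            # First login: exchange the service-account credentials for a token.
            self._store(self._transport("password", {
                "client_id": self._creds.orion_id,
                "client_secret": self._creds.orion_secret,
                "username": self._creds.username,
                "password": self._creds.password,
            }))
        assert self._access is not None
        return self._access

    def bearer_header(self) -> Dict[str, str]:
        """Header for API calls once a token is held."""
        return {"Authorization": f"Bearer {self.access_token()}"}
```

The `clock` and `transport` parameters exist so the refresh logic can be exercised offline; in production leave `clock` at its default and pass a function that POSTs the form to the token endpoint. `repr(Credentials)` masks the secret and password so that an accidental `print` or exception message does not disclose them.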