Authentication Overview
RAMP supports multiple authentication methods to meet the needs of different deployment scenarios. This guide helps you choose the right authentication method for your organization.
Available Authentication Methods
| Method | Best For | Complexity | Features |
|---|---|---|---|
| RAMP Native | Small teams, getting started | Low | Username/password, MFA, password reset |
| OIDC/OAuth2 | Modern SSO, cloud environments | Medium | SSO, external IdP, OAuth2 |
| Windows Auth | Corporate intranets, AD environments | Medium-High | Seamless Windows login, AD integration |
| LDAP | Enterprise directories, OpenLDAP | Medium | Directory integration, centralized users |
| ADFS | Legacy enterprise SSO | Medium-High | WS-Federation, claims-based auth |
Decision Guide
Choose RAMP Native If:
- You’re getting started with RAMP
- You have a small team (< 50 users)
- You don’t have an existing identity provider
- You want to manage users directly in RAMP
- You need Multi-Factor Authentication (MFA)
Choose OIDC/OAuth2 If:
- You use Microsoft Entra ID (Azure AD), Google Workspace, Okta, or Auth0
- You want modern Single Sign-On (SSO)
- You need to integrate with cloud-based identity providers
- Your users already authenticate with OAuth2/OIDC
- You want to leverage external identity provider features
Choose Windows Authentication If:
- RAMP will run on your internal network (intranet)
- All users are on Windows domain machines
- You want seamless authentication (no login prompts)
- You have Active Directory
- RAMP will be hosted on Windows Server with IIS
Choose LDAP If:
- You have Active Directory or OpenLDAP
- You want centralized user management
- You need to authenticate against enterprise directories
- You want to search/browse directory users
- RAMP can be hosted on Linux or Windows
Choose ADFS If:
- You already use Active Directory Federation Services
- You need claims-based authentication
- You have legacy WS-Federation integrations
- You want SSO across multiple on-premises applications
- Your organization uses Windows Server with ADFS
Multi-Provider Support
RAMP can support multiple authentication providers simultaneously. For example:
- Internal admins use RAMP native accounts with MFA
- Employees use Windows Authentication or LDAP
- External contractors use OIDC with Google Workspace
Each user has an IdentityProvider field that determines how they authenticate.
Common Features Across All Methods
Multi-Factor Authentication (MFA)
- Available for RAMP native users
- TOTP-based (Google Authenticator, Authy, Microsoft Authenticator)
- 10 backup codes per user
- Admin-configurable policies (None/Optional/Required)
See MFA Setup Guide
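How TOTP verification and single-use backup codes fit together, as an added example that is not RAMP's own code. The 30-second step, 6 digits and HMAC-SHA1 are the RFC 6238 defaults used by the authenticator apps listed above; the `MfaState` record, the backup-code format and hashed storage are assumptions.

```python
import hashlib, hmac, secrets, struct

STEP = 30     # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6    # code length shown by common authenticator apps

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

def new_backup_codes(count: int = 10):
    """Return (codes shown once to the user, hashes to store server-side)."""
    codes = [secrets.token_hex(8) for _ in range(count)]   # assumed format
    return codes, {hash_code(c) for c in codes}

class MfaState:
    """Per-user MFA record (hypothetical shape, not RAMP's schema)."""
    def __init__(self, secret: bytes, backup_hashes: set):
        self.secret = secret
        self.backup_hashes = set(backup_hashes)
        self.last_step = -1        # highest time step already accepted

    def verify(self, code: str, now: int) -> str:
        """Return 'totp', 'backup' or 'rejected'."""
        for drift in (-1, 0, 1):                   # tolerate one step of clock skew
            step = now // STEP + drift
            if step <= self.last_step:
                continue                           # this step's code was already used
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step              # blocks replay inside the window
                return "totp"
        digest = hash_code(code)
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)     # each backup code works once
            return "backup"
        return "rejected"
```

Tracking `last_step` is what stops a code observed in transit from being replayed during the remainder of its validity window.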
Role-Based Access Control (RBAC)
- All authentication methods integrate with RAMP’s permission system
- Users get roles regardless of authentication source
- Permissions are enforced uniformly
Audit Logging
- All login attempts are logged
- Failed authentication attempts are tracked
- User activity is audited
Security Best Practices
General Recommendations
- Use HTTPS in production — Never deploy RAMP with HTTP-only
- Rotate secrets regularly — JWT secrets, client secrets, service account passwords
- Enable MFA — For administrative accounts at minimum
- Monitor failed logins — Watch for brute-force attempts
- Use strong passwords — Especially for bootstrap administrators
- Limit scope — Grant minimum required permissions
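One way to act on the "monitor failed logins" recommendation, as an added example that is not RAMP's own code. The audit line format, thresholds and alert names are assumptions, and the sample events are constructed; lines are expected in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
ACCOUNT_FAILS = 5     # failures against one account inside WINDOW
SOURCE_ACCOUNTS = 4   # distinct accounts failing from one source inside WINDOW
# Constructed audit events: timestamp username identity_provider source_ip outcome
SAMPLE = """\
2024-05-01T09:00:00 admin Native 203.0.113.7 failure
2024-05-01T09:00:20 admin Native 203.0.113.7 failure
2024-05-01T09:00:40 admin Native 203.0.113.7 failure
2024-05-01T09:01:00 admin Native 203.0.113.7 failure
2024-05-01T09:01:20 admin Native 203.0.113.7 failure
2024-05-01T09:01:40 admin Native 203.0.113.7 success
2024-05-01T09:10:00 alice LDAP 198.51.100.9 failure
2024-05-01T09:10:05 bob LDAP 198.51.100.9 failure
2024-05-01T09:10:10 carol LDAP 198.51.100.9 failure
2024-05-01T09:10:15 dave LDAP 198.51.100.9 failure
2024-05-01T09:30:00 erin OIDC 192.0.2.44 failure
2024-05-01T09:30:30 erin OIDC 192.0.2.44 success
"""

def detect(log_text):
    """Return {(kind, subject): time first raised}, in the order alerts fired."""
    by_user = defaultdict(deque)     # username -> recent failure times
    by_source = defaultdict(deque)   # source IP -> recent (time, username) failures
    alerts = {}
    for line in log_text.splitlines():
        stamp, user, _provider, source, outcome = line.split()
        ts = datetime.fromisoformat(stamp)
        fails = by_user[user]
        while fails and ts - fails[0] > WINDOW:
            fails.popleft()                      # drop failures outside the window
        if outcome == "success":
            if len(fails) >= ACCOUNT_FAILS:      # login right after a failure burst
                alerts.setdefault(("success_after_burst", user), ts)
            fails.clear()
            continue
        fails.append(ts)
        if len(fails) >= ACCOUNT_FAILS:
            alerts.setdefault(("brute_force", user), ts)
        seen = by_source[source]
        seen.append((ts, user))
        while ts - seen[0][0] > WINDOW:
            seen.popleft()
        if len({u for _, u in seen}) >= SOURCE_ACCOUNTS:
            alerts.setdefault(("password_spray", source), ts)
    return alerts
```

The per-source counter catches one address trying a few passwords across many accounts, which a per-account threshold alone misses; a `success_after_burst` alert deserves the fastest response because it may mean a password was guessed.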
Network Security
- Deploy RAMP on internal networks when using Windows Authentication
- Use VPNs for external access
- Configure firewalls to restrict API access
- Use reverse proxies (nginx, IIS) with proper TLS configuration
Secret Management
- Development: Use ASP.NET Core User Secrets
- Production: Use Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault
- Never commit secrets to source control
See Email Setup Guide for SMTP password security
Quick Setup Comparison
| Feature | RAMP Native | OIDC | Windows Auth | LDAP | ADFS |
|---|---|---|---|---|---|
| Setup Time | 15 min | 30-60 min | 2-4 hours | 1-2 hours | 2-4 hours |
| External Dependencies | None | IdP account | AD + IIS | LDAP server | ADFS server |
| SSO | No | Yes | Yes | No | Yes |
| Directory Search | No | Optional | Yes | Yes | Limited |
| MFA Support | Yes (built-in) | Via IdP | No | No | Via IdP |
| Password Reset | Yes (email) | Via IdP | Via AD | Via LDAP | Via IdP |
| Auto-Provisioning | Manual | Yes | Yes | Yes | Yes |
Next Steps
- Review your requirements using the decision guide above
- Choose an authentication method
- Follow the setup guide for your chosen method
- Configure additional features:
- Test authentication before deploying to production
- Review security settings and enable audit logging
Frequently Asked Questions
Can I use multiple authentication methods?
Yes! RAMP supports multiple providers simultaneously. Each user has an IdentityProvider field indicating their authentication source.
Can I migrate from one method to another?
Yes, but it requires careful planning. Users must be recreated with the new identity provider. Contact support for migration assistance.
Which method is most secure?
All methods can be secure when properly configured. For maximum security:
- Enable MFA for RAMP native users
- Use SSO with an enterprise IdP (OIDC, ADFS)
- Keep all systems patched and updated
Do I need a database for authentication?
Yes, RAMP stores user metadata (roles, preferences, assignments) in its database regardless of authentication method. The database doesn’t store passwords for external IdP users.
Can external users access RAMP?
Yes, use OIDC with a public IdP (Google, Microsoft, Auth0) and configure appropriate role assignments for external users.