Authenticate User + Device
In standalone implementations, the FileOpen authentication scheme matches a device, identified at the level of its hardware or firmware, with a specific user. This unfolds in two stages. At first the device is new and therefore unrecognized, so the user is asked for credentials of one sort or another; if these are valid, the device is registered to that user. On subsequent events the device is recognized and the identity of the user is derived from the record created in the first stage.
Active Directory Support
In environments with a generalized user identity framework in place, e.g. Active Directory in a corporate environment, the FileOpen software can be configured to be subordinate to this authority. Here the FileOpen Client obtains identifiers specific to the user's login and passes them to the FileOpen PermissionServer, which relays them to the AD controller. The AD system then replies with the user's status and Group memberships, enabling the FileOpen PermissionServer to determine whether the particular document access should be permitted and, if so, with which controls.
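The two-stage device/user binding and the group-based access decision described in the two sections above, as an added example (not FileOpen's code). The in-memory DIRECTORY stands in for the AD controller and the POLICY mapping of groups to document controls is an assumption for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample directory standing in for AD: user -> (password, group memberships).
DIRECTORY = {
    "alice": ("correct-horse", {"Finance", "Staff"}),
    "bob": ("battery-staple", {"Staff"}),
}

# Assumed policy (not from the page): document -> group -> controls granted to that group.
POLICY = {
    "q3-report.pdf": {"Finance": {"view", "print"}, "Staff": {"view"}},
}


@dataclass
class PermissionServer:
    # Record created at first registration: device identifier -> user name.
    registry: dict = field(default_factory=dict)

    def identify(self, device_id, credentials=None):
        """Stage 2 if the device is known; otherwise stage 1, which needs credentials."""
        if device_id in self.registry:
            return self.registry[device_id]
        if credentials is None:
            raise PermissionError("unrecognized device: credentials required")
        user, password = credentials
        entry = DIRECTORY.get(user)
        # Constant-time comparison; a real deployment validates against the domain controller.
        if entry is None or not hmac.compare_digest(entry[0], password):
            raise PermissionError("invalid credentials")
        self.registry[device_id] = user  # register the device to this user
        return user

    def authorize(self, device_id, document, credentials=None):
        """Return (user, controls); an empty set of controls means access is denied."""
        user = self.identify(device_id, credentials)
        groups = DIRECTORY[user][1]  # group memberships as reported by the directory
        controls = set()
        for group, granted in POLICY.get(document, {}).items():
            if group in groups:
                controls |= granted
        return user, controls
```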
In browser environments it is now possible for the FileOpen solution to inherit user identity from a pre-existing login. PermissionServers such as FileOpen's, which implement the frameworks for such interactions, primarily OAuth and SAML, can provide a seamless experience in which a user's access to documents is determined by that user's previous login to a portal or other identity management environment.