The AgilePoint NX platform is flexible when it comes to choosing an identity provider. It supports the concept of Bring Your Own Identity, where customers are free to choose from any of the supported identity providers listed in the documentation:
https://documentation.agilepoint.com/10/admin/cloudportalThirdPartyAuthentication.html
As you can see, a wide variety of industry-standard authentication providers is supported out of the box (OOTB). However, we do not limit you to those providers. If a client uses an authentication provider that is not listed in the document, the AgilePoint Professional Services team can work with the client to quickly add support for it. This is straightforward because the authentication layer is kept separate from the core engine; through that externalized interface any authentication provider can be brought in, be it barcode, a custom database, RFID, etc.
One question I sometimes get is: a client has an existing authentication provider that uses SAML2, so should they use that, and can it be supported? As explained above, technically we can support any authentication provider, but there are a few considerations to keep in mind when making the choice at the protocol level.
AgilePoint uses the OAuth2 framework. OpenID Connect (OIDC) is a thin protocol layer that sits on top of OAuth2 to provide authentication and uses a JSON Web Token (JWT) as the identity token. AgilePoint uses this for each of the authentication providers it supports OOTB. To learn more about OAuth2, OpenID Connect and SAML, refer to the following article from Okta:
https://www.okta.com/identity-101/whats-the-difference-between-oauth-openid-connect-and-saml/
The reason AgilePoint prefers OpenID Connect over SAML2 is that SAML2, while a very nice protocol, is better suited to protecting front-end websites only, for example the Office 365 portal UI; the Office 365 API, by contrast, is protected with OpenID Connect. In AgilePoint's case, not just the website but also the back-end REST API is protected by external authentication, since clients can kick off processes through the API as well.
When it comes to API access, SAML2, being XML-based, has a bigger payload, which increases network traffic and is not good for performance. OpenID Connect, based on the compact JWT format, is much more compact and better for API efficiency, especially in global deployments. This is why we prefer OpenID Connect over SAML2, and Office 365 and Salesforce have started doing the same for their APIs, which use OpenID Connect. API speed is very important for performance.
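As an added example (not AgilePoint's code), this is what a back-end REST API has to do with a compact OIDC JWT on every request before trusting it: split the three dot-separated segments, verify the signature with a pinned algorithm, then check issuer, audience and expiry. The key, issuer and audience below are constructed demo values, and it uses an HS256 shared secret so it runs offline; against a real identity provider the API verifies the provider's asymmetric signature with the key published at its JWKS endpoint.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values; a real deployment uses the identity provider's
# issuer URL, the client id registered for AgilePoint, and the IdP's JWKS key.
DEMO_KEY = b"constructed-demo-hs256-key"
DEMO_ISSUER = "https://idp.example.test/"
DEMO_AUDIENCE = "agilepoint-api-client"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT (header.payload.signature); stands in for the IdP."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def validate_token(token: str, key: bytes, issuer: str, audience: str, now=None):
    """Return the claims if the token is trustworthy for this API, otherwise None."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
        sig_bytes = b64url_decode(sig)
    except ValueError:                       # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":         # pin the expected algorithm; never accept "none"
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None                          # forged or tampered token
    if claims.get("iss") != issuer:          # token must come from the configured IdP
        return None
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return None                          # token was minted for some other app
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None                          # missing or expired
    return claims
```

The audience check is the one that matters when the same identity provider serves several apps: a token issued for another app must not open the AgilePoint API.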
Clients then have a follow-up question: how does that choice affect their other apps, which might be using SAML2? Most authentication providers listed in our documentation support both SAML2 and OpenID Connect, so clients only need to select OpenID Connect when configuring the authentication endpoint for AgilePoint. This does not affect their other existing apps that might be using SAML2, since this configuration is controlled per app on the authentication provider side, and both work seamlessly with Single Sign-On: if I am logged into one app using SAML2 and then go to AgilePoint, which uses OpenID Connect, I am automatically logged in. Those apps can keep using SAML2 while AgilePoint uses OpenID Connect.
My recommendation is to stick with OpenID Connect as much as you can from a performance point of view, since each identity provider supports both. If for any specific reason you need to select SAML2, please discuss this with the AgilePoint Professional Services team, which can help you write an implementation for a SAML2 endpoint.