Skip to content

User Authentication

A User Authentication trust requirement allows you to require that a user must have authenticated with a nominated authority on their device before connectivity can be established.

An authority is a provider of authentication, sometimes called an Identity Provider (or IdP). You can have a different authority for each trust requirement, if you wish (this can be useful when managing a diverse estate of authentication providers).

When this trust requirement is applied, users will be presented with the prompt to authenticate, at which point we conduct the authentication flow with the nominated authority.

Authorities and OpenID Connect

Enclave authenticates users using the standard OpenID Connect (OIDC) protocol to allow authentication against a diverse set of Identity Providers. The OpenID Connect protocol is supported by a large number of identity providers, and we have verified support for

You can also use any compatible identity provider, with our Custom OIDC authority.


If your users are running Windows, iOS or Android, and you need to provide authentication credentials, you will get a notification in your system tray that login is required; upon opening the Enclave application, you will be presented with a Login button to initiate the login process.

On Linux and macOS, where we do not currently have a tray app, you can open a terminal and run:

enclave auth

This will launch the appropriate authentication flow via the system browser.


Enclave will gather a refresh token for the user during login, which will remove the need for the user to login again frequently, unless your authority has constraints on how often a user must log in.

Non-interactive Contexts

In a system where we cannot launch a web browser to complete an authentication flow (for example, in an SSH session to a raspberry pi), running enclave auth will initiate a "device flow", where you can visit a URL on another device, enter a code, and complete the authentication process that way.