This guide uses the following terms in very specific ways.

Users – JasperReports Server users are either people who access the web-based interface or applications that access the same content through web services. Authentication is slightly different for each type of access but operates on the same principles. For simplicity, this guide considers users to be people accessing the web-based interface.
Internal database – User accounts are created by administrators and stored in a private, internal database. For example, when you install JasperReports Server with the default settings, it requires a PostgreSQL database server where it stores the internal database tables containing user information. The internal database is independent of databases that store your operational data, although it may be on the same database server.
Authentication – Authentication is the verification of a user’s identity to allow access to JasperReports Server. By default, anonymous access is disabled, and all users must present valid credentials to log in: a user ID, a password, and in certain cases an organization ID. Authentication is more than gathering the user credentials, it's a process that ensures that every page is secure — either displayed to a verified user or denied until valid credentials are provided.
External authentication – External authentication is the process of gathering and verifying user credentials through a third-party application, for example, a corporate LDAP directory. The external application is called an authority because it's trusted to contain valid user information. The process of external authentication depends on the nature of the external authority, and the various configurations support different use scenarios. For example, with simple external authentication, users log into the JasperReports Server page, but their credentials are verified externally; in a single sign-on configuration, the user may log into another application, then navigate to JasperReports Server without seeing the server’s login page.
Principal object – Authentication happens only once at the beginning of the user’s session. After authentication, the user’s session is represented by an in‑memory instance referred to as the principal object. The existence of the principal object determines that the user is logged on and can access pages throughout the application. The principal object also stores the user's roles and organization ID, which are required for authorization within JasperReports Server.
Authorization – Authorization is the verification of a user’s roles and organization ID to access features of the server, resources in the repository, and, in some cases, data. For every page the user requests, the server determines which menu items, resources, and report contents the user can access, based on the principal object. Authorization happens every time a user accesses a resource.

In the JasperReports Server architecture, which is based on the Spring Framework and Spring Security, authentication may be configured through an external authority, but authorization is always performed by internal mechanisms. Part of configuring external authentication is to define a mapping of external roles and organization IDs into the principal object so authorization can proceed internally. Profile attributes can also be mapped from the external authority; however, you need to write a custom processor to do so. See Creating a Custom Processor.

Synchronization – When an external session is established, the user's current organization and roles are mapped into the principal object. The first time an external user logs in, the synchronization mechanism creates the user's organization folder, roles and user account in the internal database. The server uses these structures to enforce authorization for the external user just as for internally-defined users. The synchronization mechanism updates the roles every time the external user logs in, so that the internal database reflects the contents of the external authority.