Authentication protocols supported by the platform
Basic Identity Manager
This Identity Manager is a custom development on Spring Cloud Secuirity and supports:
User Repositories:
ConfigDB: This is the default user repository that comes with the platform, normally over a MySQL or MariaDB database, although it can be over other relational technologies.
LDAP: It is possible to replace the user repository with an Active Directory or LDAP, so that authentication is delegated to it. The first time a user logs in, it will be replicated locally on the platform in order to be able to use all the platform's functionalities. For information on how to set up this type of repository, please refer to the following guide https://onesaitplatform.atlassian.net/wiki/pages/createpage.action?spaceKey=DOCT&title=C%C3%B3mo%20delegar%20la%20autenticaci%C3%B3n%20de%20la%20plataforma%20en%20un%20directorio%20LDAP%3F&linkCreation=true&fromPageId=2220846227
Extensible by plugins: Identity Manager can be extended through plugins to connect to other repositories.
Authentication protocols
Open ID / OAuth2: This standard is available for both ConfigDB and LDAP/AD scenarios but not for SAML v2, as it is a multi-step synchronous protocol and therefore incompatible. Usage: OAuth2 Authentication in Platform with OAuth2 Server
SAML v2: If integration with SAML v2 is required, it is partially possible. The platform is able to integrate an authentication via SAML with an external IdP, but it loses the REST authentication capabilities via Oauth, it is only possible to integrate the Web App part (Control Panel).
If it is a requirement to use SAMLv2 + Open ID/OAuth2 it would be necessary to install the advanced version of IM.
Extensible by plugins: Identity Manager can be extended through plugins to connect to other repositories.
Â
Advanced Identity Manager
In scenarios where a more sophisticated IM is required we offer an integration with Keycloak.
In this guide there is a short introduction of how we approach such IM integration.: Soporte a Keycloak como Identity Manager AvanzadoUNDEFINED
User repositories
Unlike basic IM, several user repositories can be configured simultaneously:
ConfigDB.
LDAP.
Kerberos.
Any other type of repository, but it is associated with the development of a Keycloak plugin.
Identity Brokering
Through the concept of Identity Brokering, we can delegate the authentication through protocols such as SAMLv2, OpenID/OAuth2...to other IMs, but the authentication process is still performed through our IM, so OpenID/OAuth2 could still be used as the REST authentication interface.
NOTE: although this standard can still be used for authentication, only the Oauth2 authorization code flow will be available, the implicit authentication flow is unfeasible due to technical limitations (necessary redirections to external IM, etc.).
External IM
Finally, platform authentication can also be delegated to an external IM, so that for all purposes the platform would take on the role of Identity Service or Resource Server, and the platform would not issue any tokens, it would only validate them against the external IM/IdP.
To use this type of authentication, the only requirement is that the external IM can be authenticated via OpenID/Oauth2.
The following guide should then be followed How to integrate Platform Security with your own Identity Manager with OAuth2 or OpenID? and complete a small Java plugin for the correct IM-platform role mapping.
Â
Â
Â