group and authorization config is always on OpenAM?

This topic has 3 replies, 2 voices, and was last updated 7 years, 8 months ago by Peter Major.

  • #2841
     handongwang
    Participant

    Suppose I configure OpenAM to use an authentication connector to a remote identity store (let’s say it is not LDAP based because a big customer of ours has their own Kerberos based identity server. Federation is not preferred because there are 7000+ active users in the identity server).

    I assume OpenAM will store users in the remote identity store. Am I right?
    Can I use OpenAM to create and modify users?

    If I need to set up authorization policies for my application, I believe authorization configuration (applications, policies) is still configured and stored on OpenAM, not the remote identity store. Am I right?

    Let’s further assume my authorization policies are based on groups, e.g. group A can do GET or POST to a given RESTful API. Where do I define and store groups? If groups are defined and stored on OpenAM, can I still assign users, which are defined and stored in remote identity store, to groups on OpenAM?

    • This topic was modified 7 years, 8 months ago by handongwang.
    #2844
     Peter Major
    Moderator

    I assume OpenAM will store users in the remote identity store. Am I right?

    OpenAM mainly consumes identity information from the configured data stores. OpenAM on its own doesn’t store any kind of user data (even when using the embedded data store, you are leveraging an embedded OpenDJ instance, and it’s not OpenAM that stores the data).

    If I need to set up authorization policies for my application, I believe authorization configuration (applications, policies) is still configured and stored on OpenAM, not the remote identity store. Am I right?

    Policies are stored as part of the configuration, and as such, they are stored separately from user data, yes.

    Let’s further assume my authorization policies are based on groups, e.g. group A can do GET or POST to a given RESTful API. Where do I define and store groups?

    Both users and groups should be defined in the configured (user) data stores (you can set these up under Access Control – realm – Data Stores tab).

    If groups are defined and stored on OpenAM, can I still assign users, which are defined and stored in remote identity store, to groups on OpenAM?

    This probably depends on the actual underlying technology. If your directory performs referential checks to ensure that users are only members of real and existing groups, then that will obviously fail. The best practice is still to store both users and groups in the same data store.
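The split described in this reply (policies in OpenAM configuration, users in one store, groups in another) can be modelled to show why a group-based policy stops matching. This is an added illustration, not OpenAM code; the DataStore class, the referential_integrity flag and the sample DNs are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed stand-in for one configured OpenAM data store. In a real
# deployment this would be a directory such as OpenDJ or Active Directory.
@dataclass
class DataStore:
    users: dict = field(default_factory=dict)   # uid -> DN of the user entry
    groups: dict = field(default_factory=dict)  # group name -> set of member DNs
    referential_integrity: bool = True          # assumed directory setting

    def add_member(self, group, member_dn):
        # A directory with referential checks refuses members it cannot resolve.
        if self.referential_integrity and member_dn not in self.users.values():
            raise ValueError(f"{member_dn} is not an entry in this data store")
        self.groups.setdefault(group, set()).add(member_dn)

    def groups_of(self, uid):
        # Membership is resolved against this store's own user entries.
        dn = self.users.get(uid)
        return {g for g, members in self.groups.items() if dn in members}

# The policy lives in configuration, separate from identity data (constructed).
POLICY = {"resource": "/api/orders", "actions": {"GET", "POST"}, "group": "A"}

def evaluate(stores, uid, resource, action):
    """Allow only if some configured store resolves uid into the policy's group."""
    if resource != POLICY["resource"] or action not in POLICY["actions"]:
        return False
    return any(POLICY["group"] in store.groups_of(uid) for store in stores)

def demo():
    remote = DataStore(users={"alice": "uid=alice,o=remote"})  # users only
    local = DataStore()                                        # groups only
    try:
        local.add_member("A", "uid=alice,o=remote")  # rejected: DN unknown here
    except ValueError:
        pass
    split = evaluate([remote, local], "alice", "/api/orders", "GET")
    # Best practice from the reply: users and groups in the same store.
    remote.add_member("A", "uid=alice,o=remote")
    same_store = evaluate([remote], "alice", "/api/orders", "GET")
    denied_action = evaluate([remote], "alice", "/api/orders", "DELETE")
    return split, same_store, denied_action
```

Running demo() shows the split layout denying alice even though she exists and the group exists, while the single-store layout allows GET and still denies an action the policy does not list.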

    #2847
     handongwang
    Participant

    Your reply is very prompt!

    Please bear with me as I am new to OpenAM.
    I understand how things work using an LDAP user store that is used by OpenAM to store users.
    What I am not sure of is how OpenAM manages users and groups if users are stored in a non-LDAP store.

    If the customer has their own Kerberos based authentication server, do I need to install an authentication module or Connect on OpenAM so that I can use the OpenAM console to list/create/update users on the Kerberos authentication server?

    The OpenAM console has an OAuth2/OpenID Connect page. What is the relationship between Connect and the authentication module? (Maybe I should post a separate question.)

    #2857
     Peter Major
    Moderator

    Kerberos authentication is normally tied to an Active Directory server, so I would assume that you would need to set up that Active Directory as a data store.
    I’m not really sure how the OpenID Connect module comes into the picture; I would suggest you read the corresponding chapters of the documentation:
    http://docs.forgerock.org/en/openam/12.0.0/admin-guide/index.html#chap-auth-services
    http://docs.forgerock.org/en/openam/12.0.0/admin-guide/index.html#config-data-store
