August 2, 2016 at 9:42 pm #12384 rusty.deaton Participant
Let’s say I have two datastores, separate in nature. For the purpose of discussion let’s assume they are both LDAPv3 compliant. Let’s assume for the sake of ease that there is a value across the two that is both unique and can be correlated; however, the two datastores cannot be combined. I understand there is a use case that could happen here for OpenIDM, but my focus here is on OpenAM itself.
I have attributes in both of these datastores for a given user that are relevant to a given policy; in this case let’s say having access to a specific part of a website. I want OpenAM to be able to make a policy enforcement for a given user based off of both of these datastores, for this user simultaneously, for this policy decision.
Is this possible, for OpenAM policies to consume external resources as a Policy information point when necessary? I’ve looked over the documentation and done a little tooling, and I can’t seem to find a satisfactory answer to this question.
Rusty
August 3, 2016 at 4:40 pm #12415 rusty.deaton Participant
Any ideas on this, anyone?
August 4, 2016 at 11:11 am #12431 Peter Major Moderator
As long as the users in the data stores can be looked up using the same attribute value (the one that is returned after a successful authentication), you should be able to just use the OOTB response providers to return your attributes. If your data structure is more complex than that, you could still just write a custom response provider implementation that collects the necessary attribute values for you.
August 15, 2016 at 1:50 pm #12633 Andrew Potter Participant
You could create a scripted policy condition that queried the two LDAP stores, combined the results and returned the appropriate authorisation decision.
I used a scripted condition to query a single LDAP in an experiment I blogged about here: http://yaunap.blogspot.co.uk/2016/07/fun-with-openam13-authz-policies-over.html
It’s not all relevant to your specific case but the script might be useful for you to adapt.
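Added example, not part of the posts above and not OpenAM code: the decision logic a condition of this kind could apply after querying both stores, denying when the user is missing from either store or when a lookup fails. The in-memory maps stand in for the two LDAP directories, and the names `decide`, `lookupIn`, `department` and `clearance` are assumptions made for this example.

```javascript
// Constructed sample data: two separate stores keyed by the shared unique value.
// Attribute names and users are hypothetical.
const storeA = new Map([
  ["alice", { department: ["engineering"] }],
  ["bob", { department: ["sales"] }],
  ["carol", { department: ["engineering"] }],
]);
const storeB = new Map([
  ["alice", { clearance: ["restricted"] }],
  ["bob", { clearance: ["restricted"] }],
  // carol has no entry in store B
]);

// Wrap a store as a lookup function. A real lookup would run an LDAP search
// and could throw on a timeout or bind failure.
function lookupIn(store) {
  return function (uid) {
    return store.has(uid) ? store.get(uid) : null;
  };
}

// required: { attributeName: value } pairs that must all be found in the
// attributes merged from every store.
function decide(uid, lookups, required) {
  const deny = { authorized: false, responseAttributes: {} };
  const merged = {};
  for (const lookup of lookups) {
    let entry;
    try {
      entry = lookup(uid);
    } catch (e) {
      return deny; // a store that cannot be queried means deny
    }
    if (!entry) return deny; // user absent from any store means deny
    for (const [name, values] of Object.entries(entry)) {
      merged[name] = (merged[name] || []).concat(values);
    }
  }
  for (const [name, value] of Object.entries(required)) {
    if (!(merged[name] || []).includes(value)) return deny;
  }
  return { authorized: true, responseAttributes: merged };
}
```

The point to carry into a real condition is the default: the decision starts from deny and only becomes allow after both stores have answered and every required value has matched.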