Question RE: Identities across datastores / Policy Information Points in OpenAM

This topic has 3 replies, 3 voices, and was last updated 5 years, 12 months ago by Andrew Potter.

  • #12384
     rusty.deaton
    Participant

    Hey all,

    Let’s say I have two datastores, separate in nature. For the purpose of discussion let’s assume they are both LDAPv3 compliant. Let’s assume for the sake of ease that there is a value across the two that is both unique and can be correlated; however, the two datastores cannot be combined. I understand there is a use case that could happen here for OpenIDM, but my focus here is on OpenAM itself.

    I have attributes in both of these datastores for a given user that are relevant to a given policy; in this case let’s say having access to a specific part of a website. I want OpenAM to be able to make a policy enforcement for a given user based off of both of these datastores, for this user simultaneously, for this policy decision.

    Is this possible, for OpenAM policies to consume external resources as a Policy information point when necessary? I’ve looked over the documentation and done a little tooling, and I can’t seem to find a satisfactory answer to this question.

    Thanks,

    Rusty

    #12415
     rusty.deaton
    Participant

    Any ideas on this, anyone?

    #12431
     Peter Major
    Moderator

    As long as the users in the data stores can be looked up using the same attribute value (the one that is returned after a successful authentication), you should be able to just use the OOTB response providers to return your attributes. If your data structure is more complex than that, you could still just write a custom response provider implementation that collects the necessary attribute values for you.

    #12633
     Andrew Potter
    Participant

    Hi Rusty
    You could create a scripted policy condition that queried the two LDAP stores, combined the results and returned the appropriate authorisation decision.
    I used a scripted condition to query a single LDAP in an experiment I blogged about here: http://yaunap.blogspot.co.uk/2016/07/fun-with-openam13-authz-policies-over.html
    It’s not all relevant to your specific case but the script might be useful for you to adapt.
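The decision logic Andrew describes (query two LDAP stores on the same correlation value, combine the results, return an authorisation decision) as an added example; this is not Andrew's script, not code from the linked blog post, and not part of the original thread. It is written in the shape of an OpenAM scripted policy condition, whose script bindings I assume to be `username` for the authenticated subject and `authorized` / `advice` for the outputs. The two directories are constructed in-memory stubs keyed on an assumed attribute `employeeNumber` so the logic runs offline; in a real script the two `search*` functions would perform the LDAP searches. The example also covers the failure modes a practitioner would want handled: a record missing from either store, a correlation value that matches more than one entry, and a store that cannot be reached, all of which deny rather than grant on partial data.

```javascript
// Added example: one policy decision built from two separate LDAP stores.
// Constructed sample data, not real directory contents. Both stores are
// keyed on the same unique attribute (assumed: employeeNumber), which is the
// value the authenticated session carries. 10004 is missing from HR and
// 10005 is duplicated in HR, to exercise the deny paths.
const HR_STORE = {
  "10001": [{ department: "finance", employmentStatus: "active" }],
  "10002": [{ department: "finance", employmentStatus: "terminated" }],
  "10003": [{ department: "sales", employmentStatus: "active" }],
  "10005": [
    { department: "finance", employmentStatus: "active" },
    { department: "finance", employmentStatus: "active" },
  ],
};
const APP_STORE = {
  "10001": [{ appRole: "reports-viewer" }],
  "10002": [{ appRole: "reports-viewer" }],
  "10003": [{ appRole: "reports-viewer" }],
  "10004": [{ appRole: "reports-viewer" }],
  "10005": [{ appRole: "reports-viewer" }],
};

// Stand-in for an LDAP equality search on the correlation attribute.
// Returns every matching entry (possibly none) so the caller can insist
// on exactly one match. A real implementation would run the directory
// search here and throw if the store is unreachable.
function search(store, key) {
  return Object.prototype.hasOwnProperty.call(store, key) ? store[key] : [];
}

// Policy (assumed for the example): the reports area requires an active HR
// record in the finance department AND the application role "reports-viewer".
// Any lookup failure, missing record or ambiguous match denies (fail closed)
// and the reason is returned as advice so the enforcement point can explain.
function decide(correlationValue, searchHr, searchApp) {
  let hrEntries, appEntries;
  try {
    hrEntries = searchHr(correlationValue);
    appEntries = searchApp(correlationValue);
  } catch (err) {
    return { authorized: false, advice: { reason: "store-error" } };
  }
  if (hrEntries.length !== 1 || appEntries.length !== 1) {
    return { authorized: false, advice: { reason: "no-unique-match" } };
  }
  const hr = hrEntries[0];
  const app = appEntries[0];
  const hrOk = hr.employmentStatus === "active" && hr.department === "finance";
  const appOk = app.appRole === "reports-viewer";
  if (hrOk && appOk) {
    return { authorized: true, advice: {} };
  }
  return { authorized: false, advice: { reason: hrOk ? "app-role" : "hr-status" } };
}

// Entry point in the shape of the scripted condition: in OpenAM the script
// would read the `username` binding and assign the result to `authorized`
// and `advice`; here it is a plain function so the logic can be exercised.
function evaluateCondition(username) {
  return decide(username, (k) => search(HR_STORE, k), (k) => search(APP_STORE, k));
}

console.log(evaluateCondition("10001")); // finance, active, has role: allowed
console.log(evaluateCondition("10002")); // terminated in HR: denied
console.log(evaluateCondition("10004")); // no HR record at all: denied
```

The two searches are injected as functions so the combination rule can be tested without a directory, and so the same rule works whatever store technology sits behind each lookup. Requiring exactly one match per store matters because the correlation attribute is only as trustworthy as its uniqueness in each directory; treating a duplicate as "found" would let the policy grant on an entry that may not belong to the authenticated user.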


©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
