March 2, 2017 at 1:40 am #16083 evanhyang Participant
Instead of using MySQL or LDAP as the datastore, I’m doing a POC on hooking up OpenAM with a web service that provides REST APIs to do CRUD operations to the DB.
Is it possible to implement this with OpenAM? If so, how do I do it?
Thanks in advance :)

March 2, 2017 at 11:14 pm #16096 Scott Heger Participant
Looks like you are trying to build a custom Identity Repository Plugin. Start here: https://backstage.forgerock.com/docs/openam/13.5/dev-guide#sec-identity-repo-spi
That is assuming you are using OpenAM 13.5. If not, then go to the same section of the Developer’s Guide of the OpenAM version you are using.

March 2, 2017 at 11:23 pm #16099 evanhyang Participant
Would it be a custom authentication module (https://backstage.forgerock.com/docs/openam/13.5/dev-guide/chap-customizing#about-custom-auth-module) instead of a custom identity repository plugin?
I would like OpenAM to talk to a web service then let the web service do CRUD to DB, instead of directly hooking up DB with OpenAM.

March 3, 2017 at 12:14 am #16102 Scott Heger Participant
It depends. If you are looking to hook into this web service for the purpose of authentication, then yes, build as an authentication module. But, if your realm is set to require user profiles (which is the default setting) then after authentication OpenAM will need to find the user’s profile by way of your data store. If looking up the user profile will require talking to the same web service then you would need a custom Identity Repository Plugin.

March 8, 2017 at 7:39 am #16172 eurekaaj Participant
Thanks Scott! Would you help with 3 more questions:
Does that mean I have to build 2 modules: authentication module and identity repo?
So the SampleAuth.java has process() method and the IdRepo plugin has authenticate() method. Should I call the authenticate() method inside process() method?
I am also customizing the registration and login page (https://backstage.forgerock.com/docs/openam/13/dev-guide#sec-custom-attr). The previous link has a section “Procedure 4.2. To Update the Identity Repository For the New Attribute”. How would I update my web service for the new attributes? Or do I have to do anything since all I do is to make HTTP calls to the web service?
Thanks for your help :)

March 8, 2017 at 1:43 pm #16187 Peter Major Moderator
1) if you want to both authenticate against that webservice and perform user related operations, then you have two choices:
a) either you implement the authentication in the IdRepo’s authenticate method and use the DataStore authentication module for authentication
b) or you write both the data store and the auth module
2) that’s a possibility, but the OOTB provided DataStore auth module does exactly that already.
3) your custom IdRepo impl does not have to have any restrictions on the usable attribute names, you could leave all that to the web service to sort out.

March 22, 2017 at 2:10 pm #16430 muunen Participant
I’m also planning to try to build such a ‘webservice identity provider’, but from the (13.0) documentation it is not really clear to me where to specify the CustomRepo class name during registration, since ssoadm has no -c option anymore?
Can you clue me in on this? I registered my repo but it is not visible yet in the OpenAM DataStores.

March 23, 2017 at 1:01 am #16443 Peter Major Moderator
As long as the SubSchema has the name attribute set correctly things should work just fine in my opinion.

September 11, 2018 at 6:56 pm #23171 sromero Participant
Hi Peter, I have developed a custom data store consuming a Rest API. It is working fine but I can’t see on the UI the sub-schema attributes. I can see them on the LDAP and with the ssoadm show-datastore command but not on the plugin configuration form.
So what do you mean with “has the name attribute set correctly”? Can it be an issue with the attribute names? Is there any documentation I can check to understand that?
Thanks in advance.