Using a Web Service as the Datastore


  • #16083
     evanhyang 
    Participant

    Hi:

    Instead of using MySQL or LDAP as the datastore, I'm doing a PoC on hooking up OpenAM to a web service that provides REST APIs for CRUD operations on the DB.

    Is it possible to implement this with OpenAM? If so, how?

    Thanks in advance :)

    #16096
     Scott Heger 
    Participant

    Looks like you are trying to build a custom Identity Repository Plugin. Start here: https://backstage.forgerock.com/docs/openam/13.5/dev-guide#sec-identity-repo-spi

    That is assuming you are using OpenAM 13.5. If not, then go to the same section of the Developer’s Guide of the OpenAM version you are using.

    #16099
     evanhyang 
    Participant

    Would it be a custom authentication module (https://backstage.forgerock.com/docs/openam/13.5/dev-guide/chap-customizing#about-custom-auth-module) instead of a custom identity repository plugin?

    I would like OpenAM to talk to a web service then let the web service do CRUD to DB, instead of directly hooking up DB with OpenAM.

    #16102
     Scott Heger 
    Participant

    It depends. If you are looking to hook into this web service for the purpose of authentication, then yes, build it as an authentication module. But if your realm is set to require user profiles (which is the default setting), then after authentication OpenAM will need to find the user's profile by way of your data store. If looking up the user profile will require talking to the same web service, then you would need a custom Identity Repository Plugin.

    #16172
     eurekaaj 
    Participant

    Thanks Scott! Would you help with 3 more questions:

    1. Does that mean I have to build 2 modules: an authentication module and an identity repo?

    2. I am looking into both https://backstage.forgerock.com/docs/openam/13/dev-guide#about-custom-auth-module and https://backstage.forgerock.com/docs/openam/13/dev-guide#about-custom-auth-module .

    So SampleAuth.java has a process() method and the IdRepo plugin has an authenticate() method. Should I call the authenticate() method inside the process() method?

    3. I am also customizing the registration and login pages (https://backstage.forgerock.com/docs/openam/13/dev-guide#sec-custom-attr). The previous link has a section "Procedure 4.2. To Update the Identity Repository For the New Attribute". How would I update my web service for the new attributes? Or do I have to do anything at all, since all I do is make HTTP calls to the web service?

    Thanks for your help :)

    #16187
     Peter Major 
    Moderator

    1) If you want to both authenticate against that web service and perform user-related operations, then you have two choices:
    a) either you implement the authentication in the IdRepo's authenticate method and use the DataStore authentication module for authentication,
    b) or you write both the data store and the auth module.

    2) That's a possibility, but the OOTB-provided DataStore auth module does exactly that already.

    3) Your custom IdRepo implementation does not have to have any restrictions on the usable attribute names; you could leave all that to the web service to sort out.
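
    The following is an added example, not code from the thread, OpenAM, or ForgeRock, illustrating option a) above: the custom IdRepo returns true from supportsAuthentication() and delegates its authenticate(Callback[]) and getAttributes() methods to a small REST client like this one, so the stock DataStore module does the login and the same web service serves the profile lookup. Everything about the web service (the /authenticate and /users/{name} endpoints, the JSON shapes, the Basic-auth service account, the attribute-name regex) is a hypothetical contract chosen for the example; the OpenAM types used are the real com.sun.identity.idm.IdRepoException and com.sun.identity.authentication.spi.AuthLoginException, and Jackson is assumed on the classpath. Two points a practitioner should note: the user's cleartext password leaves OpenAM here, so the client refuses non-TLS URLs, and "unknown user" and "wrong password" deliberately produce the same AuthLoginException so OpenAM cannot be used to enumerate accounts.

```java
package com.example.openam.idrepo; // hypothetical package

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.idm.IdRepoException;

/**
 * REST delegate for a custom IdRepo. Assumed (hypothetical) web service contract:
 *   POST {base}/authenticate  {"username":"..","password":".."} -> 204 ok, 401 rejected
 *   GET  {base}/users/{name}  -> 200 {"uid":["jdoe"],"mail":["jdoe@example.com"]}, 404 unknown
 */
public final class RestIdentityClient {
    // Identity names must fit in one URL path segment; rejects "../admin" and friends.
    private static final String SAFE_NAME = "[A-Za-z0-9._@-]{1,64}";
    private static final ObjectMapper MAPPER = new ObjectMapper();

    private final String baseUrl;
    private final String serviceAuthHeader; // OpenAM's own credential to the web service
    private final int timeoutMillis;

    public RestIdentityClient(String baseUrl, String serviceUser, char[] servicePassword, int timeoutMillis) {
        if (!baseUrl.startsWith("https://")) {
            throw new IllegalArgumentException("user passwords leave OpenAM here; the web service must be reached over TLS");
        }
        this.baseUrl = baseUrl;
        String pair = serviceUser + ":" + new String(servicePassword);
        this.serviceAuthHeader = "Basic " + Base64.getEncoder().encodeToString(pair.getBytes(StandardCharsets.UTF_8));
        this.timeoutMillis = timeoutMillis;
    }

    /** Backs IdRepo.authenticate(Callback[]): the DataStore module supplies a NameCallback and a PasswordCallback. */
    public boolean authenticate(Callback[] callbacks) throws IdRepoException, AuthLoginException {
        String user = null;
        char[] password = null;
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                user = ((NameCallback) cb).getName();
            } else if (cb instanceof PasswordCallback) {
                password = ((PasswordCallback) cb).getPassword(); // returns a clone; this copy is ours to scrub
            }
        }
        if (user == null || !user.matches(SAFE_NAME) || password == null || password.length == 0) {
            throw new AuthLoginException("Authentication failed");
        }
        try {
            Map<String, String> body = new HashMap<>();
            body.put("username", user);
            body.put("password", new String(password)); // String copy needed for the JSON body
            HttpURLConnection conn = open("POST", "/authenticate");
            conn.setDoOutput(true);
            try (OutputStream out = conn.getOutputStream()) {
                MAPPER.writeValue(out, body);
            }
            int status = conn.getResponseCode();
            if (status == 200 || status == 204) {
                return true;
            }
            if (status == 401 || status == 403 || status == 404) {
                // Same message for "no such user" and "wrong password": no account enumeration via OpenAM.
                throw new AuthLoginException("Authentication failed");
            }
            // 5xx etc. is an infrastructure fault, not a credential failure.
            throw new IdRepoException("identity web service returned HTTP " + status);
        } catch (IOException e) {
            throw new IdRepoException("identity web service unreachable: " + e.getMessage());
        } finally {
            Arrays.fill(password, '\0'); // scrub our copy of the cleartext password
        }
    }

    /**
     * Backs IdRepo.getAttributes(token, IdType.USER, name). OpenAM expects Map<String, Set<String>>
     * with case-insensitive attribute names; an empty map means no profile (isExists() can reuse this).
     */
    public Map<String, Set<String>> getUserAttributes(String name) throws IdRepoException {
        if (!name.matches(SAFE_NAME)) {
            return Collections.emptyMap();
        }
        try {
            HttpURLConnection conn = open("GET", "/users/" + name);
            int status = conn.getResponseCode();
            if (status == 404) {
                return Collections.emptyMap();
            }
            if (status != 200) {
                throw new IdRepoException("identity web service returned HTTP " + status);
            }
            try (InputStream in = conn.getInputStream()) {
                Map<String, List<String>> raw = MAPPER.readValue(in, new TypeReference<Map<String, List<String>>>() {});
                Map<String, Set<String>> attrs = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
                for (Map.Entry<String, List<String>> e : raw.entrySet()) {
                    attrs.put(e.getKey(), new HashSet<>(e.getValue()));
                }
                return attrs;
            }
        } catch (IOException e) {
            throw new IdRepoException("identity web service unreachable: " + e.getMessage());
        }
    }

    private HttpURLConnection open(String method, String path) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(baseUrl + path).openConnection();
        conn.setRequestMethod(method);
        conn.setConnectTimeout(timeoutMillis); // a hung web service must not hang every OpenAM login
        conn.setReadTimeout(timeoutMillis);
        conn.setRequestProperty("Authorization", serviceAuthHeader);
        conn.setRequestProperty("Accept", "application/json");
        conn.setRequestProperty("Content-Type", "application/json");
        return conn;
    }
}
```

    The IdRepo subclass reads the base URL, service account and timeout from the sub-schema attributes it receives in initialize() and constructs one RestIdentityClient; with that in place the realm's authentication chain needs only the stock DataStore module, and the profile-required setting Scott mentions is satisfied by getUserAttributes().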

    #16430
     muunen 
    Participant

    I'm also planning to try to build such a 'web service identity provider', but from the (13.0) documentation it is not really clear to me where to specify the class name of the CustomRepo class during registration, since ssoadm no longer has a -c option?

    Can you clue me in on this? I registered my repo, but it is not visible yet in the OpenAM Data Stores.

    #16443
     Peter Major 
    Moderator

    As long as the SubSchema has the name attribute set correctly things should work just fine in my opinion.
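
    As an added illustration of the sub-schema Peter refers to (this is an example written for this page, not a file from OpenAM or the thread), below is a SubSchema fragment for a hypothetical REST-backed repository. The class name goes in the sunIdRepoClass attribute's default value, and the SubSchema name attribute ("RestRepo" here) is what appears in the console's New Data Store type list after the fragment is registered with ssoadm add-sub-schema against sunIdentityRepositoryService, schema type Organization. The attribute names other than sunIdRepoClass are made up for the example; the IdRepo reads them back from the configuration map passed to initialize(). One common cause of sub-schema attributes not appearing in the console is an empty i18nKey, so every attribute here carries one (the xNNNN values are placeholders for keys in your own resource bundle).

```xml
<!-- customRepo.xml (example): register with
     ssoadm add-sub-schema \-\-adminid amadmin \-\-password-file /tmp/pwd.txt \
       \-\-servicename sunIdentityRepositoryService \-\-schematype Organization \-\-filename customRepo.xml -->
<SubSchema name="RestRepo" inheritance="multiple" maintainPriority="no" i18nKey="x3000">
    <!-- Fully qualified class of the IdRepo implementation OpenAM instantiates. -->
    <AttributeSchema name="sunIdRepoClass" type="single" syntax="string" i18nKey="x3001">
        <DefaultValues>
            <Value>com.example.openam.idrepo.RestRepo</Value>
        </DefaultValues>
    </AttributeSchema>
    <!-- Hypothetical plugin settings; their names are free-form and read back in initialize(). -->
    <AttributeSchema name="rest-base-url" type="single" syntax="string" i18nKey="x3002">
        <DefaultValues>
            <Value>https://idsvc.example.com/api/v1</Value>
        </DefaultValues>
    </AttributeSchema>
    <AttributeSchema name="rest-service-user" type="single" syntax="string" i18nKey="x3003"/>
    <!-- syntax="password" keeps the service credential masked in the console and encrypted at rest. -->
    <AttributeSchema name="rest-service-password" type="single" syntax="password" i18nKey="x3004"/>
    <AttributeSchema name="rest-timeout-millis" type="single" syntax="number" i18nKey="x3005">
        <DefaultValues>
            <Value>5000</Value>
        </DefaultValues>
    </AttributeSchema>
</SubSchema>
```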

    #23171
     sromero 
    Participant

    Hi Peter, I have developed a custom data store consuming a REST API. It is working fine, but I can't see the sub-schema attributes in the UI. I can see them in LDAP and with the ssoadm show-datastore command, but not on the plugin configuration form.

    So what do you mean by "has the name attribute set correctly"? Can it be an issue with the attribute names? Is there any documentation I can check to understand that?

    Thanks in advance.

©2018 ForgeRock