Best Practices for External Authentication

Before you get started

Before you get started make sure you are familiar with the basic concepts of JCR authentication, and its implementation in Apache Jackrabbit Oak.

External authentication in Oak refers to integrating a third party identity provider like LDAP or SAML into the authentication setup, optionally combining it with other built-in authentication mechanisms.

Combination with Default Authentication

Oak comes with a default login for user accounts stored and managed inside the JCR content repository. This also includes support for default users like ‘anonymous’ (guest) and ‘admin’ with full access to the repository.

If this is desired, it is recommended to also add the default LoginModule to the JAAS configuration. The optimal order depends on the frequency of default vs external login: if login or impersonation against local users occurs frequently (e.g. unauthenticated login with GuestCredentials) the default login module should have a higher ranking. However, if authentication of local users is unlikely, the external Oak login should have a ranking.

Combination with Token Authentication

Whenever JCR sessions created with Oak are short-lived (e.g. only lasting for a single HTTP request) authentication against an external IDP may not perform well. It is therefore recommended to use external authentication in combination with an additional authentication mechanism like e.g. token authentication. Make sure the token login module has control flag ‘SUFFICIENT’ and is evaluated prior to the external login that connects to the external IDP.

Ranking

When combining external authentication with other built-in or custom login modules make sure to define a configuration with the optimal order and the proper control flag for each module to cover all cases. The order should be chosen such that optional and sufficient login modules come first. Potentially expensive authentication against a third party identity provider, as well as modules for rare use cases, should be defined with a lower ranking.

The following JAAS configuration is an example when running an Oak repository with external authentication in combination with Apache Sling:

See Authentication with External Login Module : Examples for a detailed explanation as well as alternative configurations.

User Management for External Identities

The external authentication module in Oak comes with the option to synchronize external identities into the content repository (see section User and Group Synchronization). The following best practices should be followed:

External Identity Provider as SSOT

Your external identity provider should be considered the single source of truth (SSOT) for all users and groups defined and managed by it. In contrast, the users/groups synchronized into the repository should be considered a volatile cache and ideally are immutable (i.e.
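The ranking and control-flag advice in the Token Authentication and Ranking sections above can be checked with a small model of how a JAAS login stack is evaluated. The following is an added example, not code from Oak, Sling or the Felix JAAS bundle: the module names (`token`, `local`, `external`), the rankings, the SUFFICIENT flag on the local and external modules, and the three credential stores are all constructed for illustration. It counts how often the (expensive) external IDP is contacted for token, guest, local and external logins, and shows that ranking the external module above the token module makes every token login hit the IDP.

```python
"""Toy model of JAAS login-module stacking (control flags + ranking).

Constructed illustration for the Oak best-practices text; not Oak/Sling code.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


@dataclass
class LoginModule:
    name: str
    flag: Flag
    ranking: int                      # higher ranking is evaluated first
    login: Callable[[Dict], bool]     # True when the module verified the credentials
    calls: int = 0                    # how often this module's backend was contacted

    def attempt(self, creds: Dict) -> bool:
        self.calls += 1
        return self.login(creds)


def authenticate(modules: List[LoginModule], creds: Dict) -> bool:
    """Walk the stack from highest to lowest ranking, applying JAAS control flags.

    SUFFICIENT success ends evaluation (unless a REQUIRED/REQUISITE module already
    failed), REQUISITE failure aborts, REQUIRED failure is remembered, and OPTIONAL
    modules never decide the outcome on their own.
    """
    stack = sorted(modules, key=lambda m: m.ranking, reverse=True)
    required_failed = False
    succeeded = False
    for m in stack:
        ok = m.attempt(creds)
        if m.flag in (Flag.REQUIRED, Flag.REQUISITE):
            if ok:
                succeeded = True
            else:
                required_failed = True
                if m.flag is Flag.REQUISITE:
                    break
        elif m.flag is Flag.SUFFICIENT:
            if ok and not required_failed:
                return True
        elif ok:  # OPTIONAL
            succeeded = True
    return succeeded and not required_failed


# --- constructed backends (hypothetical data, not real accounts) ---------------
VALID_TOKENS = {"tok-123": "alice"}              # constructed token store
LOCAL_USERS = {"admin": "admin-secret"}          # constructed repository-local users
IDP_USERS = {"bob@corp.example": "idp-secret"}   # constructed external IDP directory


def _check(store: Dict[str, str], creds: Dict) -> bool:
    user, pw = creds.get("user"), creds.get("password")
    return user in store and pw is not None and hmac.compare_digest(store[user], pw)


def token_login(creds: Dict) -> bool:
    return creds.get("token") in VALID_TOKENS


def local_login(creds: Dict) -> bool:
    if creds.get("guest"):  # GuestCredentials are a local concern
        return True
    return _check(LOCAL_USERS, creds)


def external_login(creds: Dict) -> bool:
    # Stands in for an LDAP/SAML round trip; its call count is what we watch.
    return _check(IDP_USERS, creds)


def build_stack(external_ranking: int = 150) -> List[LoginModule]:
    """Constructed ordering: token first, local next, external last."""
    return [
        LoginModule("token", Flag.SUFFICIENT, 300, token_login),
        LoginModule("local", Flag.SUFFICIENT, 200, local_login),
        LoginModule("external", Flag.SUFFICIENT, external_ranking, external_login),
    ]


def idp_calls(stack: List[LoginModule]) -> int:
    """Number of times the external IDP module has been contacted so far."""
    return next(m for m in stack if m.name == "external").calls


if __name__ == "__main__":
    good = build_stack()
    authenticate(good, {"token": "tok-123"})
    authenticate(good, {"guest": True})
    authenticate(good, {"user": "admin", "password": "admin-secret"})
    print("IDP calls after token/guest/local logins:", idp_calls(good))   # 0
    authenticate(good, {"user": "bob@corp.example", "password": "idp-secret"})
    print("IDP calls after one external login:", idp_calls(good))        # 1
    bad = build_stack(external_ranking=400)   # misconfigured: IDP ranked above the token module
    authenticate(bad, {"token": "tok-123"})
    print("IDP calls for a token login with bad ranking:", idp_calls(bad))  # 1
```

With the recommended ordering, token, guest and local logins never reach the IDP and only a genuinely external user triggers the round trip; moving the external module above the token module makes every short-lived token login pay for an IDP call, which is the cost the text warns about.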