
The OpenIAM Identity Manager allows you to define an authentication policy that controls the behavior of authentication-related tasks. This policy can be configured through the ADMIN CONSOLE, or it can be set by directly updating the POLICY_ATTRIBUTE table in the OpenIAM data store. Authentication-related attributes have a POLICY_ID of 4001. The authentication policy contains the following parameters:

| Attribute Name | Description | Example |
| --- | --- | --- |
| AUTO_UNLOCK_TIME | If defined, an account that has been locked due to several failed authentication attempts will automatically be unlocked after the specified time. | 15 |
| TOKEN_TYPE | Defines the format of the security token. If SAML2_TOKEN is defined, the token format will be SAML 2. | SAML2_TOKEN |
| LOGIN_MODULE_SEL_POLCY | Allows you to define rules on which login module should be used. | authn/loginModSel.groovy |
| FAILED_AUTH_COUNT | Number of failed authentication attempts after which the account will be locked. | 3 |
| DEFAULT_LOGIN_MOD | Login module that should be used when no other rules apply. | org.openiam.idm.srvc.auth.spi.DefaultLoginModule |
| TOKEN_LIFE | Number of minutes after which the token will expire. | 15 |
| TOKEN_ISSUER | Name of the issuer. | openiam |


Login Modules

Authentication in OpenIAM is carried out through an authentication service. Most implementations authenticate against this service, which shields the client from the details of the underlying store. By default, the OpenIAM service authenticates using the data in its own repository. However, customers often have requirements to authenticate against other repositories such as LDAP or AD. To facilitate this, OpenIAM provides the following login modules to carry out authentication against the target system. The chosen login module should be set as the DEFAULT_LOGIN_MOD value shown above.

  • DEFAULT: org.openiam.idm.srvc.auth.spi.DefaultLoginModule
  • LDAP: org.openiam.idm.srvc.auth.spi.LDAPLoginModule
  • Active Directory: org.openiam.idm.srvc.auth.spi.ActiveDirectoryLoginModule

In the current implementation, regardless of the login module used, the User record must exist within OpenIAM. OpenIAM maintains a series of status/state values to control whether a user can be authenticated. For example, if you have a user Bob.Nelson and you want to authenticate this user against LDAP, the following must be set up:

  1. Create a user in OpenIAM with the identity bob.nelson. The password should not be stored in OpenIAM, only the identity.
  2. Make sure the user's status is ACTIVE.
  3. Create the identity in LDAP or the other target system.
  4. During authentication, the system will check whether the user is active in OpenIAM. If so, the final authentication against LDAP will occur.

Authenticating against Multiple User Repositories

There are situations where we need to authenticate against multiple repositories. For example, we may want to authenticate internal users against LDAP and external users against the default OpenIAM repository. The challenge is then to determine the type of user and to use the appropriate login module.

The policy parameters shown above allow you to define a module selection policy, LOGIN_MODULE_SEL_POLCY. This policy is essentially logic contained in a script. The sample below shows how we can look at a user's type to determine which login module to pick.
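The following Groovy script is an added example, not OpenIAM's own loginModSel.groovy: it models the selection rule together with the ACTIVE-status precheck, FAILED_AUTH_COUNT locking and AUTO_UNLOCK_TIME auto-unlock from the table above. The user map fields (type, status, failedAttempts, lockedAt), the function names and the treatment of AUTO_UNLOCK_TIME as minutes are assumptions; only the module class names and policy attribute names come from the page.

```groovy
import java.time.Instant
import java.time.temporal.ChronoUnit

// Policy values taken from the example column above (AUTO_UNLOCK_TIME assumed to be minutes).
def policy = [FAILED_AUTH_COUNT: 3, AUTO_UNLOCK_TIME: 15,
              DEFAULT_LOGIN_MOD: 'org.openiam.idm.srvc.auth.spi.DefaultLoginModule']

// Hypothetical LOGIN_MODULE_SEL_POLCY rule: internal users go to LDAP, contractors to AD,
// anything unknown falls back to DEFAULT_LOGIN_MOD. The "type" field and the binding are
// assumptions, not OpenIAM's real script contract.
String selectLoginModule(Map user, Map policy) {
    switch (user.type?.toUpperCase()) {
        case 'EMPLOYEE':   return 'org.openiam.idm.srvc.auth.spi.LDAPLoginModule'
        case 'CONTRACTOR': return 'org.openiam.idm.srvc.auth.spi.ActiveDirectoryLoginModule'
        default:           return policy.DEFAULT_LOGIN_MOD
    }
}

// Models the precheck described above: the identity must exist in OpenIAM and be ACTIVE
// before any target system is consulted. A LOCKED user is unlocked again once
// AUTO_UNLOCK_TIME minutes have passed since the lock. Returns null when authentication may proceed.
String precheck(Map user, Map policy, Instant now) {
    if (user == null) return 'REJECT: unknown identity'
    if (user.status == 'LOCKED') {
        long minutesLocked = ChronoUnit.MINUTES.between(user.lockedAt, now)
        if (minutesLocked < policy.AUTO_UNLOCK_TIME) {
            return "REJECT: locked for ${policy.AUTO_UNLOCK_TIME - minutesLocked} more min"
        }
        user.status = 'ACTIVE'; user.failedAttempts = 0   // auto-unlock
    }
    if (user.status != 'ACTIVE') return "REJECT: status ${user.status}"
    return null
}

// Records a failure reported by the selected module and locks the account at FAILED_AUTH_COUNT.
void recordFailure(Map user, Map policy, Instant now) {
    user.failedAttempts = (user.failedAttempts ?: 0) + 1
    if (user.failedAttempts >= policy.FAILED_AUTH_COUNT) {
        user.status = 'LOCKED'; user.lockedAt = now
    }
}

// Constructed sample: identity exists in OpenIAM without a password (step 1 above).
def bob = [login: 'bob.nelson', type: 'EMPLOYEE', status: 'ACTIVE', failedAttempts: 0]
def t0 = Instant.parse('2024-01-01T09:00:00Z')
assert precheck(bob, policy, t0) == null
assert selectLoginModule(bob, policy).endsWith('LDAPLoginModule')
3.times { recordFailure(bob, policy, t0) }                      // third failure locks the account
assert precheck(bob, policy, t0) == 'REJECT: locked for 15 more min'
assert precheck(bob, policy, t0.plus(15, ChronoUnit.MINUTES)) == null   // auto-unlocked
```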
