Login Modules
Authentication in OpenIAM is carried out through an authentication service. Most implementations authenticate against this service, which shields the client from the details of the underlying store. By default, the OpenIAM service authenticates using the data in its own repository. However, customers often need to authenticate against other repositories such as LDAP or Active Directory (AD). To support this, OpenIAM provides the following login modules for authenticating against those repositories. The login module to use is defined in the DEFAULT_LOGIN_MOD attribute of the authentication policy.
- DEFAULT: org.openiam.idm.srvc.auth.spi.DefaultLoginModule
- LDAP: org.openiam.idm.srvc.auth.spi.LDAPLoginModule
- Active Directory: org.openiam.idm.srvc.auth.spi.ActiveDirectoryLoginModule
Note: Future releases of OpenIAM will contain login modules for authentication with certificates, Kerberos, security tokens, etc.
Regardless of the login module used, the User record must exist within OpenIAM. OpenIAM maintains attributes pertaining to the status of a user, failed authentication attempts, password expiration, etc., and uses them to decide whether a user may be authenticated at all.
Authenticating against Multiple User Repositories
There are situations where we need to authenticate against multiple repositories. For example, we may want to authenticate internal users against LDAP and external users against the default OpenIAM repository. The challenge then is to determine the type of user and then to use the appropriate login module.
The policy parameters shown above allow you to define a module selection policy, LOGIN_MODULE_SEL_POLCY. This policy is essentially logic held in a script. The sample below shows how we can look at a user's type to determine which login module to pick.
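The following is an added example, not OpenIAM's own sample script or API: it models, as a stand-alone Python function, the two decisions described on this page. First, the checks the authentication service applies to the OpenIAM user record regardless of module (the record must exist, the status must allow login, the failed-attempt count must be under the threshold, the password must not be expired); second, the selection-policy logic that routes internal users to the LDAP module, external users to the default module, and anything else to the DEFAULT_LOGIN_MOD attribute. The three module class names and the attribute name DEFAULT_LOGIN_MOD come from the page; the user record fields, the "INTERNAL"/"EXTERNAL" user types, the MAX_FAILED_ATTEMPTS policy attribute and the in-memory repository are constructed assumptions for illustration.

```python
# Added example (not OpenIAM code): a stand-alone model of the pre-checks and
# the login-module selection step described on this page. Module class names
# and DEFAULT_LOGIN_MOD are from the page; user record fields, user types,
# MAX_FAILED_ATTEMPTS and the repository contents are constructed assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

DEFAULT_MODULE = "org.openiam.idm.srvc.auth.spi.DefaultLoginModule"
LDAP_MODULE = "org.openiam.idm.srvc.auth.spi.LDAPLoginModule"
AD_MODULE = "org.openiam.idm.srvc.auth.spi.ActiveDirectoryLoginModule"

# Authentication policy attributes. DEFAULT_LOGIN_MOD is the attribute named on
# the page; MAX_FAILED_ATTEMPTS is an assumed attribute for the lockout threshold.
POLICY = {
    "DEFAULT_LOGIN_MOD": DEFAULT_MODULE,
    "MAX_FAILED_ATTEMPTS": 5,
}


@dataclass
class UserRecord:
    """Minimal stand-in for the OpenIAM user record (constructed fields)."""
    login: str
    user_type: str
    status: str = "ACTIVE"
    failed_attempts: int = 0
    password_expires: Optional[date] = None


# Constructed in-memory stand-in for the OpenIAM repository.
REPOSITORY = {
    "alice": UserRecord("alice", "INTERNAL"),
    "bob":   UserRecord("bob", "EXTERNAL"),
    "carol": UserRecord("carol", "CONTRACTOR", status="LOCKED"),
    "dave":  UserRecord("dave", "INTERNAL", failed_attempts=5),
    "erin":  UserRecord("erin", "INTERNAL", password_expires=date(2020, 1, 1)),
}


def select_login_module(user: UserRecord, policy: dict = POLICY) -> str:
    """The module-selection policy script, modelled as a function.

    Internal users go to LDAP and external users to the default repository.
    Any other type falls back to DEFAULT_LOGIN_MOD, so an unexpected user
    type never bypasses the configured default module.
    """
    by_type = {"INTERNAL": LDAP_MODULE, "EXTERNAL": DEFAULT_MODULE}
    return by_type.get(user.user_type, policy["DEFAULT_LOGIN_MOD"])


def precheck(login: str, today: Optional[date] = None,
             repo: dict = REPOSITORY, policy: dict = POLICY) -> Tuple[Optional[str], Optional[str]]:
    """Checks applied to the OpenIAM user record before any login module runs.

    Returns (module_class, None) when the user may proceed to the selected
    module, or (None, reason) when the request is refused without consulting
    the external store at all.
    """
    today = today or date.today()
    user = repo.get(login)
    if user is None:
        # The record must exist in OpenIAM regardless of which module is used.
        return None, "no OpenIAM user record"
    if user.status != "ACTIVE":
        return None, f"status is {user.status}"
    if user.failed_attempts >= policy["MAX_FAILED_ATTEMPTS"]:
        return None, "too many failed attempts"
    if user.password_expires is not None and user.password_expires < today:
        return None, "password expired"
    return select_login_module(user, policy), None


if __name__ == "__main__":
    for name in ["alice", "bob", "carol", "dave", "erin", "mallory"]:
        module, reason = precheck(name)
        print(f"{name:8} -> {module or 'REFUSED'} {reason or ''}")
```

The point of keeping the pre-checks in front of the selection step is that an account that is locked, over its failed-attempt threshold, or unknown to OpenIAM is refused before any credential reaches LDAP or AD, so the external store is never used to probe accounts that OpenIAM itself would not allow to log in.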