Custom Identity Provider for OpenAM/OpenSSO

人走茶凉 提交于 2021-02-07 10:27:04

问题


We are looking to use OpenAM/OpenSSO to act as a SSO provider. We need, however, to have OpenAM use our mongo datastore under the hood to manage its authentication needs.

With this in mind, I found this: http://www.badgers-in-foil.co.uk/notes/installing_a_custom_opensso_identity_repository/ which looks promising.

Apparently, this should allow me to add an "Access Manager Repository plugin", but I have since read this:

The Access Manager Repository plugin is also called amSDK or legacy SDK as it provides downward compatibility to work with the existing Sun Access Manager 7.x version deployment identity stores. This repository is tightly coupled with the Oracle DSEE server; hence, will not work with any other LDAP servers.

This makes me wonder whether this is really what I want to create, being as though I dont want to be tied to Oracle DSEE server (whatever this is).

Basically, where should I be looking to implement a custom Identity provider for openAM?


回答1:


You can write a Custom Authentication Module in OpenAM.

This is an easy way to authenticate users against a custom datastore. You need to configure callbacks (Eg. username/password) which you need to process in a custom written com.sun.identity.authentication.spi.AMLoginModule. The runtime values for these callbacks will be provided as input to process the login module. Based on those values, you should decide whether the user can be authenticated or not.




回答2:


For a custom identity repository, specifically, this is likely what you'll want to do:

Develop and Deploy a Custom IdRepo Plugin https://wikis.forgerock.org/confluence/display/openam/Develop+and+Deploy+a+Custom+IdRepo+Plugin

I'm also doing this for MongoDB - hopefully it will go well. If the logic of your login process is sufficiently unique, then a Custom 'Auth' module is necessary. I like keeping the data access layer separate from the auth process, however -rather than having connect statements in the Auth module.




回答3:


See section 16.3 and beyond in the OpenAM Developer's Guide, http://openam.forgerock.org/doc/dev-guide/index/chap-identity-repo-spi.html



来源:https://stackoverflow.com/questions/6457711/custom-identity-provider-for-openam-opensso

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!