Custom Identity Provider for OpenAM/OpenSSO

别说谁变了你拦得住时间么 submitted on 2021-02-07 10:30:15

Question


We are looking to use OpenAM/OpenSSO to act as an SSO provider. We need, however, to have OpenAM use our mongo datastore under the hood to manage its authentication needs.

With this in mind, I found this: http://www.badgers-in-foil.co.uk/notes/installing_a_custom_opensso_identity_repository/ which looks promising.

Apparently, this should allow me to add an "Access Manager Repository plugin", but I have since read this:

The Access Manager Repository plugin is also called amSDK or legacy SDK as it provides downward compatibility to work with the existing Sun Access Manager 7.x version deployment identity stores. This repository is tightly coupled with the Oracle DSEE server; hence, will not work with any other LDAP servers.

This makes me wonder whether this is really what I want to create, being as though I don't want to be tied to Oracle DSEE server (whatever this is).

Basically, where should I be looking to implement a custom Identity provider for OpenAM?


Answer 1:


You can write a Custom Authentication Module in OpenAM.

This is an easy way to authenticate users against a custom datastore. You need to configure callbacks (e.g. username/password) which you need to process in a custom written com.sun.identity.authentication.spi.AMLoginModule. The runtime values for these callbacks will be provided as input to process the login module. Based on those values, you should decide whether the user can be authenticated or not.
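
A sketch of the kind of module the answer above describes, added here as an illustration and not code from the answer or from the OpenAM project. It assumes the OpenAM libraries are on the classpath; `CustomStoreLoginModule`, `UserStore`, `UserRecord`, the callback order and the PBKDF2 parameters are hypothetical, and the module still has to be registered with its callbacks file as the OpenAM documentation describes.

```java
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.util.ISAuthConstants;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;

public class CustomStoreLoginModule extends AMLoginModule {
    // Hypothetical types: the data-access layer for your own datastore goes behind UserStore.
    public static final class UserRecord { public byte[] salt, hash; }
    public interface UserStore { UserRecord find(String username); }
    static UserStore store;                                 // assumption: set at deployment time
    private static final byte[] DUMMY_SALT = new byte[16];  // used when the user is unknown
    private String user;

    @Override public void init(Subject subject, Map sharedState, Map options) { }
    @Override public int process(Callback[] callbacks, int state) throws LoginException {
        // Assumed callback order (name, then password); it must match the module's callbacks file.
        String name = ((NameCallback) callbacks[0]).getName();
        char[] pw = ((PasswordCallback) callbacks[1]).getPassword();
        if (name == null || pw == null || pw.length == 0) throw new FailedLoginException("Invalid credentials");
        UserRecord rec = store.find(name);
        // Run the KDF even for unknown users so response time does not reveal which accounts exist.
        byte[] candidate = pbkdf2(pw, rec != null ? rec.salt : DUMMY_SALT);
        boolean ok = rec != null && MessageDigest.isEqual(candidate, rec.hash); // constant-time compare
        Arrays.fill(pw, '\0');                              // do not keep the password in memory
        if (!ok) throw new FailedLoginException("Invalid credentials");
        user = name;
        return ISAuthConstants.LOGIN_SUCCEED;
    }

    @Override public Principal getPrincipal() {
        final String n = user;
        return new Principal() { public String getName() { return n; } };
    }

    // Constructed parameters: stored hashes must have been created with the same settings.
    static byte[] pbkdf2(char[] pw, byte[] salt) throws LoginException {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(new PBEKeySpec(pw, salt, 100_000, 256)).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new LoginException("Password hashing unavailable");
        }
    }
}
```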




Answer 2:


For a custom identity repository, specifically, this is likely what you'll want to do:

Develop and Deploy a Custom IdRepo Plugin https://wikis.forgerock.org/confluence/display/openam/Develop+and+Deploy+a+Custom+IdRepo+Plugin

I'm also doing this for MongoDB - hopefully it will go well. If the logic of your login process is sufficiently unique, then a Custom 'Auth' module is necessary. I like keeping the data access layer separate from the auth process, however, rather than having connect statements in the Auth module.




Answer 3:


See section 16.3 and beyond in the OpenAM Developer's Guide, http://openam.forgerock.org/doc/dev-guide/index/chap-identity-repo-spi.html



Source: https://stackoverflow.com/questions/6457711/custom-identity-provider-for-openam-opensso
