User provisioning
Since: 1.3 (Previous version: 1.1)
The User Factory is a component of the OpenASelect Server that manages OpenASelect users. It provides the ability to manage OA users by defining an internal storage to which a user is automatically added if the configured conditions are met.
User factory
The User Factory requires the following configuration to be added to the main configuration:
<userfactory class="com.alfaariss.oa.engine.user.provisioning.ProvisioningFactory">
  <main>
    <translator>[translator_id]</translator>
    <internalstorage>[internalstorage_id]</internalstorage>
  </main>
  <translator id="[translator_id]" class="com.alfaariss.oa.engine.user.provisioning.translator.standard.StandardTranslator">
    <main>
      <externalstorage>[externalstorage_id]</externalstorage>
      <profile>[profile_id]</profile>
    </main>
    <profile id="[profile_id]" class="com.alfaariss.oa.engine.user.provisioning.translator.standard.StandardProfile">
      <account>
        <enabled default="[account_enabled]" field="[field]" converter="[converter_id]"/>
        <authentication>
          <method id="[method_id]">
            <registered default="[registered_enabled]" field="[field]" converter="[converter_id]"/>
          </method>
          ...
        </authentication>
      </account>
      <convertermanager>
        <converter id="[converter_id]" class="com.alfaariss.oa.engine.user.provisioning.translator.standard.converter.exist.ExistConverter"/>
        ...
      </convertermanager>
    </profile>
    ...
  </translator>
  ...
  <storagemanager>
    <storage id="[storage_id]" class="[storage_class]">
      ...
    </storage>
    ...
  </storagemanager>
</userfactory>
The following parameters can be configured in the main section of the userfactory:
- [translator_id] The id of the translator configured in the "translator" section.
- [internalstorage_id] (optional) The id of the storage configured in the "storagemanager" section to use as the internal storage. An internal storage can be configured if you want to add user management.
Translator
The translator section configures how a user is created, based on whether that user exists in the external storage.
- [translator_id] The id of the translator.
In the main section of the translator the following parameters can be configured:
- [externalstorage_id] The id of the storage configured in the "storagemanager" section to use as the external storage.
- [profile_id] The id of the profile configured in the "profile" section.
Profile
The profile section creates a user object by converting fields from the external storage.
- [profile_id] The id of the profile.
Account
In the account section it is possible to define conditions for the users from the external database.
- [account_enabled] (optional, default false) "true" if the accounts from the external database should be enabled for Open A-Select by default.
- [field] (optional) With this parameter it is possible to configure a field in combination with a converter. For example, this can require that the field be available for the user in the external database before the user is enabled for Open A-Select.
- [converter_id] (optional) The id of the configured converter in the "convertermanager" section.
- [method_id] The id of the authentication method for which the "registered" condition is evaluated.
- [registered_enabled] (optional, default false) "true" if users should be registered for the authentication method by default.
Converter Manager
A converter manager can optionally be configured. Currently there is only one converter, the ExistsConverter (class ExistConverter). This converter checks whether the configured "field" parameter is available for the user in the external storage. It can be used in combination with the "enabled" element in the "account" section, or separately for every authentication method in a "registered" element. It evaluates enabled for the account, or registered for the specific authentication method, as "true" if the configured field is available for the user in the external storage.
- [converter_id] The id of the converter.
Storage Manager
The storage manager manages the external and internal storages. Currently the storage manager supports four types of storages, which are described below:
- [storage_id] The id of the storage
- [storage_class] The storage class. The following storage types are available:
- com.alfaariss.oa.engine.user.provisioning.storage.internal.jdbc.JDBCInternalStorage
- com.alfaariss.oa.engine.user.provisioning.storage.external.file.FileExternalStorage
- com.alfaariss.oa.engine.user.provisioning.storage.external.jdbc.JDBCExternalStorage
- com.alfaariss.oa.engine.user.provisioning.storage.external.jndi.JNDIExternalStorage
JDBC Internal Storage
It is possible to configure an internal storage (optional). If configured, users from the external storage are added to the internal storage as soon as an authentication for the external user is done. When the username is provided during authentication, the user provisioning checks whether it is available in the external or internal database. When the user exists in the external database but is not yet available in the internal one, the user is added to the internal storage. If the condition stated in the "enabled" element of the profile's "account" section is fulfilled, the account is set to enabled in the internal storage. For every authentication method configured in the "authentication" section, it is checked whether the user fulfills the condition stated in the "registered" element. If so, the user is set to registered for that authentication method.
<storage id="int_jdbc" class="com.alfaariss.oa.engine.user.provisioning.storage.internal.jdbc.JDBCInternalStorage">
  <resource>
    <!-- JDBC Resource configuration -->
    <account table="[account_table]"/>
    <profile table="[profile_table]"/>
  </resource>
</storage>
- [account_table] (optional) The name of the table containing the user accounts. Default: account.
- [profile_table] (optional) The name of the table containing the user account profiles. Default: accountprofile.
JDBC Resource configuration
There are several ways to configure JDBC resources in OpenASelect which are described in the JDBC Resource Configuration page.
JDBC External Storage
OA offers the possibility to configure a JDBC back-end for the external database.
<storage id="ext_jdbc" class="com.alfaariss.oa.engine.user.provisioning.storage.external.jdbc.JDBCExternalStorage">
  <resource>
    <table name="[table_name]">
      <column userid="[column_name]"/>
    </table>
    <!-- JDBC Resource configuration -->
  </resource>
</storage>
- [table_name] The table name where to find the OpenASelect users.
- [column_name] The column name containing the OpenASelect users.
JDBC Resource configuration
There are several ways to configure JDBC resources in OpenASelect which are described in the JDBC Resource Configuration page.
JNDI External Storage
As an external database it is possible to configure a JNDI storage.
<storage id="ext_jndi" class="com.alfaariss.oa.engine.user.provisioning.storage.external.jndi.JNDIExternalStorage">
  <resource>
    <driver>[driver]</driver>
    <url>[url]</url>
    <security_principal>
      <dn>[dn]</dn>
      <password>[password]</password>
    </security_principal>
    <dn>
      <base>[base]</base>
      <user>[user]</user>
    </dn>
  </resource>
</storage>
- [driver] The JNDI driver used to connect with the back-end. For example "com.sun.jndi.ldap.LdapCtxFactory".
- [url] The URL to the JNDI server (e.g. "ldap://somehost:389").
- [dn] The identity of the principal used to authenticate the caller to the service. The format of the principal depends on the authentication scheme. If this property is unspecified, the behaviour is determined by the service provider.
- [password] The credentials of the principal used to authenticate the caller to the service. The value depends on the authentication scheme; for example, it could be a hashed password, a clear-text password, a key or a certificate. If this property is unspecified, the behaviour is determined by the service provider.
- [base] The base DN in the JNDI back-end server.
- [user] The DN of the user.
File External Storage
As an external database it is possible to configure a File storage.
<storage id="ext_file" class="com.alfaariss.oa.engine.user.provisioning.storage.external.file.FileExternalStorage">
  <file>[file_location]</file>
</storage>
- [file_location] The location of the file.
The file should contain the following structure:
<users>
  <user id="[user_id]">
    ...
  </user>
  ...
</users>
- [user_id] The OpenASelect user id.
For every user it is possible to add extra fields. For example:
<users>
  <user id="user">
    <name>user</name>
    <password>pass</password>
    <phone>0612345679</phone>
    ...
  </user>
  ...
</users>
With these fields it is possible to add rules with the help of the convertermanager.
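The following added example (not OpenASelect code) simulates the provisioning flow described under "JDBC Internal Storage" against a file in the File External Storage format above: a constructed users file is read, an ExistConverter-style field check decides the "enabled" and per-method "registered" flags, and the resulting account is written to an in-memory stand-in for the internal storage. The profile rules, method ids and user records are constructed for illustration.

```python
"""Added example: apply a StandardProfile-like rule set with an ExistConverter
check to users read from a FileExternalStorage-format file (not project code)."""
import xml.etree.ElementTree as ET

# Constructed users file in the <users><user id=...> format from the page.
USERS_XML = """<users>
  <user id="alice"><name>Alice</name><password>pass</password><phone>0612345679</phone></user>
  <user id="bob"><name>Bob</name><password>pass</password></user>
  <user id="carol"><name>Carol</name></user>
</users>"""

# Constructed profile mirroring <account><enabled default= field=/> and
# <authentication><method id=...><registered default= field=/>.
PROFILE = {
    "enabled": {"default": False, "field": "password"},
    "methods": {
        "PasswordMethod": {"default": False, "field": "password"},  # hypothetical id
        "SMSMethod": {"default": False, "field": "phone"},          # hypothetical id
    },
}

def load_external_users(xml_text):
    """Parse the file storage: user id -> {field name: value}."""
    root = ET.fromstring(xml_text)
    return {u.get("id"): {c.tag: (c.text or "") for c in u} for u in root.findall("user")}

def exist_converter(fields, field):
    """ExistConverter semantics: true iff the configured field is present."""
    return field in fields

def evaluate(rule, fields):
    """No field configured: the default applies; otherwise the converter decides."""
    if rule.get("field") is None:
        return rule["default"]
    return exist_converter(fields, rule["field"])

def provision(user_id, external, internal):
    """Stand-in for JDBCInternalStorage population on first authentication."""
    if user_id not in external:
        return None  # not in the external storage: nothing is provisioned
    if user_id not in internal:
        fields = external[user_id]
        internal[user_id] = {
            "enabled": evaluate(PROFILE["enabled"], fields),
            "registered": {m: evaluate(r, fields) for m, r in PROFILE["methods"].items()},
        }
    return internal[user_id]
```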
