Account Provisioning
OpenASelect uses a flexible system for user management. User management is part of the authentication process; more specifically, it is responsible for identifying the user.
Besides identification, user provisioning allows OpenASelect components to use arbitrary user attributes as input to the authentication process or to other basic OpenASelect operations. The component can also act as a cache in front of user databases.
Database types
OpenASelect distinguishes two kinds of database:
- Internal database - The internal user database is used by OpenASelect to store user-specific settings needed by OpenASelect or one of its components, for example the user's account status (enabled/disabled) and status values for authentication methods;
- External database - External databases are used to identify the user and, where possible, to extract information from them that can be stored in the internal database for use by OA or an OA component.
OpenASelect does not require the internal database to be used. By using only an external database, an OA deployment relies solely on the identity management context of its environment.
Flow
The workflow of the user provisioning component is depicted in the figure below:
The first step in the sequence is not shown in the figure: the lookup of user information in the external user database. If the user is not found in the external database, any user records stored in the internal database are deleted as well. This ensures that the internal database does not retain records for users who no longer exist externally.
If the user's information is found both internally and externally, the user provisioning component finishes and returns the information from the internal database to the authentication method, which uses it to authenticate the user.
If the user is not found in the internal database, the user provisioning component looks up the information in the external database and, if found, maps it and stores it internally for the uses described above. The mapping is done by a mapper that interprets the data in a specific attribute of the external database and places it in the appropriate field of the internal database.
Usage example
Consider the following example:
- A user (Alice, not currently known in the internal database) needs to authenticate to access a web service. The web service requires an authentication profile that includes an identifying method using a password and a second method using SMS authentication;
- The external database is an LDAP directory containing a set of attributes, among which is the user's telephone number. However, the telephone number may not be present for every user;
- The user provisioning component is configured to map the telephone number stored in the LDAP directory to a boolean value in the internal database indicating whether the SMS authentication method is available. If a telephone number is found, the attribute is set to true;
- When the user tries to access the resource at the web service, the web service sends the user to the OpenASelect identity provider (e.g. via an HTTP redirect). The following steps then take place (irrelevant steps are omitted):
- The OpenASelect profile receives the request sent by the web service via the user agent. The profile component forwards the request to the WebSSO component;
- The WebSSO component retrieves the authentication profile that is required by the web service. Pre-authorization is performed;
- The authentication profile indicates that the first method is the LDAP password method;
- The user provides her UID and password;
- Now the user provisioning component comes into action: after the supplied password has been verified, it retrieves Alice's UID and telephone number from the LDAP backend;
- The user provisioning component recognizes that a telephone number is available and sets the corresponding attribute value in the internal database;
- The authentication manager uses that attribute value and executes the SMS authentication method;
- The SMS authentication method can now use information from the external database (the telephone number) to send an SMS message to Alice, so that she can complete the authentication sequence;
- Alice is now authenticated and is able to access the resource at the web service.
- The internal database now holds Alice's UID and the status of her telephone number (i.e. whether SMS authentication is available for her).
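The provisioning flow described under Flow and the telephone-number mapping from the usage example above, modelled in working Python. This is an added example written for this page, not OpenASelect's own code or API: the class and field names (UserProvisioner, InternalRecord, the sms_enabled field), the mapper signature and the sample directory entries are all assumptions made for illustration.

```python
# Added example for this page, not OpenASelect's own implementation or API.
# Names (UserProvisioner, InternalRecord, "sms_enabled", the sample users)
# are assumptions made for illustration only.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Optional, Tuple


def sample_directory() -> Dict[str, Dict[str, str]]:
    """Constructed stand-in for the external LDAP directory (uid -> attributes).
    Bob deliberately has no telephoneNumber, so SMS must not be offered to him."""
    return {
        "alice": {"uid": "alice", "telephoneNumber": "+31612345678"},
        "bob": {"uid": "bob"},
    }


@dataclass
class InternalRecord:
    """One row of the internal database: account status plus mapped attributes."""
    uid: str
    enabled: bool = True
    attributes: Dict[str, Any] = field(default_factory=dict)


# A mapper takes the raw value of one external attribute (None if the
# attribute is absent) and returns the value to store in the internal field.
Mapper = Callable[[Optional[str]], Any]


def sms_availability(value: Optional[str]) -> bool:
    """Map the LDAP telephoneNumber to a boolean: can SMS authentication be used?"""
    return value is not None and value.strip() != ""


# internal field -> (external attribute, mapper), as in the usage example
DEFAULT_MAPPINGS: Dict[str, Tuple[str, Mapper]] = {
    "sms_enabled": ("telephoneNumber", sms_availability),
}


class UserProvisioner:
    def __init__(self, external: Dict[str, Dict[str, str]],
                 mappings: Optional[Dict[str, Tuple[str, Mapper]]] = None):
        self.external = external                        # external user database
        self.internal: Dict[str, InternalRecord] = {}   # internal user database
        self.mappings = mappings if mappings is not None else DEFAULT_MAPPINGS

    def provision(self, uid: str) -> Optional[InternalRecord]:
        """Run the provisioning flow for one user and return the internal record,
        or None if the user is unknown in the external database."""
        ext = self.external.get(uid)
        if ext is None:
            # Step 1: not found externally -> drop any stale internal record too.
            self.internal.pop(uid, None)
            return None
        rec = self.internal.get(uid)
        if rec is not None:
            # Found both internally and externally: the cached record is returned
            # as-is; its attributes are not re-read from the external database.
            return rec
        # Not yet known internally: map external attributes into a new record.
        rec = InternalRecord(uid=uid)
        for internal_field, (ext_attr, mapper) in self.mappings.items():
            rec.attributes[internal_field] = mapper(ext.get(ext_attr))
        self.internal[uid] = rec
        return rec


def second_factor_for(rec: Optional[InternalRecord]) -> Optional[str]:
    """Decision the authentication manager would take after the password step
    (assumed logic): offer "sms" only when the mapped attribute allows it."""
    if rec is None or not rec.enabled:
        return None
    return "sms" if rec.attributes.get("sms_enabled") else None


if __name__ == "__main__":
    prov = UserProvisioner(sample_directory())
    for uid in ("alice", "bob", "carol"):
        rec = prov.provision(uid)
        print(uid, rec, "second factor:", second_factor_for(rec))
```

Two properties of the flow as described above are visible in this model. First, a user who disappears from the external database loses the internal record on the next lookup. Second, a record that already exists internally is returned unchanged: if Alice's telephone number were later removed from the directory while her record is still cached, sms_enabled would remain true until her record is deleted. A deployment that bases a security decision on a mapped attribute should keep that staleness in mind.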


