Just In Time Provisioning

LiveCycle ES2 (9.0.0.2) SDK Sample

Overview of the sample
Prerequisites for the sample
Files needed for the sample
Deploying the sample

Configuring the sample
Running the sample
Next steps
Legal disclaimer

Overview of the sample

Just in Time Provisioning automatically creates a user in the LiveCycle system once the user has been authenticated successfully by an Authentication Provider. With the Just in Time Provisioning feature disabled, authentication fails when a user is successfully authenticated but is not found in the LiveCycle User Management database. Just in Time Provisioning adds a step to the authentication process that creates the user and assigns roles and groups.

This sample includes two customized components:

Prerequisites for the sample

Ensure LiveCycle ES2 Service Pack 2 (9.0.0.2) is installed.

Files needed for the sample

Filename              Location                      Description
adobe-sample-ap.jar   CustomAssignmentProvider.zip  Jar file to deploy and source code
adobe-sample-ic.jar   CustomIdentityCreator.zip     Jar file to deploy and source code

Deploying the sample

Before deploying the sample, extract the two zip files described above to a local path. To deploy the sample:

  1. Start Workbench ES2.
  2. Log in to Workbench ES2.
  3. Select Window > Show Views > Components. This action adds the Components view to Workbench ES2.
  4. Right-click the Components icon and select Install Component.
  5. Select the adobe-sample-ic.jar through the file browser and click Open.
  6. Right-click the component named SampleIdentityCreator and select Start Component. A green arrow appears next to the name if it succeeds.
  7. Repeat step 4.
  8. Select the adobe-sample-ap.jar through the file browser and click Open.
  9. Right-click the component named SampleAssignmentProvider and select Start Component. A green arrow appears next to the name if it succeeds.

Configuring the sample

This sample provides details on using the Just in Time Provisioning feature in an LDAP environment. Before starting the configuration steps, ensure that an LDAP server is available for testing purposes. You can use other types of authentication providers if needed; refer to Just In Time Provisioning in the LiveCycle documentation.

Note: If the DSCs are not visible while creating an Enterprise/Hybrid Domain in Administration Console, navigate to Home > Settings > User Management > Configuration > Advanced System Attributes. Click Reload.

Create Enterprise Domain in LiveCycle

  1. Log in to LiveCycle Administration Console (http://[hostname]:[port]/adminui) as an administrator user.
  2. Click Settings > User Management > Domain Management.
  3. Click New Enterprise Domain and input ID and Name.
  4. Select Enable Just In Time Provisioning.
  5. Click Add Authentication. Navigate to the New Authentication panel displayed below. In the Identity Creator drop-down, select AdobeBasicLDAPIdentityCreator. In the Assignment Provider drop-down, select CustomAssignmentProvider, and in the Authentication Provider drop-down, select LDAP. Leave the Custom LDAP Authentication check box blank. Click OK.

     [Figure: Authentication Configure1]

  6. On the New Enterprise Domain page again, click Add Directory, input Profile Name, and click Next.
  7. On the New Directory page, configure the properties:
  8. Click Test. If the configuration is correct, the message "The Server test was successful" displays. Otherwise, modify the configuration. See Directory settings if problems persist.
  9. Click Next. If you selected Populate Page With in the previous step, then the properties are set as default values in User Settings. The exception is the Base DN, which needs manual entry. For details about configuring the properties, see Directory settings.
  10. Click Next to input the Base DN manually. See Directory settings for additional information.
  11. Click Finish.
  12. Return to the New Enterprise Domain panel and click OK.
  13. Select the domain that you created, and click Sync Now.
  14. Navigate to Settings > User Management > Users and Groups. In the drop-down list named "and domain", select the domain that you created and click Find. Check whether the users have already been synced from LDAP to the specific domain.

Note: In step 5, the drop-down list Identity Creator contains at least two items. One is AdobeBasicLDAPIdentityCreator which is deployed when you configure your LiveCycle server, and it works for both Enterprise Domain and Hybrid Domain. The other, CustomIdentityCreator, is deployed by this sample and only works for Hybrid Domain.

Running the sample

  1. On your LDAP server, use an appropriate client to create a user that does not exist in your LiveCycle server.
  2. Log in to LiveCycle Administration Console (http://[hostname]:[port]/adminui) using the credentials of the user that you created in the LDAP server in the previous step. If you can log in successfully, the user has already been created in the LiveCycle database. Since the user only has the Admin_Console role, they do not have other permissions to operate in the Administration Console.
  3. To check whether the user has been created, log in to Administration Console as an administrator user. Click Settings > User Management > Users and Groups. In the drop-down list named "and domain", select the domain that you created, then click Find.

     Note: Using the configuration specified above, the user was created in LiveCycle using the Identity Creator named "AdobeBasicLDAPIdentityCreator". The role was assigned by the Assignment Provider named "CustomAssignmentProvider".

  4. In LiveCycle Administration Console again, click Settings > User Management > Domain Management.
  5. Click the domain that you created in Configuring the sample.
  6. Click Convert to Hybrid Domain. To confirm, click OK.
  7. Go back to the Edit Hybrid Domain page and click LDAP.
  8. In Identity Creator, select CustomIdentityCreator. In Assignment Provider, select CustomAssignmentProvider, and then click OK.

     [Figure: Authentication Configure2]

  9. Click OK to save the change.
  10. Repeat steps 1 and 2. The login succeeds and the user is created in the LiveCycle database.

     Note: Using the configuration specified above, the user was created in LiveCycle using the Identity Creator named "CustomIdentityCreator". The role was assigned by the Assignment Provider named "CustomAssignmentProvider".

Next steps

To customize your IdentityCreator and AssignmentProvider as components:

Setting up your development environment

  1. Create an Eclipse Java project. The version of Eclipse that is supported is 3.2.1 or later.
  2. As in other Java projects, add the necessary JAR files. The Java business logic is dependent on the project class path. To customize the Identity Creator and Assignment Provider, add the adobe-livecycle-client.jar, adobe-usermanager-client.jar, um-spi.jar and um-client.jar files to the project class path.

Develop your own component that implements the interface of Just In Time Provisioning

  1. Define the service implementation, which implements the interface that is exposed in User Manager. Create a user and assign a role to the user as needed. For example:

     Identity Creator interface definition

     Assignment Provider interface definition

     UserProvisioningBO contains the authentication data and keeps it in the credential map.
     AuthResponse extracts the User from the credential map and passes it to the AssignmentProvider, if one is registered.

  2. Create a component XML file to deploy the component to LiveCycle.
  3. Package the component into a JAR file.
  4. After deploying the component to your LiveCycle server, the service is listed by selecting Identity Creator for the specific domain.

Note: For more details about developing components, see Developing Components.
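
The following is an added example, not code from this sample or from the LiveCycle SDK: a self-contained model of the flow described in the overview and in the development steps above (authenticate, look up the user, create it through an Identity Creator, then hand it to an Assignment Provider). The types below are simplified stand-ins whose shapes and method signatures are assumptions, not the definitions in um-spi.jar; the domain name and user ids are constructed, and the code needs Java 16 or later.

```java
import java.util.*;

// Simplified stand-ins for the types named on this page; shapes and method
// signatures are assumptions, not the interfaces shipped with LiveCycle.
public class JitProvisioningFlow {
    record User(String id, String domain, Set<String> roles) {}
    interface IdentityCreator { User create(Map<String, String> credentialMap, String domain); }
    interface AssignmentProvider { void assign(User user); }

    // Models the LiveCycle User Management database.
    static final Map<String, User> userDb = new HashMap<>();

    // Called only after the authentication provider (for example LDAP) accepted the credentials.
    static Optional<User> onAuthenticated(Map<String, String> credentialMap, String domain,
                                          boolean jitEnabled, IdentityCreator ic,
                                          AssignmentProvider ap) {
        String key = domain + "/" + credentialMap.get("userid");
        User existing = userDb.get(key);
        if (existing != null) return Optional.of(existing);   // known user: nothing to provision
        if (!jitEnabled) return Optional.empty();             // JIT disabled: authentication fails
        User created = ic.create(credentialMap, domain);      // extra step: create the user
        if (created == null) return Optional.empty();         // creator refused: fail closed
        ap.assign(created);                                   // then assign roles and groups
        userDb.put(key, created);
        return Optional.of(created);
    }

    public static void main(String[] args) {
        IdentityCreator ic = (credMap, domain) -> {
            String id = credMap.get("userid");
            // Refuse missing or malformed ids instead of provisioning them.
            if (id == null || !id.matches("[A-Za-z0-9._-]{1,64}")) return null;
            return new User(id, domain, new HashSet<>());
        };
        // Grant one fixed low-privilege role; roles are never taken from provider-supplied data.
        AssignmentProvider ap = user -> user.roles().add("Admin_Console");

        Map<String, String> sample = Map.of("userid", "jdoe"); // constructed sample input
        System.out.println(onAuthenticated(sample, "SampleDomain", false, ic, ap));
        System.out.println(onAuthenticated(sample, "SampleDomain", true, ic, ap));
        System.out.println(onAuthenticated(Map.of("userid", "../x"), "SampleDomain", true, ic, ap));
    }
}
```

Because every account that the authentication provider accepts is created on first login, the roles granted in the Assignment Provider are the effective default privileges for the whole directory, so keep them minimal.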

Legal disclaimer

Any references to company names, company logos and user names in sample material or sample forms included in this documentation and/or software are for demonstration purposes only and are not intended to refer to any actual organization or persons.

LiveCycle ES2 Service Pack 2 SDK Sample - Just In Time Provisioning - 10/26/2010 11:30 AM
LiveCycle ES2 (9.0.0.2) - October 2010