Just in Time Provisioning is a concept of creating a user automatically in the LiveCycle system once it gets authenticated successfully from an Authentication Provider. With the Just in Time Provisioning feature disabled, then when a user is successfully authenticated but it is not found in the LiveCycle User Management database, the authentication fails. Just in Time Provisioning adds a step in the authentication to create the user and assign the roles and groups.
This sample includes two customized components:
SampleIdentityCreator is used to create user when a user is successfully authenticated but it is not found in LiveCycle User Management database
SampleAssignmentProvider is used to assign a role to the user
Prerequisites for the sample
Ensure LiveCycle ES2 Service Pack 2 (220.127.116.11) is installed.
Files needed for the sample
Jar file to deploy and source code
Jar file to deploy and source code
Deploying the sample
Before deploying the sample, extract the two zip files described above your local path. To deploy the sample:
Start Workbench ES2.
Log in to Workbench ES2.
Select Window>Show Views >Components. This action adds the Components view to Workbench ES2.
Right-click the Components icon and select Install Component.
Select the adobe-sample-ic.jar through the file browser and click Open.
Right-click the component named SampleIdentityCreator and select Start Component. A green arrow appears next to the name if it succeeds.
Repeat the step 4.
Select the adobe-sample-ap.jar through the file browser and click Open.
Right-click the component named SampleAssignmentProvider and select Start Component. A green arrow appears next to the name if it succeeds.
Configuring the sample
This sample provides details on using the Just in Time Provisioning feature in an LDAP environment. Before starting the configuration steps, ensure that there is an LDAP server is available for testing purposes. You can use other types of authentication providers if needed; reference the Just In Time Provisioning in the LiveCycle documentation.
Note: If the DSCs are not visible while creating an Enterprise/Hybrid Domain in Administration Console, navigate to Home > Settings > User Management > Configuration > Advanced System Attributes. Click Reload.
Create Enterprise Domain in LiveCycle
Log in to LiveCycle Administration Console (http://[hostname]:[port]/adminui) using administrator user.
Click Settings > User Management > Domain Management.
Click New Enterprise Domain and input ID and Name.
Select Enable Just In Time Provisioning.
Click Add Authentication. Navigate to the New Authentication panel displayed below. In the Identity Creator drop-down, select AdobeBasicLDAPIdentityCreator. In the Assignment Provider drop-down, select CustomAssignmentProvider and in Authentication Provider drop-down, select LDAP. Leave the Custom LDAP Authentication check box blank. Click OK.
In the page New Enterprise Domain again, click Add Directory, input Profile Name, click Next.
In the page New Directory, configure the properties:
Server: Fully qualified domain name (FQDN) of the directory server. For example, for a computer named x on the corp.adobe.com network, the FQDN is x.corp.adobe.com. An IP address can be used in place of the FQDN server name.
Port: The port that the directory server uses. Typically 389, or 636 if the Secure Sockets Layer (SSL) protocol is used for sending authentication information over the network.
SSL: Specifies whether the directory server uses SSL when sending data over the network. The default is No. When set to Yes, the corresponding LDAP server certificate must be trusted by the Java runtime environment (JRE) of the application server.
Binding: Specifies how to access the LDAP server. If Anonymous is selected, no user name or password is required. If User is selected, then authentication is required, and the properties Name and Password are required.
Name: Name that can be used to connect to the LDAP database when anonymous access is not enabled. For Active Directory 2003, specify [domain name]\[userid]. For Sun One, eDirectory or IBM Tivoli Directory Server, specify the fully qualified name of the user, such as uid=lcuser,ou=it,o=company.com. Typically it is provided by LDAP administrator.
Password: Password that corresponds with the name specified when connecting to the LDAP database when anonymous access is not enabled.
Populate Page With: When selected, populates attributes on the User and Group settings pages with corresponding default LDAP values. Select this setting to save time configuring User and Group settings.
Click Test. If the configuration is correct, the message "The Server test was successful" displays. Otherwise, modify the configuration. See Directory settings if problems persist.
Click Next. If you selected Populate Page With in the previous step, then the properties are set as default values in User Settings. The exception is the Base DN, which needs manual entry. For details about configuring the properties, see Directory settings.
Click Next to input the Base DN manually. See Directory settings for additional information.
Return to the New Enterprise Domain panel and click OK.
Select the domain that you created, and click Sync Now.
Navigate to Settings > User Management > Users and Groups, in the drop-down list named "and domain". Select the domain that you created and click Find. See if the users have already been synced from LDAP to the specific domain.
Note: In step 5, the drop-down list Identity Creator contains at least two items. One is AdobeBasicLDAPIdentityCreator which is deployed when you configure your LiveCycle server, and it works for both Enterprise Domain and Hybrid Domain. The other, CustomIdentityCreator, is deployed by this sample and only works for Hybrid Domain.
Running the sample
Go to your LDAP server and use the proper client to create a user in your LDAP server that doesn't exist in your LC server.
Log in to LiveCycle Administrator Console (http://[hostname]:[port]/adminui) using the user credential that you created in LDAP server in the previous step. If you can log in successfully, then it means that the user has already been created in LiveCycle database. Since the user only has the Admin_Console role, they do not have other permissions to operate in the Administration Console.
To check to see if the user has been created, log in to Administration Console using administrator user. Click Settings > User Management > Users and Groups, in the drop-down list named "and domain", select the domain that you created, then click Find.
Note: Using the configuration specified above, the user was created in LiveCycle using the Identity Creator named "AdobeBasicLDAPIdentityCreator". The role assigned by the Assignment Provider is named "CustomAssignmentProvider".
In LiveCycle Administration Console again, click Settings > User Management > Domain Management.
Click the domain that you created in the Configuring the sample.
Click Convert to Hybrid Domain to confirm, click OK.
Then go back to page Edit Hybrid Domain, click LDAP.
In Identity Creator, select CustomIdentiyCreator, in Assignment Provider, select CustomAssignmentProvider, and then click OK.
Click OK to save the change.
Repeat the steps 1 and 2 to result in successful logging and the user created in the LiveCycle database.
Note: Using the configuration specified above, the user was created in LiveCycle using the Identity Creator named "CustomIdentityCreator". The role assigned by the Assignment Provider is named "CustomAssignmentProvider".
To customize your IdentityCreator and AssignmentProvider as component:
Setting up your development environment
Creating an Eclipse Java project. The version of Eclipse that is supported is 3.2.1 or later.
As in other Java projects, add the necessary JAR files. The Java business logic is dependent on the project class path. To customize the Identity Creator and Assignment Provider, add the adobe-livecycle-client.jar, adobe-usermanager-client.jar, um-spi.jar and um-client.jar files to the project class path.
Develop your own component that implements the interface of Just In Time Provisioning
Define the service implementation, which implements the interface that is exposed in User Manager. Create a user and assign role to the user as needed. For example:
UserProvisioningBO contains the authentication data and keeps in credential map.
AuthResponse extracts the User from the credential Map and passes it to AssignmentProvider if registered.
Create a component XML file to deploy the component to LiveCycle.
Package the component into a JAR file.
After deploying the component to your LiveCycle server, the service is listed by selecting Identity Creator for the specific domain.
Any references to company names, company logos and user names in sample material or sample forms included in this documentation and/or software are for demonstration purposes only and are not intended to refer to any actual organization or persons.
LiveCycle ES2 Service Pack 2 SDK Sample - Just In Time Provisioning -
10/26/2010 11:30 AM
LiveCycle ES2 (18.104.22.168) - October 2010