LiveCycle supports just-in-time provisioning of users that
don’t yet exist in User Management. With just-in-time provisioning,
users are automatically added to User Management after their credentials
are successfully authenticated. In addition, relevant roles and
groups are assigned dynamically to the new user.
Need for just-in-time user provisioningThis is how traditional authentication works:
When a user tries to log in to LiveCycle, User Management
passes the user’s credentials sequentially to all available authentication
providers. (Login credentials include a username/password combination,
Kerberos ticket, PKCS7 signature, and so on.)
The authentication provider validates the credentials.
The authentication provider then checks whether the user
exists in the User Management database. The following results are
possible:
- Exists:
- If the user is current and unlocked, User Management returns
authentication success. However, if the user is not current or is
locked, User Management returns authentication failure.
- Does not exist:
- User Management returns authentication failure.
- Invalid:
- User Management returns authentication failure.
The result returned by the authentication provider is evaluated.
If the authentication provider returned authentication success,
the user is allowed to log in. Otherwise, User Management checks
with the next authentication provider (steps 2-3).
Authentication failure is returned if no available authentication
provider validates the user credentials.
When just-in-time provisioning is implemented, a new user is
created dynamically in User Management if one of the authentication
providers validates the user’s credentials. (After step 3 in the
traditional authentication procedure, above.)
Implement just-in-time user provisioningAPIs for just-in-time provisioningLiveCycle provides the following APIs for just-in-time
provisioning:
package com.adobe.idp.um.spi.authentication ;
publ ic interface IdentityCreator {
/**
* Tries to create a user with the in formation provided in the <code>UserProvisioningBO</code> object.
* If the user is successfully created, a valid AuthResponse is returned along with the information using which the user was created.
* It is the responsibility of the IdentityCreator to set the User obje ct in the cre dential map with th e ke y <code>UMA u thenticationUtil.authenticatedUserKey</code>
* The credentials are available in the <code>UserProvisioningBO</code> object in the 'credentials' property.
* If the IdentityCreator is unable to create a user due to any reason, it returns <code>null</code>
* @param userBO An object of <code>com.adobe. i dp.um . spi.authenti c ationUserProvisioningBO</code>
* @return */public AuthResponse create(UserProvisioningBO userBO);
/**
* Returns the name of the IdentityCreator which will be registered in preferences.
* This name is used to associate the IdentityProvider with the Auth Provider Configuration in the domain.
* @return The name of the Identity Creator which is recognized in Configuration.
*/
public String getName();
}
package com.adobe.idp.um.spi.authentication;
import com.adobe.idp.um.api.infomodel.User;
public interface AssignmentProvider {
/**
* Tries to assign roles or permissions or group memberships to users created via Just-in-time provisioning.
* @param user The User created via the Just-in-time provisioning process.
* @return a Boolean flag indicating whether the assignment was successful or not.
*/
public Boolean assign(User user);
/**
* Returns the name of the AssignmentProvider through which it is registered under preferences.
* This name is used to associate the AssignmentProvider with the Auth Provider Configuration in the domain.
* @return The name of the AssignmentProvider which is recognized in Configuration.
*/public String getName();
}
Considerations while creating a just-in-time-enabled domainWhile creating a custom IdentityCreator for
a hybrid domain, ensure that a dummy password is specified for the
local user. Do not leave this password field empty.
Recommendation: Use DomainSpecificAuthentication to
validate user credentials against a specific domain.
Create a just-in-time-enabled domainWrite a DSC implementing the APIs in the “APIs
for just-in-time provisioning” section.
Deploy the DSC to the LiveCycle server.
Create a just-in-time-enabled domain:
In Administration
Console, click Settings > User Management > Domain Management
> New Enterprise Domain.
Configure the domain and select Enable Just In Time Provisioning.
(See Setting up and managing domains.
Add authentication providers. While adding authentication
providers, on the New Authentication screen, select a registered
Identity Creator and Assignment Provider.
Save the new domain.
Behind the scenesAssume that a user is trying to log in to LiveCycle and
an authentication provider accepts their user credentials. If the
user doesn’t yet exist in the User Management database, the identity
check for the user fails. LiveCycle now performs the following actions:
Create a UserProvisioningBO object with
the authentication data and place it in a credential map.
Based on domain information returned by UserProvisioningBO,
fetch and invoke the registered IdentityCreator and AssignmentProvider for
the domain.
Invoke IdentityCreator. If it returns a
successful AuthResponse, extract UserInfo from
the credential map. Pass it to the AssignmentProvider for
group/role assignment and any other post-processing after the user
is created.
If the user is created successfully, return the login attempt
by the user as successful.
For hybrid domains, pull user information from the authentication
data provided to the authentication provider. If this information
is fetched successfully, create the user on-the-fly.
Note: The just-in-time provisioning feature ships with a default
implementation of IdentityCreator that you can
use to dynamically create users. Users are created with the information
associated with the directories in the domain.
|
|
|