[midPoint] Authentication in resource
Radovan Semancik
radovan.semancik at evolveum.com
Mon May 2 10:54:35 CEST 2016
On 05/02/2016 08:25 AM, Aivo Kuhlberg wrote:
>
> Does midPoint support authentication in a resource (e.g. AD)? I mean that
> when a user tries to log on to midPoint, his/her credentials are
> sent to Active Directory, and if they match the AD credentials then the
> user can log on to midPoint.
>
Not directly. We do not (yet) have pass-through authentication as Sun
IDM used to have. But there are two ways to do this:
1: Use an SSO system (such as CAS) and let that authenticate against AD.
Then configure Spring Security in midPoint to use the "pre-auth" module. We
have done that several times and it works well. See
https://wiki.evolveum.com/display/midPoint/MidPoint+and+SSO+HOWTO
2: Theoretically you can configure the Spring Security AD authentication
module directly in midPoint (instead of the "pre-auth" module). This
should work. Theoretically. But we have never tried that. There may be
some issues with username/DN mapping, though.
And there is always the option to sponsor the pass-through
authentication feature. ConnId supports it. So it is just a matter
of implementing it in midPoint. There was some work done in that
direction in the midPoint 3.4 code base. So this feature should not be that
difficult to implement in midPoint 3.5. It is just a matter of
priorities and motivation.
--
Radovan Semancik
Software Architect
evolveum.com
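For option 2 above, this is what wiring Spring Security's own Active Directory provider into a Spring XML security context looks like. It is an added, constructed example, not configuration from the midPoint project or from the wiki HOWTO: the bean id, the domain "example.com", the server URL and the assumption that midPoint's security context of that era is Spring XML namespace configuration are all assumptions made here.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: not midPoint's own configuration.
     Assumes a Spring Security XML-namespace context (as midPoint used at the time)
     and an AD domain "example.com" reachable over LDAPS at ad.example.com. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Spring Security's built-in AD provider. It binds to AD *as the user*
         (userPrincipalName, i.e. user@example.com), so the password is verified by AD
         and is never stored or compared locally. LDAPS keeps the bind off the wire in clear. -->
    <bean id="adAuthenticationProvider"
          class="org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider">
        <!-- First constructor argument: the AD domain. A bare login name such as "jdoe"
             is turned into "jdoe@example.com" before the bind. -->
        <constructor-arg value="example.com"/>
        <!-- Second constructor argument: the LDAP URL of a domain controller. -->
        <constructor-arg value="ldaps://ad.example.com:636/"/>
        <!-- Surface AD sub-error codes (password expired, account disabled, locked out)
             as distinct Spring Security exceptions instead of one generic BadCredentials,
             so the UI and the audit trail can tell them apart. -->
        <property name="convertSubErrorCodesToExceptions" value="true"/>
    </bean>

    <!-- Replaces the provider that would otherwise check passwords against the
         midPoint repository with the AD provider. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="adAuthenticationProvider"/>
    </security:authentication-manager>
</beans>
```

Two things to check before relying on this. First, the provider produces Spring's own LDAP user-details principal; whatever in midPoint expects a midPoint user to be the logged-in principal still needs a midPoint user whose name matches the AD account, which is the username/DN mapping issue mentioned in the reply. Second, because the bind is done with the user's credentials, a domain controller that only allows cleartext binds over plain ldap:// would expose passwords in transit; the URL above deliberately uses ldaps://.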