Thx Radovan,<br><br> Thx for the reference to the SSO HowTo; sooner or later I will try enabling SSO. Would be nice, if in future,<br> enabling SSO could be a configuration option.<br><br> I agree that midpoint should not be an authentication server. For reference and as contribution, I'll describe<br> the feature.<br><br>#-----------<br><br> In a tightly regulated environment and as part of security best practise, clear case credentials should not be<br> stored on a device or in application. The application may also be run from an environment where trust may<br> be questionable. In this context, having an authentication mechanism for REST based calls that does not rely<br> on passwords - such as mutual authentication with X509 certificates solves the issue of storing the password<br> and enhance the overall trust between client and server (midPoint).<br><br> I expect that proper CA issued certificates would be used, but there may be a case for self-signed certificates<br> for some implementations or customer.<br><br>#-----------<br><br> Unfortunately I do not have the bandwidth to contribute code at this time.<br><br>Regards,<br> Anton<br><br><br><blockquote style="margin-right: 0px; margin-left:15px;">----Original message----<br>From : radovan.semancik@evolveum.com<br>Date : 11/08/2015 - 09:58 (BST)<br>To : midpoint@lists.evolveum.com<br>Subject : Re: [midPoint] REST Authentication<br><br>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<div class="moz-cite-prefix">Hi Anton,<br>
<br>
There is a way how to "plug" midPoint into a SSO system. We had
success with CAS and OpenAM:<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/MidPoint+and+SSO+HOWTO">https://wiki.evolveum.com/display/midPoint/MidPoint+and+SSO+HOWTO</a><br>
<br>
I believe that similar approach might be used to support
OAuth2-based mechanisms with the help of an OAuth server or an API
gateway. I think that this is the way forward: midPoint is not an
authentication server. MidPoint's responsibility is management of
identities, not directly authorization or authentication. There
are great products that already do auth/autz and we have no plans
to duplicate their functionality. We rather have plans to
integrate with them.<br>
<br>
Therefore we do not have any specific plans about extended
authentication mechanisms for REST or SOAP. <br>
<br>
But that does not mean we cannot implement something simple such
as the X509-based auth (if you are thinking about SSL mutual
authentication). We can do it if there is a demand. You are the
first to mention it, therefore I have create a Jira issue:<br>
<a class="moz-txt-link-freetext" href="https://jira.evolveum.com/browse/MID-2505">https://jira.evolveum.com/browse/MID-2505</a><br>
<br>
Please see the ususal options here:<br>
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature">https://wiki.evolveum.com/display/midPoint/I+Need+New+Feature</a><br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
<br>
<br>
On 08/07/2015 12:38 PM, <a class="moz-txt-link-abbreviated" href="mailto:midpoint@mybtinternet.com">midpoint@mybtinternet.com</a> wrote:<br>
</div>
<blockquote cite="mid:32088443.19289.1438943887734.JavaMail.defaultUser@defaultHost" type="cite">Hi,<br>
<br>
Are there plans to support authentication mechanisms other than
userid & password?<br>
I would like to see certificate authentication.<br>
<br>
Regards,<br>
Anton<br>
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
midPoint mailing list
<a class="moz-txt-link-abbreviated" href="mailto:midPoint@lists.evolveum.com">midPoint@lists.evolveum.com</a>
<a class="moz-txt-link-freetext" href="http://lists.evolveum.com/mailman/listinfo/midpoint">http://lists.evolveum.com/mailman/listinfo/midpoint</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72"></pre>
<br></blockquote><br><p></p>