<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 05/02/2016 08:25 AM, Aivo Kuhlberg
wrote:<br>
</div>
<blockquote cite="mid:1462170320728.6610@rmit.ee" type="cite">
<p>Does midPoint support authentication in a resource (e.g. AD)? I
mean that when a user tries to log on to midPoint, his/her
credentials are sent to Active Directory, and if they match the
AD credentials then the user can log on to midPoint.<br>
</p>
</blockquote>
<br>
Not directly. We do not (yet) have pass-through authentication as
Sun IDM used to have. But there are two ways to do this:<br>
<br>
1: Use an SSO system (such as CAS) and let that authenticate against
AD. Then configure Spring Security in midPoint to use the "pre-auth"
module. We have done that several times and it works well. See
<a class="moz-txt-link-freetext" href="https://wiki.evolveum.com/display/midPoint/MidPoint+and+SSO+HOWTO">https://wiki.evolveum.com/display/midPoint/MidPoint+and+SSO+HOWTO</a><br>
<br>
2: Theoretically you can configure the Spring Security AD authentication
module directly in midPoint (instead of the "pre-auth" module). This
should work. Theoretically. But we have never tried that. There may
be some issues with username/DN mapping, though.<br>
<br>
And there is always the option to sponsor the pass-through
authentication feature. ConnId supports it, so it is just a
matter of implementing it in midPoint. There was some work done in
that direction in the midPoint 3.4 code base, so this feature should not
be that difficult to implement in midPoint 3.5. It is just a matter
of priorities and motivation.<br>
<br>
<pre class="moz-signature" cols="72">--
Radovan Semancik
Software Architect
evolveum.com
</pre>
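<p>As an added illustration (not part of this thread, and not midPoint's own configuration), the following Java config shows what the second option above looks like on the Spring Security side: an ActiveDirectoryLdapAuthenticationProvider that binds to AD with the credentials the user typed, plus the search filter that governs the username/DN mapping the reply warns about. The class name AdAuthConfig, the domain and the LDAPS URL are assumed placeholder values; wiring this provider into midPoint's own security context is not shown.</p>

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider;

/**
 * Hypothetical Spring Security configuration that delegates password
 * verification to Active Directory (option 2 in the reply above).
 * This is illustrative code, not midPoint's own security wiring.
 */
@Configuration
@EnableWebSecurity
public class AdAuthConfig extends WebSecurityConfigurerAdapter {

    // Assumed placeholder values: use the real AD domain and an LDAPS URL so the
    // user's password is never sent to the domain controller in clear text.
    private static final String AD_DOMAIN = "example.test";
    private static final String AD_URL = "ldaps://dc1.example.test:636";

    @Bean
    public AuthenticationProvider activeDirectoryAuthenticationProvider() {
        ActiveDirectoryLdapAuthenticationProvider provider =
                new ActiveDirectoryLdapAuthenticationProvider(AD_DOMAIN, AD_URL);

        // Username/DN mapping: the provider binds as "user@AD_DOMAIN" and then
        // locates the user's entry with this filter ({0} is the bind principal).
        // If the login name midPoint uses is not the userPrincipalName prefix,
        // the filter (or the login name itself) has to be adjusted, which is the
        // kind of mapping issue the reply anticipates.
        provider.setSearchFilter("(&(objectClass=user)(userPrincipalName={0}))");

        // Map AD sub-error codes (expired password, disabled or locked account)
        // to distinct Spring Security exceptions instead of a generic
        // BadCredentialsException, so that failed logins are diagnosable in logs.
        provider.setConvertSubErrorCodesToExceptions(true);

        // Bind with the credentials from the login request rather than a
        // fixed service account, which is what makes this "authenticate
        // against AD" rather than "look up the user in AD".
        provider.setUseAuthenticationRequestCredentials(true);
        return provider;
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Register the AD provider as the authentication source. Because the
        // password is checked only by the domain controller, no AD password
        // hash ever needs to be stored in the application.
        auth.authenticationProvider(activeDirectoryAuthenticationProvider());
    }
}
```

<p>The practical checks before relying on this in production are the ones the reply hints at: confirm that the principal returned by AD maps to exactly one midPoint user, and use LDAPS (or StartTLS) so the bind does not expose passwords on the network.</p>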
</body>
</html>