Skip to first unread message
Hristo Iliev
Nov 6, 2014, 6:33:24 AM11/6/14
to vcap...@cloudfoundry.org
Hi,
Currently we are using an UAA with postgresql. We also have an external system that holds user profile information such as user id, password and user attributes like names, mail, profile.
We would like to use this external system to authenticate Cloud Foundry users to avoid replicating thousands of records. The data relevant for Cloud Foundry such as organizations and mapping to users should remain in the postgre db.
The problem we have is that the external system does not currently support LDAP or SCIM. So we came up with some ideas to solve this:
Regards,
Hristo Iliev
Currently we are using an UAA with postgresql. We also have an external system that holds user profile information such as user id, password and user attributes like names, mail, profile.
We would like to use this external system to authenticate Cloud Foundry users to avoid replicating thousands of records. The data relevant for Cloud Foundry such as organizations and mapping to users should remain in the postgre db.
The problem we have is that the external system does not currently support LDAP or SCIM. So we came up with some ideas to solve this:
- hack UAA code (AuthzAuthenticationManager.java) and add authentication with the external system
- pros: relatievely easy to do
- cons: requires fork of the UAA code
- implement LDAP adapter/proxy that connects the external system and UAA via LDAP
- pros: no forking
- cons: harder to implement; external system does not support all of the LDAP functionality (groups, search/filtering)
Regards,
Hristo Iliev
Filip Hanik
Nov 6, 2014, 9:25:30 AM11/6/14
to vcap...@cloudfoundry.org
What type of protocol does your external system support?
thanks
Filip
--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/911b4017-784e-42b8-9238-22ad152febe5%40cloudfoundry.org.
To unsubscribe from this group and stop receiving emails from it, send an email to vcap-dev+u...@cloudfoundry.org.
Hristo Iliev
Nov 7, 2014, 2:15:21 AM11/7/14
to vcap...@cloudfoundry.org, fha...@pivotal.io
The external system uses a proprietary protocol. That's why we need to do external authentication without LDAP or SCIM.
Regards,
Hristo Iliev
Regards,
Hristo Iliev
Sree Tummidi
Nov 7, 2014, 11:42:35 AM11/7/14
to vcap...@cloudfoundry.org, Filip Hanik
Hi Hristo,
If you don't plan on exposing this external system as a standards based Identity Provider(SAML/SCIM), there are potentially two paths you could take
1> If this external system is storing users in a Database , you could write a JDBC extension with some kind of user mapping so that the relevant user attributes can be retrieved and utilized in UAA
2> If this external system is exposing a Web Service (REST or SOAP) you could look at writing a web service extension instead.
Both of these are not currently on the UAA roadmap but I can see the JDBC extension with custom user mapping being a lot of value to the UAA user base.
Thanks,
Sree Tummidi
Sr. Product Manager
Cloud Foundry
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/6707dae6-8858-4bc5-a7ac-9c9ef3391879%40cloudfoundry.org.
Reply all
Reply to author
Forward
0 new messages