UAA with external authentication


Hristo Iliev

Nov 6, 2014, 6:33:24 AM11/6/14
to vcap...@cloudfoundry.org
Hi,

Currently we are using a UAA with PostgreSQL. We also have an external system that holds user profile information such as user id, password and user attributes like names, mail, profile.

We would like to use this external system to authenticate Cloud Foundry users to avoid replicating thousands of records. The data relevant for Cloud Foundry, such as organizations and mapping to users, should remain in the Postgres db.

The problem we have is that the external system does not currently support LDAP or SCIM. So we came up with some ideas to solve this:
  • hack UAA code (AuthzAuthenticationManager.java) and add authentication with the external system
    • pros: relatively easy to do
    • cons: requires fork of the UAA code
  • implement LDAP adapter/proxy that connects the external system and UAA via LDAP
    • pros: no forking
    • cons: harder to implement; external system does not support all of the LDAP functionality (groups, search/filtering)
Is there another (recommended) way to plug external authentication in UAA?

Regards,
Hristo Iliev

Filip Hanik

Nov 6, 2014, 9:25:30 AM11/6/14
to vcap...@cloudfoundry.org
What type of protocol does your external system support?


thanks
Filip


--
You received this message because you are subscribed to the Google Groups "Cloud Foundry Developers" group.
To view this discussion on the web visit https://groups.google.com/a/cloudfoundry.org/d/msgid/vcap-dev/911b4017-784e-42b8-9238-22ad152febe5%40cloudfoundry.org.

Hristo Iliev

Nov 7, 2014, 2:15:21 AM11/7/14
to vcap...@cloudfoundry.org, fha...@pivotal.io
The external system uses a proprietary protocol. That's why we need to do external authentication without LDAP or SCIM.

Regards,
Hristo Iliev

Sree Tummidi

Nov 7, 2014, 11:42:35 AM11/7/14
to vcap...@cloudfoundry.org, Filip Hanik
Hi Hristo,
If you don't plan on exposing this external system as a standards-based Identity Provider (SAML/SCIM), there are potentially two paths you could take:

1> If this external system is storing users in a database, you could write a JDBC extension with some kind of user mapping so that the relevant user attributes can be retrieved and utilized in UAA.
2> If this external system is exposing a Web Service (REST or SOAP) you could look at writing a web service extension instead.

Neither of these is currently on the UAA roadmap, but I can see a JDBC extension with custom user mapping being of a lot of value to the UAA user base.


Thanks,
Sree Tummidi
Sr. Product Manager
Cloud Foundry
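To make the two extension paths above concrete, here is an added example of the shape such an extension takes as a Spring Security `AuthenticationProvider`; it is illustration written for this thread, not code from UAA, Pivotal, or any of the posters. One provider serves both of Sree's options, because the JDBC and web-service variants differ only in which implementation sits behind the `ExternalSystemClient` interface. The names `ExternalSystemClient`, `ExternalUser`, `MappedUser`, `ExternalSystemUnavailableException` and the attribute keys `givenName`/`familyName`/`mail` are all assumptions; `uaa.user` is UAA's default baseline scope. How a custom provider is registered in UAA's `AuthzAuthenticationManager` chain is not covered by the thread and is not shown here.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/**
 * Authenticates Cloud Foundry users against an external profile store while
 * org/space membership stays in UAA's own Postgres database.
 * Hypothetical example written for this thread; not part of UAA.
 */
public class ExternalAuthenticationProvider implements AuthenticationProvider {

    /** Profile record the external system returns on success (assumed shape). */
    public static final class ExternalUser {
        public final String userId;
        public final Map<String, String> attributes; // e.g. givenName, familyName, mail

        public ExternalUser(String userId, Map<String, String> attributes) {
            this.userId = userId;
            this.attributes = attributes;
        }
    }

    /** Thrown by a client when the external system cannot be reached (assumed). */
    public static final class ExternalSystemUnavailableException extends RuntimeException {
        public ExternalSystemUnavailableException(String msg, Throwable cause) {
            super(msg, cause);
        }
    }

    /**
     * The proprietary protocol lives behind this interface (assumed). Both paths
     * from the thread fit: a JDBC implementation querying the external database,
     * or a REST/SOAP implementation calling the external web service.
     */
    public interface ExternalSystemClient {
        /** Empty when the user is unknown OR the password is wrong; callers must not learn which. */
        Optional<ExternalUser> verifyCredentials(String username, String password)
                throws ExternalSystemUnavailableException;
    }

    /** The principal UAA-side code sees: only the attributes Cloud Foundry needs (assumed). */
    public static final class MappedUser {
        public final String externalId, username, givenName, familyName, email;

        public MappedUser(String externalId, String username, String givenName,
                          String familyName, String email) {
            this.externalId = externalId;
            this.username = username;
            this.givenName = givenName;
            this.familyName = familyName;
            this.email = email;
        }
    }

    private final ExternalSystemClient client;

    public ExternalAuthenticationProvider(ExternalSystemClient client) {
        this.client = client;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        String username = authentication.getName();
        Object creds = authentication.getCredentials();
        String password = creds == null ? "" : creds.toString();

        Optional<ExternalUser> verified;
        try {
            verified = client.verifyCredentials(username, password);
        } catch (ExternalSystemUnavailableException e) {
            // An outage is not a bad password: surface it as a service failure so it
            // is logged and alerted on as such, not counted as a failed login attempt.
            throw new AuthenticationServiceException("external authentication unavailable", e);
        }

        // One generic failure for "no such user" and "wrong password": distinguishing
        // them in the response would let a caller enumerate valid accounts.
        ExternalUser user = verified.orElseThrow(() -> new BadCredentialsException("Bad credentials"));

        // Grant only the baseline scope here; org/space roles still come from UAA's own DB.
        Collection<GrantedAuthority> authorities =
                Collections.singletonList(new SimpleGrantedAuthority("uaa.user"));
        UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(
                mapUser(username, user), null /* credentials erased from the result */, authorities);
        result.setDetails(authentication.getDetails());
        return result;
    }

    /** Copies the attributes Cloud Foundry cares about; anything else from the profile is dropped. */
    static MappedUser mapUser(String username, ExternalUser user) {
        Map<String, String> a = user.attributes;
        return new MappedUser(user.userId, username,
                a.getOrDefault("givenName", ""),
                a.getOrDefault("familyName", ""),
                a.getOrDefault("mail", ""));
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Which concrete `ExternalSystemClient` gets wired in is exactly the question Filip asked: a JDBC client for a database-backed store, a web-service client for a REST/SOAP one. Keeping the protocol behind that interface is what lets the authentication decision (generic failure message, outage reported separately from bad credentials, attribute mapping limited to what Cloud Foundry needs) stay the same whichever way the external system is reached.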

