The BAU of IAM - A “Cookie-Cutter” Implementation
You've almost arrived. You have implemented every feature of IAM your
organisation needs, but there are still some applications out there that need
to be brought under the umbrella of IAM. How easily can you mop them up?
Well, while IAM integration at this stage is still not a no-cost operation, it's
almost certainly a “known cost” one.
Here are some of the things you typically need to do:
Development tasks
1. Implement a CAS interceptor for the application using an appropriate
technology 50. Disable the application's native authentication mechanism.
Modify it to operate in a trusted mode and accept the user identity and
attributes passed into it by the interceptor instead, making sure that those
attributes can only arrive from the interceptor and not be supplied directly
by the client.
2. Disable local user management functions (the parts dealing with user
creation, deletion and the update of common user attributes) and only
retain the fine-grained role mapping and access control rules specific to the
application.
3. Implement a listener to provision and de-provision users, and to update
common user attributes in an automated fashion based on user events
received over the User Event Bus.
4. If required, create a hyperlink on the IAM administration module to
enable an administrator to jump to this application's fine-grained role
mapping screen as soon as a user is provisioned through IAM 51.
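The development tasks above as one added example (this is not code from the book, nor from CAS or any of the interceptor technologies in footnote 50): a Python sketch of task 1, the application running in trusted mode, and task 3, the User Event Bus listener. It assumes a hypothetical X-Trusted-Identity header that the interceptor attaches after CAS validation, HMAC-signed with a key shared with the application, and user events delivered as JSON objects carrying a per-user sequence number; real interceptors hand over the principal differently (REMOTE_USER, container subject, proxy headers), so the checks carry over, the wire format does not. The sample key, users and events are constructed for the example.

```python
"""Added example: trusted-mode identity hand-off and a User Event Bus listener.

Assumed, not taken from the book: the interceptor sets an X-Trusted-Identity
header of the form base64(json).hexmac, signed with a key shared with the
application, and user events are dicts with 'user_id', 'seq', 'type', 'attrs'.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time


# --- Task 1: the application in "trusted mode" --------------------------------

class UntrustedIdentity(Exception):
    """Raised when a request did not verifiably come through the interceptor."""


def build_trusted_header(principal, attrs, key, now=None):
    """Interceptor side (hypothetical format): sign the validated principal and
    common attributes so the application can tell them from a spoofed header."""
    ts = int(time.time() if now is None else now)
    payload = json.dumps({"sub": principal, "attrs": attrs, "iat": ts},
                         sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload).decode() + "." + mac


def resolve_principal(headers, key, max_age=60, now=None):
    """Application side: instead of running its own login, accept the identity
    only if the header is present, correctly signed and fresh."""
    raw = headers.get("X-Trusted-Identity")
    if raw is None:
        raise UntrustedIdentity("request did not pass through the interceptor")
    try:
        b64, mac = raw.rsplit(".", 1)
        payload = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        raise UntrustedIdentity("malformed identity header")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise UntrustedIdentity("signature mismatch: header was not set by the interceptor")
    claims = json.loads(payload)
    age = (time.time() if now is None else now) - claims["iat"]
    if age > max_age:
        raise UntrustedIdentity("stale identity header (possible replay)")
    return claims["sub"], claims["attrs"]


def accepts(headers, key, now=None):
    """Convenience wrapper: True if the request would be trusted, False otherwise."""
    try:
        resolve_principal(headers, key, now=now)
        return True
    except UntrustedIdentity:
        return False


# --- Task 3: User Event Bus listener ------------------------------------------

# Only these attributes are owned by IAM; everything else stays application-local.
COMMON_ATTRS = ("email", "display_name", "department")


class LocalUserStore:
    """The application's own user table after task 2: common attributes are
    fed from IAM, fine-grained roles remain the application's business."""

    def __init__(self):
        self.users = {}      # user_id -> {"attrs": {...}, "roles": set()}
        self.last_seq = {}   # user_id -> highest event sequence number applied


def apply_user_event(store, event):
    """Apply one IAM user event. Returns 'applied' or 'ignored'.

    The bus is store-and-forward, so the listener must tolerate duplicate and
    out-of-order delivery: any event not newer than the last one seen for
    that user is ignored, and create/update are both treated as an upsert."""
    uid, seq, kind = event["user_id"], event["seq"], event["type"]
    if seq <= store.last_seq.get(uid, -1):
        return "ignored"
    if kind in ("created", "updated"):
        record = store.users.setdefault(uid, {"attrs": {}, "roles": set()})
        # Copy only the common attributes; never touch local role assignments.
        record["attrs"].update({k: v for k, v in event.get("attrs", {}).items()
                                if k in COMMON_ATTRS})
    elif kind == "deleted":
        store.users.pop(uid, None)   # de-provision, roles go with the user
    else:
        raise ValueError("unknown user event type: %r" % kind)
    store.last_seq[uid] = seq
    return "applied"
```

The signature is what makes "trusted mode" safe: without it (or an equivalent, such as the reverse proxy stripping inbound identity headers and the application listening only on an interface the interceptor can reach) anyone who can reach the application directly can claim any principal. The sequence check in the listener is what lets the de-provisioning path be trusted despite the bus replaying or reordering messages.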
50 Some examples of interceptors for CAS are a CAS servlet filter, a container
mechanism like WebSphere's Trust Association Interceptor, the Apache web server's
mod_auth_cas module, Spring Security or a global authenticating reverse proxy.
51 Although the user event from IAM is propagated to the application's event listener
through a store-and-forward mechanism (i.e., the User Event Bus), in practice this
happens extremely fast and the user would most probably have been created within
the application by the time the administrator clicks on the link and opens the
application's fine-grained role assignment screen. IAM's SSO ensures that the
hyperlink navigation will be seamless and the administrator will not have to log into
the application.