ldap-bind-store | An implementation of an Identity and Credential Store which obtains credential, user and
role information from an LDAP server using JNDI, based on the configuration properties.
It lets you set, in your Gateway configuration file, whatever options your LDAP JNDI
provider supports.
Examples of standard property names are:
initialContextFactory = "java.naming.factory.initial"
securityProtocol = "java.naming.security.protocol"
providerUrl = "java.naming.provider.url"
securityAuthentication = "java.naming.security.authentication"
This store implementation is both an Identity Store and Credential Store.
Since in JOSSO the authentication of the user is left to the configured Authentication Scheme,
this store implementation cannot delegate user identity assertion by binding to the
LDAP server. For that reason it retrieves the required credentials from the directory,
leaving the authentication procedure to the configured Authentication Scheme.
The store must be supplied with the configuration parameters so that it can retrieve user
identity information.
Additional component properties include:
- securityPrincipal: the DN of the user to be used to bind to the LDAP Server
- securityCredential: the securityPrincipal password to be used for binding to the
LDAP Server.
- securityAuthentication: the security level to be used with the LDAP Server session.
Its value is one of the following strings:
"none", "simple", "strong".
If not set, "simple" will be used.
- usersCtxDN : the fixed distinguished name to the context to search for user accounts.
- principalUidAttributeID: the name of the attribute that contains the user login name.
This is used to locate the user.
- rolesCtxDN : The fixed distinguished name to the context to search for user roles.
- uidAttributeID: the name of the attribute that, in the object containing the user roles,
references role members. The attribute value should be the DN of the user associated with the
role. This is used to locate the user roles.
- roleAttributeID : The name of the attribute that contains the role name.
- credentialQueryString : The query string to obtain user credentials. It should have the
following format : user_attribute_name=credential_attribute_name,...
For example :
uid=username,userPassword=password
- userPropertiesQueryString : The query string to obtain user properties. It should have
the following format : ldap_attribute_name=user_attribute_name,...
For example :
mail=mail,cn=description
A sample LDAP Identity Store configuration :
<sso-identity-store>
<class>org.josso.gateway.identity.service.store.ldap.LDAPBindIdentityStore</class>
<initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
<providerUrl>ldap://localhost</providerUrl>
<securityPrincipal>cn=Manager,dc=my-domain,dc=com</securityPrincipal>
<securityCredential>secret</securityCredential>
<securityAuthentication>simple</securityAuthentication>
<usersCtxDN>ou=People,dc=my-domain,dc=com</usersCtxDN>
<principalUidAttributeID>uid</principalUidAttributeID>
<rolesCtxDN>ou=Roles,dc=my-domain,dc=com</rolesCtxDN>
<uidAttributeID>uniquemember</uidAttributeID>
<roleAttributeID>cn</roleAttributeID>
<credentialQueryString>uid=username,userPassword=password</credentialQueryString>
<userPropertiesQueryString>mail=mail,cn=description</userPropertiesQueryString>
</sso-identity-store>
A sample LDAP Credential Store configuration :
<credential-store>
<class>org.josso.gateway.identity.service.store.ldap.LDAPBindIdentityStore</class>
<initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
<providerUrl>ldap://localhost</providerUrl>
<securityPrincipal>cn=Manager,dc=my-domain,dc=com</securityPrincipal>
<securityCredential>secret</securityCredential>
<securityAuthentication>simple</securityAuthentication>
<usersCtxDN>ou=People,dc=my-domain,dc=com</usersCtxDN>
<principalUidAttributeID>uid</principalUidAttributeID>
<rolesCtxDN>ou=Roles,dc=my-domain,dc=com</rolesCtxDN>
<uidAttributeID>uniquemember</uidAttributeID>
<roleAttributeID>cn</roleAttributeID>
<credentialQueryString>uid=username,userPassword=password</credentialQueryString>
<userPropertiesQueryString>mail=mail,cn=description</userPropertiesQueryString>
</credential-store>
| org.josso.gateway.identity.service.store.ldap.LDAPBindIdentityStore |
ldap-store | An implementation of an Identity and Credential Store which obtains credential, user and
role information from an LDAP server using JNDI, based on the configuration properties.
It lets you set, in your Gateway configuration file, whatever options your LDAP JNDI
provider supports.
Examples of standard property names are:
initialContextFactory = "java.naming.factory.initial"
securityProtocol = "java.naming.security.protocol"
providerUrl = "java.naming.provider.url"
securityAuthentication = "java.naming.security.authentication"
This store implementation is both an Identity Store and Credential Store.
Since in JOSSO the authentication of the user is left to the configured Authentication Scheme,
this store implementation cannot delegate user identity assertion by binding to the
LDAP server. For that reason it retrieves the required credentials from the directory,
leaving the authentication procedure to the configured Authentication Scheme.
The store must be supplied with the configuration parameters so that it can retrieve user
identity information.
Additional component properties include:
- securityPrincipal: the DN of the user to be used to bind to the LDAP Server
- securityCredential: the securityPrincipal password to be used for binding to the
LDAP Server.
- securityAuthentication: the security level to be used with the LDAP Server session.
Its value is one of the following strings:
"none", "simple", "strong".
If not set, "simple" will be used.
- ldapSearchScope : allows control over the LDAP search scope; valid values are ONELEVEL and SUBTREE.
- usersCtxDN : the fixed distinguished name to the context to search for user accounts.
- principalUidAttributeID: the name of the attribute that contains the user login name.
This is used to locate the user.
- rolesCtxDN : The fixed distinguished name to the context to search for user roles.
- uidAttributeID: the name of the attribute that, in the object containing the user roles,
references role members. The attribute value should be the DN of the user associated with the
role. This is used to locate the user roles.
- roleAttributeID : The name of the attribute that contains the role name.
- roleMatchingMode : The way JOSSO obtains a user's roles; values are UDN (default) and UID.
- credentialQueryString : The query string to obtain user credentials. It should have the
following format : user_attribute_name=credential_attribute_name,...
For example :
uid=username,userPassword=password
- userPropertiesQueryString : The query string to obtain user properties. It should have
the following format : ldap_attribute_name=user_attribute_name,...
For example :
mail=mail,cn=description
A sample LDAP Identity Store configuration :
<sso-identity-store>
<class>org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore</class>
<initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
<providerUrl>ldap://localhost</providerUrl>
<securityPrincipal>cn=Manager,dc=my-domain,dc=com</securityPrincipal>
<securityCredential>secret</securityCredential>
<securityAuthentication>simple</securityAuthentication>
<usersCtxDN>ou=People,dc=my-domain,dc=com</usersCtxDN>
<principalUidAttributeID>uid</principalUidAttributeID>
<rolesCtxDN>ou=Roles,dc=my-domain,dc=com</rolesCtxDN>
<uidAttributeID>uniquemember</uidAttributeID>
<roleMatchingMode>UDN</roleMatchingMode>
<roleAttributeID>cn</roleAttributeID>
<credentialQueryString>uid=username,userPassword=password</credentialQueryString>
<userPropertiesQueryString>mail=mail,cn=description</userPropertiesQueryString>
<ldapSearchScope>SUBTREE</ldapSearchScope>
</sso-identity-store>
A sample LDAP Credential Store configuration :
<credential-store>
<class>org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore</class>
<initialContextFactory>com.sun.jndi.ldap.LdapCtxFactory</initialContextFactory>
<providerUrl>ldap://localhost</providerUrl>
<securityPrincipal>cn=Manager,dc=my-domain,dc=com</securityPrincipal>
<securityCredential>secret</securityCredential>
<securityAuthentication>simple</securityAuthentication>
<usersCtxDN>ou=People,dc=my-domain,dc=com</usersCtxDN>
<principalUidAttributeID>uid</principalUidAttributeID>
<rolesCtxDN>ou=Roles,dc=my-domain,dc=com</rolesCtxDN>
<uidAttributeID>uniquemember</uidAttributeID>
<roleAttributeID>cn</roleAttributeID>
<credentialQueryString>uid=username,userPassword=password</credentialQueryString>
<userPropertiesQueryString>mail=mail,cn=description</userPropertiesQueryString>
</credential-store>
| org.josso.gateway.identity.service.store.ldap.LDAPIdentityStore |
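The lookup sequence both stores above perform (locate the user under usersCtxDN by principalUidAttributeID, resolve roles under rolesCtxDN through uidAttributeID, then apply the credentialQueryString and userPropertiesQueryString mappings), as an added Python model evaluated against a constructed in-memory directory; this is not JOSSO's JNDI code, and the helper names and sample entries are assumptions. It also shows the ldapSearchScope and roleMatchingMode semantics of ldap-store, and why the login name must be filter-escaped (RFC 4515) before it is interpolated into the search.

```python
import re
PEOPLE, ROLES = "ou=People,dc=my-domain,dc=com", "ou=Roles,dc=my-domain,dc=com"
# Constructed directory (DN -> attributes, values as lists) and a config mirroring the sample above.
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"uid": ["alice"], "userPassword": ["{SSHA}hash1"], "mail": ["alice@my-domain.com"], "cn": ["Alice"]},
    f"uid=bob,ou=Staff,{PEOPLE}": {"uid": ["bob"], "userPassword": ["{SSHA}hash2"], "mail": ["bob@my-domain.com"], "cn": ["Bob"]},
    f"cn=admin,{ROLES}": {"cn": ["admin"], "uniquemember": [f"uid=alice,{PEOPLE}"]},
    f"cn=user,{ROLES}": {"cn": ["user"], "uniquemember": [f"uid=alice,{PEOPLE}", f"uid=bob,ou=Staff,{PEOPLE}"]},
}
CONFIG = {"usersCtxDN": PEOPLE, "principalUidAttributeID": "uid", "rolesCtxDN": ROLES, "uidAttributeID": "uniquemember",
          "roleAttributeID": "cn", "roleMatchingMode": "UDN", "ldapSearchScope": "SUBTREE",
          "credentialQueryString": "uid=username,userPassword=password", "userPropertiesQueryString": "mail=mail,cn=description"}

def escape_filter(value):
    """RFC 4515 escaping for a value interpolated into a search filter (turns '*' into a literal)."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def match(filter_value, attr_values):
    """Evaluate an equality/substring assertion: an unescaped '*' is a wildcard, '\\xx' is a literal byte."""
    unesc = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    rx = re.compile("^" + ".*".join(re.escape(unesc(p)) for p in filter_value.split("*")) + "$", re.I)
    return any(rx.match(v) for v in attr_values)

def in_scope(dn, base, scope):
    """ldapSearchScope semantics: ONELEVEL = direct children of base only, SUBTREE = any depth below it."""
    below = dn.lower().endswith("," + base.lower())
    return below and (scope == "SUBTREE" or "," not in dn[: -len(base) - 1])

def search(directory, base, scope, attr, filter_value):
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base, scope) and match(filter_value, attrs.get(attr, []))]

def find_user_dns(login, cfg, directory, escape=True):
    """Locate the user by principalUidAttributeID under usersCtxDN; escape=False shows the unsafe filter."""
    value = escape_filter(login) if escape else login
    return search(directory, cfg["usersCtxDN"], cfg["ldapSearchScope"], cfg["principalUidAttributeID"], value)

def user_roles(login, cfg, directory):
    """UDN mode: uidAttributeID holds the member's DN; UID mode: it holds the login name."""
    dns = find_user_dns(login, cfg, directory)
    if len(dns) != 1:  # unknown or ambiguous user: grant nothing
        return []
    member = dns[0] if cfg["roleMatchingMode"] == "UDN" else login
    role_dns = search(directory, cfg["rolesCtxDN"], cfg["ldapSearchScope"], cfg["uidAttributeID"], escape_filter(member))
    return sorted(r for dn in role_dns for r in directory[dn][cfg["roleAttributeID"]])

def mapped(directory, dn, query_string):
    """Apply a credentialQueryString / userPropertiesQueryString ('ldapAttr=name,...') mapping to one entry."""
    attrs = directory[dn]
    return {name: attrs[a][0] for a, name in (p.split("=", 1) for p in query_string.split(",")) if a in attrs}
```

With ldapSearchScope set to ONELEVEL the entry under ou=Staff is not found, and an unescaped login of "*" matches every account, which is why the escaping step matters.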