Managed System Authentication

This section describes how to configure delegated authentication with an external Managed System.

With delegated authentication, the login and password used to sign in to OpenIAM are not stored in the OpenIAM database. OpenIAM does not verify the credentials itself: it passes the login and password to the Managed System and receives an accept or reject decision back. This is most often used to authenticate against Active Directory or an LDAP directory.

Configuring Managed System authentication:

To configure delegated authentication, take the following steps:

  • Define an authentication policy
  • Create an Authentication provider (or use the out-of-the-box configuration called 'Managed System Auth Provider' and select the appropriate linked managed system; see the screenshot below)
  • Link the Authentication provider to a Content provider

Out of the box configuration

Create an Authentication Provider

To create a new authentication provider follow the steps below.

  • Log in to the Webconsole
  • Go to Access Control -> Authentication providers -> Create new provider
  • From the dropdown shown in the image below, select Authentication policy.

Select authentication provider

For the Managed System Authentication provider type, the Managed System must be successfully connected to the target system; otherwise every authentication attempt fails. To check the connection, go to Webconsole -> Provisioning -> Managed Systems dashboard: the status of the Managed System must be active, as shown below. Also make sure the field 'Search Filter for User' is set and contains a '?'. During authentication the '?' is replaced by the user's identity (the login) and the resulting filter is used to look the user up in the target system before the password is checked there, so choose a filter that identifies exactly one entry per login.

Managed System Connection Status
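The following is an added example, not OpenIAM's own code, that models the lookup-then-verify step described above: the '?' in a 'Search Filter for User' template is replaced by the login, the directory is searched for exactly one matching entry, and that entry's password is then checked (the LDAP bind). The directory is a constructed in-memory stand-in for the real target system, and only simple (attr=value) filters are modelled. Whether OpenIAM escapes the login before substituting it into the filter is not stated on this page; the example escapes it per RFC 4515 itself, which is an assumption about good practice, not a statement about the product. The example also shows why that matters: an unescaped login of '*' matches every user, and an ambiguous match must be refused.

```python
"""Added example, not OpenIAM code: a model of delegated authentication
where the '?' in the search filter template is replaced by the login.
The directory below is a constructed in-memory stand-in; RFC 4515
escaping of the login is an assumption made by this example."""
import hmac
import re

# Constructed sample directory: DN -> (attributes, password)
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": (
        {"uid": "alice", "mail": "alice@example.com"}, "s3cret"),
    "uid=bob,ou=people,dc=example,dc=com": (
        {"uid": "bob", "mail": "bob@example.com"}, "hunter2"),
}

# Only the simple "(attr=value)" filter shape is modelled here.
FILTER_RE = re.compile(r"^\((\w+)=(.*)\)$")


def escape_filter_value(value):
    """Escape a value per RFC 4515 so it is compared as data only and
    cannot change the structure of the search filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter(template, login, escape=True):
    """Replace the '?' placeholder with the login, as the page describes."""
    if "?" not in template:
        raise ValueError("'Search Filter for User' must contain a '?'")
    value = escape_filter_value(login) if escape else login
    return template.replace("?", value)


def _unescape(value):
    # Turn RFC 4515 "\xx" escapes back into the literal characters.
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def _assertion_matches(pattern, attr_value):
    """Evaluate one (attr=pattern) assertion: a bare '*' is a substring
    wildcard, while an escaped '\\2a' is a literal asterisk."""
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, attr_value, re.IGNORECASE) is not None


def search(ldap_filter):
    """Return the DNs of all entries matching a simple (attr=value) filter."""
    m = FILTER_RE.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %s" % ldap_filter)
    attr, pattern = m.group(1), m.group(2)
    return [dn for dn, (attrs, _pw) in DIRECTORY.items()
            if attr in attrs and _assertion_matches(pattern, attrs[attr])]


def authenticate(template, login, password, escape=True):
    """Delegated authentication: look the login up, insist on exactly one
    hit, then verify the password against that entry.  Returns the DN on
    success and None on any failure."""
    hits = search(build_filter(template, login, escape))
    if len(hits) != 1:          # unknown user, or an ambiguous filter: refuse
        return None
    dn = hits[0]
    expected = DIRECTORY[dn][1]
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return dn


if __name__ == "__main__":
    print(authenticate("(uid=?)", "alice", "s3cret"))          # alice's DN
    print(authenticate("(uid=?)", "*", "s3cret"))              # None: escaped
    print(search(build_filter("(uid=?)", "*", escape=False)))  # both DNs
```

The check on the number of hits is the part to keep in mind when choosing the filter: a template such as (uid=?) resolves one login to one entry, whereas a filter that can match several entries for the same login makes authentication fail even when the password is right.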

Three fields on the Authentication provider form are important for delegated authentication to work:

Name                                                   Required value
Linked to Managed system                               The Managed System against which the login and password are verified
Login Provider that will be used when logging a user   The Managed System login provider
Authentication policy                                  The authentication policy created specifically for this Managed System

An example of the completed fields is shown below.

Auth Policy Fields for Delegated

Linking Authentication provider to a Content provider

After creating the Authentication provider, the next step is to associate it with a content provider. Follow the steps described below.

  • Go to Access Control -> Content providers
  • Select the Content Provider that you want to update. In case there is only one, select the Default content provider
  • Select the authentication provider that you created earlier from the Authentication provider dropdown as shown in the example below.
  • Save the configuration after making changes

Configure authentication provider

Note

When switching to the Managed System authentication type, create two Content providers, at least for the trial run. This matters because if the new Content provider does not work for any reason and it is the only one, the system cannot authenticate anyone and you are locked out.

Whenever you configure authentication via another Managed System, create a further Content provider and test the new authentication type while still logged in through the old Content provider, so that you can log in and out as needed.

Once the new Content provider works, switch to it and use it for authentication. Do not delete the old Content provider, as doing so can damage the system.