Author: angela
Date: Wed Jul 20 10:32:35 2016
New Revision: 1753480
URL: http://svn.apache.org/viewvc?rev=1753480&view=rev
Log:
OAK-3211 : Document External Identity Management
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md?rev=1753480&r1=1753479&r2=1753480&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md
(original)
+++
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/identitymanagement.md
Wed Jul 20 10:32:35 2016
@@ -26,24 +26,55 @@ of the external authentication with opti
### Identity Management API
- [ExternalIdentityProviderManager]: factory for the `ExternalIdentityProvider`
-- [ExternalIdentityProvider]: provides user/group information from a third
party system.
+- [ExternalIdentityProvider]: used to authenticate against the third party
system.
+Additionally provides method to obtain information about external user/group
+accounts such as needed for the [synchronization](usersync.html) into the
repository.
- [ExternalIdentity]: base interface for an external user/group
- [ExternalUser]
- [ExternalGroup]
-- [ExternalIdentityRef]: reference to an external user/group
+- [ExternalIdentityRef]: reference to an external user/group consisting of id
and provider name.
### Default Implementation
-The default implementation present with Oak 1.0 allows for third party
authentication
-against LDAP.
+The `oak-auth-external` module come with a default implementation of the
+`ExternalIdentityProviderManager` and OSGi component that tracks all
+external IDPs that are registered via OSGi. While OSGi setup is recommended
+way, it can equally be used in non-OSGi environments by manually adding
+and removing the providers.
+
+There exists not default implementation for the other interfaces related
+to external identity management. However, Oak 1.0 provides support for third
+party authentication and identity management against LDAP covered by
+a separate module `oak-auth-ldap`. This is covered by section [LDAP
Integration](ldap.html).
-_todo_
+### Pluggability
-The configuration details are described in section [LDAP
Integration](ldap.html).
+#### Custom External Identity Management
-### Pluggability
+In order to plug a custom implementation of the external identity management
+the following steps are required:
+
+- Write your own implementation [ExternalIdentityProvider] including your
implementations of the external identities.
+ _Note:_ If you are running Oak in an OSGi based setup, make sure the
provider gets registered as OSGi service in which case it will be automatically
tracked by the default [ExternalIdentityProviderManager].
+- Deploy the bundle containing your implementation such that the IDP gets
+ tracked by the [ExternalIdentityProviderManager]. In an non-OSGi environment
+ you have to register it manually
+- Link your identity provider to the `ExternalLoginModule` by configuring the
IDP name accordingly (see section
[Configuration](externalloginmodule.html#configuration))
+
+##### Examples
+
+See [CustomExternalIdentityProvider] in the `oak-exercise` module for a
+very simplistic implementation for an OSGi-based Oak setup.
+
+#### Custom ExternalIdentityProviderManager
+
+Since `oak-auth-external` provides a default [ExternalIdentityProviderManager]
+a custom identity management doesn't need provide a separate implementation
+of this interface.
-_todo_
+If you wish to provider your own [ExternalIdentityProviderManager] in an
+OSGi environment, please make sure it gets properly referenced by the
+`ExternalLoginModuleFactory`.
<!-- references -->
[ExternalIdentityProviderManager]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityProviderManager.html
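Review bot: The new prose under "Default Implementation" and "Pluggability" carries several grammar slips that make the documentation harder to trust; please fix before merging: "The `oak-auth-external` module come with a default implementation of the `ExternalIdentityProviderManager` and OSGi component" should read "comes with a default implementation of the `ExternalIdentityProviderManager`, an OSGi component that tracks all external IDPs"; "While OSGi setup is recommended way" should be "While an OSGi setup is the recommended way"; "There exists not default implementation" should be "There is no default implementation"; "Additionally provides method to obtain" should be "Additionally it provides methods to obtain"; "In an non-OSGi environment you have to register it manually" needs "a non-OSGi environment" and a terminating period; "a custom identity management doesn't need provide" should be "doesn't need to provide"; and "If you wish to provider your own" should be "provide". One content point: the non-OSGi branch of the "Deploy the bundle" step says the IDP must be registered manually but does not say with what; since the preceding paragraph already states the default manager supports "manually adding and removing the providers", point the reader at that manager's add/remove methods (or link to the API page already referenced) so the manual path is as concrete as the OSGi one.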
@@ -51,4 +82,5 @@ _todo_
[ExternalIdentity]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentity.html
[ExternalUser]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalUser.html
[ExternalGroup]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalGroup.html
-[ExternalIdentityRef]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html
\ No newline at end of file
+[ExternalIdentityRef]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authentication/external/ExternalIdentityRef.html
+[CustomExternalIdentityProvider]:
http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-exercise/src/main/java/org/apache/jackrabbit/oak/security/authentication/external/CustomExternalIdentityProvider.java
\ No newline at end of file
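Review bot: The file still ends without a trailing newline after this change (the "\ No newline at end of file" marker is present on both sides of the hunk), which will keep producing noisy diffs on every future edit to the reference list; add the final newline here while the reference block is being touched. Also, the new [CustomExternalIdentityProvider] reference links to the raw `trunk` path under `svn.apache.org/repos/asf`, so the link silently tracks whatever trunk contains rather than the code this doc describes; consider linking via `viewvc` with a pinned revision, as the other references in this commit already resolve to fixed API docs.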
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md?rev=1753480&r1=1753479&r2=1753480&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md
(original)
+++
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/ldap.md
Wed Jul 20 10:32:35 2016
@@ -43,7 +43,7 @@ The [LdapIdentityProvider] is a service
In an OSGi-base setup the configuration options required in order to establish
connections to the LDAP are obtained form the properties associated with the
service.
-Otherwise the identity provider must be instanciated with the corresponding
+Otherwise the identity provider must be instantiated with the corresponding
`LdapProviderConfig` object revealing the mandatory config options. The details
of the LDAP configuration are listed below in section Configuration.
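Review bot: While this hunk fixes "instanciated", the two unchanged context lines directly above carry the same kind of error and should be fixed in the same commit: "In an OSGi-base setup" should be "In an OSGi-based setup" and "obtained form the properties" should be "obtained from the properties". The sentence "The details of the LDAP configuration are listed below in section Configuration." would also read better with a link to that section, matching how the identitymanagement.md change links its Configuration reference.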
@@ -51,7 +51,7 @@ of the LDAP configuration are listed bel
Currently the only way to combine multiple LDAP sources is to have multiple
entries of the `ExternalLoginModule` configured in the JAAS setup each coming
-with it's own identity provider implementation.
+with it's own identity provider implementation and sync handler.
See [OAK-1839] for an improvement request that allows to have multiple identity
provider implementations configured with the `ExternalLoginModule`.
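Review bot: The changed line keeps the misspelled possessive "with it's own identity provider implementation and sync handler"; since the line is being rewritten anyway, correct it to "with its own". The addition of "and sync handler" is the important point of this hunk and deserves a sentence of its own: a reader configuring multiple LDAP sources needs to know that each `ExternalLoginModule` entry must reference both its identity provider and its sync handler by name, otherwise two entries can end up sharing one sync handler and writing identities from different directories into the same synchronized user tree. In the following context line, "an improvement request that allows to have multiple identity provider implementations" should read "an improvement request to allow multiple identity provider implementations".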