List: forgerock-openam
Subject: [Openam] Fwd: OpenAM Identity Services
From: kalinchih () gmail ! com (=?Big5?B?psCzzbVZL0thbGluIENoaWg=?=)
Date: 2010-11-20 17:10:43
Message-ID: AANLkTimP-RZazjWuoqxmf4K31MNQJF2ur_FBc29Bw_h0 () mail ! gmail ! com
Hi Peter,
Many thanks for your reply.
My company has a large amount of customer data, which is stored in 2 account
databases by region.
We're planning to merge the accounts in the future.
Before the account migration, I think multi-realms might be a solution.
My use case: (please see the attached image, SSO.jpg)
- The customers in "Account DB1" can *only* access "SP 1" and "SP 2".
- The customers in "Account DB2" can *only* access SP 3 and "SP 4".
- However, "SP 5" provides service for some accounts in "DB 1" or "DB
2", and we built an account mapping DB for SP5's customers.
- If the account is in both "DB 1" and "Account mapping DB", the account can
access "SP 1", "SP 2", and "SP 5".
- If the account is in both "DB 2" and "Account mapping DB", the account can
access "SP 3", "SP 4", and "SP 5".
So I think after the user passes authentication, the SP side has to get
the realm information to determine whether to provide the service or not.
Do you think multi-realms (multi-authentication modules) in one IdP is a
solution for this situation?
Thanks again,
Kalin
2010/11/20 Major Péter <majorpetya at sch.bme.hu>
> Hi,
>
> > I can get the identity attributes from the
> > http://[openam]/opensso/identity/attributes.
> > However, I cannot get any realm information from this service.
> > Because my OpenAM has 2 realms, both have their own authentication
> > module.
> > I would like to get the information to know the user is authenticated by
> > which realm.
>
> What's your use case? I mean, if your application can be used by both
> realms, then why aren't the users in one realm? Anyways, you can't get
> realm information from the REST API, you're probably going to need to
> use the ClientSDK instead.
>
> > Another question is that if the identity store is database and the "User
> > Profile" setting is "Ignore" on the "Realm Attribute".
> > How can I use the SP cookie token (iPlanetDirectoryPro) to get the
> > identity information?
>
> you could use the read command of the REST API to get profile
> information, but since you've set the User Profile config to ignore,
> you could easily end up having an empty response for a given user...
>
> Regards,
> Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SSO.jpg
Type: image/jpeg
Size: 34221 bytes
Desc: not available
Url : http://lists.forgerock.org/pipermail/openam/attachments/20101121/d201c23e/attachment-0001.jpg