Identity Components: LDAP and Single Sign-On
The Geoportal extension implements a standard Java container-based authentication pattern. The Java container is configured to authenticate against an identity store. Inbound requests are processed by the container and credentials are requested for and authenticated as required. Information about the authenticated user is then supplied, per request, to each participating web application running within the container. This information is supplied as a UserPrincipal object, which typically holds a "username" credential, the "password" credential is not provided to the underlying applications. The primary components associated with authentication, authorization, identification and self-care are identified in the figure below.
At a minimum, the Geoportal extension requires read access to an external LDAP (Lightweight Directory Access Protocol) identity store. The identity store holds information about users and groups. A set of functions query the identity store (read only) to determine the attributes associated with a user (e.g. E-Mail address), the groups to which a user belongs, and the groups within the store. Authorized access to specific functionality is based upon group membership (i.e. role), defined below:
- Geoportal extension Administrator : group members have full access, including the ability to approve metadata documents
- Geoportal extension Publisher: group members can publish metadata documents and register remote sites for harvesting
- Geoportal extension RegisteredUser : group members can save searches and maps for later use
A set of functions edit the content of the identity store. These functions are related to self-care and include: the ability to register as a member, user profile management (edit LDAP user attributes such as E-Mail address), change password, forgot password. These functions can be disabled (gpt.xml configuration file) in cases where a writable connection to LDAP is not available or desired. The Geoportal extension implements LDAP communication through an extensible class:
com.esri.Geoportal Extension.framework.security.identity.ldap.LdapIdentityAdapter. If required, this class can be overridden to provide custom behavior. However, in most cases integration wtih an organization's LDAP can be configured through the <identity> section of the gpt.xml file, without changing the classes.
8/6/2012