By: hyunwoo kim user 15 Nov 2019 at 11:02 p.m. CST

8 Responses
hyunwoo kim gravatar
Hi. I'm doing some testing to use gluu. Two clients were registered with OIDC and one client was registered with SAML. And I want to control user access to these Clients. For example, I'll call Client that I registered with OIDC as ClientA and ClientB. And I will call Client registered with SAML as ClientC. User 'hwkim' has access to ClientA and wants to restrict access to ClientB and ClientC. Is there a way? In the Local User Management section of the gluu Admin Guide (version 4.0), there are pairwise IDs. I understand that i can control access to OIDC registered clients with pairwise IDs. However, as shown in the screenshots in the Guide, i won't see any items related to pairwise IDs when i go to a page that modifies user information. The questions are summarized below. 1. Access control method for client configured with SAML or OIDC. 2. Uses of pairwise IDs 3. If the pairwise IDs are the ones that allow the user to control access to the client, how to use them. Thanks to read.

By Mohit Mali staff 18 Nov 2019 at 1:41 a.m. CST

Mohit Mali gravatar
Hi hyunwoo kim, Thanks you for reaching out gluu support , please have a look the following gluu look with regards to pairwise id with openid connect , this might help you with your query. please go through the pairwise section of the document. https://gluu.org/docs/ce/admin-guide/openid-connect/ please feel free to revert if any further support is required on this. Thanks and Regards Mohit Mali

By hyunwoo kim user 23 Nov 2019 at 12:26 a.m. CST

hyunwoo kim gravatar
Hi. Mohit Mali. I have read the 4.0 version of gluu doc you presented. And I set it up according to the documentation. The setting details are as follows. 1. Configuration > JSON Configuration > oxAuth Configuration - subjectTypeSupported : Select 'public' and 'pairwise' - defaultSubjectType : Select 'pairwise' - openidSubAttribute : inum (default) - pairwiseIdType : algorithmic 2. Add OIDC Client - Subject Type : pairwise - Set 'Sector Identifier' Why do I not see the contents of the guide document when adding user or changing existing user information? The document I'm talking about is the Gluu 4.0 document, which is part of 'Administration Guild-> User Management-> Local User Management-> Managing associated Pairwise IDs'. And is it true that these 'pairwise IDs' control user access to the OIDC Client? please answer about my question. Thanks to read.

By Mohib Zico staff 25 Nov 2019 at 6:54 a.m. CST

Mohib Zico gravatar
Hello hyunwoo, For SAML, you don't need OpenID client entries. You need [Trust Relationship](https://www.gluu.org/docs/ce/4.0/admin-guide/saml/#trust-relationship-requirements) for SAML connectivity.

By hyunwoo kim user 25 Nov 2019 at 6:05 p.m. CST

hyunwoo kim gravatar
I know what you talked about. But that doesn't seem to answer the question I asked. Please give me a definite answer.

By Mohib Zico staff 25 Nov 2019 at 11:43 p.m. CST

Mohib Zico gravatar
What question?

By hyunwoo kim user 26 Nov 2019 at 12:46 a.m. CST

hyunwoo kim gravatar
First, I want to control access when users access my registered clients. For example, suppose I have three OpenID Connect Clients. Each is referred to as ClientA, ClientB, and ClientC. When user K attempts to access the client, I want to restrict the user to access A and B, but not to C. How should I proceed? Second, I checked the Gluu 4.0 version of Docs. There was an item called Pairwise IDs, and I think it is an item that can control access to OIDC Client. Am I right? Third, if I am right, how can I check Pairwise IDs on the Add or Edit User screen? I did the setup as described in the guide. However, it does not appear on the user management screen. For reference, my settings are as follows. 1. Configuration > JSON Configuration > oxAuth Configuration - subjectTypeSupported : Select 'public' and 'pairwise' - defaultSubjectType : Select 'pairwise' - openidSubAttribute : inum (default) - pairwiseIdType : algorithmic 2. Add OIDC Client - Subject Type : pairwise - Set 'Sector Identifier' What did I miss? please answer about my question.

By Mohib Zico staff 26 Nov 2019 at 12:52 a.m. CST

Mohib Zico gravatar
Thanks. Open separate ticket for separate questions please, that will help community to search and find out specific answer on specific question. Let's concentrate on Authorization here. Gluu has different protocol for Authorization ( AS ) which is UMA. A good starting point will be to start reading from [here](https://www.gluu.org/docs/ce/4.0/admin-guide/uma/).

By hyunwoo kim user 26 Nov 2019 at 1:07 a.m. CST

hyunwoo kim gravatar
Okay. I will post my question on a different ticket. First I will read about UMA. Thank you for your answer.