Authentication and authorization in Gluu server with existing OAuth solution

By: Mikhail Kuznetsov user 10 Feb 2016 at 4:33 p.m. CST

5 Responses
Mikhail Kuznetsov gravatar
Hello, My team has been tasked with using Gluu Server Community Edition to provide SCIM support for our product. As part of our product, we already have our own OAuth2 solution and our own LDAP. One of our use cases is that we may have a use case where a customer's third-party SCIM client is non-interactive, meaning that it is a some server making SCIM requests to our SCIM server on behalf of users without a human actually logging in. In light of this, I have some questions regarding how authentication and authorization of SCIM requests should work: 1. If we want to secure the SCIM APIs through OAuth2, how does the third party SCIM client initially get the token from oxAuth? Is it through interactive login (such as Authorization Code grant type) or is it non-interactive login (such as resource password credentials) grant type? 2. I understand that Gluu Server supports SAML and OpenId as methods for authenticating against our OAuth2 provider. Can this be used in a case where the third-party SCIM client is non-interactive? Which grant types does oxAuth support? 3. Is it the responsibility of the third-party client to provide functionality to authenticate with oxAuth? Does oxAuth provide an adapter? 4. How is authorization of SCIM requests done in Gluu server? Thank You, Mikhail Kuznetsov Software Engineer Hewlett Packard Enterprise
None
closed

Answers

By William Lowe user 10 Feb 2016 at 4:39 p.m. CST

Copy
William Lowe gravatar
Mikhail, Can you please [schedule a meeting](http://gluu.org/booking) with us? Thank you, Will

By Mikhail Kuznetsov user 12 Feb 2016 at 3:54 p.m. CST

Copy
Mikhail Kuznetsov gravatar
Hello, Thank you for having the call with us the other day! It was very helpful. We are impressed with the functionality in oxTrust to pull user data from an Active Directory or LDAP server over LDAPS. We have some questions about this feature: 1. What is the security scheme that is used in integration to allow the pull operations from LDAP besides LDAP over SSL? 2. Is the SSL a two way certificate verification between the LDAP server and Gluu Server? 3. Does the customer make their LDAP read-only for this integration? 4. Do most customers accept that Gluu server will be pulling information from their LDAP (Gluu server is the one that initiates this operation) and do they place any restrictions on this? Thank You, Mikhail Kuznetsov Software Engineer Hewlett Packard Enterprise

By Michael Schwartz Account Admin 12 Feb 2016 at 4:12 p.m. CST

Copy
Michael Schwartz gravatar
We use LDAPS, but not client certificate authetication in the Gluu Server. You can import the SSL certificate in the truststore, or use "Trust-All" (not recommended, but not uncommon). Normally the LDAP server we are synchronizing is on the same network, or at least not traversing the Internet. We could support mutual client cert authentication in LDAP (the underlying UnboundID SDK supports it) but the demand hasn't been there. Its up to the customer to provide the DN of an entry with the appropriate permissions, and it would be wise to limit that user to read access.

By Mohib Zico Account Admin 21 Feb 2016 at 11:31 a.m. CST

Copy
Mohib Zico gravatar
Hi Mikhail, Do we want to keep this ticket open for anything else?

By Mohib Zico Account Admin 29 Feb 2016 at 4:31 a.m. CST

Copy
Mohib Zico gravatar
Closing this ticket for now. Please feel free to open a new one if you have any question or confusion.

Post an answer