By: valsaraj viswanathan user 07 Feb 2018 at 10:58 p.m. CST

2 Responses
I have 2 applications which need to be integrated with Gluu for identity management & SSO. User data is in LDAP, and I added 2 LDAP sources under Cache Refresh to sync users from both applications. But how do I control user access to the applications? For example, Application A users should not have access to Application B, and vice versa.

By Mohib Zico staff 07 Feb 2018 at 11:07 p.m. CST

For the OpenID Connect protocol, you can use UMA. For SAML / CAS, you can use different attributes to control this access; however, it has to be called from the SP side.

By Michael Schwartz staff 07 Feb 2018 at 11:22 p.m. CST

The IDP (Gluu Server) sends an identity assertion to the application: an XML or JSON object that tells the application who the person is, and how and when they were authenticated. If you want to use this information to control access to your application, you can use a web proxy. The Shibboleth SAML SP Apache filter uses the `require` keyword (i.e. role=manager); mod_auth_openidc also offers `require` claim syntax. If you are not using a web server as the relying party, your application will need to be smart enough to read and validate the identity assertion, and enact the respective security rules.
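The last sentence of the answer above is the case where no Apache filter sits in front of the application, so the relying party itself has to validate the assertion and then apply a rule such as "only members of Application A's group may log in". The following is an added example, not code from this ticket or from Gluu or mod_auth_openidc: it validates a JSON (JWT) identity assertion with the Python standard library and then applies a `require claim name:value` style check modelled on the idea in the answer. The issuer URL, client IDs, group names, the `memberOf` claim and the HS256 shared secret are all constructed assumptions; a real Gluu Server signs ID tokens with an RSA key published at its JWKS endpoint, so a production relying party would verify the signature against that key instead of a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time

# All values below are constructed for this offline example; none of them
# come from a real Gluu deployment.
ISSUER = "https://idp.example.com"          # hypothetical Gluu Server (IDP) issuer
CLIENT_ID = "app-a"                          # hypothetical client_id of Application A
SHARED_SECRET = b"constructed-demo-secret"   # HS256 key, demo only (real IDP: RS256 + JWKS)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWS. Used here only to construct sample assertions;
    in real life this is what the IDP does, never the application."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Validate algorithm, signature, issuer, audience and expiry.
    Raises ValueError on any failure so no caller can act on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # pin the algorithm; never honour "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this application")
    now = int(time.time()) if now is None else now
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def require_claim(claims: dict, name: str, value: str) -> bool:
    """Modelled on a 'require claim name:value' rule: true when the named claim
    equals the value or, for a list-valued claim, contains it."""
    present = claims.get(name)
    if isinstance(present, list):
        return value in present
    return present == value


def authorize(token: str, app_client_id: str, required_group: str, now=None) -> bool:
    """Full relying-party decision: validate the assertion first, then enforce
    the application's own access rule (user must be in the app's group)."""
    try:
        claims = verify_token(token, SHARED_SECRET, ISSUER, app_client_id, now=now)
    except ValueError:
        return False
    return require_claim(claims, "memberOf", required_group)


# Constructed sample assertions: alice belongs to Application A, bob to Application B.
NOW = 1_700_000_000
ALICE_TOKEN = sign_token({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID,
                          "exp": NOW + 300, "memberOf": ["app-a-users"]}, SHARED_SECRET)
BOB_TOKEN = sign_token({"iss": ISSUER, "sub": "bob", "aud": "app-b",
                        "exp": NOW + 300, "memberOf": ["app-b-users"]}, SHARED_SECRET)

if __name__ == "__main__":
    print("alice -> Application A:", authorize(ALICE_TOKEN, CLIENT_ID, "app-a-users", now=NOW))
    print("bob   -> Application A:", authorize(BOB_TOKEN, CLIENT_ID, "app-a-users", now=NOW))
```

Two details matter for the "Application A users must not reach Application B" requirement: the audience check rejects a token minted for one application when it is presented to the other, and the group check is applied only after the signature, issuer and expiry have been verified, so a forged or stale assertion never reaches the access rule.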