By: valsaraj viswanathan user 07 Feb 2018 at 10:58 p.m. CST

2 Responses

I have 2 applications that need to be integrated with Gluu for identity management & SSO. User data is in LDAP, and I added 2 LDAP sources under cache refresh to sync users from both applications. But how do I control user access to the applications? For example: Application A users should not have access to Application B & vice versa.

By mohib zico staff 07 Feb 2018 at 11:07 p.m. CST


For OpenID connect protocols, you can use UMA.

For SAML / CAS, you can use different attributes to control this access; however, it has to be called from the SP side.

By Michael Schwartz staff 07 Feb 2018 at 11:22 p.m. CST


The IDP (Gluu Server) sends an identity assertion to the application: an XML or JSON object that tells the application who the person is, how and when they were authenticated.

If you want to use this information to control access to your application, you can use a web proxy. The Shibboleth SAML SP Apache filter uses the require keyword (i.e. role=manager); mod_auth_openidc also offers a require claim syntax.

If you are not using a web server as the relying party, your application will need to be smart enough to read and validate the identity assertion, and enact the respective security rules.
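As an added example (not from this thread or from Gluu's documentation), here is what the two web-proxy approaches described above look like in Apache 2.4 configuration: a Shibboleth SP location for Application A and a mod_auth_openidc location for Application B. The attribute/claim name appAccess and its values, the scope name, and all URLs and client credentials are constructed placeholders; the real attribute has to be released by the Gluu IDP and mapped on the SP side.

```apache
# Application A: Shibboleth SP (SAML) in front of the app, Apache 2.4 syntax.
# Only users whose released attribute "appAccess" carries the value "app-a" get
# through; a user synced from Application B's LDAP without it is refused.
# Attribute name and value are constructed; map the real one in attribute-map.xml
# and release it from the Gluu IDP's attribute-release policy.
<Location /app-a>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-attr appAccess app-a
</Location>

# Application B: mod_auth_openidc (OpenID Connect) in front of the app.
# Issuer URL, client id, secret and redirect URI are placeholders for values
# registered in Gluu; the claim name "appAccess" and scope "app_access" are constructed.
OIDCProviderMetadataURL https://gluu.example.com/.well-known/openid-configuration
OIDCClientID <client-id-registered-in-gluu>
OIDCClientSecret <client-secret>
OIDCRedirectURI https://app-b.example.com/app-b/redirect_uri
OIDCCryptoPassphrase <random-passphrase>
# Request the scope that releases the custom claim alongside the standard ones.
OIDCScope "openid profile app_access"

<Location /app-b>
    AuthType openid-connect
    # The authenticated user must present claim appAccess containing "app-b";
    # otherwise mod_auth_openidc returns 403 instead of passing the request on.
    Require claim appAccess:app-b
</Location>
```

With this layout a single Gluu session can still sign the user into both proxies, but each location admits only users carrying that application's value, which is the per-application restriction asked about in the question.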