By: Abhinay B. user 30 Oct 2018 at 2:24 a.m. CDT

4 Responses
I've seen that Gluu supports external authentication and enables connecting to an external REST API through the custom authentication scripts (as also mentioned in [this ticket](https://support.gluu.org/authentication/3781/custom-authentication-with-external-web-service/)). I have the following query: If authentication is done by an external service, what is the role of Gluu server in it? One immediate answer that comes to my mind is that we can use the custom authentication scripts to club the external authentication service with other authentication services like 2FA, context-based authentication, etc. Is this correct? And is this the only advantage? Does it also provide other features like secure storage and maintenance of credentials generated by the external authenticator?

By William Lowe staff 30 Oct 2018 at 7 a.m. CDT

> If authentication is done by an external service, what is the role of Gluu server in it?

The Gluu Server is an identity provider. The user authenticates using whatever mechanism(s) you have configured -- password, biometrics, OTP, etc. -- and then Gluu redirects the user back to the app with identity information so the app can identify that user. Gluu will store any credentials specifically enrolled into the Gluu Server.

By Abhinay B. user 30 Oct 2018 at 7:08 a.m. CDT

Thank you for the reply! I understand that Gluu server is an identity provider. But if I connect to an external authentication service using the custom authentication script, is the enrollment happening in Gluu server? Or is the Gluu server only acting as a way to connect to an external point?

By William Lowe staff 30 Oct 2018 at 7:13 a.m. CDT

Some identifier gets enrolled into the Gluu LDAP whenever a credential is enrolled. For example, if you enable and use the U2F custom script, a public key will be enrolled into the server. If you use the script for an external authentication service like Duo Security, a device ID will be enrolled into the Gluu Server. The exception is passwords. If you use a backend AD / LDAP server with existing passwords, those would **not** be stored in Gluu. However, if you enroll new users and passwords directly into Gluu, then the passwords would get stored.

By Abhinay B. user 30 Oct 2018 at 7:19 a.m. CDT

Thank you! That clarifies my doubt! I wish to enroll new users and passwords into Gluu server. Further, I wish to pass these credentials to an external server that returns an X.509 certificate. I then pass both the token from Gluu server and the X.509 certificate as the identity information using the redirection to the app. Is my understanding right?