[security-dev] IDM Realms and Applications - The Nitty Gritty
sbryzak at redhat.com
Wed Nov 14 15:50:33 EST 2012
On 11/14/2012 11:41 PM, Pedro Igor Silva wrote:
> Hi Shane,
> I think the realm concept is quite similar what we got with identity stores. Usually the realm is used to define the store for users, groups, roles, permissions and also to define authentication policies like supported credential types or authentication methods/mechanisms.
> Each application may have its own realm, using a specific store (eg.: ldap, jdbc, file, etc), and have its own authentication policies like which credential types are supported (consequently which authentication mechanisms are supported).
This won't address the use case where a corporation has a number of
applications authenticating against the same realm.
> I agree with David that applications should be decoupled from realms. I think realms should be used by applications. That way each application can use its own realm that defines where the identity state is (identity store) and what are the authentication policies to be considered. We can have also some global realms that can be reused by multiple applications or a specific realm for a specific application.
I agree with this (decoupling of application from realm) in principle
also. We can't enforce one realm per application though, because we
also have to take into account the multi-tenant use case where a single
application might serve multiple corporations (realms).
> Another thing regarding realms/stores. Is quite common to store user/authentication data (personal info, credentials, etc) separated from authorization data (roles, groups, permissions, etc). usually people use LDAP to store the first type of data and databases (given the flexibility) for the other type. How we solve that with the current implementation ? As far as i know, the IdentityManager is tied with a specific store.
We already support this with the introduction of the partitioning
feature - each IdentityManager configuration may consist of one or more
IdentityStores, each supporting a certain feature set.
> I tried to illustrate that in the attached image. It is just a scratch.
> Pedro Igor
More information about the security-dev