Author: bdaw
Date: 2010-02-15 02:57:06 -0500 (Mon, 15 Feb 2010)
New Revision: 1679
Modified:
portal/trunk/docs/reference-guide/en/modules/configuration/IDM_Configuration.xml
Log:
- Update docs for PL IDM integration
Modified:
portal/trunk/docs/reference-guide/en/modules/configuration/IDM_Configuration.xml
===================================================================
---
portal/trunk/docs/reference-guide/en/modules/configuration/IDM_Configuration.xml 2010-02-15
07:04:08 UTC (rev 1678)
+++
portal/trunk/docs/reference-guide/en/modules/configuration/IDM_Configuration.xml 2010-02-15
07:57:06 UTC (rev 1679)
@@ -1,5 +1,7 @@
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
+<!ENTITY % BOOK_ENTITIES SYSTEM "../../Reference_Guide.ent">
+%BOOK_ENTITIES;
]>
<section id="sect-Reference_Guide-PicketLink_IDM_integration">
<title>PicketLink IDM integration</title>
@@ -15,13 +17,13 @@
</para>
</note>
<para>
- The identity model represented in '<emphasis
role="bold">org.exoplatform.services.organization</emphasis>'
interfaces and the one used in <emphasis role="bold">JBoss Identity
IDM</emphasis> have some major differences.
+ The identity model represented in '<emphasis
role="bold">org.exoplatform.services.organization</emphasis>'
interfaces and the one used in <emphasis role="bold">PicketLink
IDM</emphasis> have some major differences.
</para>
<para>
- For example: the <emphasis role="bold">JBoss Identity
IDM</emphasis> provides greater abstraction. It is possible for groups in the
<emphasis role="bold">IDM</emphasis> framework to form memberships
with many parents (which requires recursive ID translation) while the GateIn model allows
only pure tree like membership structures.
+ For example: the <emphasis role="bold">PicketLink IDM</emphasis>
provides greater abstraction. It is possible for groups in the <emphasis
role="bold">IDM</emphasis> framework to form memberships with many
parents (which requires recursive ID translation) while the GateIn model allows only pure
tree like membership structures.
</para>
<para>
- Additionally the GateIn <emphasis>membership</emphasis> concept needs to be
translated into the IDM <emphasis>Role</emphasis> concept. Therefore
<emphasis role="bold">JBoss Identity IDM</emphasis> model is used in
a limited way. All these translations are applied by the integration layer.
+ Additionally the GateIn <emphasis>membership</emphasis> concept needs to be
translated into the IDM <emphasis>Role</emphasis> concept. Therefore
<emphasis role="bold">PicketLink IDM</emphasis> model is used in a
limited way. All these translations are applied by the integration layer.
</para>
<section
id="sect-Reference_Guide-PicketLink_IDM_integration-Configuration_files">
<title>Configuration files</title>
@@ -30,8 +32,8 @@
</para>
<programlistingco>
<areaspec>
- <area coords="7"
id="area-Reference_Guide-PicketLink_IDM_integration-Configuration_files-JBossIDMServiceImpl"
/>
- <area coords="52"
id="area-Reference_Guide-PicketLink_IDM_integration-Configuration_files-JBossIDMOrganizationServiceImpl"
/>
+ <area coords="5"
id="area-Reference_Guide-PicketLink_IDM_integration-Configuration_files-JBossIDMServiceImpl"
/>
+ <area coords="22"
id="area-Reference_Guide-PicketLink_IDM_integration-Configuration_files-JBossIDMOrganizationServiceImpl"
/>
</areaspec>
<programlisting role="XML"><configuration
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
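Review bot: The callout coordinate for the first service moves from 7 to 5 at the `<area coords="5"` line, yet nothing above the first `<key>`/`<type>` pair of the listing changes in this commit, so those two lines keep the position they had when 7 pointed at the `JBossIDMServiceImpl` `<type>` line; unless 7 was already wrong, `coords="5"` now lands two lines higher, on the `<component>` start tag. The second coordinate (52 → 22) cannot be checked here because the listing lines between this hunk and the next are not all visible. Suggest `<area coords="7"` for the first area and re-checking the rendered callout markers for both.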
@@ -39,53 +41,78 @@
xmlns="http://www.exoplaform.org/xml/ns/kernel_1_0.xsd"&a...;
<component>
-
<key>org.exoplatform.services.organization.jbidm.JBossIDMService</key>
-
<type>org.exoplatform.services.organization.jbidm.JBossIDMServiceImpl</type>
+
<key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
+
<type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
<init-params>
<value-param>
<name>config</name>
<value>war:/conf/organization/idm-config.xml</value>
</value-param>
- <values-param>
- <name>hibernate.annotations</name>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObject</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObjectAttribute</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObjectBinaryAttribute</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObjectBinaryAttributeValue</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObjectCredential</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObjectCredentialType</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObjectRelationship</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObjectRelationshipName</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObjectRelationshipType</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObjectTextAttribute</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateIdentityObjectType</value>
-
<value>org.jboss.identity.idm.impl.model.hibernate.HibernateRealm</value>
- </values-param>
- <properties-param>
- <name>hibernate.properties</name>
- <property name="hibernate.hbm2ddl.auto"
value="update"/>
- <property
name="hibernate.current_session_context_class"
value="thread"/>
- <property name="hibernate.show_sql"
value="false"/>
- <property
name="hibernate.cglib.use_reflection_optimizer"
value="true"/>
- <property name="hibernate.connection.url"
value="jdbc:hsqldb:file:../temp/data/exodb${container.name.suffix}"/>
- <property name="hibernate.connection.driver_class"
value="org.hsqldb.jdbcDriver"/>
- <property name="hibernate.connection.autocommit"
value="true"/>
- <property name="hibernate.connection.username"
value="sa"/>
- <property name="hibernate.connection.password"
value=""/>
- <property name="hibernate.dialect"
value="org.hibernate.dialect.HSQLDialect"/>
- <property name="hibernate.c3p0.min_size"
value="5"/>
- <property name="hibernate.c3p0.max_size"
value="20"/>
- <property name="hibernate.c3p0.timeout"
value="1800"/>
- <property name="hibernate.c3p0.max_statements"
value="50"/>
- <property name="hibernate.connection.provider_class"
value="org.hibernate.connection.C3P0ConnectionProvider" />
- </properties-param>
-
- </init-params>
+ <value-param>
+ <name>portalRealm</name>
+ <value>realm${container.name.suffix}</value>
+ </value-param>
+ </init-params>
</component>
+
<component>
<key>org.exoplatform.services.organization.OrganizationService</key>
-
<type>org.exoplatform.services.organization.jbidm.JBossIDMOrganizationServiceImpl</type>
+
<type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
+ <init-params>
+ <object-param>
+ <name>configuration</name>
+ <object
type="org.exoplatform.services.organization.idm.Config">
+ <field name="useParentIdAsGroupType">
+ <boolean>true</boolean>
+ </field>
+
+ <field name="forceMembershipOfMappedTypes">
+ <boolean>true</boolean>
+ </field>
+
+ <field name="pathSeparator">
+ <string>.</string>
+ </field>
+
+ <field name="rootGroupName">
+ <string>GTN_ROOT_GROUP</string>
+ </field>
+
+ <field name="groupTypeMappings">
+ <map type="java.util.HashMap">
+ <entry>
+
<key><string>/</string></key>
+
<value><string>root_type</string></value>
+ </entry>
+
+ <!-- Sample mapping -->
+ <!--
+ <entry>
+
<key><string>/platform/*</string></key>
+
<value><string>platform_type</string></value>
+ </entry>
+ <entry>
+
<key><string>/organization/*</string></key>
+
<value><string>organization_type</string></value>
+ </entry>
+ -->
+
+ </map>
+ </field>
+
+ <field name="associationMembershipType">
+ <string>member</string>
+ </field>
+
+ <field name="ignoreMappedMembershipType">
+ <boolean>false</boolean>
+ </field>
+ </object>
+ </object-param>
+ </init-params>
+
+
</component>
</configuration>
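Review bot: The removed `hibernate.properties` block carried the datasource settings, including `hibernate.connection.username` and `hibernate.connection.password`, inline in the documented sample; the new listing only references `war:/conf/organization/idm-config.xml`, so a reader no longer sees where the connection and credential settings are defined. Presumably they now live in idm-config.xml (the sample shown further down in this file, cut off here), but neither the listing nor the `config` callout says so. Suggest the `config` callout text read `PicketLink IDM configuration file (datasource and Hibernate settings, including the database connection credentials, are defined there)` so that operators know which file to protect and review.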
@@ -93,76 +120,112 @@
<calloutlist>
<callout
arearefs="area-Reference_Guide-PicketLink_IDM_integration-Configuration_files-JBossIDMServiceImpl">
<para>
- The <emphasis
role="bold">org.exoplatform.services.organization.jbidm.JBossIDMServiceImpl</emphasis>
service has following options:
+ The <emphasis
role="bold">org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</emphasis>
service has following options:
</para>
- <!-- Included in calloutlist <para>
- The <emphasis
role="bold">org.exoplatform.services.organization.jbidm.JBossIDMOrganizationServiceImpl</emphasis>
is a main entrypoint implementing <emphasis
role="bold">org.exoplatform.services.organization.OrganizationService</emphasis>
and is dependant on <emphasis
role="bold">org.exoplatform.services.organization.jbidm.JBossIDMService</emphasis>
- </para>
- <para>
- The <emphasis
role="bold">org.exoplatform.services.organization.jbidm.JBossIDMServiceImpl</emphasis>
service has following options:
- </para> -->
<itemizedlist>
<listitem>
<para>
- <emphasis role="bold">hibernate.properties</emphasis> -
(properties-para) - a list of hibernate properties used to create SessionFactory that will
be injected to JBoss Identity IDM configuration registry
+ <emphasis role="bold">config</emphasis> - (value-param) -
PicketLink IDM configuration file
</para>
</listitem>
<listitem>
<para>
- <emphasis role="bold">hibernate.annotations</emphasis> -
(values-param) - list of annotated classes that will be added to hibernate configuration
+ <emphasis role="bold">jndiName</emphasis> - (value-param) -
in case 'config' parameter is not
+ provided this will be used to perform JNDI lookup for
IdentitySessionFactory
</para>
</listitem>
<listitem>
<para>
- <emphasis role="bold">hibernate.mappings</emphasis> -
(values-param) - list of xml files that will be added to hibernate configuration as
mapping files
+ <emphasis role="bold">portalRealm</emphasis> -
(value-param) - name of a realm that should be used to
+ obtain proper IdentitySession - default is
'PortalRealm'.
</para>
</listitem>
+ </itemizedlist>
+ </callout>
+ <callout
arearefs="area-Reference_Guide-PicketLink_IDM_integration-Configuration_files-JBossIDMOrganizationServiceImpl">
+ <para>
+ The <emphasis
role="bold">org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</emphasis>
+ key is a main entrypoint implementing <emphasis
role="bold">org.exoplatform.services.organization.OrganizationService</emphasis>
+ and is dependant on <emphasis
role="bold">org.exoplatform.services.organization.idm.PicketLinkIDMService</emphasis>
+ </para>
+ <para>
+ <emphasis
role="bold">org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</emphasis>
+ service has following options defined as fields of object-param type
+ <emphasis
role="bold">org.exoplatform.services.organization.idm.Config</emphasis>:
+ </para>
+
+ <itemizedlist>
<listitem>
<para>
- <emphasis role="bold">config</emphasis> - (value-param) -
JBoss Identity IDM configuration file
+ <emphasis role="bold">defaultGroupType</emphasis> - Name of
PicketLink IDM GroupType that will be used to store groups.
+ Default is 'GTN_GROUP_TYPE'
</para>
</listitem>
<listitem>
<para>
- <emphasis role="bold">jndiName</emphasis> - (value-param) -
in case 'config' parameter is not provided this will be used to perform
JNDI lookup for IdentitySessionFactory
+ <emphasis role="bold">rootGroupName</emphasis> - Name of
PicketLink IDM Group that will be used as a root parent.
+ Default is 'GTN_ROOT_GROUP'
</para>
</listitem>
- <listitem>
+ <listitem>
<para>
- <emphasis role="bold">PortalRealm</emphasis> -
(value-param) - name of a realm that should be used to obtain proper IdentitySession -
default is 'PortalRealm'.
+ <emphasis role="bold">passwordAsAttribute</emphasis> -
(default false) - Specifies if password should be stored using
+ PicketLink IDM Credential object or as a plain attribute
</para>
</listitem>
- </itemizedlist>
- </callout>
- <callout
arearefs="area-Reference_Guide-PicketLink_IDM_integration-Configuration_files-JBossIDMOrganizationServiceImpl">
- <para>
- The <emphasis
role="bold">org.exoplatform.services.organization.jbidm.JBossIDMOrganizationServiceImpl</emphasis>
key is a main entrypoint implementing <emphasis
role="bold">org.exoplatform.services.organization.OrganizationService</emphasis>
and is dependant on <emphasis
role="bold">org.exoplatform.services.organization.jbidm.JBossIDMService</emphasis>
- </para>
- <para>
- <emphasis
role="bold">org.exoplatform.services.organization.jbidm.JBossIDMOrganizationServiceImpl</emphasis>
service has following options:
- </para>
- <itemizedlist>
<listitem>
<para>
- <emphasis role="bold">exoGroupTypeName</emphasis> -
(value-param) - Name of JBoss Identity IDM GroupType that will be used to store groups.
Default is 'EXO_GROUP_TYPE'
+ <emphasis role="bold">useParentIdAsGroupType</emphasis> -
For all ids not mapped with type in 'groupTypeMappings'
+ option use parent id path
+ as a group type to store group in PicketLink IDM. The effect of setting
+ this option to false and not providing any mappings under
'groupTypeMappings' option
+ is that there can be only one group with a given name in whole GateIn
group tree
</para>
</listitem>
- <listitem>
+ <listitem>
<para>
- <emphasis role="bold">exoRootGroupName</emphasis> -
(value-param) - Name of JBoss Identity IDM Group that will be used as a root parent.
Default is 'EXO_ROOT_GROUP'
+ <emphasis role="bold">pathSeparator</emphasis> - When
'userParentIdAsGroupType is set to true this value will be used to
+ replace all "/" chars in id. This is because "/" is
not allowed to be
+ used in group type name in PicketLink IDM
</para>
</listitem>
- <listitem>
+ <listitem>
<para>
- <emphasis role="bold">exoRootGroupTypeName</emphasis> -
(value-param) - Name of JBoss Identity IDM GroupType of a Group used as a parent root.
Default is 'EXO_GROUP_TYPE'
+ <emphasis role="bold">associationMembershipType</emphasis>
- If this option is used then each Membership created with
+ MembrshipType that is equal to value specified here will be stored in
PicketLink IDM as simple
+ Group-User association
</para>
</listitem>
- <listitem>
+ <listitem>
<para>
- <emphasis role="bold">passwordAsAttribute</emphasis> -
(value-param) - (default false) - Specifies if password should be stored using JBoss
Identity IDM Credential object or as a plain attribute
+ <emphasis role="bold">groupTypeMappings</emphasis> - Map
groups added with GateIn API as a childs of a given group ID to be stored with a given
+ group type name in PicketLink IDM. If parent ID ends with "/*"
then all child groups will
+ have the mapped group type. Otherwise only direct (first level) children
will use this type.
+
+ This can be leveraged by LDAP setup. Given LDAP DN configured in
PicketLink IDM to
+ store specific group type will then store one given branch in GateIn group
tree while
+ all other groups will remain in DB.
</para>
</listitem>
+ <listitem>
+ <para>
+ <emphasis
role="bold">forceMembershipOfMappedTypes</emphasis> - Group stored in
PicketLink IDM with a type mapped in 'groupTypeMappings' will
+ automatically be member under mapped parent. Normally groups are linked
by
+ PicketLink IDM group association - such relationship won't be needed
then. It can
+ be set to false if all groups are added via GateIn APIs
+ This option may be useful with LDAP config as it will make (if set to
true) every entry
+ added to LDAP (not via GateIn management UI) appear in GateIn
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ <emphasis role="bold">ignoreMappedMembershipType</emphasis>
- if "associationMembershipType" option is used and this option is set to true
+ then Membership with MembershipType configured to be stored as PicketLink
IDM association
+ will not be stored as PicketLink IDM Role
+ </para>
+ </listitem>
</itemizedlist>
+
<para>
Additionally <emphasis
role="bold">JBossIDMOrganizationServiceImpl</emphasis> uses those
defaults to perform identity management operations
</para>
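Review bot: The new option descriptions contain name mismatches a reader will copy: the `pathSeparator` entry refers to `'userParentIdAsGroupType` while the field in the listing and its own entry are named `useParentIdAsGroupType`, and the `associationMembershipType` entry writes `MembrshipType` for `MembershipType`. The unchanged paragraph at the end of this hunk still says `JBossIDMOrganizationServiceImpl` uses those defaults, so after this rename it is the only place left with the old class name; it should read `PicketLinkIDMOrganizationServiceImpl`. The `passwordAsAttribute` entry says only where the password is stored; since this option decides how a credential is persisted, the description should also state what protection each path gives the stored value (for example whether the Credential object path is hashed and the plain attribute path is not) — that detail is not on this page and needs confirming against the PicketLink IDM implementation before it is written.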
@@ -187,54 +250,10 @@
</calloutlist>
</programlistingco>
- <!-- In calloutlist above <para>
- <emphasis
role="bold">org.exoplatform.services.organization.jbidm.JBossIDMOrganizationServiceImpl</emphasis>
service has following options:
- </para>
- <itemizedlist>
- <listitem>
- <para>
- <emphasis role="bold">exoGroupTypeName</emphasis> -
(value-param) - Name of JBoss Identity IDM GroupType that will be used to store groups.
Default is 'EXO_GROUP_TYPE'
- </para>
- </listitem>
- <listitem>
- <para>
- <emphasis role="bold">exoRootGroupName</emphasis> -
(value-param) - Name of JBoss Identity IDM Group that will be used as a root parent.
Default is 'EXO_ROOT_GROUP'
- </para>
- </listitem>
- <listitem>
- <para>
- <emphasis role="bold">exoRootGroupTypeName</emphasis> -
(value-param) - Name of JBoss Identity IDM GroupType of a Group used as a parent root.
Default is 'EXO_GROUP_TYPE'
- </para>
- </listitem>
- <listitem>
- <para>
- <emphasis role="bold">passwordAsAttribute</emphasis> -
(value-param) - (default false) - Specifies if password should be stored using JBoss
Identity IDM Credential object or as a plain attribute
- </para>
- </listitem>
- </itemizedlist>
+
<para>
- Additionally <emphasis
role="bold">JBossIDMOrganizationServiceImpl</emphasis> uses those
defaults to perform identity management operations
+ A sample <emphasis role="bold">PicketLink IDM</emphasis>
configuration file is shown below. To understand all the options present in it please
refer to the PicketLink IDM Reference Guide
</para>
- <itemizedlist>
- <listitem>
- <para>
- GateIn User interface properties fields are persisted in JBoss Identity IDM using
those attributes names: firstName, lastName, email, createdDate, lastLoginTime,
organizationId, password (if password is configured to be stored as attribute)
- </para>
- </listitem>
- <listitem>
- <para>
- GateIn Group interface properties fields are persisted in JBoss Identity IDM using
those attributes names: label, description
- </para>
- </listitem>
- <listitem>
- <para>
- GateIn MembershipType interface properties fields are persisted in JBoss Identity
IDM using those RoleType properties: description, owner, create_date, modified_date
- </para>
- </listitem>
- </itemizedlist> -->
- <para>
- A sample <emphasis role="bold">JBoss Identity IDM</emphasis>
configuration file is shown below. To understand all the options present in it please
refer to the JBoss Identity IDM Reference Guide
- </para>
<programlisting><jboss-identity
xmlns="urn:jboss:identity:idm:config:v1_0_beta"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"