About Importing and Authenticating Users with Authentication Sources
Authentication sources enable you to import users, groups, and group memberships that are already defined in your enterprise in existing user repositories, such as Active Directory or LDAP servers. After users are imported, you can authenticate them with the credentials from those user repositories.
Authentication Providers
An authentication provider is a piece of software that tells the portal how to use the information in the external user repository. BEA provides authentication providers as part of the AquaLogic Interaction Identity Services. The AquaLogic Interaction Identity Service - LDAP is used to import and authenticate users and groups from LDAP servers. The AquaLogic Interaction Identity Service - Active Directory is used to import and authenticate users and groups from Active Directory servers. If your users and groups reside in a custom system, such as a custom database, you can import and authenticate them by writing your own authentication provider using the IDK.
Note:
- Your portal administrator must install the authentication provider before you can create the associated authentication web service. For information on obtaining authentication providers, contact ALUIsupport@bea.com. For information on installing authentication providers, refer to the Installation Guide for AquaLogic Interaction (available on http://www.oracle.com/technology/documentation/index.html) or the documentation that comes with your authentication provider, or contact your portal administrator.
- To learn about developing your own authentication provider, refer to the BEA AquaLogic User Interaction Development Center.
Authentication Web Services
Authentication web services enable you to specify general settings for your external user repository, leaving the more detailed settings (like domain specification) to be set in the associated remote authentication sources. This allows you to create different authentication sources to import each domain without having to repeatedly specify all the settings.
Authentication Sources
Authentication sources can import users and/or groups, authenticate imported users, or both import and authenticate. Your security needs determine how many authentication sources to create and what functionality they need. You might be able to create just one authentication source that imports and authenticates all users and groups, but here are a couple of examples of when that would not suffice:
- If you want to use single sign-on (SSO), create a synchronization-only authentication source.
- If you want to distinguish users and groups from different domains, create separate synchronization-only authentication sources for each domain, and create an authentication-only authentication source to authenticate users from all domains (assuming they are from the same user repository). This enables you to store users and groups imported from different domains in different portal folders, or to create separate users or groups with the same name but from different domains.
If you are importing users and groups into the portal, you run a job for the initial import and then continue to run the job periodically to keep the users and groups in the portal synchronized with those in the source user repository.
Note: When you run the job to import users and groups, the portal also creates a group that includes all users imported through the authentication source. This group is named after the authentication source; for example, if your authentication source is called mySource, the group would be called Everyone in mySource.
How Authentication Works
When you use authentication sources to authenticate portal users, the user credentials are left in the external repository; they are not stored in the portal database. When someone attempts to log in to your portal through an imported user account, the portal confirms the password with the external repository. This means that the user's portal password always matches the password in the external repository. For example, if a user with a portal account imported from Active Directory changes the Active Directory password, the user can immediately log in to the portal with that password. If the user is already logged in to the portal, the user must log in again with the new password, because the portal will no longer be able to recognize the old password.
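The following Python model is an added illustration, not part of this documentation and not AquaLogic code. It mirrors the behaviour described on this page: the synchronization job (including the automatic "Everyone in mySource" group), delegated authentication in which the portal holds no password and asks the external repository to confirm it, the category prefix (myUser becomes myDomain\myUser), and the default handling of users and groups deleted from the source repository. The ExternalRepository and Portal classes, their record layout and the "Pending Deletion" folder name are assumptions made for the example.

```python
from dataclasses import dataclass, field

class ExternalRepository:
    """Constructed stand-in for an AD/LDAP repository. Passwords live only here."""
    def __init__(self, passwords, groups):
        self.passwords = dict(passwords)   # user name -> password (never copied to the portal)
        self.groups = dict(groups)         # group name -> list of member names

    def check_password(self, name, password):
        return self.passwords.get(name) == password

@dataclass
class Portal:
    users: dict = field(default_factory=dict)   # portal name -> record (no password field)
    groups: dict = field(default_factory=dict)  # portal name -> record

    def run_sync_job(self, source, repo, prefix="", folder="Groups"):
        """One run of the synchronization job for authentication source `source`."""
        pre = prefix + "\\" if prefix else ""       # category prefix: myUser -> myDomain\myUser
        seen_users, seen_groups = set(), set()
        for name in repo.passwords:
            seen_users.add(pre + name)
            self.users[pre + name] = {"enabled": True, "source": source, "external_name": name}
        for gname, members in repo.groups.items():
            seen_groups.add(pre + gname)
            self.groups[pre + gname] = {"members": {pre + m for m in members},
                                        "source": source, "folder": folder}
        everyone = "Everyone in " + source        # group of all users imported via this source
        self.groups[everyone] = {"members": set(seen_users), "source": source, "folder": folder}
        seen_groups.add(everyone)
        # Default handling of objects deleted from the source repository:
        # users are disabled, groups are moved to a folder for future deletion.
        for name, rec in self.users.items():
            if rec["source"] == source and name not in seen_users:
                rec["enabled"] = False
        for gname, rec in self.groups.items():
            if rec["source"] == source and gname not in seen_groups:
                rec["folder"] = "Pending Deletion"   # assumed folder name for this example

    def authenticate(self, repo, name, password):
        """Delegated login: the portal stores no password; the repository confirms it."""
        rec = self.users.get(name)
        if rec is None or not rec["enabled"]:
            return False
        return repo.check_password(rec["external_name"], password)
```

Because `authenticate` always defers to the repository, a password changed there takes effect on the next login attempt, and a user removed from the repository is disabled by the next job run.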
AquaLogic Interaction Authentication Source
The AquaLogic Interaction Authentication Source is automatically created upon installation. It is the authentication source used for users stored in the portal database (users created upon install, users created manually through the portal, and self-registered users). This authentication source cannot be modified or deleted.
- Creating an Authentication Web Service: Authentication web services enable you to specify general settings for your external user repository, leaving the more detailed settings (like domain specification) to be set in the associated remote authentication sources. This allows you to create different authentication sources to import each domain without having to repeatedly specify all the settings.
- Mapping External Document Security to Imported Portal Users with the Global ACL Sync Map: Users imported through an authentication source can automatically be granted access to the content imported by some remote content crawlers. The Global ACL Sync Map shows these content crawlers how to import source document security.
- Creating an Authentication Source to Import and Authenticate Users: You can create a remote authentication source to import and authenticate users and groups from external user repositories.
- Importing Users with a Synchronization-Only Authentication Source: You can import users with an authentication source and have them authenticated through an associated authentication partner.
- Authenticating Users with an Authentication-Only Authentication Source: If you have more than one authentication source importing users from the same user repository, create an authentication-only authentication source to authenticate your users.
- Importing Users for Single Sign-On (SSO): You can import users with an authentication source and have them authenticated transparently through single sign-on (SSO).
- Setting an Authentication Source Category to Distinguish Users and Groups Imported from a Particular Domain: On the Main Settings page of the Authentication Source Editor, you set the prefix you want to add to user and group names to distinguish the domain from which they were imported. For example, if you enter myDomain, each user name and each group name will be prefixed by the string myDomain; myUser becomes myDomain\myUser and myGroup becomes myDomain\myGroup.
- Setting Default Profiles and Target Folders for Imported Users: Specify which default profiles to apply to users imported by an authentication source. A default profile includes portlets, portlet preferences, My Pages, and personalization settings. By assigning a default profile to the imported users, you can control what users see when they first log in to your portal. After that, users can further personalize their views of the portal.
- Setting a Target Folder for Imported Groups: By default, groups imported by an authentication source are stored in the same folder that stores the authentication source, but you can select a different folder if you want.
- Specifying Which Users and Groups to Synchronize: When you set an authentication source to synchronize users and/or groups from a source user repository, you can specify which users and groups to synchronize.
- Selecting Groups from Which to Import Users: The Fully Synchronized Groups page of the Authentication Source Editor enables you to choose groups from which you want to import users. The groups that you list on this page are synchronized with the corresponding groups on the source server.
- Specifying What to Do with Users and Groups Deleted from the Source User Repository: The Fully Synchronized Groups page of the Authentication Source Editor enables you to specify what to do with users and groups deleted from the source user repository. By default the portal users are disabled and groups are moved to a folder for future deletion, but you can change this behavior.
- Editing an Authentication Source