Sun Identity Manager Service Provider 8.1 Deployment

Authentication and Authorization

Service Provider performs no authentication or authorization of its own when provisioning actions are invoked through the LighthouseContext API. The caller, typically a portal or an access management application, is responsible for authenticating and authorizing the end user before it invokes the API. Because no credential check happens at the API boundary, communications between the portal and Service Provider (for example, when using SPML) must be protected with SSL or a comparable transport security mechanism.

For administrative access, authentication and authorization are performed by Identity Manager. Service Provider administrators can be either Identity Manager users or Service Provider users who are assigned Service Provider-specific capabilities and who control one or more organizations. The organizations themselves are created in Identity Manager, but which administrators belong to each organization is defined by the deploying customer. Administrators can be identified either by searching for specific values of LDAP attributes, or by enabling external authorization. External authorization of Service Provider Users can be enabled for the Service Provider End User interface or for the Identity Manager Administrator interface.

When external authorization is enabled, viewing, creating, updating, and deleting are controlled by one or more Service Provider User AdminRoles assigned to the user (Service Provider or Identity Manager) making the request. Whether the user is allowed to perform the action is decided by evaluating the Rules assigned to those AdminRoles; the Rules consult external resource data (such as the requester's and target's LDAP attributes) to determine whether to grant or deny access.
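The following Python program models the evaluation order described above: the requester's AdminRoles are collected, each role's Rule for the requested action is evaluated against external (LDAP-style) attribute data, and the action is granted only if some Rule grants it. It is an added illustration, not Identity Manager's own code or API; the AdminRole class, the two rule functions, the attribute names (department, region, title), the directory entries and the role assignments are all constructed assumptions. Missing attributes are treated as a denial so that incomplete directory data never widens access.

```python
"""Model of the rule-based external authorization described above.

Added example, not Identity Manager's own code or API. AdminRole, the rule
functions and the attribute names (department, region, title) are assumptions
chosen to show the evaluation order; the directory entries are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Mapping

Attrs = Mapping[str, str]
# A rule sees the requester's and the target's external (LDAP-style) data and
# returns True to grant the action. Anything it cannot decide is a denial.
RuleFn = Callable[[Attrs, Attrs], bool]

ACTIONS = frozenset({"view", "create", "update", "delete"})


@dataclass(frozen=True)
class AdminRole:
    """An AdminRole maps each action it covers to the Rule that decides it."""
    name: str
    rules: Mapping[str, RuleFn]


def same_department(requester: Attrs, target: Attrs) -> bool:
    # Fail closed: a missing attribute on either side never matches.
    dept = requester.get("department")
    return dept is not None and dept == target.get("department")


def manager_in_same_region(requester: Attrs, target: Attrs) -> bool:
    region = requester.get("region")
    return (requester.get("title") == "manager"
            and region is not None and region == target.get("region"))


# Assumed roles: helpdesk may look at and fix accounts in its own department;
# regional managers get full control over accounts in their region.
HELPDESK = AdminRole("DepartmentHelpdesk", {
    "view": same_department,
    "update": same_department,
})
REGIONAL_ADMIN = AdminRole("RegionalAdmin", {
    action: manager_in_same_region for action in ACTIONS
})

# Constructed stand-in for the external resource (an LDAP directory).
DIRECTORY: dict[str, Attrs] = {
    "uid=alice": {"department": "sales", "region": "emea", "title": "helpdesk"},
    "uid=bob":   {"department": "sales", "region": "emea", "title": "staff"},
    "uid=carol": {"department": "eng",   "region": "emea", "title": "staff"},
    "uid=dave":  {"department": "eng",   "region": "emea", "title": "manager"},
    "uid=erin":  {"department": "eng",   "region": "apac", "title": "staff"},
    "uid=frank": {"region": "emea", "title": "staff"},  # no department attribute
}

# Constructed role assignments; a user absent here holds no AdminRoles.
ASSIGNMENTS: dict[str, tuple[AdminRole, ...]] = {
    "uid=alice": (HELPDESK,),
    "uid=dave": (REGIONAL_ADMIN,),
}


def is_authorized(action: str, requester: str, target: str,
                  directory: Mapping[str, Attrs] = DIRECTORY,
                  assignments: Mapping[str, Iterable[AdminRole]] = ASSIGNMENTS) -> bool:
    """Grant iff some AdminRole assigned to the requester has a Rule for the
    action and that Rule evaluates to True against the external data."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    req_attrs = directory.get(requester, {})
    tgt_attrs = directory.get(target, {})
    for role in assignments.get(requester, ()):
        rule = role.rules.get(action)
        if rule is not None and rule(req_attrs, tgt_attrs):
            return True
    return False  # no role, no rule for this action, or every rule said no


if __name__ == "__main__":
    checks = [
        ("view", "uid=alice", "uid=bob"),      # same department: allowed
        ("delete", "uid=alice", "uid=bob"),    # helpdesk has no delete rule
        ("update", "uid=alice", "uid=carol"),  # other department: denied
        ("view", "uid=alice", "uid=frank"),    # target lacks attribute: denied
        ("delete", "uid=dave", "uid=bob"),     # manager, same region: allowed
        ("delete", "uid=dave", "uid=erin"),    # other region: denied
        ("view", "uid=bob", "uid=alice"),      # no AdminRoles at all: denied
    ]
    for action, who, whom in checks:
        print(f"{who} {action} {whom}: {is_authorized(action, who, whom)}")
```

Two properties of this model are worth carrying into a real deployment: a user with no AdminRole, or whose roles carry no Rule for the requested action, is denied without any Rule being consulted, and a Rule that depends on an attribute the directory does not return denies rather than grants.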