Page History
...
- Identity Services implement authentication methods and access to Identity Providers, for example credentials such as account/password are used as an authentication method to access an LDAP Directory Service as the Identity Provider, see JS7 - Identity and Access Management.
- JOC Cockpit implements a pluggable architecture that allows to add Identity Service products with future JS7 releases.
- For compatibility reasons early releases of JS7 include the Shiro Identity Service, see
Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key JOC-1145 Display feature availability EndingWithRelease 2.3.0
Matrix of Identity Services
Identity Services can be used in a number of flavors depending on the fact
- which application manages user accounts/passwords:
- a specific application of the Identity Service,
- JOC Cockpit that propagates user accounts/passwords to the Identity Service but does not store such credentials with its database.
- where assignments of roles to user accounts are stored
- with the Identity Service
- with the JS7 database
Identity Service | Identity Service Configuration Items | JOC Cockpit Configuration | ||||
---|---|---|---|---|---|---|
Service ID | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Assignment Roles->User Accounts stored with | Roles Mapping |
JOC | yes | Database | JOC | Database | Database | n/a |
LDAP-JOC | yes | LDAP Server | LDAP | Database | Database | n/a |
LDAP | yes | LDAP Server | LDAP | Database | LDAP Server | Mapping of LDAP Security Groups to JOC Cockpit Roles |
Vault-JOC | no | Vault Server | Vault | Database | Database | n/a |
Vault-JOC-ACTIVE | no | Vault Server | Vault, JOC | Database | Database | n/a |
Vault | no | Vault Server | Vault | Database | Vault Server | Mapping of Vault Policies to JOC Cockpit Roles |
Keycloak-JOC | no | Keycloak Server | Vault | Database | Database | n/a |
Keycloak-JOC-ACTIVE | no | Keycloak Server | Keycloak, JOC | Database | Database | n/a |
Keycloak | no | Keycloak Server | Keycloak | Database | Keycloak Server | Mapping of Keycloak Policies to JOC Cockpit Roles |
Shiro (deprecated) | yes | shiro.ini | shiro.ini | shiro.ini | shiro.ini | n/a |
Manage Identity Services
The operation to manage Identity Services is available from the user menu in the right upper corner of any JOC Cockpit page:
...
- The
Name
of the Identity Service can be freely chosen. - The Identity Service
Type
is one of JOC
: the built-in Identity Service stores user accounts and role mappings with the JS7 database.- The
Ordering
specifies the sequence in which a login is performed with available Identity Services. - The
Required
attribute specifies if a login with the respective Identity Service is required to be successful.
VAULT
: can be selected as available from the above matrix.Manage Settings
Settings are available at a global level and per Identity Service.
...
Vault Identity Service Settings
x
For use of the HashiCorp® Vault Identity Service
- the Vault product has to be installed and accessible for JOC Cockpit,
- the following settings have to be specified:
Explanation:
Vault URL
: the base URL for which the Vault REST API is availableVault Keystore Path
: Should the Vault REST API be configured for HTTPS Mutual Authentication then the indicated keystore has to include the private key specified for the extended key usage ofClient Authentication
.Vault Keystore Password
: Should the Vault REST API be configured for HTTPS Mutual Authentication and the indicated keystore be protected by a password then the password has to be specified.Vault Key Password
: Should the Vault REST API be configured for HTTPS Mutual Authentication and the indicated private key be protected by a password then the password has to be specified.Vault Keystore Type
: Should the Vault REST API be configured for HTTPS Mutual Authentication then the type of the indicated keystore has to be specified being eitherPKCS12
orJKS
.Vault Truststore Path
: Should the Vault REST API be configured for HTTPS then the indicated truststore has to include an X.509 certificate specified for the extended key usage ofServer Authentication
. This can be a self-signed server certificate or a CA-signed certificate (typically the Root CA certificate is used as otherwise the complete certificate chain involved in signing the server certificate has to be available with the truststore).Vault Truststore Password
: Should the Vault REST API be configured for HTTPS and the indicated truststore be protected by a password then the password has to be specified.Vault Truststore Type
: Should the Vault REST API be configured for HTTPS then the type of the indicated truststore has to be specified being eitherPKCS12
orJKS
.Vault Application Token
: The application token has to be created by Vault for JOC Cockpit. It allows to access the Vault REST API and e.g. to renew tokens for user sessions.
...
JOC Identity Service Settings
...
Overview
Content Tools