Page History
...
- Identity Services implement authentication methods Authentication Methods and access to Identity Providers, for example, credentials such as user account/password , are used as an authentication method Authentication Method to access an LDAP Directory Service acting as the Identity Provider, see JS7 - Identity and Access Management.
- JOC Cockpit implements a pluggable architecture that allows to add Identity Service products with future JS7 releases.
- For compatibility reasons early releases of JS7 include the Shiro Identity Service, see
Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key JOC-1145 Display feature availability EndingWithRelease 2.3.0
...
- which application manages user accounts/passwords:
- a specific application of the the Identity Provider that is specific to an Identity Service,
- JOC Cockpit that propagates user accounts/passwords to the Identity Service but does not store such credentials with its the JS7 database.
- where assignments of roles to user accounts are stored
- with the Identity Provider of the Identity Service,
- with the JS7 database.
Identity Service | Identity Service Configuration Items | JOC Cockpit Configuration | ||||
---|---|---|---|---|---|---|
Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with | Roles Mapping |
JOC | yes | Database | JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
LDAP | yes | LDAP Server | LDAP Server | JS7 Database | LDAP Server | Mapping of LDAP Security Groups to JOC Cockpit Roles performed with the LDAP Server |
LDAP-JOC | yes | LDAP Server | LDAP Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
VAULT | no | Vault Server | Vault Server | JS7 Database | Vault Server | Mapping of Vault Policies to JOC Cockpit Roles |
VAULT-JOC | no | Vault Server | Vault Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
VAULT-JOC-ACTIVE | no | Vault Server | Vault Server / JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
KEYCLOAK | no | Keycloak Server | Keycloak Server | JS7 Database | Keycloak Server | Mapping of Keycloak Policies to JOC Cockpit Roles |
KEYCLOAK-JOC | no | Keycloak Server | Keycloak Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
KEYCLOAK-JOC-ACTIVE | no | Keycloak Server | Keycloak Server / JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
Shiro (deprecated) | yes | shiro.ini | shiro.ini | shiro.ini | shiro.ini | n/a |
...
The operation to manage Identity Services is available from the user menu of an administrative user account in the right upper corner of any JOC Cockpit page:
...
To add an Identity Service use the respective button Add Identity Service from the above list of Identity Services:
Explanation:
- The
Name
of theIdentity Service
canName
can be freely chosen. - The
Identity Service Type
can be selected as available from the above matrix. - The
Ordering
specifies the sequence in which a login is performed with available Identity Services. - The
Required
the attribute specifies if login with the respective Identity Service is required to be successful, for example if a number of Identity Services are triggered on login of a user account.
Manage Settings
Settings are available at a global level and per Identity Service.
...
- At the time of writing a single setting for the max. idle timeout of user sessions is applied.
- Should the lifetime of a token provided by an external Identity Service be different from the max. idle-timeout then JOC Cockpit will try to renew the token with the Identity Service. Renewal of a token does not require the user to repeatedly specify credentials for login.
- Identity Services can restrict the lifetime of tokens and they can deny renewal of tokens. If a token cannot be renewed then the user session is terminated and the user is required to perform a login.
Vault Identity Service Settings
For use of the HashiCorp® Vault Identity Service
...
Explanation:
Session Idle Timeout
- Should the lifetime of a token provided by an external Identity Service be different from the max. idle-timeout then JOC Cockpit will try to renew the token with the Identity Service. Renewal of a token does not require the user to repeatedly specify credentials for login.
- Identity Services can restrict the lifetime of tokens and they can deny renewal of tokens. If a token cannot be renewed then the user session is terminated and the user is required to perform a login.
Initial Password
- If an administrator adds user accounts with JOC Cockpit and does not specify a password then the
Initial Password
will be used. As a general rule JOC Cockpit does not allow to use empty passwords but populates them from theInitial Password
if no password is specified by the user that adds or modifies an account. - In addition, the operation to reset a user account's password is available that will replace an existing password with the
Initial Password
.
- If an administrator adds user accounts with JOC Cockpit and does not specify a password then the
Minimum Password Length
- For any passwords specified - including the
Initial Password
- a minimum length is specified. - Consider that the number and arbitrariness of characters are key factors for secure passwords. Password complexity requiring e.g. digits and special characters to be used do not add to password security except in case of short passwords.
- For any passwords specified - including the
Setting specific for Identity Services
Manage Accounts, Roles and Permissions
...
Explanation:
Vault URL
: the base URL for which the Vault REST API is availableVault Keystore Path
: Should the Vault REST API be configured for HTTPS Mutual Authentication then the indicated keystore has to include the private key specified for the extended key usage ofClient Authentication
.Vault Keystore Password
: Should the Vault REST API be configured for HTTPS Mutual Authentication and the indicated keystore be protected by a password then the password has to be specified.Vault Key Password
: Should the Vault REST API be configured for HTTPS Mutual Authentication and the indicated private key be protected by a password then the password has to be specified.Vault Keystore Type
: Should the Vault REST API be configured for HTTPS Mutual Authentication then the type of the indicated keystore has to be specified being eitherPKCS12
orJKS
.Vault Truststore Path
: Should the Vault REST API be configured for HTTPS then the indicated truststore has to include an X.509 certificate specified for the extended key usage ofServer Authentication
. This can be a self-signed server certificate or a CA-signed certificate (typically the Root CA certificate is used as otherwise the complete certificate chain involved in signing the server certificate has to be available with the truststore).Vault Truststore Password
: Should the Vault REST API be configured for HTTPS and the indicated truststore be protected by a password then the password has to be specified.Vault Truststore Type
: Should the Vault REST API be configured for HTTPS then the type of the indicated truststore has to be specified being eitherPKCS12
orJKS
.Vault Application Token
: The application token has to be created by Vault for JOC Cockpit. It allows to access the Vault REST API and e.g. to renew tokens for user sessions.
JOC Identity Service Settings
The built-in Identity Service does not require any settings.
...
After installing the JOC Cockpit, log in with the default root:root user name and password which comes under the Shiro identity service.
...