Page History
...
- Identity Services implement Authentication Methods and access to Identity Providers. For example, credentials such as user account/password are used as an Authentication Method to access an LDAP Directory Service acting as the Identity Provider. See JS7 - Identity and Access Management.
- JOC Cockpit implements a flexible architecture that allows external Identity Service products to be added with future JS7 releases.
- By default JS7 ships with two built-in Identity Services:
- The JS7 - JOC Identity Service which includes management of user accounts with the JOC Cockpit and uses the JS7 database for persistence.
- The JS7 - LDAP Identity Service includes authentication of users with an LDAP Directory Service.
Display feature availability StartingFromRelease 2.2.0
- For compatibility reasons, early releases of JS7 include the JS7 - Shiro Identity Service, see:
Jira server SOS JIRA columns key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution serverId 6dc67751-9d67-34cd-985b-194a8cdc9602 key JOC-1145 Display feature availability EndingWithRelease 2.34.0
Matrix of Identity Services
...
| Identity Service | Identity Service Configuration Items | JOC Cockpit Configuration | ||||
|---|---|---|---|---|---|---|
| Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with | Roles Mapping |
| JOC | yes | JS7 Database | JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| LDAP | yes | LDAP Server | LDAP Server | JS7 Database | LDAP Server | Mapping of LDAP Security Groups to JOC Cockpit Roles performed with the LDAP Server |
| LDAP-JOC | yes | LDAP Server | LDAP Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| VAULT | no | Vault Server | Vault Server | JS7 Database | Vault Server | Mapping of Vault Policies to JOC Cockpit Roles |
| VAULT-JOC | no | Vault Server | Vault Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| VAULT-JOC-ACTIVE | no | Vault Server | Vault Server / JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| KEYCLOAK | no | Keycloak Server | Keycloak Server | JS7 Database | Keycloak Server | Mapping of Keycloak Policies to JOC Cockpit Roles |
| KEYCLOAK-JOC | no | Keycloak Server | Keycloak Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| KEYCLOAK-JOC-ACTIVE | no | Keycloak Server | Keycloak Server / JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| SHIRO | yes | JS7 Database / shiro.ini | JOC Cockpit | JS7 Database / shiro.ini | JOC Cockpit | The SHIRO Identity Service Type is:
|
...
Management of Identity Services is accessed from the user menu of an the 
administration menu icon that is available for administrative user account accounts in the right hand upper corner of any JOC Cockpit page:
This operation brings forward the list of available Identity Services.
- By default a number of built-in Identity Services are available:
- In addition, connectors are available for external Identity Service products:
- The following Identity Services are considered to be deprecated and removed from future JS7 releases:
- The JS7 - Shiro Identity Service
Display feature availability EndingWithRelease 2.4.0
- The JS7 - Shiro Identity Service
By default users find the JOC-INITIAL Identity Service that is added during initial installation.
- This Identity Service holds the single user account
rootwith passwordroot. - Users should modify the root user account's password.
- Users can modify the existing Identity Service or add new Identity Services.
Addition of an Identity Service
...
Session Idle Timeout(Default: 900 seconds15 minutes)- If users are inactive for the given number of seconds then the user session expires and is terminated. Users can specify credentials and login to create a new user session.
- Should the lifetime of an access token provided by an external Identity Service be different from the maximum idle-timeout, then the JOC Cockpit will try to renew the access token with the Identity Service. Renewal of an access token does not require the user to re-specify their login credentials.
- Identity Services can restrict the lifetime of access tokens (time to live) and they can limit renewal of access tokens (maximum time to live). If an access token cannot be renewed then the user session is terminated and the user is required to perform a login.
Initial Password(Default: initial)- If an administrator adds user accounts with the JOC Cockpit and does not specify a password then the
Initial Passwordwill be used. As a general rule the JOC Cockpit does not allow the use of empty passwords but populates them with theInitial Passwordif a password is not specified by the user adding or modifying the account. - In addition, the operation to reset a user account's password is available. This replaces an existing password with the
Initial Password. - If the
Initial Passwordis assigned, then a flag is set for the user account to indicate that the password has to be changed with the next login. This behavior ensures that users cannot use theInitial Passwordexcept for an initial login.
- If an administrator adds user accounts with the JOC Cockpit and does not specify a password then the
Minimum Password Length(Default 0)- For any passwords specified - including the
Initial Password- a minimum length is specified. - Note that the number of characters and arbitrariness of character selection are key factors for secure passwords. Password complexity requiring e.g. digits and special characters to be used do not substantially add to password security except in case of short passwords.
- For any passwords specified - including the
...
Overview
Content Tools