...
- Identity Services implement Authentication Methods and access to Identity Providers. For example, credentials such as user account/password are used as an Authentication Method to access an LDAP Directory Service acting as the Identity Provider. See JS7 - Identity and Access Management.
- JOC Cockpit implements a flexible architecture that allows external Identity Service products to be added with JS7 releases.
- By default JS7 ships with the following built-in Identity Services:
  - The JS7 - JOC Identity Service (available starting with release 2.2.0), which includes management of user accounts with the JOC Cockpit and uses the JS7 database for persistence.
  - The JS7 - LDAP Identity Service, which includes authentication of users with an LDAP Directory Service.
  - The JS7 - OIDC Identity Service (available starting with release 2.5.0, see JOC-1370).
  - The JS7 - Certificate Identity Service (available starting with release 2.6.0, see JOC-1547).
  - The JS7 - FIDO Identity Service (see JOC-1546).
- For compatibility reasons, early releases of JS7 include the JS7 - Shiro Identity Service (available up to and including release 2.4.0, see JOC-1145).
...
The columns are grouped as follows: Identity Service (Service Type, Built-in), Identity Service Configuration Items (where user accounts/passwords are stored and managed) and JOC Cockpit Configuration (where roles/permissions are stored, where the mapping of roles to user accounts is managed, and how the mapping is performed).

Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with | Roles Mapping
---|---|---|---|---|---|---
JOC | yes | JS7 Database | JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
LDAP | yes | LDAP Server | LDAP Server | JS7 Database | LDAP Server | Mapping of LDAP Security Groups to JOC Cockpit Roles performed with the LDAP Server
LDAP-JOC | yes | LDAP Server | LDAP Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
OIDC | yes | OIDC Identity Provider | OIDC Identity Provider | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
CERTIFICATE | yes | CA / User Private Key | CA / User | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
FIDO | yes | FIDO2 Authenticator | FIDO2 Authenticator | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
VAULT | no | Vault Server | Vault Server | JS7 Database | Vault Server | Mapping of Vault Policies to JOC Cockpit Roles
VAULT-JOC | no | Vault Server | Vault Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
VAULT-JOC-ACTIVE | no | Vault Server | Vault Server / JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
KEYCLOAK | no | Keycloak Server | Keycloak Server | JS7 Database | Keycloak Server | Mapping of Keycloak Policies to JOC Cockpit Roles
KEYCLOAK-JOC | no | Keycloak Server | Keycloak Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
SHIRO | yes | JS7 Database / shiro.ini | JOC Cockpit | JS7 Database / shiro.ini | JOC Cockpit | The SHIRO Identity Service Type is:
...
- By default a number of built-in Identity Services are available:
- In addition, connectors are available for external Identity Service products:
- The following Identity Services are considered to be deprecated and removed from current JS7 releases:
  - The JS7 - Shiro Identity Service (available up to and including release 2.4.0)
...
- The Identity Service Name can be freely chosen.
- The Identity Service Type can be selected as available from the matrix shown above.
- The Ordering specifies the sequence in which a login is performed with the available Identity Services.
- The Required attribute specifies whether login with an Identity Service must succeed, for example, if a number of Identity Services are triggered on login with a user account.
- The Identity Service Authentication Scheme allows selection of:
  - single-factor authentication: a single factor is sufficient for login with the Identity Service. This can be configured to use:
    - an optional user account and password
    - an optional Client Authentication Certificate, see JS7 - Certificate based Authentication
  - two-factor authentication: two factors are required for login with the Identity Service, using:
    - a user account and password and
    - a Client Authentication Certificate or FIDO Authentication Credentials.
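The interplay of Ordering and Required across several Identity Services is easiest to see in a small simulation. The following Python is an added example, not JS7 code, and the evaluation rule it implements is an assumption rather than documented JOC Cockpit behaviour: services are tried in ascending Ordering, the same user account and password are offered to each triggered service, and the login succeeds only if every service flagged Required succeeds and at least one service succeeds. The credential stores, service names and the `IdentityService` model are constructed for the example. The per-service failure counter illustrates the point made later about Identity Providers that block accounts after repeated failed attempts: a rejected login is a failed attempt at every provider that was triggered.

```python
"""Simulated login across several configured Identity Services (added example).

Assumptions (not documented JS7 behaviour): services are tried in ascending
Ordering; login succeeds when every Required service succeeds and at least
one service succeeds; the same credentials are offered to each service.
"""
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Callable, Dict, List

# Constructed sample credential stores standing in for the JS7 database (JOC
# Identity Service) and an LDAP directory. Plaintext only to keep the example
# self-contained; a real store holds hashes or delegates to the server.
JOC_ACCOUNTS: Dict[str, str] = {"alice": "joc-secret"}
LDAP_ACCOUNTS: Dict[str, str] = {"alice": "ldap-secret", "bob": "bob-secret"}


def _check(store: Dict[str, str], user: str, password: str) -> bool:
    """Constant-time password comparison against a constructed store."""
    stored = store.get(user)
    return stored is not None and compare_digest(stored.encode(), password.encode())


@dataclass(order=True)
class IdentityService:
    """Hypothetical model of one configured Identity Service."""
    ordering: int                                   # sequence position for login
    name: str = field(compare=False)
    service_type: str = field(compare=False)
    required: bool = field(compare=False)           # must succeed for the login
    authenticate: Callable[[str, str], bool] = field(compare=False)
    failed_attempts: int = field(default=0, compare=False)  # failures seen by this provider


def build_services() -> List[IdentityService]:
    """Constructed configuration: JOC tried first (optional), LDAP second (required)."""
    return [
        IdentityService(2, "ldap-corp", "LDAP", True, lambda u, p: _check(LDAP_ACCOUNTS, u, p)),
        IdentityService(1, "joc-local", "JOC", False, lambda u, p: _check(JOC_ACCOUNTS, u, p)),
    ]


def login(services: List[IdentityService], user: str, password: str) -> Dict[str, object]:
    """Offer the credentials to every service in Ordering sequence and decide."""
    outcomes: Dict[str, bool] = {}
    for svc in sorted(services):                    # ascending Ordering
        ok = svc.authenticate(user, password)
        if not ok:
            svc.failed_attempts += 1                # the provider counts this failure too
        outcomes[svc.name] = ok
    required_ok = all(outcomes[s.name] for s in services if s.required)
    return {"success": required_ok and any(outcomes.values()), "outcomes": outcomes}


if __name__ == "__main__":
    svcs = build_services()
    print(login(svcs, "alice", "ldap-secret"))      # JOC fails, required LDAP succeeds
    print(login(svcs, "alice", "joc-secret"))       # JOC succeeds, required LDAP fails
    for s in svcs:
        print(s.name, "failed attempts seen:", s.failed_attempts)
```

Running the block shows that a password valid only for the optional JOC service still produces a failed attempt at the required LDAP service, which is the case where a directory configured to lock accounts after repeated failures becomes a concern.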
Manage User Accounts and Roles
...
- JS7 - JOC Identity Service (no settings required)
- JS7 - LDAP Identity Service
- JS7 - OIDC Identity Service
- JS7 - Certificate Identity Service
- JS7 - FIDO Identity Service
- JS7 - HashiCorp® Vault Identity Service
- JS7 - Keycloak Identity Service
- JS7 - Shiro Identity Service (no settings required)
...
Note that a number of Identity Providers, for example LDAP being used for Active Directory access, might not accept repeatedly failed login attempts and might block the relevant user account.
Multi-factor Authentication
Identity Services can be used with Multi-factor Authentication (MFA). This means using two separate factors for authentication that reside in different media:
- User/password credentials are what a user remembers and manually types in the JOC Cockpit GUI.
- Certificates are located on the machine from which the user operates the browser to access the JOC Cockpit GUI.
- FIDO can be used for a variety of authentication methods, including use of roaming authenticators, for example a USB stick, and platform authenticators, for example from the OS or from a smart phone.
Find the following matrix of Identity Services for use as a first factor and a second factor:
First Factor | Second Factor | Alternative Second Factor
---|---|---
JOC | CERTIFICATE | FIDO |
CERTIFICATE | FIDO | |
FIDO | CERTIFICATE | |
LDAP | CERTIFICATE | FIDO |
LDAP-JOC | CERTIFICATE | FIDO |
OIDC | CERTIFICATE | FIDO |
OIDC-JOC | CERTIFICATE | FIDO |
KEYCLOAK | CERTIFICATE | FIDO |
KEYCLOAK-JOC | CERTIFICATE | FIDO |
Single Sign-On
The JS7 - OIDC Identity Service allows single sign-on for the underlying Identity Provider:
...