...
Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with | Roles Mapping |
---|---|---|---|---|---|---|
JOC | yes | JS7 Database | JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
LDAP | yes | LDAP Server | LDAP Server | JS7 Database | LDAP Server | Mapping of LDAP Security Groups to JOC Cockpit Roles performed with the LDAP Server |
LDAP-JOC | yes | LDAP Server | LDAP Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
OIDC | yes | OIDC Identity Provider | OIDC Identity Provider | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
CERTIFICATE | yes | CA / User Private Key | CA / User | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
FIDO | yes | Authenticator | Authenticator | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
VAULT | no | Vault Server | Vault Server | JS7 Database | Vault Server | Mapping of Vault Policies to JOC Cockpit Roles |
VAULT-JOC | no | Vault Server | Vault Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
VAULT-JOC-ACTIVE | no | Vault Server | Vault Server / JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
KEYCLOAK | no | Keycloak Server | Keycloak Server | JS7 Database | Keycloak Server | Mapping of Keycloak Policies to JOC Cockpit Roles |
KEYCLOAK-JOC | no | Keycloak Server | Keycloak Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
SHIRO | yes | JS7 Database / shiro.ini | JOC Cockpit | JS7 Database / shiro.ini | JOC Cockpit | The SHIRO Identity Service Type is: |
...
- The Identity Service Name can be freely chosen.
- The Identity Service Type can be selected as available from the matrix shown above.
- The Ordering specifies the sequence in which a login is performed with the available Identity Services.
- The Required attribute specifies if login with an Identity Service is required to be successful, for example, if a number of Identity Services are triggered on login with a user account.
- The Identity Service Authentication Scheme allows selection of:
  - single-factor authentication: a single factor is sufficient for login with the Identity Service. This can be configured to use:
    - an optional user account and password
    - an optional Client Authentication Certificate, see JS7 - Certificate based Authentication
  - two-factor authentication: two factors are required for login with the Identity Service, using:
    - a user account and password and
    - a Client Authentication Certificate or FIDO Authentication Credentials.
Manage User Accounts and Roles
...
Note that a number of Identity Providers, for example LDAP being used for Active Directory access, might not accept repeatedly failed login attempts and might block the relevant user account.
Multi-factor Authentication
Identity Services can be used with Multi-factor Authentication (MFA). This means using two separate factors for authentication that reside in different media:
- User/password credentials are what a user remembers and manually types in the JOC Cockpit GUI.
- Certificates are located on the machine from which the user operates the browser to access the JOC Cockpit GUI.
- FIDO can be used for a variety of authentication methods, including use of roaming authenticators, for example a USB stick, and platform authenticators, for example from the OS or from a smart phone.
The following matrix shows which Identity Services can be used as a first factor and which as a second factor:
First Factor | Second Factor |
---|---|
JOC | CERTIFICATE or FIDO |
CERTIFICATE | FIDO |
FIDO | CERTIFICATE |
LDAP | CERTIFICATE or FIDO |
LDAP-JOC | CERTIFICATE or FIDO |
OIDC | CERTIFICATE or FIDO |
OIDC-JOC | CERTIFICATE or FIDO |
KEYCLOAK | CERTIFICATE or FIDO |
KEYCLOAK-JOC | CERTIFICATE or FIDO |
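The following Python model is an added illustration (not JS7 or JOC Cockpit code) of the configuration items listed above (Name, Type, Ordering, Required, Authentication Scheme) together with the first/second factor matrix: it validates a two-factor configuration against the matrix and walks a login through the services in their Ordering. The sequencing rule it applies (a failed Required service aborts the login, a failed optional service is skipped, one success suffices) is an assumption for illustration, as the page does not spell it out; the `IdentityService` class and the function names are hypothetical.

```python
from dataclasses import dataclass

# Allowed second factors per first factor, taken from the page's MFA matrix.
SECOND_FACTORS = {
    "JOC": {"CERTIFICATE", "FIDO"}, "CERTIFICATE": {"FIDO"}, "FIDO": {"CERTIFICATE"},
    "LDAP": {"CERTIFICATE", "FIDO"}, "LDAP-JOC": {"CERTIFICATE", "FIDO"},
    "OIDC": {"CERTIFICATE", "FIDO"}, "OIDC-JOC": {"CERTIFICATE", "FIDO"},
    "KEYCLOAK": {"CERTIFICATE", "FIDO"}, "KEYCLOAK-JOC": {"CERTIFICATE", "FIDO"},
}

@dataclass
class IdentityService:            # hypothetical model of one configured Identity Service
    name: str                     # Identity Service Name, freely chosen
    service_type: str             # Identity Service Type, e.g. "LDAP"
    ordering: int                 # Ordering: position in the login sequence
    required: bool                # Required: must succeed for the login to succeed
    scheme: str = "single-factor" # Authentication Scheme: "single-factor" or "two-factor"
    second_factor: str = ""       # "CERTIFICATE" or "FIDO" when scheme is "two-factor"

def validate(svc: IdentityService) -> list:
    """Return configuration errors for one service (empty list when it is valid)."""
    errors = []
    if svc.scheme == "two-factor":
        allowed = SECOND_FACTORS.get(svc.service_type)
        if allowed is None:
            errors.append(f"{svc.name}: {svc.service_type} cannot be a first factor")
        elif svc.second_factor not in allowed:
            errors.append(f"{svc.name}: second factor {svc.second_factor!r} not allowed with {svc.service_type}")
    elif svc.scheme != "single-factor":
        errors.append(f"{svc.name}: unknown scheme {svc.scheme!r}")
    return errors

def evaluate_login(services: list, outcomes: dict) -> tuple:
    """Assumed sequencing (not specified on the page): try services in ascending Ordering;
    a failed Required service aborts the login, a failed optional one is skipped, and the
    login succeeds if at least one service succeeds. `outcomes` maps name -> authenticated?"""
    trace, any_ok = [], False
    for svc in sorted(services, key=lambda s: s.ordering):
        ok = outcomes.get(svc.name, False)
        trace.append((svc.name, ok))
        if ok:
            any_ok = True
        elif svc.required:
            return False, trace       # Required service failed: login fails here
    return any_ok, trace

if __name__ == "__main__":
    # Constructed sample: corporate LDAP with FIDO second factor first, local JOC as fallback.
    cfg = [IdentityService("corp-ldap", "LDAP", 1, True, "two-factor", "FIDO"),
           IdentityService("local", "JOC", 2, False)]
    print([validate(s) for s in cfg], evaluate_login(cfg, {"corp-ldap": True}))
```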
Single Sign-On
The JS7 - OIDC Identity Service allows single sign-on for the underlying Identity Provider:
...