User-repository-less Deployment

This article describes a lightweight DirX Access deployment that runs without integration with an extra user/corporate LDAP repository. Such a deployment can be useful for:

  • Simple proofs of concept (PoC)

  • Federation scenarios in which a persistent principal is not necessary

  • Systems with few users

History

In the past, DirX Access Server could not run without a User Repository configuration object. Even the administration accounts had to be created in the LDAP user repository as a prerequisite for deployment.

Deploying DirX Access Server with a User Repository is still possible and behaves exactly as it did before.

Figure 1. DirX Access Server Deployment with User Repository (image: DDXA-520 history.png)

Embedded User-Repository within Application Repository

As mentioned, DirX Access has been made lightweight so that it can run without an extra user/corporate LDAP repository. In this case, a part of the DirX Access Application Repository is used to store user-specific data. See the User Data Management via SCIM 2.0 and the Application Repository Service articles for more information about user-specific data.

Figure 2. DirX Access Server Deployment without User Repository (image: DDXA-520 new.png)

Deployment

Fresh installation

For a fresh installation, the recommended approach is to leave the User Repository settings unpopulated when running the installer (see Running the Installer).

In this case, the dxaConfigUserRepository.json and dxaConfigSubjectTemplate.json templates are not applied, and the respective configuration objects are absent from the DirX Access Application Repository.

Administration Account

If the User-repository-less deployment is chosen, the only way to administer the system is via the new DirX Access Administrator account in the Application Repository. The account is created via the dxaUserDirXAccessAdministrator.json template, and RBAC administration role resolution is turned on via the dxaConfigRbacAdministration.json template. Because this account is the sole administrative path, protect its credentials accordingly.

Affected Features

The following features are affected by the User-repository-less deployment.

  • User account correlation

    • If user correlation is mandatory and the User-repository-less deployment is enabled, this is a misconfiguration: there is no repository to correlate against, so authentication fails.

  • Request injections, SAML attributes, OAuth claims

    • If the User-repository-less deployment is enabled, attribute template values that use the user repository as their source cannot be resolved. Optional attribute templates are simply omitted, but a missing value for a mandatory attribute template is not tolerated, so building the external representation (the injected request, SAML assertion or OAuth token) fails.

  • User Attribute Risk Conditions

    • If the User-repository-less deployment is enabled, user attribute risk conditions resolve to an undetermined state, and the “Do assign risk level if condition can’t be evaluated” setting decides whether the risk level is applied anyway.
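The three behaviours above share one rule: when the user repository is absent, anything that depends on it must either be optional or fail closed. The following Python model is an added illustration, not DirX Access code; the class and function names (Deployment, AttributeTemplate, RiskCondition, correlate, render_attributes, assigned_risk) and the sample user record are assumptions chosen for this example.

```python
"""Fail-closed handling of user-repository lookups in a user-repository-less deployment.

Added illustration, not DirX Access product code. It models the three "Affected
Features": mandatory user correlation, attribute templates sourced from the user
repository, and user-attribute risk conditions. All names below are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Outcome(Enum):
    """Tri-state result of a risk condition; UNDETERMINED means 'could not be evaluated'."""
    TRUE = "true"
    FALSE = "false"
    UNDETERMINED = "undetermined"


class AuthenticationFailure(Exception):
    """Raised whenever the configuration forces a fail-closed outcome."""


@dataclass
class Deployment:
    user_repository_enabled: bool
    correlation_mandatory: bool
    # Models the "Do assign risk level if condition can't be evaluated" setting.
    assign_risk_if_unevaluable: bool
    # Constructed user-repository content (subject -> attributes); empty when absent.
    users: Dict[str, Dict[str, str]] = field(default_factory=dict)


@dataclass
class AttributeTemplate:
    """Attribute destined for a request injection, SAML assertion or OAuth claim set."""
    name: str
    source: str          # "session" (always available) or "user_repository"
    mandatory: bool


@dataclass
class RiskCondition:
    attribute: str       # user attribute that would be read from the user repository
    expected: str
    risk_level: str


def correlate(dep: Deployment, session: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Map the authenticated subject to a repository user, or refuse when that is impossible."""
    if not dep.user_repository_enabled:
        if dep.correlation_mandatory:
            raise AuthenticationFailure(
                "mandatory user correlation in a user-repository-less deployment")
        return None                      # correlation optional: continue without a user record
    user = dep.users.get(session["subject"])
    if user is None and dep.correlation_mandatory:
        raise AuthenticationFailure("subject %r not found in user repository" % session["subject"])
    return user


def render_attributes(dep: Deployment, templates: List[AttributeTemplate],
                      session: Dict[str, str], user: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Resolve attribute templates; a missing mandatory value aborts the whole representation."""
    rendered: Dict[str, str] = {}
    for tmpl in templates:
        value: Optional[str] = None
        if tmpl.source == "session":
            value = session.get(tmpl.name)
        elif tmpl.source == "user_repository" and user is not None:
            value = user.get(tmpl.name)
        if value is None:
            if tmpl.mandatory:
                raise AuthenticationFailure(
                    "mandatory attribute %r has no value from source %r" % (tmpl.name, tmpl.source))
            continue                     # optional attribute: simply omitted
        rendered[tmpl.name] = value
    return rendered


def evaluate(cond: RiskCondition, user: Optional[Dict[str, str]]) -> Outcome:
    """Without a user record the condition cannot be decided either way."""
    if user is None or cond.attribute not in user:
        return Outcome.UNDETERMINED
    return Outcome.TRUE if user[cond.attribute] == cond.expected else Outcome.FALSE


def assigned_risk(dep: Deployment, cond: RiskCondition,
                  user: Optional[Dict[str, str]]) -> Optional[str]:
    """Risk level to apply, honouring the fallback for undetermined conditions."""
    outcome = evaluate(cond, user)
    if outcome is Outcome.TRUE:
        return cond.risk_level
    if outcome is Outcome.UNDETERMINED and dep.assign_risk_if_unevaluable:
        return cond.risk_level           # conservative choice: treat "unknown" as risky
    return None
```

With a user-repository-less Deployment and correlation_mandatory=False, correlate returns None, render_attributes drops optional repository-sourced attributes and raises for mandatory ones, and assigned_risk applies the configured risk level only when assign_risk_if_unevaluable is set. The conservative setting is the safer default: a condition that cannot be evaluated should not silently lower the risk of a session.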