Attribute Finder Plug-in for Authentication
DirX Access supports an attribute finder for authentication and allows deploying attribute finders through a plug-in interface. This plug-in allows for looking up supplementary attributes for authenticated subjects during authentication and augmenting the internal representation of authenticated subjects.
About the Attribute Finder for Authentication
Upon successful user authentication, the authentication subsystem creates an internal representation of the authenticated subject. This internal representation contains a variety of information, some of it from the account of the authenticated user in persistence and some of it produced by the authentication process. The primary source for information that originates in persistence is the DirX Access user service, which provides information from the account of the authenticated user on the directory server. To address use cases where supplementary information for authenticated users is stored in additional repositories (for example, supplementary attributes in a DBMS), the attribute finder can integrate this information. The retrieval of the supplementary information is supported by all authentication methods provided by DirX Access.
The configuration allows mounting a single attribute finder plug-in for authentication. This mechanism does not limit the number of data stores that can be consulted in fetching supplementary information from third-party repositories. It is the responsibility of the attribute finder plug-in to consult a variety of data stores at its own discretion and provide a joined object as a return parameter to the DirX Access authentication subsystem.
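The join described above, sketched as an added example that is not part of the DirX Access documentation or product code. The SupplementaryStore interface, the reserved attribute set, and the skip-on-failure and first-store-wins policies are assumptions made for illustration; the method signatures of the real AttributeFinderCallout interface are not given on this page, so the class below does not implement it.

```java
import java.util.*;

// Added illustration (Java 10+). Every type here is a hypothetical stand-in;
// it shows only the "consult several stores, return one joined object" step.
public class JoinedAttributeLookup {
    /** Hypothetical adapter for one third-party repository (DBMS, web service, ...). */
    interface SupplementaryStore {
        Map<String, List<String>> lookup(String subjectId) throws Exception;
    }

    private final List<SupplementaryStore> stores;
    private final Set<String> reserved; // names owned by the directory account (assumption)

    JoinedAttributeLookup(List<SupplementaryStore> stores, Set<String> reserved) {
        this.stores = List.copyOf(stores);
        this.reserved = Set.copyOf(reserved);
    }

    /** Consults every store in order and returns one joined, read-only attribute map. */
    Map<String, List<String>> find(String subjectId) {
        Map<String, List<String>> joined = new LinkedHashMap<>();
        for (int i = 0; i < stores.size(); i++) {
            Map<String, List<String>> found;
            try {
                found = stores.get(i).lookup(subjectId);
            } catch (Exception e) {
                // Assumed policy: an unavailable store contributes nothing and is reported.
                System.err.println("attribute store #" + i + " failed: " + e.getMessage());
                continue;
            }
            for (Map.Entry<String, List<String>> entry : found.entrySet()) {
                // A side repository must not shadow an attribute of the directory account.
                if (reserved.contains(entry.getKey())) continue;
                // Earlier stores win on a name clash, so the result is deterministic.
                joined.putIfAbsent(entry.getKey(), List.copyOf(entry.getValue()));
            }
        }
        return Collections.unmodifiableMap(joined);
    }

    public static void main(String[] args) {
        // Constructed sample stores: an HR database, an unreachable store, a badge system.
        SupplementaryStore hr = id -> Map.of("department", List.of("R&D"), "uid", List.of("other"));
        SupplementaryStore down = id -> { throw new IllegalStateException("connection refused"); };
        SupplementaryStore badge = id -> Map.of("department", List.of("Sales"), "badgeId", List.of("B-1042"));
        JoinedAttributeLookup finder =
            new JoinedAttributeLookup(List.of(hr, down, badge), Set.of("uid", "mail"));
        System.out.println(finder.find("jdoe"));
    }
}
```

If authorization decisions depend on a supplementary attribute, skipping a failed store may be the wrong policy; in that case let the failure propagate instead of returning a partial join.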
Developing an Attribute Finder
This section describes the tasks necessary for developing a custom attribute finder.
Externalizing Attribute Finding from the DirX Access Server
The DirX Access Server allows externalizing attribute finding during authentication through a plug-in interface.
This method requires creating an attribute finder that implements the AttributeFinderCallout interface (net.atos.dirx.access.authn.api.callout.AttributeFinderCallout).
The implementing class must be contained within an exported package of an OSGi bundle.
Employing the Attribute Finder
The steps needed to employ the custom callout handler are outlined in the section Employing External Plug-in Modules.
Using the Attribute Finder
The following tasks need to be performed to use an attribute finder. Before starting to configure the DirX Access Server, make sure to run through all the steps in the section Employing External Plug-in Modules.
Prerequisites
To successfully employ the custom attribute finder, the OSGi bundle exporting the package containing the callout implementation must be installed on the DirX Access Server. To accomplish this task, make sure you have performed all of the steps described in the section Employing External Plug-in Modules.
Configuring the Custom Attribute Finder at the DirX Access Server
To configure the custom attribute finder at the DirX Access Server:
- In DirX Access Manager, go to Configuration | Extension modules.
- Create the callout handler <CalloutIdentifier>:
  - Go to Callout handlers and click the “add” icon to create a new callout handler.
  - Identifier: <CalloutIdentifier>.
  - Description: arbitrary.
  - Type: select AttributeFinderEvents.
  - Class name: enter the fully-qualified Java class name of the callout implementation.
  - Click Save.
- In DirX Access Manager, go to Servers | Cluster.
- Select a server identifier for which the custom attribute finder handler shall be added.
- In Attribute finder callout handler identifiers in the Authentication Service section, select <CalloutIdentifier>.
- Click Save.
- In DirX Access Manager, go to Configuration | Authentication | Authentication methods.
- Select an authentication method identifier for which the custom attribute finder handler shall be used.
- Check Do use attribute finder.
- Click Update.