Name Mapping Plug-in

DirX Access supports a custom domain name resolution process (see Name Resolution) and allows deploying the name mapping plug-in through a plug-in interface. This plug-in allows resolution of the domain names corresponding to the subject during a successful authentication.

About the Name Mapping for Authentication

Upon successful user authentication, DirX Access starts the domain name resolution process. This ability is independent of the authentication method used. The process consists of two phases: a resolution of the domain names corresponding to the currently used authentication method (including a resolution of the unique name), and a merging of this set with any sets already existing for the original authenticated session.

The former task is represented by the

Map.Entry<DomainName, Set<DomainName>> getDomainNames(DomainName domainName, AuthnMethod authnMethod, Collection<Principal> principals);

method, while the latter by the

Map<DomainName, Set<DomainName>> mergeDomainNames(DomainName uniqueName, Set<DomainName> freshDomainNames, Map<DomainName, Set<DomainName>> originalDomainNames, AuthnMethod authnMethod);

method.

The customer may use these methods in any way suitable to its project. For example, the former method may supply a domain name from an external repository, and the latter method may allow or prevent the session from containing multiple different authentication identifiers belonging to a single domain. The merge method can also change the unique name of the entity used in the session and in the application repository by returning a different key for the returned map (if there is only one key in the map).

The configuration allows mounting a single name mapping plug-in for authentication.
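The following sketch is an added example, not code from DirX Access or its documentation. It shows one conservative policy for the two methods above: resolution fails closed for unknown identifiers, and the merge refuses both a change of the session's unique name and a second identifier in the same domain. The DomainName and AuthnMethod types, the sample repository, the "unique" domain label and the use of SecurityException to signal rejection are assumptions made so the sketch runs on its own; how the server reacts to an exception thrown by a callout is not covered on this page.

```java
import java.security.Principal;
import java.util.*;

// Stand-ins so the sketch compiles alone; the real DomainName and AuthnMethod
// come from the DirX Access API, and the members used here are assumptions.
record DomainName(String domain, String name) {}
enum AuthnMethod { PASSWORD, X509 }

// A deployed callout would implement
// net.atos.dirx.access.authn.api.callout.NameMappingCallout.
public class StrictNameMapping {
    // Constructed sample repository: authenticated identifier -> unique name.
    private static final Map<String, String> REPO =
            Map.of("jdoe", "uid-1001", "CN=John Doe", "uid-1001", "asmith", "uid-2002");

    public Map.Entry<DomainName, Set<DomainName>> getDomainNames(
            DomainName domainName, AuthnMethod authnMethod, Collection<Principal> principals) {
        String uid = REPO.get(domainName.name());
        // Fail closed: an unknown identifier never gets a fabricated unique name.
        if (uid == null) throw new SecurityException("no mapping for " + domainName);
        return Map.entry(new DomainName("unique", uid), Set.of(domainName));
    }

    public Map<DomainName, Set<DomainName>> mergeDomainNames(
            DomainName uniqueName, Set<DomainName> freshDomainNames,
            Map<DomainName, Set<DomainName>> originalDomainNames, AuthnMethod authnMethod) {
        // A later authentication must resolve to the unique name the session already has.
        if (!originalDomainNames.isEmpty() && !originalDomainNames.containsKey(uniqueName))
            throw new SecurityException("authentication resolves to a different unique name");
        Set<DomainName> merged = new HashSet<>(originalDomainNames.getOrDefault(uniqueName, Set.of()));
        for (DomainName fresh : freshDomainNames) {
            // Allow one identifier per domain; reject a second, different one.
            if (merged.stream().anyMatch(d -> d.domain().equals(fresh.domain()) && !d.equals(fresh)))
                throw new SecurityException("second identifier for domain " + fresh.domain());
            merged.add(fresh);
        }
        return Map.of(uniqueName, merged); // single key: the unique name is unchanged
    }

    public static void main(String[] args) {
        StrictNameMapping m = new StrictNameMapping();
        var first = m.getDomainNames(new DomainName("ldap", "jdoe"), AuthnMethod.PASSWORD, List.of());
        var session = m.mergeDomainNames(first.getKey(), first.getValue(), Map.of(), AuthnMethod.PASSWORD);
        var stepUp = m.getDomainNames(new DomainName("x509", "CN=John Doe"), AuthnMethod.X509, List.of());
        session = m.mergeDomainNames(stepUp.getKey(), stepUp.getValue(), session, AuthnMethod.X509);
        System.out.println(session);
        var other = m.getDomainNames(new DomainName("ldap", "asmith"), AuthnMethod.PASSWORD, List.of());
        try { m.mergeDomainNames(other.getKey(), other.getValue(), session, AuthnMethod.PASSWORD); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```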

Developing a Name Mapping Callout

This section describes the tasks necessary for developing a custom authentication token finder.

Externalizing Name Mapping from the DirX Access Server

The DirX Access Server allows externalizing name mapping during authentication through a plug-in interface. This method requires creating a name mapping callout that implements the NameMappingCallout interface (net.atos.dirx.access.authn.api.callout.NameMappingCallout). The implementing class has to be contained within an exported package of an OSGi bundle.

Employing the Name Mapping Callout

The steps needed to employ the custom callout handler are outlined in the section Employing External Plug-in Modules.

Using the Name Mapping Callout

The following tasks need to be performed to use a name mapping callout. Before starting to configure the DirX Access Server, make sure to run through all the steps in the section Employing External Plug-in Modules.

Prerequisites

To successfully employ the custom name mapping callout, it is assumed that all the steps covered by the section Employing External Plug-in Modules are performed. Namely, the OSGi bundle exporting the package containing the callout implementation has to be installed on the DirX Access Server.

Configuring the Name Mapping Callout at the DirX Access Server

  • In DirX Access Manager, go to Configuration | Extension modules.

  • Create the callout handler <CalloutIdentifier>:

    • Go to Callout handlers and click the “add” icon to create a new callout handler.

    • Identifier: <CalloutIdentifier>.

    • Description: arbitrary.

    • Type: select NameMappingEvents.

    • Class name: enter the fully qualified Java class name of the callout implementation.

    • Click Save.

  • In DirX Access Manager, go to Servers | Cluster.

    • Select a server identifier for which the custom name mapping callout handler shall be added.

    • In the Name mapping callout handler identifier drop-down box in the Authentication Service section, select <CalloutIdentifier>.

    • Click Save.