Monday, October 8, 2007

How To - 10.1.3 OWSM: Console authentication against different user repository and delegated administration

OWSM Console (also known as Control) authentication uses a very flexible pluggable framework. Admin user authentication can be done through either of the following:

  • Native OWSM authentication - This provides a pluggable authentication provider that can authenticate users against any datastore (such as LDAP, a database, etc.). The out-of-the-box implementation defaults to the OWSM database. Delegated administration of the OWSM Console (such as admins with view-only access) is enabled with this option.
  • JSSO (Java Single Sign-On) - This provides a pluggable authentication provider for SSO that integrates with SSO solutions (such as OAM and SiteMinder) and also provides a default SSO implementation called JSSO. The default JSSO implementation uses a JAAS login module for authentication, which allows you to plug in authentication against any user/role repository. Delegated administration of the OWSM Console (such as admins with view-only access) is not available with this option.

What do you get with the install?
When you install OWSM, the default option for console authentication depends on the type of install. You get:

  • JSSO for a Basic SOA Suite installation
  • Native authentication for an Advanced SOA Suite installation and for standalone OWSM installs

How to manage users/roles for native authentication?
Native authentication defaults to the OWSM database as the user/role repository, where users and roles are stored in a table. These users/roles can be managed through the wsmadmin tool by running the command
wsmadmin manageUserGroups
The default user is admin, which has super-user privileges to access all parts of the console. This default user can be changed by following this post.

You can use the same command to add or modify other admin users with different privileges (such as the view-only access given to users with the service support role ss1-grp). See the OWSM documentation for details on how to assign roles.

How to change the authentication provider to point to LDAP?
You can change the user/role repository to point to LDAP (including Active Directory) instead of the database by following the steps listed in the OWSM documentation.

How to enable JSSO for authentication?
Follow the instructions listed here in the OWSM documentation to switch from native authentication to JSSO.