Chapter 9. PicketLink IDM Integration
9.1. Introduction to PicketLink IDM
The portal uses the PicketLink IDM component to store the necessary identity information about users, groups and memberships. While the legacy interfaces (org.exoplatform.services.organization) are still used for identity management, a wrapper implementation delegates to the PicketLink IDM framework.
This section provides basic information about PicketLink IDM and its configuration.
Note
It is important to fully understand the concepts behind this framework design before changing the default configuration.
The identity models represented in the org.exoplatform.services.organization interfaces and the one used in PicketLink IDM have some major differences. For example: PicketLink IDM provides greater abstraction. It is possible for groups in the IDM framework to form memberships with many parents (which requires recursive ID translation), while the org.exoplatform.services.organization model allows only pure tree-like membership structures.
Additionally, the Membership concept must be translated into the IDM Role concept. Therefore the PicketLink IDM model is used in a limited way. All these translations are applied by the integration layer.
9.2. Configuring PicketLink IDM
The main configuration file is JPP_HOME/gatein/gatein.ear/portal.war/WEB-INF/conf/organization/idm-configuration.xml:
<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd http://www.exoplaform.org/xml/ns/kernel_1_2.xsd"
   xmlns="http://www.exoplaform.org/xml/ns/kernel_1_2.xsd">
  <component>
    <key>org.exoplatform.services.organization.idm.PicketLinkIDMService</key>
    <type>org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl</type>
    <init-params>
      <value-param>
        <name>config</name>
        <value>war:/conf/organization/idm-config.xml</value>
      </value-param>
      <value-param>
        <name>portalRealm</name>
        <value>realm${container.name.suffix}</value>
      </value-param>
    </init-params>
  </component>
  <component>
    <key>org.exoplatform.services.organization.OrganizationService</key>
    <type>org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl</type>
    <init-params>
      <object-param>
        <name>configuration</name>
        <object type="org.exoplatform.services.organization.idm.Config">
          <field name="useParentIdAsGroupType">
            <boolean>true</boolean>
          </field>
          <field name="forceMembershipOfMappedTypes">
            <boolean>true</boolean>
          </field>
          <field name="pathSeparator">
            <string>.</string>
          </field>
          <field name="rootGroupName">
            <string>GTN_ROOT_GROUP</string>
          </field>
          <field name="groupTypeMappings">
            <map type="java.util.HashMap">
              <entry>
                <key><string>/</string></key>
                <value><string>root_type</string></value>
              </entry>
              <!-- Sample mapping -->
              <!--
              <entry>
                <key><string>/platform/*</string></key>
                <value><string>platform_type</string></value>
              </entry>
              <entry>
                <key><string>/organization/*</string></key>
                <value><string>organization_type</string></value>
              </entry>
              -->
            </map>
          </field>
          <field name="associationMembershipType">
            <string>member</string>
          </field>
          <field name="ignoreMappedMembershipType">
            <boolean>false</boolean>
          </field>
        </object>
      </object-param>
    </init-params>
  </component>
</configuration>
9.2.1. PicketLinkIDMServiceImpl Service
The org.exoplatform.services.organization.idm.PicketLinkIDMServiceImpl service has the following options:
- config (value-param): The PicketLink IDM configuration file.
- hibernate.properties (properties-param): A list of Hibernate properties used to create the SessionFactory that will be injected into the JBoss Identity IDM configuration registry.
- hibernate.annotations: A list of annotated classes that will be added to the Hibernate configuration.
- hibernate.mappings: A list of .xml files that will be added to the Hibernate configuration as mapping files.
- jndiName (value-param): If the 'config' parameter is not provided, this parameter will be used to perform a JNDI lookup for the IdentitySessionFactory.
- portalRealm (value-param): The realm name that should be used to obtain the proper IdentitySession. The default is 'PortalRealm'.
- apiCacheConfig (value-param): The Infinispan configuration file with the cache configuration for the PicketLink IDM API. It differs between cluster and non-cluster deployments because Infinispan needs to be replicated in a cluster environment.
- storeCacheConfig (value-param): The Infinispan configuration file with the cache configuration for the PicketLink IDM IdentityStore. It is only used for the LDAP store (not with the default database configuration). It differs between cluster and non-cluster deployments because Infinispan needs to be replicated in a cluster environment.
9.2.2. PicketLinkIDMOrganizationServiceImpl Service
The org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl key is the main entry point implementing org.exoplatform.services.organization.OrganizationService, and depends on org.exoplatform.services.organization.idm.PicketLinkIDMService.
The org.exoplatform.services.organization.idm.PicketLinkIDMOrganizationServiceImpl service has the following options, defined as fields of the <object-param> of type org.exoplatform.services.organization.idm.Config:
- defaultGroupType: The name of the PicketLink IDM GroupType that will be used to store groups. The default is GTN_GROUP_TYPE.
- rootGroupName: The name of the PicketLink IDM Group that will be used as the root parent. The default is GTN_ROOT_GROUP.
- passwordAsAttribute: Specifies whether a password is stored using the PicketLink IDM Credential object or as a plain attribute. The default is false.
- useParentIdAsGroupType: Stores the parent ID path as the group type in PicketLink IDM for any IDs not mapped with a specific type in 'groupTypeMappings'. If this option is set to false, and no mappings are provided under 'groupTypeMappings', then only one group with a given name can exist in the portal group tree.
- pathSeparator: When 'useParentIdAsGroupType' is set to true, this value will be used to replace all "/" characters in IDs. The "/" character is not allowed in a group type name in PicketLink IDM.
- associationMembershipType: If this option is used, then each Membership created with a MembershipType equal to the value specified here will be stored in PicketLink IDM as a simple Group-User association.
- groupTypeMappings: Maps groups added with the portal API as children of a given group ID, and stores them with the given group type name in PicketLink IDM. If the parent ID ends with "/*", then all child groups will have the mapped group type. Otherwise, only direct (first level) children will use this type. This can be leveraged with LDAP if the LDAP DN is configured in PicketLink IDM to only store a specific group type. The given branch of the portal group tree will then be stored there, while all other groups remain in the database.
- forceMembershipOfMappedTypes: Groups stored in PicketLink IDM with a type mapped in 'groupTypeMappings' will automatically be members under the mapped parent. Group relationships linked by a PicketLink IDM group association will not be necessary. This parameter can be set to false if all groups are added via the portal APIs. This may be useful with an LDAP configuration as, when set to true, it will make every entry added to LDAP appear in the portal. This, however, is not true for entries added through the portal management user interface.
- ignoreMappedMembershipType: If the "associationMembershipType" option is used, and this option is set to true, then a Membership with the MembershipType configured to be stored as a PicketLink IDM association will not be stored as a PicketLink IDM Role.
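To make the groupTypeMappings, useParentIdAsGroupType and pathSeparator rules above concrete, here is an added Python model of the resolution (example code written for this chapter, not GateIn's or PicketLink IDM's own implementation; the longest-matching-wildcard rule and the helper names are assumptions), together with a check for portal group IDs that would collapse onto the same name and type in the IDM store, which is the situation the useParentIdAsGroupType description warns about:

```python
# Model of the group-type resolution rules documented for groupTypeMappings,
# useParentIdAsGroupType and pathSeparator. Illustrative only; not GateIn's
# or PicketLink IDM's own code.
DEFAULT_GROUP_TYPE = "GTN_GROUP_TYPE"  # documented default of defaultGroupType


def parent_id(group_id):
    """Parent of a portal group ID; top-level groups hang under '/'."""
    idx = group_id.rstrip("/").rfind("/")
    return group_id[:idx] if idx > 0 else "/"


def resolve_group_type(group_id, mappings, use_parent_id=True, path_sep="."):
    """Return the (name, PicketLink IDM group type) pair for a portal group ID."""
    parent = parent_id(group_id)
    name = group_id.rstrip("/").rsplit("/", 1)[-1]
    # 1. Exact key: only direct (first-level) children get the mapped type.
    if parent in mappings:
        return name, mappings[parent]
    # 2. Wildcard key "<id>/*": every descendant of <id> gets the mapped type.
    #    Assumption of this model: the longest matching prefix wins.
    best = None
    for key, gtype in mappings.items():
        if not key.endswith("/*"):
            continue
        prefix = key[:-2] or "/"
        if prefix == "/" or parent == prefix or parent.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, gtype)
    if best is not None:
        return name, best[1]
    # 3. Unmapped group: the parent path becomes the type, with '/' replaced by
    #    pathSeparator because '/' is not allowed in an IDM group type name.
    if use_parent_id:
        return name, parent.replace("/", path_sep)
    # 4. Otherwise every unmapped group shares defaultGroupType.
    return name, DEFAULT_GROUP_TYPE


def find_collisions(group_ids, mappings, use_parent_id=True, path_sep="."):
    """Portal group IDs that resolve to the same (name, type) in PicketLink IDM.
    Such groups are indistinguishable in the store, so a membership granted to
    one of them effectively applies to the other: this is why only one group
    per name can exist when useParentIdAsGroupType is false and no mappings
    are configured."""
    seen = {}
    for gid in group_ids:
        key = resolve_group_type(gid, mappings, use_parent_id, path_sep)
        seen.setdefault(key, []).append(gid)
    return {key: ids for key, ids in seen.items() if len(ids) > 1}
```

Running find_collisions over an export of the portal group tree with the configured mappings is a quick pre-deployment check before switching useParentIdAsGroupType off or changing pathSeparator.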
Additionally, PicketLinkIDMOrganizationServiceImpl uses the following defaults to perform identity management operations.
- The portal User interface properties fields are persisted in PicketLink IDM using these attribute names: firstName, lastName, email, createdDate, lastLoginTime, organizationId, password (if the password is configured to be stored as an attribute).
- The portal Group interface properties fields are persisted in PicketLink IDM using these attribute names: label, description.
- The portal MembershipType interface properties fields are persisted in JBoss Identity IDM using these RoleType properties: description, owner, create_date, modified_date.
A sample PicketLink IDM configuration file is shown below. To understand all the options it contains, see the PicketLink IDM Reference Guide.
<jboss-identity xmlns="urn:jboss:identity:idm:config:v1_0_beta"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="urn:jboss:identity:idm:config:v1_0_alpha identity-config.xsd">
  <realms>
    <realm>
      <id>PortalRealm</id>
      <repository-id-ref>PortalRepository</repository-id-ref>
      <identity-type-mappings>
        <user-mapping>USER</user-mapping>
      </identity-type-mappings>
    </realm>
  </realms>
  <repositories>
    <repository>
      <id>PortalRepository</id>
      <class>org.jboss.identity.idm.impl.repository.WrapperIdentityStoreRepository</class>
      <external-config/>
      <default-identity-store-id>HibernateStore</default-identity-store-id>
      <default-attribute-store-id>HibernateStore</default-attribute-store-id>
    </repository>
  </repositories>
  <stores>
    <attribute-stores/>
    <identity-stores>
      <identity-store>
        <id>HibernateStore</id>
        <class>org.jboss.identity.idm.impl.store.hibernate.HibernateIdentityStoreImpl</class>
        <external-config/>
        <supported-relationship-types>
          <relationship-type>JBOSS_IDENTITY_MEMBERSHIP</relationship-type>
          <relationship-type>JBOSS_IDENTITY_ROLE</relationship-type>
        </supported-relationship-types>
        <supported-identity-object-types>
          <identity-object-type>
            <name>USER</name>
            <relationships/>
            <credentials>
              <credential-type>PASSWORD</credential-type>
            </credentials>
            <attributes/>
            <options/>
          </identity-object-type>
        </supported-identity-object-types>
        <options>
          <option>
            <name>hibernateSessionFactoryRegistryName</name>
            <value>hibernateSessionFactory</value>
          </option>
          <option>
            <name>allowNotDefinedIdentityObjectTypes</name>
            <value>true</value>
          </option>
          <option>
            <name>populateRelationshipTypes</name>
            <value>true</value>
          </option>
          <option>
            <name>populateIdentityObjectTypes</name>
            <value>true</value>
          </option>
          <option>
            <name>allowNotDefinedAttributes</name>
            <value>true</value>
          </option>
          <option>
            <name>isRealmAware</name>
            <value>true</value>
          </option>
        </options>
      </identity-store>
    </identity-stores>
  </stores>
</jboss-identity>