Authentication using external Identity Access Management (IAM)


Hi,

We are planning to implement an IAM (WSO2 Identity Server) solution for user management and authentication in our CMS site, which uses version 9.

I wanted information about how we can implement it in our project and how user groups and access rights (authorization) work with such an external user management system.

Could anyone please help me with some information about this, or a reference on how to implement this in EPiServer?

Thanks in advance.

Sanket Mahimkar

#143278
Jan 19, 2016 10:18

Hi, Sanket,

The approach I'd take for authentication is Owin, which you implement just the same as you'd implement it in any other solution. Documentation is here as well as in some peer documentation pages. You will need to figure out the actual steps for the specific IP.

The parts that are custom to EPiServer are:

  • user/role management from admin mode
  • access rights
  • override of log out button from edit/admin

Full integration of user/role management and access rights is then done through an Owin membership/role provider. For some inspiration, you might take a look at this blog post as well as this one. You can then choose what you want to implement, e.g. you might not need user/role creation/update/deletion. You might not need some of the things, e.g. the EPi_ roles check; if you don't want to create/delete users at all, that will simplify the code of the providers. Next week I intend to update the GitHub project with some performance improvements, one of them being from Svein's blog post, but this should get you kick-started.

BR,

Marija

#143317
Jan 20, 2016 10:47

Thanks for this quick reply.

Actually, we are not using the OWIN part; instead we will use the WSO2 API for authentication. I would like to know, as this is an external user management system, how the user roles (user groups) get connected to EPiServer, so that access rights can be handled from there through the EPiServer system. When a user logs in, we get a response from the Identity Server which contains a token and user information such as the user name and user role. So, how can we connect this user with the roles so that access rights get handled from the EPiServer system as we do normally?

Thanks

Sanket Mahimkar

#143330
Jan 20, 2016 13:52

The approach would be the same: you write a membership/role provider that reads from wherever you want it to read. The user/role management interface in admin mode, as well as setting access rights, essentially calls methods such as Roles.GetAllRoles or Users.GetAllUsers from whichever provider is set in the web.config file.

#143335
Jan 20, 2016 14:55
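As an added example (not code from this thread, nor from the EPiServer or WSO2 projects), the following is a read-only System.Web.Security.RoleProvider of the kind the last reply describes: EPiServer admin mode and the access-rights dialog call Roles.* on whatever provider web.config names, and this class answers those calls from an external role source instead of the SQL database. The IExternalRoleSource interface, the InMemoryRoleSource sample data, and the user and role names in it are assumptions standing in for the WSO2 API and the roles carried in its login response.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Security;

// Hypothetical abstraction over the external IAM (WSO2 in the thread). In a real
// deployment this is backed by the IAM's API or the roles in its login response;
// here it is an interface so the provider can be exercised without the server.
public interface IExternalRoleSource
{
    IEnumerable<string> GetRolesForUser(string userName);
    IEnumerable<string> GetUsersInRole(string roleName);
    IEnumerable<string> GetAllRoles();
}

// Constructed sample data standing in for the IAM; the names are assumptions.
public class InMemoryRoleSource : IExternalRoleSource
{
    private static readonly StringComparer Cmp = StringComparer.OrdinalIgnoreCase;
    private readonly Dictionary<string, HashSet<string>> _rolesByUser =
        new Dictionary<string, HashSet<string>>(Cmp)
        {
            ["alice"] = new HashSet<string>(Cmp) { "WebEditors", "Marketing" },
            ["bob"]   = new HashSet<string>(Cmp) { "WebAdmins", "WebEditors" },
        };

    public IEnumerable<string> GetRolesForUser(string userName) =>
        _rolesByUser.TryGetValue(userName ?? "", out var roles) ? roles : Enumerable.Empty<string>();

    public IEnumerable<string> GetUsersInRole(string roleName) =>
        _rolesByUser.Where(kv => kv.Value.Contains(roleName ?? "")).Select(kv => kv.Key);

    public IEnumerable<string> GetAllRoles() =>
        _rolesByUser.Values.SelectMany(r => r).Distinct(Cmp);
}

// Read-only RoleProvider: the seam where IAM roles become EPiServer roles. Only the
// roles asserted by the IAM are ever returned; nothing from the request is trusted,
// and writes are refused because role membership is owned by the IAM.
public class ExternalIamRoleProvider : RoleProvider
{
    private readonly IExternalRoleSource _source;

    // ASP.NET instantiates providers through the parameterless constructor.
    public ExternalIamRoleProvider() : this(new InMemoryRoleSource()) { }
    public ExternalIamRoleProvider(IExternalRoleSource source) { _source = source; }

    public override string ApplicationName { get; set; }

    public override string[] GetRolesForUser(string username) =>
        _source.GetRolesForUser(username).ToArray();

    public override bool IsUserInRole(string username, string roleName) =>
        _source.GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);

    public override string[] GetAllRoles() => _source.GetAllRoles().ToArray();

    public override bool RoleExists(string roleName) =>
        _source.GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase);

    public override string[] GetUsersInRole(string roleName) =>
        _source.GetUsersInRole(roleName).ToArray();

    // Admin mode passes a search string; match it as a case-insensitive substring.
    public override string[] FindUsersInRole(string roleName, string usernameToMatch) =>
        _source.GetUsersInRole(roleName)
               .Where(u => u.IndexOf(usernameToMatch ?? "", StringComparison.OrdinalIgnoreCase) >= 0)
               .ToArray();

    // Membership is managed in the IAM, never from the CMS.
    public override void CreateRole(string roleName) => throw ReadOnly();
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) => throw ReadOnly();
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) => throw ReadOnly();
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) => throw ReadOnly();

    private static NotSupportedException ReadOnly() =>
        new NotSupportedException("Roles are managed in the external IAM; the CMS provider is read-only.");
}

// Stand-alone run of the provider against the sample data.
public static class Demo
{
    public static void Main()
    {
        var provider = new ExternalIamRoleProvider();
        Console.WriteLine(string.Join(",", provider.GetRolesForUser("alice")));
        Console.WriteLine(provider.IsUserInRole("bob", "webadmins"));
        Console.WriteLine(string.Join(",", provider.FindUsersInRole("WebEditors", "al")));
    }
}
```

To make EPiServer use it, register the class under `<system.web><roleManager enabled="true" defaultProvider="ExternalIam">` in web.config with an `<add name="ExternalIam" type="..."/>` entry naming the provider type (the provider name is an assumption). The role names the IAM returns must be the same strings used when setting access rights in admin mode, since EPiServer compares them as plain names; keeping the comparison case-insensitive, as above, avoids a mismatch between "WebEditors" and "webeditors" silently denying access.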