Custom Authentication Module

Greetings,

I have the following use case:

* allow employee authentication for the API Designer project

* do not allow employee authentication anywhere else

I am using Identity Manager version 8.1.4

With the current configuration of the authentication modules I cannot really control where employee authentication can be used; hiding the authentication module from the front-end listing does not solve the issue for me.

I would like to allow this authentication method only for the API projects and use the permissions of the linked system users to perform the database operations.

While the API itself is set up pretty well right now, I don't want to allow this identity to log in to the AppServer, for example, as this might cause accidental data exposure.

So in order to move forward with the requirement I did the following steps:

  • I created a copy of the Employee authentication module and called it APIPerson
  • I enabled this new module
  • I allowed selection in the front-ends
  • I selected the programs where the module can be used (AppServer, API project, API Designer)
  • Saved everything, compiled the database

While the method is listed among the possible authentication methods on the AppServer login page, in API Designer and in the API admin UI, I am unable to use it due to the following error:

AppServer:

VI.Base.ViException: Error loading authentication module APIPerson. ---> VI.Base.ViException: The authentication module APIPerson is not available or not activated.

While the API says:

System.Exception: An error occurred while processing the request: http://***/ApiServer/imx/login/IAMAPI/APIPerson

---> System.AggregateException: One or more errors occurred.

---> VI.Base.ViException: Error loading authentication module Person.

---> VI.Base.ViException: The authentication module Person is not available or not activated.

I am surely missing some part where the authentication method is 'published' and allowed for general use.

Could you please help me find the missing part? It feels like I am missing something trivial (I am totally expecting a 'there is a configuration parameter for that' kind of answer).

In case some more background is needed:

The API function is used for creating web portal requests, which requires permissions on the PWO table. I don't want to allow any possibility for the identity to query the PWO table, or to request supporting information from 2-3 other tables via the AppServer or any other possible way into the system.

I hope you can give me some idea where I can move this forward.

--

Best Regards

Tomasz Śmieja

  • Hi Tomasz,

    You do not need to create a custom authentifier for your use case.

    You can control two things with regard to the authentication modules available in OneIM 8.1.4.

    You found the general settings for the authentication module itself (enabled, hide in UI). But the authentication modules are also assigned to the program definition stored in DialogProduct. This assignment table is called DialogProductHasAuthentifier. It controls whether an authentication module can be used by a program.

    While you cannot remove out-of-the-box entries from this table, you are able to deactivate or disable an entry. You (currently) need the Object Browser to do this (see the screenshot), but this will be integrated into the Designer in the next version of OneIM as well (2nd screenshot).

    Coming in vNext:

  • Thank you Markus!

    Works exactly like I need.

    --

    BR,

    Tomek