PicketLink Identity Management Fundamentals

PicketLink Identity Management is a fundamental module of PicketLink, with all other modules building on top of the IDM component to implement their extended features.

  • It provides APIs for managing the identities of your application and services, such as users, groups and roles.
  • It supports partitioning identities into separate containers (for example, one per tenant or realm).
  • It provides a core Identity Model API, a set of classes on which an application's own identity classes are built, giving the application a robust security structure.

Core modules:

Partition Manager: manages identity partitions, which are the containers that hold a set of identity objects.

Identity Manager: manages the identity objects (users, groups, roles) within the scope of a single partition.

Relationship Manager: manages relationships; a relationship is a typed association between two or more identities.

Identity Store: provides the backend storage in which identities are persisted. The built-in stores are:

  • JPAIdentityStore
  • LDAPIdentityStore
  • FileBasedIdentityStore

Below is a pictorial representation of how authentication happens, followed by the workflow of the IDM components while a user is being authenticated.

PicketLink Authentication Process Flow

Below is a pictorial representation of how all the core modules are connected and work together during the authentication process.

PicketLink Core Modules Flow

How credential validation happens:

PicketLink IDM provides an authentication subsystem that allows user credentials to be validated thereby confirming that an authenticating user is who they claim to be. The IdentityManager interface provides a single method for performing credential validation, as follows:

void validateCredentials(Credentials credentials);

The Credentials interface defines a nested Status enum and a getStatus() method that returns the outcome of validating the credentials the user entered.

Example:

public interface Credentials {

    public enum Status {
        UNVALIDATED, IN_PROGRESS, INVALID, VALID, EXPIRED
    };

    Account getValidatedAccount();

    Status getStatus();

    void invalidate();
}

getStatus() returns one of the following values:

UNVALIDATED – The credential has not been validated yet.

IN_PROGRESS – The credential is in the process of being validated.

INVALID – The credential was validated and the validation failed.

VALID – The credential was validated successfully.

EXPIRED – The credential has expired.
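To show the status values in use, here is an added example (not code from the original post or from the PicketLink project) that bootstraps an IDM with the file-based identity store, stores a password for the sample user and then validates a correct, a wrong and an expired password, mapping each status to an authentication decision. It assumes the PicketLink 2.5.x IDM API: IdentityConfigurationBuilder, DefaultPartitionManager, Realm, UsernamePasswordCredentials and Password are PicketLink classes; the class name CredentialValidationExample, the authenticate() helper and the sample password values are my own.

```java
// Added example for the credential-validation section above; not part of the
// original post or the PicketLink project. Assumes the PicketLink 2.5.x IDM API
// (org.picketlink:picketlink-idm-impl on the classpath).
import java.util.Calendar;
import java.util.Date;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.internal.DefaultPartitionManager;
import org.picketlink.idm.model.Account;
import org.picketlink.idm.model.basic.Realm;
import org.picketlink.idm.model.basic.User;

public class CredentialValidationExample {

    /** Builds a PartitionManager backed by the in-memory file-based identity store. */
    static PartitionManager bootstrap() {
        IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();
        builder.named("default")
               .stores()
                   .file()
                       .preserveState(false)      // nothing is written to disk between runs
                       .supportAllFeatures();
        PartitionManager partitionManager = new DefaultPartitionManager(builder.buildAll());
        partitionManager.add(new Realm(Realm.DEFAULT_REALM));
        return partitionManager;
    }

    /**
     * Validates a login-name/password pair and turns the Credentials.Status into a decision.
     * VALID hands back the validated account; EXPIRED is reported separately so the
     * application can force a password reset; every other status gets the same generic
     * failure so callers cannot tell a wrong password from an unknown login name.
     */
    static Account authenticate(IdentityManager identityManager, String loginName, String password) {
        UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials(loginName, new Password(password));
        // Status is UNVALIDATED until validateCredentials() has run
        identityManager.validateCredentials(credentials);
        switch (credentials.getStatus()) {
            case VALID:
                return credentials.getValidatedAccount();
            case EXPIRED:
                throw new IllegalStateException("credential expired, reset required");
            default:   // INVALID, UNVALIDATED, IN_PROGRESS
                throw new SecurityException("authentication failed");
        }
    }

    static String describe(IdentityManager identityManager, String loginName, String password) {
        try {
            Account account = authenticate(identityManager, loginName, password);
            return "VALID, authenticated account id " + account.getId();
        } catch (IllegalStateException e) {
            return "EXPIRED: " + e.getMessage();
        } catch (SecurityException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        IdentityManager identityManager = bootstrap().createIdentityManager();

        User user = new User("jdoe");                  // the same sample user as in the post
        identityManager.add(user);
        identityManager.updateCredential(user, new Password("s3cret"));   // constructed sample password

        System.out.println("correct password: " + describe(identityManager, "jdoe", "s3cret"));
        System.out.println("wrong password:   " + describe(identityManager, "jdoe", "nope"));
        System.out.println("unknown login:    " + describe(identityManager, "nobody", "s3cret"));

        // A credential whose expiry date already lies in the past is reported as EXPIRED,
        // even when the password itself matches.
        Calendar calendar = Calendar.getInstance();
        Date effectiveDate = calendar.getTime();
        calendar.add(Calendar.DAY_OF_MONTH, -1);
        Date expiryDate = calendar.getTime();          // yesterday
        identityManager.updateCredential(user, new Password("temp"), effectiveDate, expiryDate);
        System.out.println("expired password: " + describe(identityManager, "jdoe", "temp"));
    }
}
```

The switch in authenticate() is the part worth copying: only VALID yields an account, EXPIRED is distinguished so the user can be routed to a reset flow, and everything else collapses into one generic error message.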

 

How to manage users, groups and roles?

PicketLink IDM provides a number of basic implementations of the identity model interfaces for convenience, in the org.picketlink.idm.model.basic package.

Below is an example of creating a user with the following details:

Login Name: jdoe

Full Name: John Doe

First Name: John

Last Name: Doe

Email: jdoe[at]techpaste.com

User user = new User("jdoe");
user.setFirstName("John");
user.setLastName("Doe");
user.setEmail("jdoe[at]techpaste.com");
identityManager.add(user);

Once the User is created, it’s possible to look it up using its login name:

User user = BasicModel.getUser(identityManager, "jdoe");

User properties can also be modified after the User has already been created.

The following example demonstrates how to change the e-mail address of the user created above:

User user = BasicModel.getUser(identityManager, "jdoe");
user.setEmail("jdoe[at]newavr.com");
identityManager.update(user);

The following example demonstrates how to create a new group called employees:

Group employees = new Group("employees");
identityManager.add(employees);

It is also possible to assign a parent group when creating a group. The following example demonstrates how to create a new group called managers, using the employees group created in the previous example as the parent group:

Group managers = new Group("managers", employees);
identityManager.add(managers);

To look up an existing Group, the BasicModel.getGroup() method may be used. If the group name is unique, it can be passed as a single parameter:

Group employees = BasicModel.getGroup(identityManager, "employees");

Relationships in IDM

Relationships are used to model typed associations between two or more identities. All concrete relationship types must implement the marker interface org.picketlink.idm.model.Relationship.

The RelationshipManager interface provides three standard methods for managing relationships:

void add(Relationship relationship);
void update(Relationship relationship);
void remove(Relationship relationship);

Here add() creates a new relationship, while update() and remove() modify or delete an existing one.
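The following is an added example (not code from the original post or from the PicketLink project) that ties the user, group and role sections above to the RelationshipManager: it creates the sample user, the employees/managers groups and an admin role, links them with GroupMembership and Grant relationships, checks membership and role, lists the grants through a relationship query, and finally revokes the role, which is the remove() operation on the relationship. It assumes the PicketLink 2.5.x IDM API (BasicModel, Grant, GroupMembership, Role, RelationshipQuery are PicketLink classes); the class name RelationshipExample, the grantedRoles() helper and the role name "admin" are my own.

```java
// Added example for the relationships section; not part of the original post or the
// PicketLink project. Assumes the PicketLink 2.5.x IDM API.
import java.util.ArrayList;
import java.util.List;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.RelationshipManager;
import org.picketlink.idm.config.IdentityConfigurationBuilder;
import org.picketlink.idm.internal.DefaultPartitionManager;
import org.picketlink.idm.model.basic.BasicModel;
import org.picketlink.idm.model.basic.Grant;
import org.picketlink.idm.model.basic.Group;
import org.picketlink.idm.model.basic.GroupMembership;
import org.picketlink.idm.model.basic.Realm;
import org.picketlink.idm.model.basic.Role;
import org.picketlink.idm.model.basic.User;
import org.picketlink.idm.query.RelationshipQuery;

public class RelationshipExample {

    /** Builds a PartitionManager backed by the in-memory file-based identity store. */
    static PartitionManager bootstrap() {
        IdentityConfigurationBuilder builder = new IdentityConfigurationBuilder();
        builder.named("default").stores().file().preserveState(false).supportAllFeatures();
        PartitionManager partitionManager = new DefaultPartitionManager(builder.buildAll());
        partitionManager.add(new Realm(Realm.DEFAULT_REALM));
        return partitionManager;
    }

    /** Lists the names of the roles granted directly to a user (what an access review would report). */
    static List<String> grantedRoles(RelationshipManager relationshipManager, User user) {
        RelationshipQuery<Grant> query = relationshipManager.createRelationshipQuery(Grant.class);
        query.setParameter(Grant.ASSIGNEE, user);
        List<String> names = new ArrayList<>();
        for (Grant grant : query.getResultList()) {
            names.add(grant.getRole().getName());
        }
        return names;
    }

    public static void main(String[] args) {
        PartitionManager partitionManager = bootstrap();
        IdentityManager identityManager = partitionManager.createIdentityManager();
        RelationshipManager relationshipManager = partitionManager.createRelationshipManager();

        // Identity objects (User, Group, Role) are persisted through the IdentityManager ...
        User jdoe = new User("jdoe");
        identityManager.add(jdoe);
        Group employees = new Group("employees");
        identityManager.add(employees);
        Group managers = new Group("managers", employees);   // child of employees, as in the post
        identityManager.add(managers);
        Role admin = new Role("admin");                      // constructed sample role
        identityManager.add(admin);

        // ... while the typed associations between them go through the RelationshipManager.
        relationshipManager.add(new GroupMembership(jdoe, managers));   // same as BasicModel.addToGroup(...)
        BasicModel.grantRole(relationshipManager, jdoe, admin);        // wraps relationshipManager.add(new Grant(jdoe, admin))

        System.out.println("member of managers: " + BasicModel.isMember(relationshipManager, jdoe, managers));
        System.out.println("has role admin:     " + BasicModel.hasRole(relationshipManager, jdoe, admin));
        System.out.println("granted roles:      " + grantedRoles(relationshipManager, jdoe));

        // Revoking is the remove() operation on the Grant relationship; the Role object itself remains.
        BasicModel.revokeRole(relationshipManager, jdoe, admin);
        System.out.println("has role admin after revoke: " + BasicModel.hasRole(relationshipManager, jdoe, admin));
        System.out.println("granted roles after revoke:  " + grantedRoles(relationshipManager, jdoe));
    }
}
```

The point to notice is the split of responsibilities: the IdentityManager owns the identity objects, the RelationshipManager owns the links between them, so an access review is a relationship query (as in grantedRoles()) and revoking access deletes a relationship without touching the user or the role.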

You can read more about the integration side in the following JBoss documentation:

https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Portal/5.1/html/Reference_Guide/sect-Reference_Guide-PicketLink_IDM_integration.html

If you want to try a sample application with IDM to get a feel for how it works, go to the links below and follow the steps to deploy and test it on WildFly.

https://community.jboss.org/wiki/IDMdistributionInstallation

https://github.com/pedroigor/picketlink-quickstarts/tree/master/picketlink-authorization-idm-jpa

Note: Maven needs to be configured to deploy the sample application; it can be downloaded from here.
