Adobe
Sign in Privacy My Adobe

Just-in-time provisioning | LiveCycle ES2 (9.0.0.2)

Adobe Community Help


Products Affected

Contact support

LiveCycle ES2 Service Pack 2 (9.0.0.2) supports just-in-time provisioning of users that don’t yet exist in User Management. Just-in-time provisioning creates users dynamically in User Management once an authentication provider has successfully authenticated their credentials. Additionally, relevant roles and groups are assigned dynamically to the new user.

Need for just-in-time user provisioning

The following algorithm describes the traditional authentication mechanism:

  1. When a user tries to log in to LiveCycle ES2, User Management passes their credentials sequentially to all available authentication providers. (Login credentials include username/password combination, Kerberos ticket, PKCS7 signature, and so on.)
  2. The authentication provider validates the credentials. 
  3. The authentication provider then checks if the user exists in the User Management database. The following statuses are possible:
  • Exists: If the user is current and unlocked, User Management returns authentication success. However, if the user is not current or is locked, User Management returns authentication failure.
  • Does not exist: User Management returns authentication failure.
  • Invalid: User Management returns authentication failure.
  1. The result returned by the authentication provider is evaluated. If the authentication provider returned authentication success, the user is allowed to log in. Otherwise, User Management checks with the next authentication provider (steps 2-3). 
  2. Authentication failure is returned if no available authentication provider validates the user credentials.

Improvising the mechanism described above, just-in-time provisioning creates new users dynamically in User Management if one of the authentication providers validates their credentials. (After step 3 in the above algorithm.)

Implement just-in-time user provisioning

 New APIs

LiveCycle ES2 Service Pack 2 (9.0.0.2) provides the following new APIs for just-in-time provisioning: 

package com.adobe.idp.um.spi.authentication;
public interface IdentityCreator {
/** 
* Tries to create a user with the information provided in the <code>UserProvisioningBO</code> object. 
* If the user is successfully created, a valid AuthResponse is returned along with the information using which the user was created. 
* It is the responsibility of the IdentityCreator to set the User object in the credential map with the key <code>UMAuthenticationUtil.authenticatedUserKey</code> 
* The credentials are available in the <code>UserProvisioningBO</code> object in the 'credentials' property.
* If the IdentityCreator is unable to create a user due to any reason, it returns <code>null</code> 
* @param userBO An object of <code>com.adobe.idp.um.spi.authenticationUserProvisioningBO</code> 
* @return */public AuthResponse create(UserProvisioningBO userBO);

/** 
* Returns the name of the IdentityCreator which will be registered in preferences. 
* This name is used to associate the IdentityProvider with the Auth Provider Configuration in the domain. 
* @return The name of the Identity Creator which is recognized in Configuration. 
*/
public String getName();
}

 

package com.adobe.idp.um.spi.authentication;
import com.adobe.idp.um.api.infomodel.User;
public interface AssignmentProvider {

/** 
* Tries to assign roles or permissions or group memberships to users created via Just-in-time provisioning. 
* @param user The User created via the Just-in-time provisioning process. 
* @return a Boolean flag indicating whether the assignment was successful or not. 
*/
public Boolean assign(User user);

/** 
* Returns the name of the AssignmentProvider through which it is registered under preferences. 
* This name is used to associate the AssignmentProvider with the Auth Provider Configuration in the domain. 
* @return The name of the AssignmentProvider which is recognized in Configuration. 
*/public String getName();

} 

 

Considerations while creating a just-in-time-enabled domain 

  • While creating a custom IdentityCreator for a hybrid domain, ensure that a dummy password is specified for the local user. Do not leave this password field empty.
  • Recommendation: Use DomainSpecificAuthentication to validate user credentials against a specific domain.

Create a just-in-time-enabled domain 

  1. Write a DSC implementing the new APIs discussed in New APIs.
  2. Deploy the DSC to the LiveCycle ES2 server.
  3. Create a just-in-time-enabled domain:
  • In LiveCycle Administration Console, click Settings > User Management > Domain Management > New Enterprise Domain.
  • Specify the general domain parameters. See "Setting up and managing domains" in LiveCycle Administration Help.
  • Select Enable Just In Time Provisioning.
  • Add authentication providers. While adding authentication providers, on the New Authentication screen, select a registered Identity Creator and Assignment Provider.
  • Save the new domain.

Behind the scenes

Assume that a user is trying to log in to LiveCycle ES2 and an authentication provider accepts their user credentials. If the user doesn’t yet exist in the User Management database, the identity check for the user fails. LiveCycle ES2 now performs the following actions: 

  1. Create a UserProvisioningBO object with the authentication data and place it in a credential map.
  2. Based on domain information returned by UserProvisioningBO, fetch and invoke the registered IdentityCreator and AssignmentProvider for the domain.
  3. Invoke IdentityCreator. If it returns a successful AuthResponse, extract UserInfo from the credential map. Pass it to the AssignmentProvider for group/role assignment and any other post-processing after the user is created.
  4. If the user is created successfully, return the login attempt by the user as successful.
  5. For hybrid domains, pull user information from the authentication data provided to the authentication provider. If this information is fetched successfully, create the user on-the-fly.

Note: The just-in-time provisioning feature ships with a default implementation of IdentityCreator that you can use to dynamically create users. Users are created with the information associated with the directories in the domain.

Keywords: cpsid_87493

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.

Legal Notices   |   Online Privacy Policy

Products

Download

Support & Learning

Buy

Company

Choose your region

Copyright © 2013 Adobe Systems Incorporated. All rights reserved.

Terms of Use | Privacy | Cookies

Reviewed by TRUSTe: site privacy statement