External Identity Management

General

Jackrabbit Oak provides interfaces and some base classes to ease custom implementations of external authentication with optional user/group synchronization to the repository.

Identity Management API

Default Implementation

The oak-auth-external module comes with a default implementation of the ExternalIdentityProviderManager and an OSGi component that tracks all external IDPs that are registered via OSGi. While an OSGi setup is the recommended way, it can equally be used in non-OSGi environments by manually adding and removing the providers.

There is no default implementation for the other interfaces related to external identity management. However, Oak 1.0 provides support for third party authentication and identity management against LDAP, covered by a separate module, oak-auth-ldap. This is covered by section LDAP Integration.

Pluggability

Custom External Identity Management

In order to plug in a custom implementation of the external identity management, the following steps are required:

  • Write your own implementation of ExternalIdentityProvider, including your implementations of the external identities. Note: If you are running Oak in an OSGi-based setup, make sure the provider gets registered as an OSGi service, in which case it will be automatically tracked by the default ExternalIdentityProviderManager.
  • Deploy the bundle containing your implementation such that the IDP gets tracked by the ExternalIdentityProviderManager. In a non-OSGi environment you have to register it manually.
  • Link your identity provider to the ExternalLoginModule by configuring the IDP name accordingly (see section Configuration).

Examples

See CustomExternalIdentityProvider in the oak-exercise module for a very simplistic implementation for an OSGi-based Oak setup.
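A sketch of the first step above, added here as an illustration; it is not the oak-exercise class or other Oak project code. It shows the authenticate() contract: null when this provider does not handle the credentials or does not know the user, LoginException when the user exists but the password does not match. The class names, the IDP name "demo-idp" and the in-memory sample user are assumptions made for the example, and OSGi registration is omitted.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.*;

/** Hypothetical in-memory IDP; all names and sample data are constructed for illustration. */
public class DemoIdentityProvider implements ExternalIdentityProvider {
    // Assumed name; it must match the IDP name configured for the ExternalLoginModule.
    static final String NAME = "demo-idp";
    // Constructed sample store (user id -> password); a real provider asks the external system.
    private final Map<String, String> passwords =
            Collections.singletonMap("alice", "constructed-sample-secret");

    public String getName() { return NAME; }

    public ExternalUser authenticate(Credentials credentials) throws LoginException {
        if (!(credentials instanceof SimpleCredentials)) return null; // unsupported credentials type
        SimpleCredentials sc = (SimpleCredentials) credentials;
        String expected = passwords.get(sc.getUserID());
        if (expected == null) return null; // user unknown to this provider
        byte[] given = new String(sc.getPassword()).getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison; a mismatch must fail the login rather than return null.
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given)) {
            throw new LoginException("Invalid credentials for external user");
        }
        return new DemoUser(sc.getUserID());
    }

    public ExternalUser getUser(String userId) {
        return passwords.containsKey(userId) ? new DemoUser(userId) : null;
    }
    public ExternalIdentity getIdentity(ExternalIdentityRef ref) {
        // This sketch only resolves references that explicitly name this provider.
        return NAME.equals(ref.getProviderName()) ? getUser(ref.getId()) : null;
    }
    public ExternalGroup getGroup(String name) { return null; } // this sketch exposes no groups
    public Iterator<ExternalUser> listUsers() {
        List<ExternalUser> users = new ArrayList<>();
        passwords.keySet().forEach(id -> users.add(new DemoUser(id)));
        return users.iterator();
    }
    public Iterator<ExternalGroup> listGroups() { return Collections.emptyIterator(); }

    static final class DemoUser implements ExternalUser {
        private final String id;
        DemoUser(String id) { this.id = id; }
        public ExternalIdentityRef getExternalId() { return new ExternalIdentityRef(id, NAME); }
        public String getId() { return id; }
        public String getPrincipalName() { return id; }
        public String getIntermediatePath() { return null; }
        public Iterable<ExternalIdentityRef> getDeclaredGroups() { return Collections.emptyList(); }
        public Map<String, ?> getProperties() { return Collections.emptyMap(); }
    }
}
```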

Custom ExternalIdentityProviderManager

Since oak-auth-external provides a default ExternalIdentityProviderManager, a custom identity management doesn't need to provide a separate implementation of this interface.

If you wish to provide your own ExternalIdentityProviderManager in an OSGi environment, please make sure it gets properly referenced by the ExternalLoginModuleFactory.