Hi, We are doing authentication and authorization against LDAP and also behind Open SSO connected to LDAP for fully MarkLogic web apps and services, but it is not a trivial matter. It requires external web services to access LDAP or in the case of Open SSO a significant amount of infrastructure there as well.
In addition, there is significant code written in XQuery to support stable / cross-application sessions, user profile management, and user creation / management to make this possible within MarkLogic. We are caching the roles and other user information in MarkLogic, but only on a brief session basis. Users are even cleaned out of ML if not accessed for an extended period of time because we have multi-millions of users. If not done this way, then synchronization can become an issue. We are using a Java / Jetty based solution to access LDAP as a web service from within MarkLogic for getting the user profile and roles information when not fronted with Open SSO.

For more information, we may want to take this offline, perhaps with some phone time.

David J. Steiner
Principal Engineer
[email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Jeroen Pulles
Sent: Tuesday, October 06, 2009 9:17 AM
To: General Mark Logic Developer Discussion
Subject: Re: [MarkLogic Dev General] Integration with single sign on and directory services?

Hi Geert and others,

> It mainly depends on where you need access to the
> permissions/privileges/users, and what artifacts are already in place. It is
> not uncommon to have user administration in an LDAP server. In that case you
> don't want to replicate all user info into MarkLogic database, as that would
> involve continuous synchronisation.

In this particular case, there are +1000 users that authenticate against a +10000 users identity provider, so there's a real benefit in using that existing infrastructure.

> If you want to fully utilize the security layer of MarkLogic, then perform
> all authentication and authorisation against the MarkLogic database. Should
> be that very difficult, though there is no LDAP api for connecting to
> MarkLogic. (Perhaps a nice to have? ;)

No, I'd want it the other way round and have MarkLogic use an existing directory service and authentication provider. The MarkLogic users are only a subset of the complete user database.

Am I right in believing that Mark Logic Server does not support application-external authentication and role mapping?

regards,
Jeroen

2009/10/5 Geert Josten <[email protected]>:
> Hi Jeroen,
>
> It mainly depends on where you need access to the
> permissions/privileges/users, and what artifacts are already in place. It is
> not uncommon to have user administration in an LDAP server. In that case you
> don't want to replicate all user info into MarkLogic database, as that would
> involve continuous synchronisation.
>
> If you want to fully utilize the security layer of MarkLogic, then perform
> all authentication and authorisation against the MarkLogic database. Should
> be that very difficult, though there is no LDAP api for connecting to
> MarkLogic. (Perhaps a nice to have? ;)
>
> Kind regards,
> Geert
>
> Drs. G.P.H. Josten
> Consultant
>
> http://www.daidalos.nl/
> Daidalos BV
> Source of Innovation
> Hoekeindsehof 1-4
> 2665 JZ Bleiswijk
> Tel.: +31 (0) 10 850 1200
> Fax: +31 (0) 10 850 1199
> http://www.daidalos.nl/
> KvK 27164984
> The information sent in or with this e-mail message originates from
> Daidalos BV and is intended solely for the addressee. If you have received
> this message unintentionally, we ask you to delete it. No rights can be
> derived from this message.
>
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of
>> Jeroen Pulles
>> Sent: Monday, 5 October 2009 15:30
>> To: General Mark Logic Developer Discussion
>> Subject: [MarkLogic Dev General] Integration with single sign
>> on and directory services?
>>
>> Hi,
>>
>> What are the possibilities for Mark Logic Server to integrate
>> with a single sign on (SSO) system for user authentication
>> and directory services for mapping group membership to Mark
>> Logic roles? I am specifically interested in integration with
>> a SAML 2.0 environment.
>>
>> My application has a Java layer in place in front of Mark
>> Logic. All access to Mark Logic Server is done over the XCC
>> connector. I /could/ do all privilege and permission control
>> in the Java layer. That seems to be a waste to me as ML
>> newbie, however, since the permissions/privilege
>> functionality is just what I want for my document management.
>> And I don't want to end up duplicating existing document
>> permissions/privilege functionality.
>>
>> Any advice?
>>
>> regards,
>> Jeroen
>>
>> --
>> Jeroen Pulles
>> Xopus B.V., The Netherlands
>>
>> Xopus: The web based WYSIWYG XML Editor

_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general

NOTICE: This email message is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.
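David Steiner's reply above describes keeping group membership in the directory, caching the mapped roles in the application only for a brief session window, and purging users who go idle so the cache never turns into a second user database that has to be synchronised. The following is an added illustration of that pattern, written for this page; it is not code from the thread, from MarkLogic, or from the Jetty service he mentions. The directory contents, the group DNs, the group-to-role mapping and the timeouts are all constructed stand-ins, and a fake clock replaces wall-clock time so the expiry behaviour can be exercised without waiting.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Constructed directory contents (stand-in for LDAP): user -> group DNs.
DIRECTORY: Dict[str, List[str]] = {
    "alice": ["cn=editors,ou=groups,dc=example,dc=com",
              "cn=staff,ou=groups,dc=example,dc=com"],
    "bob": ["cn=staff,ou=groups,dc=example,dc=com"],
}

# Assumed mapping from directory groups to application roles.
GROUP_TO_ROLE: Dict[str, str] = {
    "cn=editors,ou=groups,dc=example,dc=com": "doc-writer",
    "cn=staff,ou=groups,dc=example,dc=com": "doc-reader",
}


class FakeClock:
    """Deterministic clock so expiry can be tested without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class CountingDirectory:
    """Directory lookup stand-in that counts round trips to the directory."""
    def __init__(self, data: Dict[str, List[str]]) -> None:
        self.data = data
        self.lookups = 0

    def groups(self, user: str) -> Optional[List[str]]:
        self.lookups += 1
        return self.data.get(user)


@dataclass
class Entry:
    roles: FrozenSet[str]
    fetched_at: float    # when the roles were last read from the directory
    last_access: float   # when the user last touched the application


class RoleCache:
    def __init__(self, directory: CountingDirectory, clock: Callable[[], float],
                 roles_ttl: float, idle_ttl: float) -> None:
        self.directory = directory
        self.clock = clock
        self.roles_ttl = roles_ttl   # brief session window during which cached roles are trusted
        self.idle_ttl = idle_ttl     # how long an idle user is kept before being purged
        self._entries: Dict[str, Entry] = {}

    def roles_for(self, user: str) -> Optional[FrozenSet[str]]:
        """Return the user's roles, re-reading the directory once the session window expires."""
        now = self.clock()
        entry = self._entries.get(user)
        if entry is not None and now - entry.fetched_at < self.roles_ttl:
            entry.last_access = now
            return entry.roles
        groups = self.directory.groups(user)
        if groups is None:
            # User no longer exists upstream: drop any stale entry and deny.
            self._entries.pop(user, None)
            return None
        roles = frozenset(GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE)
        self._entries[user] = Entry(roles, now, now)
        return roles

    def purge_idle(self) -> List[str]:
        """Remove users not seen for idle_ttl; returns the purged user names."""
        now = self.clock()
        idle = [u for u, e in self._entries.items() if now - e.last_access >= self.idle_ttl]
        for u in idle:
            del self._entries[u]
        return sorted(idle)

    def cached_users(self) -> List[str]:
        return sorted(self._entries)


def demo() -> dict:
    """Walk through the cache lifecycle on the constructed data."""
    clock = FakeClock()
    directory = CountingDirectory(dict(DIRECTORY))
    cache = RoleCache(directory, clock, roles_ttl=300, idle_ttl=3600)
    result = {}
    result["first"] = cache.roles_for("alice")             # one directory round trip
    result["second"] = cache.roles_for("alice")            # served from the session cache
    result["lookups_after_second"] = directory.lookups
    clock.advance(301)                                     # session window elapsed
    directory.data["alice"] = ["cn=staff,ou=groups,dc=example,dc=com"]  # alice loses editors upstream
    result["after_change"] = cache.roles_for("alice")      # re-fetched, doc-writer is gone
    cache.roles_for("bob")
    del directory.data["bob"]                              # bob removed from the directory
    clock.advance(301)
    result["bob_removed"] = cache.roles_for("bob")         # None: denied and dropped
    clock.advance(3600)                                    # alice idle longer than idle_ttl
    result["purged"] = cache.purge_idle()
    result["remaining"] = cache.cached_users()
    result["lookups"] = directory.lookups
    return result


if __name__ == "__main__":
    print(demo())
```

The two timeouts are deliberately separate: the short one bounds how long a revoked group membership can keep granting a role, while the long one bounds how many user records the application holds at all, which is the synchronisation problem the message describes.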
