Hi Daniel,
see my replies below.

Regards.

On 04/06/2014 20:07, Daniel Gay wrote:
> I was looking to authenticate users in an existing database resource, and during my research I came to the below conclusions. Can someone confirm that these conclusions are correct?
>
> 1 - synchronizing passwords with the resource will not work unless the passwords are in clear text

Without any further customization on your own deployment, this is true.

However, if you know in advance the cipher algorithm with which passwords are stored in the external resource (and if such algorithm is supported by Syncope), you can write a custom synchronization action [1] that will go over the ordinary password set mechanism, which takes a cleartext value and performs ciphering.

Similarly, if the cipher algorithm on the external resource is invertible (say AES) and you know the key, you can simply decrypt the password and set it on the user using the standard procedure.

> 2 - Syncope does not support authentication through a ConnId connector, even if I wrote a custom one specific to my existing database (via the AuthenticateOp interface)

Correct.

> 3 - JIRA issue SYNCOPE-160 addresses this problem (so is targeted for Syncope 3.0)

Correct: you can, however, write your own Spring Security authentication provider - possibly extending [2] - which can delegate the authentication to the external resource, and configure it in

core/src/main/resources/securityContext.xml

HTH

[1] https://cwiki.apache.org/confluence/display/SYNCOPE/SyncActionsClass
[2] http://svn.apache.org/repos/asf/syncope/branches/1_1_X/core/src/main/java/org/apache/syncope/core/security/SyncopeAuthenticationProvider.java

--
Francesco Chicchiriccò

Tirasa - Open Source Excellence
http://www.tirasa.net/

Involved at The Apache Software Foundation:
member, Syncope PMC chair, Cocoon PMC, Olingo PMC
http://people.apache.org/~ilgrosso/