Difference between revisions of "How Registry Interfaces With Active Directory"

From FMR Knowledge Base
Jump to navigation Jump to search
(Succesfull Access)
(Succesfull Access)
Line 15: Line 15:
  
 
=Succesfull Access=
 
=Succesfull Access=
 +
 +
If the user provides the correct credentials to the Fusion Registry and a valid mapping has been defined to map the user's Active Directory groups to that of Fusion Registry, the following communication takes place:
  
 
[[File:AD-Successful.png]]
 
[[File:AD-Successful.png]]

Revision as of 08:21, 31 May 2022

Active Directory can be used as the security manager for Fusion Metadata Registry. Configuration of this is explained here.


Invalid Credentials

If the user provides incorrect credentials to the Fusion Registry, the following communication takes place:

AD-Unsuccessful.png

1) The Registry receives an HTTP (or HTTPS) Servlet Request from the browser. This request carries the username and password as supplied from the login page of the Registry.
2) From this request object, an Authentication token is created within the Registry and sent as an LDAP (or LDAPS) connection to the Active Directory server. This token only contains the userid and password as supplied in the previous stage. The Naming Manager apect of Active Directory attempts to resolve the supplied credentials.
3) Since the credentials were not authorised by the Naming Manager, Active Directory responds with an LDAP (or LDAPS) response informing of the incorrect credentials
4) Fusion Registry responds to the browser with an HTTP Servlet Response containing the information that the authentication request was unsuccesful, along with a status code for the reason.

Succesfull Access

If the user provides the correct credentials to the Fusion Registry and a valid mapping has been defined to map the user's Active Directory groups to that of Fusion Registry, the following communication takes place:

AD-Successful.png

1) The Registry receives an HTTP (or HTTPS) Servlet Request from the browser. This request carries the username and password as supplied from the login page of the Registry.
2) From this request object, an Authentication token is created within the Registry and sent as an LDAP (or LDAPS) connection to the Active Directory server. This token only contains the userid and password as supplied in the previous stage. The Naming Manager apect of Active Directory attempts to resolve the supplied credentials.
3) The credentials are authorised within Active Directory and it responds with an LDAP (or LDAPS) response stating the credentials are correct.
4) The Fusion Registry issues another request to Active Directory, specifying the search and filter criteria (along with the authenticated Principal).
5) Active Directory uses the search information, which was supplied when the Active Directory connection was definied in the Fusion Registry, to obtain information regarding the user. This is essentially which groups the user is a member of.
6) Fusion Registry constructs a UsernamePasswordAuthenticationToken which defines what organisations the user can access, and responds to the browser with an HTTP Servlet Response containing the information that the authentication request was succesful.

User has no Permissions within the Registry

In this scenario, the user provides valid credentials but as defined within Active Directory the user has no permissions in Fusion Registry.

This follows the sequence of events as if the user has succesfully accessed Active Directory up to stage 5. This is because the user has provided credentials that Active Directory has validated as correct. The groups for this user are supplied back to Fusion Registry and are checked within the "Fusion Granted Authority". Since there are no roles for this user to perform, a "NoRolesException" is thrown and a response is sent from the Fusion Registry to the web browser that this user has no permissions within Fusion Registry and is not granted access.