How Registry Interfaces With Active Directory

From FMR Knowledge Base
Revision as of 07:11, 31 May 2022 by Plazarou (talk | contribs)

Active Directory can be used as the security manager for Fusion Metadata Registry. Configuration of this is explained here.


Invalid Credentials

If the user provides incorrect credentials to the Fusion Registry, the following communication takes place:

Figure: AD-Unsuccessful.png

1) The Registry receives an HTTP (or HTTPS) Servlet Request from the browser. This request carries the username and password as entered on the Registry's login page.
2) From this request object an authentication token is created within the Registry and sent over an LDAP (or LDAPS) connection to the Active Directory server as a bind request. This token contains only the user id and password supplied in the previous step. The Naming Manager aspect of Active Directory attempts to resolve the supplied credentials.
3) Since the credentials were not accepted by the Naming Manager, Active Directory responds with an LDAP (or LDAPS) response indicating that the credentials are incorrect.
4) Fusion Registry responds to the browser with an HTTP Servlet Response stating that the authentication request was unsuccessful, along with a status code giving the reason.

Successful Access

Figure: AD-Successful.png

1) The Registry receives an HTTP (or HTTPS) Servlet Request from the browser. This request carries the username and password as entered on the Registry's login page.
2) From this request object an authentication token is created within the Registry and sent over an LDAP (or LDAPS) connection to the Active Directory server as a bind request. This token contains only the user id and password supplied in the previous step. The Naming Manager aspect of Active Directory attempts to resolve the supplied credentials.
3) Since the credentials were accepted by the Naming Manager, Active Directory responds with an LDAP (or LDAPS) response indicating that the bind succeeded.
4) Using the LDAP context obtained from the successful bind, the Registry searches Active Directory for the user's directory object.
5) Active Directory returns the matching entry, which carries the user's details such as the DN.
6) Fusion Registry responds to the browser with an HTTP Servlet Response stating that the authentication request was successful, along with the organisations that the user can access.



The Active Directory service is queried to obtain a DirContext object; this is an InitialLdapContext.

Failure: for bad credentials a Spring BadCredentialsException is thrown, which is converted into a FusionAuthenticationException; the HttpServletResponse returned to the browser then carries a 404 status.

Success:

The InitialLdapContext object is created. It is then used to search for the user's directory object.

That object is an org.springframework.ldap.core.DirContextAdapter and contains information about the user, such as the DN: CN=SOAP_Adam,OU=users,OU=Registry,OU=fusion,DC=metatech,DC=external
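The bind-then-search exchange described in both flows above, written out against the JDK's own JNDI LDAP provider. This is an added example for this page, not Fusion Registry's code: the page indicates the Registry goes through Spring's LDAP classes (BadCredentialsException, DirContextAdapter) rather than raw JNDI, and the class name, the directory URL, the UPN suffix, the search base and the username pattern below are all assumptions chosen to match the example DN on the page. It also adds two checks the page does not describe and that a practitioner would want in any bind-based login: rejecting empty passwords before contacting AD, and passing the username into the search filter as an escaped argument rather than by string concatenation.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/**
 * Bind-then-search authentication against Active Directory, mirroring the
 * exchanges described on this page. Illustrative code, not Fusion Registry's own.
 */
public final class AdBindAuthenticator {

    // Assumed deployment values; a real deployment takes these from configuration.
    private static final String PROVIDER_URL = "ldaps://dc1.metatech.external:636";
    private static final String UPN_SUFFIX   = "@metatech.external";
    private static final String SEARCH_BASE  = "OU=fusion,DC=metatech,DC=external";

    /** What the login handler gets back on success: the entry's DN and its group DNs. */
    public static final class AuthenticatedUser {
        public final String dn;
        public final List<String> memberOf;
        AuthenticatedUser(String dn, List<String> memberOf) { this.dn = dn; this.memberOf = memberOf; }
    }

    /**
     * @throws AuthenticationException if AD rejects the credentials (LDAP resultCode 49)
     * @throws NamingException         for any other directory error (DC unreachable, TLS failure, ...)
     */
    public static AuthenticatedUser authenticate(String username, char[] password) throws NamingException {
        // Guard before step 2: an LDAP simple bind with an empty password is an *unauthenticated*
        // bind (RFC 4513 section 5.1.2), which Active Directory accepts by default. Without this
        // check a blank password would come back from AD looking like a successful login.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            throw new AuthenticationException("username and password are both required");
        }
        // Assumed tightening: keep the bind principal to a plain account name so a value such as
        // "x@other.domain" cannot redirect the bind to a different UPN.
        if (!username.matches("[A-Za-z0-9._-]{1,64}")) {
            throw new AuthenticationException("malformed username");
        }

        // Step 2: the token sent to AD is only the user id and password, as a simple bind.
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);        // ldaps:// so the password is not sent in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, username + UPN_SUFFIX);
        env.put(Context.SECURITY_CREDENTIALS, password);     // JNDI accepts a char[] here

        LdapContext ctx = null;
        try {
            // Step 3: constructing the InitialLdapContext performs the bind. A rejected bind
            // surfaces as javax.naming.AuthenticationException; any other NamingException is
            // not "bad credentials" and must not be reported to the user as such.
            ctx = new InitialLdapContext(env, null);

            // Steps 4-5: bound as the user, look up the user's own entry. The username goes in
            // as a filter argument ({0}), which JNDI escapes, instead of being concatenated into
            // the filter string, so a username like "*)(objectClass=*" stays a literal value.
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"memberOf"});
            NamingEnumeration<SearchResult> hits = ctx.search(
                    SEARCH_BASE, "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {username}, sc);
            if (!hits.hasMore()) {
                // Credentials were valid but the account lives outside the configured subtree.
                throw new AuthenticationException("no user entry for " + username + " under " + SEARCH_BASE);
            }
            SearchResult entry = hits.next();
            List<String> groups = new ArrayList<>();
            Attribute memberOf = entry.getAttributes().get("memberOf");
            if (memberOf != null) {
                NamingEnumeration<?> values = memberOf.getAll();
                while (values.hasMore()) groups.add(String.valueOf(values.next()));
            }
            // getNameInNamespace() yields the full DN, e.g. CN=SOAP_Adam,OU=users,OU=Registry,...
            return new AuthenticatedUser(entry.getNameInNamespace(), groups);
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    /** How a login handler should classify a failure; the values are the standard HTTP ones. */
    public static int statusFor(NamingException e) {
        if (e instanceof AuthenticationException) return 401;  // bad credentials (the page's failure flow)
        if (e instanceof CommunicationException) return 503;   // DC unreachable: not a bad login
        return 500;
    }
}
```

The page above reports that the Registry itself answers a bad login with a 404; 401 is the status HTTP assigns to a failed authentication, and the point that matters for operations is the one the statusFor method makes: a directory outage or TLS failure must be surfaced differently from a rejected password, or every user will appear to be entering wrong credentials while the domain controller is down.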