How Registry Interfaces With Active Directory

From FMR Knowledge Base
Revision as of 07:39, 31 May 2022 by Plazarou (talk | contribs) (Invalid Credentials)
Jump to navigation Jump to search

Active Directory can be used as the security manager for Fusion Metadata Registry. Configuration of this is explained here.


Invalid Credentials

If the user provides incorrect credentials to the Fusion Registry, the following communication takes place:

AD-Unsuccessful.png

1) The Registry receives an HTTP (or HTTPS) Servlet Request from the browser. This request carries the username and password as supplied from the login page of the Registry.
2) From this request object, an Authentication token is created within the Registry and sent as an LDAP (or LDAPS) connection to the Active Directory server. This token only contains the userid and password as supplied in the previous stage. The Naming Manager apect of Active Directory attempts to resolve the supplied credentials.
3) Since the credentials were not authorised by the Naming Manager, Active Directory responds with an LDAP (or LDAPS) response informing of the incorrect credentials
4) Fusion Registry responds to the browser with an HTTP Servlet Response containing the information that the authentication request was unsuccesful, along with a status code for the reason.

Succesfull Access

AD-Successful.png

1) The Registry receives an HTTP (or HTTPS) Servlet Request from the browser. This request carries the username and password as supplied from the login page of the Registry.
2) From this request object, an Authentication token is created within the Registry and sent as an LDAP (or LDAPS) connection to the Active Directory server. This token only contains the userid and password as supplied in the previous stage. The Naming Manager apect of Active Directory attempts to resolve the supplied credentials.
3) The credentials are authorised within Active Directory and it responds with an LDAP (or LDAPS) response stating the credentials are correct.
4) The Fusion Registry issues another request to Active Directory, specifying the search and filter criteria (along with the authenticated Principal).
5) Active Directory uses the seach information to obtain information regarding the user, essentially which groups the user is a member of.
6) Fusion Registry constructs an XXX object stating what organisations the user can access, and responds to the browser with an HTTP Servlet Response containing the information that the authentication request was succesful