Getting Started
Normally the three resource types you will use the most are:
- Identity Providers: the main resource; defines the enabled protocols (OIDC, SAML, etc.), authentication mechanisms, and so on
- Identity Sources: these resources define where user information is located. IAM.tf can retrieve user information from multiple/existing repositories.
- Applications: these are applications that use IAM.tf services to authenticate and identify users.
Identity Provider
To define an identity provider within IAM.tf you need to provide details about the protocols you want to enable. SAML is enabled by default, but you can add more. You also need to configure an authentication mechanism that defines how a user's identity is validated. Finally, you must configure a user repository (identity source) that tells the IdP how to retrieve user information.
Authentication Mechanism
- authn_basic : Username/password authentication
- authn_bind_ldap : Basic authentication that validates credentials by performing an LDAP/Directory bind.
- authn_client_cert : Authentication based on client SSL certificate.
- authn_wia : Windows Integrated authentication using a Domain Controller.
Keystore
You need to provide a PKCS#12 keystore with a key pair. You can use a self-signed certificate, or request one from your Certificate Authority.
- Generate a self-signed key pair using openssl
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes -subj /CN=MyIDP
openssl pkcs12 -export -in cert.pem -inkey key.pem -out idp.p12 -name "my-idp"
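The two commands above wrapped as an added example (not code from the IAM.tf docs): one function builds the PKCS#12 keystore with the export password taken from the environment instead of the command line, and a second checks that the resulting file actually opens, holds a private key, carries the "my-idp" friendly name and an unexpired certificate with the expected CN before the IdP is pointed at it. It assumes the openssl CLI is installed; CN, validity period, password and output directory are constructed values.

```shell
#!/bin/sh
# Added example (not from the IAM.tf docs): build the self-signed PKCS#12
# keystore an IdP needs and check it before the IdP configuration refers to it.
set -eu

# make_idp_keystore CN DAYS PASSWORD OUTDIR
# Generates a 4096-bit RSA key pair plus a self-signed certificate and packs
# both into OUTDIR/idp.p12 under the friendly name "my-idp", as in the docs.
make_idp_keystore() {
  cn=$1; days=$2; pass=$3; out=$4
  mkdir -p "$out"
  openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days "$days" \
    -subj "/CN=$cn" -keyout "$out/key.pem" -out "$out/cert.pem" 2>/dev/null
  # The export password encrypts the private key inside the .p12. It is passed
  # through the environment so it never appears in the process list.
  P12_PASS=$pass openssl pkcs12 -export -name "my-idp" -passout env:P12_PASS \
    -in "$out/cert.pem" -inkey "$out/key.pem" -out "$out/idp.p12"
  chmod 600 "$out/key.pem" "$out/idp.p12"   # only the IdP process should read these
}

# verify_keystore P12 PASSWORD EXPECTED_CN
# Succeeds (exit 0) only when the keystore opens with PASSWORD, contains a
# private key, and its certificate carries CN=EXPECTED_CN and is not expired.
# The private key is only piped through memory, never written out in clear.
verify_keystore() {
  p12=$1; pass=$2; want_cn=$3
  P12_PASS=$pass openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
    | openssl pkey -noout 2>/dev/null || return 1
  cert=$(P12_PASS=$pass openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || return 1
  printf '%s\n' "$cert" | grep -q 'friendlyName: my-idp' || return 1
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null || return 1
  printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt RFC2253 \
    | grep -q "CN=$want_cn\$" || return 1
}

# Stand-alone use with constructed values: P12_PASSWORD must be set by the caller.
if [ -n "${P12_PASSWORD:-}" ]; then
  make_idp_keystore "${IDP_CN:-MyIDP}" 365 "$P12_PASSWORD" "${KEYSTORE_DIR:-./idp-keystore}"
  verify_keystore "${KEYSTORE_DIR:-./idp-keystore}/idp.p12" "$P12_PASSWORD" "${IDP_CN:-MyIDP}" \
    && echo "keystore OK"
fi
```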
User Repository
IdPs require at least one user repository. You configure them by referring to an identity source resource.
Identity Sources
Identity sources are repositories like directory servers (LDAP) or databases that store information about users. IAM.tf supports most of the
- iamtf_idsource_ldap : Directory server.
- iamtf_idsource_db : Relational DB with any schema.
- iamtf_idvault : Built-in user repository
Applications
Applications are also referred to as service providers (SPs). IAM.tf provides a wide variety of mechanisms to integrate SPs, for example OpenID Connect (OIDC), SAML, OAuth, Native Agents and even your own custom protocol.
It is possible to configure your IdP to use different configuration settings for each application, in particular protocol options and the set of user attributes that will be provided as claims.
Tips
Native Agents are provided for JEE, Apache, MS Internet Information Server and PHP.
Keystore
Some application types, such as SAML service providers and Native Agents, also require a keystore file.
Native Agents
IAM.tf provides a set of SSO/IAM agents that can be installed in the SP's execution environment (i.e. a web container) and handle the protocol interactions on behalf of the application. Agents are especially useful when integrating legacy applications (JEE, .Net, PHP, Apache).