This sample use case configures an Identifier First Adapter instance that determines a user's population from the identifier the user enters (an email address or a username), and an authentication policy that routes each sign-on request to the authentication source tailored for that population.
This task and sample use case involve the following configurations in the administrative console:
- An expression-enabled environment. See step 1.
- An authentication policy contract to carry the email address from your organization to your partners. See step 2.
- A Java Database Connectivity (JDBC) datastore connecting to the database that hosts username, email, and domain information. See step 4.
- An Identifier First Adapter instance with an attribute source lookup configuration and a contract fulfillment through expressions for the domain adapter attribute. See step 7.
- An authentication policy to route user requests to different authentication sources based on user populations. See step 9.
To configure a policy for multiple user populations:
- Enable expressions. For configuration steps, see Enabling and disabling expressions.
- Go to Authentication > Policies > Policy Contracts.
- To create an authentication policy contract without any additional attributes, click Create New Contract.
- Go to System > Data & Credential Stores > Data Stores and click Add New Data Store.
- On the Data Store Type tab:
  - In the Name field, enter a name.
  - In the Type list, select Database (JDBC) to create a JDBC datastore connection to the database that hosts username, email, and domain information.
- Create an Identifier First Adapter instance:
  - Follow steps 1 through 6 in Configuring an Identifier First Adapter instance.
  - For this sample use case, name the adapter instance ID 1st.
- Go to Applications > Integration > Adapter-to-Adapter Mappings.
  - In the Source Instance and Target Instance lists, select the appropriate adapters and click Add Mapping.
- On the Attribute Sources & User Lookup tab, click Add Attribute Source.
  Note: For more information about configuring the following steps, see Datastore query configuration.
- On the Data Store tab, enter an ID in the Attribute Source ID field and a name in Attribute Source Description, such as domainInfo and Domain Info, respectively.
- In the Active Data Store list, select the JDBC datastore that you created previously. Click Next.
- On the Database Table and Columns tab, select the applicable options in the Schema and Table lists.
- In the Columns to return from Select list, select dsDomain, and click Add Attribute. Click Next.
- On the Database Filter tab, in the Where field, specify a filter to search by an identifier that can handle identifiers in the format of an email address or a username, such as dsUid='${subject}' OR dsMail='${subject}'. Click Next.
- On the Summary tab, click Done.
- On the Adapter Contract Fulfillment tab, configure the following.
  - domain: in the Source list, select Expression, and in the Value field enter the following expression:
    #this.get("domain").toString().matches("(?i).+") ? #this.get("domain") : #this.get("ds.domainInfo.dsDomain")
  - subject: in the Source list, select Adapter. No Value selection is required.
  The expression checks the domain attribute value returned by the Identifier First Adapter. If the value contains one or more characters, the expression uses it as the value for the domain attribute. Otherwise, it uses the dsDomain column value returned from the JDBC datastore (ds.domainInfo.dsDomain, where domainInfo is the Attribute Source ID entered earlier). In other words, this expression handles identifiers in the format of an email address, where the adapter already supplies the domain, as well as bare usernames, where the domain must come from the datastore lookup.
  Note: This sample expression is intended to demonstrate the capability of the Identifier First Adapter. Depending on the actual use case, expressions might vary.
  For more information about expressions, see Construct OGNL expressions.
- Click Next.
- On the Issuance Criteria tab, click Next.
  Note: Depending on the actual use case, you can add issuance criteria as needed.
- On the Adapter-to-Adapter Summary tab, review your configuration and click Save to save your changes and exit the mapping configuration.
- Create an authentication policy with rules that form policy paths based on the domain attribute values returned by the Identifier First Adapter:
- Go to Authentication > Policies > Policies.
- On the Policies tab, click Add Policy.
- In the Policy page, enter a Name, and optionally a Description for the policy.
- In the Policy section, select from the list the Identifier First Adapter instance created in step 7.
- Click Rules to open the Rules modal.
- Add three policy rules as follows, one rule for each expected domain attribute value:
  - Attribute Name: domain; Condition: equal to; Value: example.com; Result: Example COM
  - Attribute Name: domain; Condition: equal to; Value: example.org; Result: Example ORG
  - Attribute Name: domain; Condition: equal to; Value: example.info; Result: Example INFO
- Clear the Default to Success check box. This disables the policy path for the case where the domain attribute value from the Identifier First Adapter instance matches none of the values configured on the Rules modal, so such requests fail instead of falling through to a default path. If you want an authentication policy path for unexpected domain attribute values, leave the Default to Success check box selected. For more information about rules, see Configuring rules in authentication policies.
- Click Done to close the Rules modal.
  With three policy rules added and the Default to Success option disabled, the Identifier First Adapter instance policy configuration contains four policy paths: Fail, Example COM, Example ORG, and Example INFO.
- Click Options to open the Incoming User ID modal.
- In the Source list, select Adapter (ID 1st).
- In the Attribute list, select subject.
- Click Done to close the Incoming User ID modal.
For more information, see Specifying incoming user IDs.
- Configure the four policy paths as follows:
  - Fail
    - Click Done, which terminates the request in an error condition.
  - Example COM
    - Select the HTML Form Adapter instance. This path in turn contains two paths, Fail and Success, which you configure as follows:
      - Fail: Click Done, which terminates the request in an error condition.
      - Success: In the list, select the policy contract created in step 2.
  - Example ORG (and then Example INFO)
    - Select the OpenToken IdP Adapter instance. This path also contains two paths, Fail and Success.
    - Configure each policy path using the same steps documented for the Example COM policy path.
- In each Success section, click Contract Mapping to open the Authentication Policy Contract Mapping window.
- Go to the Contract Fulfillment tab and configure the contract fulfillment for each authentication policy contract as follows (Result from rules: Adapter Contract; Source; Value).
  - Example COM: subject; Adapter (htmlForm); mail
  - Example ORG: subject; Adapter (openTokenIdp); mail
  - Example INFO: subject; Adapter (openTokenIdp); mail
  For more information, see Configuring contract mapping.
- Click Done. Click Save.
You have successfully configured an Identifier First Adapter instance and an authentication policy to prompt the user for their identifier first, determine their user population, and route the request to the desired authentication policy path.
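To make the routing decision in this use case concrete end to end, the following Python script models the chain the configuration above builds: the attribute source lookup (the page's Database Filter, dsUid='${subject}' OR dsMail='${subject}', run as a parameterised query against an in-memory SQLite table), the contract-fulfillment expression for domain, and the three policy rules with Default to Success cleared or selected. It is an added example and not code from the page or from PingFederate. The column names dsUid, dsMail and dsDomain are from the page; the table name users and the sample rows are constructed; the way the adapter derives domain from an email-shaped identifier and the exact, case-sensitive comparison used for the equal to condition are modelling assumptions rather than documented product behaviour.

```python
import sqlite3

# Constructed sample rows for the JDBC datastore: (dsUid, dsMail, dsDomain).
# The column names come from the page; the table name and rows are made up.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "example.com"),
    ("bob", "bob@example.org", "example.org"),
    ("carol", "carol@example.info", "example.info"),
    ("dave", "dave@partner.net", "partner.net"),  # no policy rule for this domain
]

# The three policy rules from the page: domain "equal to" value -> result (policy path name).
RULES = {
    "example.com": "Example COM",
    "example.org": "Example ORG",
    "example.info": "Example INFO",
}


def open_datastore():
    """Stand-in for the JDBC datastore: an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (dsUid TEXT, dsMail TEXT, dsDomain TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def adapter_domain(identifier):
    """Model (assumption) of the Identifier First Adapter's domain attribute:
    the text after the last '@' of an email-shaped identifier, otherwise empty."""
    return identifier.rpartition("@")[2] if "@" in identifier else ""


def lookup_ds_domain(conn, subject):
    """The page's Database Filter, dsUid='${subject}' OR dsMail='${subject}', run as a
    parameterised query so the user-supplied identifier is never spliced into SQL.
    Returns dsDomain, or None when no row matches (an unknown username)."""
    row = conn.execute(
        "SELECT dsDomain FROM users WHERE dsUid = ? OR dsMail = ?",
        (subject, subject),
    ).fetchone()
    return row[0] if row else None


def fulfill_domain(adapter_value, ds_value):
    """The OGNL contract-fulfillment expression from the page:
    #this.get("domain").toString().matches("(?i).+") ? #this.get("domain") : #this.get("ds.domainInfo.dsDomain")
    '.+' matches any non-empty string, so: adapter value if non-empty, else the datastore column."""
    return adapter_value if adapter_value else ds_value


def route(conn, identifier, default_to_success=False):
    """Evaluate the policy rules and return the name of the policy path taken.
    With Default to Success cleared (as the page recommends), an identifier whose resolved
    domain matches no rule ends on the Fail path; with it selected, it falls through to
    the Success path. 'equal to' is modelled as an exact, case-sensitive comparison (assumption)."""
    domain = fulfill_domain(adapter_domain(identifier), lookup_ds_domain(conn, identifier))
    if domain in RULES:
        return RULES[domain]
    return "Success" if default_to_success else "Fail"


if __name__ == "__main__":
    conn = open_datastore()
    for ident in ["alice@example.com", "bob", "carol@example.info", "dave", "nobody", "Alice@Example.COM"]:
        print(f"{ident:20} -> {route(conn, ident)}")
```

Running the script shows the two edge cases worth testing in a real deployment: an unknown username resolves to no domain at all and lands on Fail, and a domain with no rule (dave) only reaches a Success path when Default to Success is left selected. The last identifier, in mixed case, also lands on Fail under the exact-comparison assumption, which is a reason to normalise case in the expression if your identifiers can arrive that way.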