...
The first two columns describe the Identity Service, the next two the Identity Service Configuration Items, and the last three the JOC Cockpit Configuration:

Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with | Roles Mapping
---|---|---|---|---|---|---
JOC | yes | JS7 Database | JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
LDAP | yes | LDAP Server | LDAP Server | JS7 Database | LDAP Service | Mapping of LDAP Security Groups to JOC Cockpit Roles performed with the LDAP Server
LDAP-JOC | yes | LDAP Server | LDAP Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
OIDC | yes | OIDC Identity Provider | OIDC Identity Provider | JS7 Database | OIDC Service | Mapping of OIDC claims to roles with JOC Cockpit
OIDC-JOC | yes | OIDC Identity Provider | OIDC Identity Provider | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
CERTIFICATE | yes | CA / User Private Key | CA / User | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
FIDO | yes | Authenticator | Authenticator | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
VAULT | no | Vault Server | Vault Server | JS7 Database | Vault Server | Mapping of Vault Policies to JOC Cockpit Roles
VAULT-JOC | no | Vault Server | Vault Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
VAULT-JOC-ACTIVE | no | Vault Server | Vault Server / JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
KEYCLOAK | no | Keycloak Server | Keycloak Server | JS7 Database | Keycloak Server | Mapping of Keycloak Policies to JOC Cockpit Roles
KEYCLOAK-JOC | no | Keycloak Server | Keycloak Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit
SHIRO | yes | JS7 Database / shiro.ini | JOC Cockpit | JS7 Database / shiro.ini | JOC Cockpit | The SHIRO Identity Service Type is:
...
- This Identity Service holds the single user account "root" with password "root".
- Users should modify the root user account's password.
- Users can modify the existing Identity Service or add new Identity Services.
...
Adding an Identity Service
To add an Identity Service use the Add Identity Service button from the list of Identity Services shown above:
...
- The Identity Service Name can be freely chosen.
- The Identity Service Type can be selected as available from the matrix shown above.
- The Ordering specifies the sequence in which a login is performed with the available Identity Services.
- The Required attribute specifies if login with an Identity Service is required to be successful, for example, if a number of Identity Services are triggered on login with a user account.
- The Identity Service Authentication Scheme allows selection of:
  - single-factor authentication: a single factor is sufficient for login with the Identity Service. This can be configured to use:
    - an optional user account and password
    - an optional Client Authentication Certificate, see JS7 - Certificate based Authentication
  - two-factor authentication: two factors are required for login with the Identity Service using:
    - a user account and password and
    - a Client Authentication Certificate or FIDO Authentication Credentials.
...
Managing User Accounts and Roles
...
Managing Settings
Settings are available at global and individual Identity Service levels.
...
Global settings are applied to all Identity Services.
- Before Release 2.7.0 global settings are available from the Manage Identity Services page.
- Starting from Release 2.7.0 global settings are available from the JS7 - Settings page.
Explanation:
- Session Idle Timeout (Default: 15 minutes)
  - If users are inactive for the given number of seconds then the user session expires and is terminated. Users can specify credentials and login to create a new user session.
  - Should the lifetime of an access token provided by an external Identity Service be different from the maximum idle-timeout, then the JOC Cockpit will try to renew the access token with the Identity Service. Renewal of an access token does not require the user to re-specify their login credentials.
  - Identity Services can restrict the lifetime of access tokens (time to live) and they can limit renewal of access tokens (maximum time to live). If an access token cannot be renewed then the user session is terminated and the user is required to perform a login.
- Initial Password (Default: initial)
  - If an administrator adds user accounts with the JOC Cockpit and does not specify a password then the Initial Password will be used. As a general rule the JOC Cockpit does not allow the use of empty passwords but populates them with the Initial Password if a password is not specified by the user adding or modifying the account.
  - In addition, the operation to reset a user account's password is available. This replaces an existing password with the Initial Password.
  - If the Initial Password is assigned, then a flag is set for the user account to indicate that the password has to be changed with the next login. This behavior ensures that users cannot use the Initial Password except for an initial login.
- Minimum Password Length (Default 0 1)
  - For any passwords specified - including the Initial Password - a minimum length is indicated.
  - Note that the number of characters and arbitrariness of character selection are key factors for secure passwords. Password complexity requiring e.g. digits and special characters to be used does not substantially add to password security except in case of short passwords.
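The interplay of the Session Idle Timeout with access token lifetime (time to live) and renewal limit (maximum time to live) described above, as an added illustrative model that is not JOC Cockpit's own code; the token TTL values and the log strings are constructed for the example, and all times are in seconds:

```python
from dataclasses import dataclass, field

# Constructed model of the Session Idle Timeout and access-token renewal behaviour
# described above; illustrative code, not JOC Cockpit's implementation. Times in seconds.
IDLE_TIMEOUT = 15 * 60  # Session Idle Timeout, default 15 minutes

@dataclass
class AccessToken:
    issued_at: int
    ttl: int       # time to live granted by the Identity Service for this token
    max_ttl: int   # maximum time to live: the Identity Service refuses renewal beyond it

@dataclass
class Session:
    token: AccessToken
    first_issued: int       # time of the initial login; max_ttl counts from here
    last_activity: int
    active: bool = True
    log: list = field(default_factory=list)

def renew_token(session: Session, now: int) -> bool:
    """Ask the Identity Service for a renewed token; refused once max TTL is exhausted."""
    tok = session.token
    limit = session.first_issued + tok.max_ttl
    if now >= limit:
        return False
    # A renewed token never outlives the maximum time to live.
    session.token = AccessToken(now, min(tok.ttl, limit - now), tok.max_ttl)
    return True

def touch(session: Session, now: int) -> bool:
    """Record user activity at time `now`; returns whether the session is still usable."""
    if not session.active:
        return False
    if now - session.last_activity > IDLE_TIMEOUT:
        session.active = False  # idle timeout: the session expires, a new login is required
        session.log.append("idle timeout")
        return False
    if now >= session.token.issued_at + session.token.ttl:
        # Token lifetime shorter than the idle timeout: renew without asking for credentials.
        if not renew_token(session, now):
            session.active = False  # renewal refused: session terminated, login required
            session.log.append("renewal refused")
            return False
        session.log.append("renewed")
    session.last_activity = now
    return True
```

With a token TTL of 600 seconds and a maximum TTL of 1500 seconds, an active user is renewed transparently twice and then logged out at the maximum TTL, while a user idle for more than 15 minutes is logged out regardless of the token.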
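The Initial Password and Minimum Password Length rules described above (empty passwords replaced by the Initial Password, the reset operation, the forced change on next login, and the minimum length applying to the Initial Password as well), as an added illustrative model that is not JOC Cockpit's own code; the account names and the minimum length default of 1 are assumptions of the example:

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the Initial Password and Minimum Password Length settings described
# above; illustrative code, not JOC Cockpit's implementation. Minimum length default assumed 1.

@dataclass
class PasswordSettings:
    initial_password: str = "initial"  # Initial Password (Default: initial)
    minimum_password_length: int = 1   # Minimum Password Length (assumed default)

@dataclass
class UserAccount:
    name: str
    password: str
    force_password_change: bool = False  # set whenever the Initial Password is assigned

class PasswordPolicyError(ValueError):
    """Raised when a password, including the Initial Password, is shorter than the minimum."""

def check_length(settings: PasswordSettings, password: str) -> None:
    if len(password) < settings.minimum_password_length:
        raise PasswordPolicyError(f"{len(password)} chars, minimum {settings.minimum_password_length}")

def add_account(settings: PasswordSettings, name: str, password: Optional[str]) -> UserAccount:
    """Empty passwords are never stored: a missing password is replaced by the Initial Password."""
    if not password:
        check_length(settings, settings.initial_password)  # the minimum applies to the Initial Password too
        return UserAccount(name, settings.initial_password, force_password_change=True)
    check_length(settings, password)
    return UserAccount(name, password)

def reset_password(settings: PasswordSettings, account: UserAccount) -> None:
    """The reset operation replaces the existing password with the Initial Password and flags the account."""
    check_length(settings, settings.initial_password)
    account.password = settings.initial_password
    account.force_password_change = True

def login(account: UserAccount, password: str) -> str:
    """Returns 'ok', 'password change required' (Initial Password still set) or 'denied'."""
    if password != account.password:
        return "denied"
    return "password change required" if account.force_password_change else "ok"

def change_password(settings: PasswordSettings, account: UserAccount, old: str, new: str) -> None:
    if old != account.password:
        raise PermissionError("current password does not match")
    check_length(settings, new)
    account.password = new
    account.force_password_change = False  # the Initial Password can no longer be used after this
```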
...
- Users who have been previously authenticated with the same Identity Provider as used by the OIDC Identity Service can access JOC Cockpit from their browser without specifying credentials.
- Users who initially authenticate with an Identity Provider by use of JOC Cockpit can open additional tabs in their browser without specifying credentials.
...
Resources
...