...

Column groups: Identity Service, Identity Service Configuration Items, JOC Cockpit Configuration

| Service Type | Built-in | User Accounts/Passwords stored with | User Accounts/Passwords managed by | Roles/Permissions stored with | Roles->User Accounts Mapping managed with | Roles Mapping |
|---|---|---|---|---|---|---|
| JOC | yes | JS7 Database | JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| LDAP | yes | LDAP Server | LDAP Server | JS7 Database | LDAP Service | Mapping of LDAP Security Groups to JOC Cockpit Roles performed with the LDAP Server |
| LDAP-JOC | yes | LDAP Server | LDAP Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| OIDC | yes | OIDC Identity Provider | OIDC Identity Provider | JS7 Database | OIDC Service | Mapping of OIDC claims to roles with JOC Cockpit |
| OIDC-JOC | yes | OIDC Identity Provider | OIDC Identity Provider | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| CERTIFICATE | yes | CA / User Private Key | CA / User | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| FIDO | yes | Authenticator | Authenticator | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| KEYCLOAK | no | Keycloak Server | Keycloak Server | JS7 Database | Keycloak Server | Mapping of Keycloak Policies to JOC Cockpit Roles |
| KEYCLOAK-JOC | no | Keycloak Server | Keycloak Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit |
| VAULT | no | Vault Server | Vault Server | JS7 Database | Vault Server | Mapping of Vault Policies to JOC Cockpit Roles. Removed with releases 2.5.5, 2.6.2, 2.7.0 |
| VAULT-JOC | no | Vault Server | Vault Server | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit. Removed with releases 2.5.5, 2.6.2, 2.7.0 |
| VAULT-JOC-ACTIVE | no | Vault Server | Vault Server / JOC Cockpit | JS7 Database | JOC Cockpit | Mapping of user accounts and roles with JOC Cockpit. Removed with releases 2.5.5, 2.6.2, 2.7.0 |
| SHIRO | yes | JS7 Database / shiro.ini | JOC Cockpit | JS7 Database / shiro.ini | JOC Cockpit | The SHIRO Identity Service Type is deprecated with release 2.2.0, unsupported with release 2.3.0, removed with release 2.4.0 |

...

  • This Identity Service holds the single user account root with password root.
  • Users should modify the root user account's password.
  • Users can modify the existing Identity Service or add new Identity Services.

...

Adding an Identity Service

To add an Identity Service use the Add Identity Service button from the list of Identity Services shown above:

...

  • The Identity Service Name can be freely chosen.
  • The Identity Service Type can be selected as available from the matrix shown above.
  • The Ordering specifies the sequence in which a login is performed with the available Identity Services.
  • The Required attribute specifies if login with an Identity Service is required to be successful, for example, if a number of Identity Services are triggered on login with a user account.
  • The Identity Service Authentication Scheme allows selection of:
    • single-factor authentication - a single factor is sufficient for login with the Identity Service. This can be configured to use:
    • two-factor authentication - two factors are required for login with the Identity Service using:
      • a user account and password and
      • a Client Authentication Certificate or FIDO Authentication Credentials.

...

Managing User Accounts and Roles

...

Managing Settings

Settings are available at global and individual Identity Service levels.

...

Global settings are applied to all Identity Services.


Explanation:

  • Session Idle Timeout (Default: 15 minutes)
    • If users are inactive for the given number of seconds then the user session expires and is terminated. Users can specify credentials and log in to create a new user session.
    • Should the lifetime of an access token provided by an external Identity Service be different from the maximum idle-timeout, then the JOC Cockpit will try to renew the access token with the Identity Service. Renewal of an access token does not require the user to re-specify their login credentials.
    • Identity Services can restrict the lifetime of access tokens (time to live) and they can limit renewal of access tokens (maximum time to live). If an access token cannot be renewed then the user session is terminated and the user is required to perform a login.
  • Initial Password (Default: initial)
    • If an administrator adds user accounts with the JOC Cockpit and does not specify a password then the Initial Password will be used. As a general rule the JOC Cockpit does not allow the use of empty passwords but populates them with the Initial Password if a password is not specified by the user adding or modifying the account.
    • In addition, the operation to reset a user account's password is available. This replaces an existing password with the Initial Password.
    • If the Initial Password is assigned, then a flag is set for the user account to indicate that the password has to be changed with the next login. This behavior ensures that users cannot use the Initial Password except for an initial login.
  • Minimum Password Length (Default 0 1)
    • For any passwords specified - including the Initial Password - a minimum length is indicated.
    • Note that the number of characters and arbitrariness of character selection are key factors for secure passwords. Password complexity requirements, e.g. that digits and special characters be used, do not substantially add to password security except in the case of short passwords.
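
The interplay of Session Idle Timeout, access token lifetime and renewal limit described above can be modelled as follows. This is an added example, not JOC Cockpit code: only the 15 minute idle timeout comes from this page, while the token time to live, the maximum time to live, the class and function names and the 60 second check interval are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    idle_timeout: int = 900    # Session Idle Timeout, page default of 15 minutes
    token_ttl: int = 300       # assumed: access token time to live at the Identity Service
    token_max_ttl: int = 1800  # assumed: maximum time to live, which caps renewals

@dataclass
class Session:
    login_at: int          # time of login (seconds)
    last_activity: int     # time of the user's last request
    token_issued_at: int   # time the current access token was issued or renewed

def check(s: Session, p: Policy, now: int) -> str:
    """Return the session state at time `now` (seconds since login)."""
    if now - s.last_activity >= p.idle_timeout:
        return "terminated:idle"
    if now - s.token_issued_at < p.token_ttl:
        return "active"
    # Token lifetime reached while the session is not idle: try to renew.
    # The user is not asked for credentials again.
    if now - s.login_at >= p.token_max_ttl:
        return "terminated:renewal-refused"   # user has to perform a login
    s.token_issued_at = now
    return "renewed"

def simulate(activity: list[int], p: Policy, horizon: int, step: int = 60):
    """Replay user activity timestamps; return (time, state) for every
    renewal and for the termination of the session."""
    s = Session(login_at=0, last_activity=0, token_issued_at=0)
    events, pending = [], sorted(activity)
    for now in range(step, horizon + 1, step):
        while pending and pending[0] <= now:
            s.last_activity = pending.pop(0)
        state = check(s, p, now)
        if state != "active":
            events.append((now, state))
        if state.startswith("terminated"):
            break
    return events

if __name__ == "__main__":
    # Constructed input: a user who clicks every two minutes for an hour.
    for event in simulate(list(range(0, 3600, 120)), Policy(), 3600):
        print(event)
```

With these assumed values a continuously active user is still logged out after 30 minutes because the Identity Service refuses further renewals, which is the case to check when users report unexpected session terminations.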

...

  • Users who have been previously authenticated with the same Identity Provider as used by the OIDC Identity Service can access JOC Cockpit from their browser without specifying credentials.
  • Users who initially authenticate with an Identity Provider by use of JOC Cockpit can open additional tabs in their browser without specifying credentials.

...

Resources

...