
Introduction

The JS7 - Security Architecture includes the use of Identity Services for authentication and authorization.

  • Identity Services implement authentication methods and access to Identity Providers. For example, account/password credentials are used as an authentication method to access an LDAP Directory Service acting as the Identity Provider.
  • JS7 supports a number of Identity Services:
    • Built-in Identity Services
      • Local User Management with JOC Cockpit, see JOC-1148
      • LDAP Directory Service Access, see JOC-1147
    • External Identity Services
      • HashiCorp® Vault, see JOC-1146
      • Keycloak®, see JOC-1193

Identity and Access Management

The JOC Cockpit implements an access layer that integrates a number of Identity Services for Identity and Access Management (IAM).

Built-in Identity Services

  • Built-in Identity Services ship with JOC Cockpit and can be used out-of-the-box.
  • The Identity Service for Local User Management does not include elaborate features such as password recovery, password complexity constraints, password rotation etc. and is not intended for such purposes. Instead, this Identity Service is a starting point for users who operate JS7 for testing purposes. Such features are typically available from an LDAP Directory Service and from external Identity Services.

External Identity Services

  • Use of external Identity Services requires that users install and operate the respective Identity Service product.
  • Depending on the nature of the Identity Service, security tokens are used that limit the scope (roles) and lifetime of access to JOC Cockpit.

User Account and Role Management

Permissions are available at a fine-grained level for access to the JOC Cockpit functionality, see JS7 - Permissions.

Permissions and roles are managed with JOC Cockpit. User accounts and role assignments can be managed with JOC Cockpit or with external Identity Services:


Use of Identity Services

A number of Identity Services can be used at the same time:

  • Required Identity Services: the user login is performed against all required Identity Services, each of which has to accept the login.
  • Optional Identity Services: with the first successful login to an Identity Service the user is considered logged in and no further Identity Service is consulted.

Identity Services can be ordered to specify a sequence of preferred services for authentication.
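The login sequence described above, modelled as an added example that is not JOC Cockpit code: services are consulted in their configured order, every required service must accept the credentials, and optional services are tried until the first one accepts. The service names, the static sample credentials, and the way required and optional services combine are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed model of the login sequence described above: every "required"
# Identity Service must accept the credentials; "optional" services are consulted
# in their configured order until the first one accepts. How the two classes
# combine when both are configured is an assumption of this example.

@dataclass
class IdentityService:
    name: str
    required: bool
    ordering: int  # lower value = consulted earlier
    authenticate: Callable[[str, str], bool]

@dataclass
class LoginResult:
    success: bool = False
    consulted: List[str] = field(default_factory=list)
    granted_by: Optional[str] = None

def login(services: List[IdentityService], account: str, password: str) -> LoginResult:
    ordered = sorted(services, key=lambda s: s.ordering)
    result = LoginResult()
    for svc in (s for s in ordered if s.required):
        result.consulted.append(svc.name)
        if not svc.authenticate(account, password):
            return result  # one refusing required service denies the login
    optional = [s for s in ordered if not s.required]
    if not optional:
        result.success = bool(result.consulted)  # required-only; nothing configured = deny
        return result
    for svc in optional:
        result.consulted.append(svc.name)
        if svc.authenticate(account, password):
            result.success, result.granted_by = True, svc.name
            return result  # first success ends the sequence
    return result

# Constructed sample services with static credentials, for demonstration only.
def local_user_management(account: str, password: str) -> bool:
    return (account, password) == ("alice", "local-secret")

def ldap_directory(account: str, password: str) -> bool:
    return (account, password) == ("alice", "ldap-secret")

SAMPLE_SERVICES = [
    IdentityService("LDAP", required=False, ordering=2, authenticate=ldap_directory),
    IdentityService("JOC", required=False, ordering=1, authenticate=local_user_management),
]
```

With both sample services optional, a password accepted by the local Identity Service ends the sequence before LDAP is consulted; a failing required service denies the login regardless of any optional service.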

Certificate Based Authentication

Certificates can be used for mutual authentication:

  • The client (Browser Client, REST API Client) challenges the JOC Cockpit server to present its server authentication certificate that will be verified by the client.
  • The JOC Cockpit server challenges the client to present its client authentication certificate that is verified by JOC Cockpit.

With JOC Cockpit set up for mutual authentication, certificates can be used

  • to enforce two-factor authentication with clients having to provide a certificate and a password,
  • to allow single-factor authentication using a certificate instead of a password.
