The Identity and Access Management (IAM) component provides ready-to-use and easy-to-configure functionality related to user or service authentication and authorization. The IAM component may be integrated into existing web-based applications and services to provide typical services related to the identification of the user and the authentication of the user. The IAM component also allows for authorization in a fine-grained level (per service and service item). All IAM – related actions can be logged and be used as input to other services (e.g. charging services). The IAM component comes with administration functionality for account and profile editing as well as editing the relationship and association among users.
How it works
The core functionality of the IAM component is based on the open source ForgeRock OpenAM tool. OAuth2 and the OpenID are some well known protocols that are used in IAM. IAM solution supports:
- User registration and account management
- User authentication
- User authorization
- Resource server registration
- Role registration per resource server
- Logging of authentication, authorization, session and other types of activities
IAM provides Graphical User Interface and two types of web services: OpenAM and IAM specific. In the Prosperity4all project, two types of roles / users have been identified: the resource owner and the end-user. The direct user of the IAM is the resource owner (or the developer) of a given platform/service/application (for example Assistance on Demand platform, crowd funding application, etc.). The resource owner allows integration of their /service/application with the IAM component in order to exploit the IAM functionality. The end-users of each platform/service/application that has been integrated with the IAM component use the IAM component to authenticate themselves and use the platform/service or application
Any resource owner is able to define the way that their resource (resource server, web application or service) is used with the IAM component. To achieve this, the resource owner has to follow the flow below:
- Create a new account in IAM
- Register the resource in IAM and retrieve its credentials (CLIENT_ID & CLIENT_SECRET)
- Configure the roles that allow and define the usage of the resource (if any)
- Integrate the resource server with IAM (using web services)
- Authenticate the user
- Authorize the user
- Retrieve the access token
- Retrieve the basic or extended user profile
- Retrieve the roles of user
- Manage the access token
- Validate the access token
- Update the access token
Please find more details and guidelines for integrating the IAM component with an application or service here.
The user can access the resources (web applications/services) that have been integrated with the IAM. Initially the user has to register with the IAM and with the resource of interest (assuming a role) via the IAM Graphical User Interface. In order to access a resource integrated with IAM resource server, the user has to login and authenticate in the IAM and be authorized to access the resource.
Please find more details and guidelines on how user authentication can take place for accessing an application or service here.