Let’s say you want to let your partners manage the users who access your extranet. Sounds like identity management … and everybody is doing this identity management thing today, aren’t they? So to make it a bit more interesting, let’s say you already have a portal in place that takes care of security, personalisation and session management. And yes, the portal is custom-made, was developed a couple of years ago, you have no access to its source code and, of course, there is no documentation. What do you do?

Option 1. Put an access management system in front of the portal to authenticate users, then rewrite the request headers with the userid of the authenticated user and pass the request on to the portal servlets. Hmm, but this requires modifying the portal code to extract the userid from the header, which we don’t want to do (and can’t, without the source)…
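To make the header-rewriting gateway of Option 1 concrete, here is a small added example (it is not code from the post, and the portal in question had no such integration). It assumes the gateway passes the identity in a header named `X-Remote-User` and that the portal is reachable only from the gateway; the user store is a constructed in-memory stand-in for the directory lookup. The point a practitioner cares about is in `rewrite_headers`: any identity header the browser itself sent is dropped before the gateway sets its own, otherwise a client could simply claim to be someone else and the portal, which trusts the gateway, would believe it.

```python
"""Header-rewriting access gateway (added example, not from the original post).

Assumptions: the identity header is X-Remote-User, the portal accepts
it only from the gateway, and USER_STORE stands in for a directory.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Assumed header name; the post does not say which header the portal would read.
IDENTITY_HEADER = "X-Remote-User"


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


# Constructed sample directory: username -> (salt, sha256(salt + password)).
_SALT = b"example-salt"
USER_STORE = {"alice": (_SALT, _hash(_SALT, "correct horse"))}


def authenticate(username: str, password: str) -> bool:
    """Verify credentials against the sample store (directory stand-in)."""
    entry = USER_STORE.get(username)
    if entry is None:
        _hash(_SALT, password)  # same cost as a real check, so timing does not leak usernames
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(salt, password), expected)


def basic_header(username: str, password: str) -> str:
    """Build an HTTP Basic Authorization value, as a browser would after the challenge."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic_auth(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode a Basic Authorization value into (username, password), or None if malformed."""
    if not value or not value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(value[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def rewrite_headers(client_headers: Dict[str, str], userid: str) -> Dict[str, str]:
    """Build the headers forwarded to the portal.

    Every client-supplied copy of the identity header is dropped first, whatever
    its letter case, so the browser cannot choose its own userid. The Authorization
    header is dropped too: the portal never needs to see the password.
    """
    blocked = {IDENTITY_HEADER.lower(), "authorization"}
    upstream = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    upstream[IDENTITY_HEADER] = userid
    return upstream


def handle(client_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Gateway decision: (401, challenge headers) or (200, headers to forward)."""
    creds = parse_basic_auth(_get(client_headers, "Authorization"))
    if creds is None or not authenticate(*creds):
        return 401, {"WWW-Authenticate": 'Basic realm="extranet"'}
    return 200, rewrite_headers(client_headers, creds[0])


if __name__ == "__main__":
    spoof = {IDENTITY_HEADER: "admin", "Accept": "text/html"}
    print(handle(spoof))  # 401: unauthenticated, the spoofed header is ignored
    print(handle({**spoof, "Authorization": basic_header("alice", "correct horse")}))
```

The same rule applies to whatever carries the identity, be it a header, a cookie or a query parameter: the portal must only ever see a value the gateway itself produced, so the gateway strips the client’s copy and the network must not let browsers reach the portal directly.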

Option 2. Put an access proxy in front of the portal that authenticates users and then impersonates them to the portal. That is, it challenges the user to log in, intercepts the username and password, authenticates them against the directory, connects to the portal, submits the same username and password and then relays all communication between the user and the portal. Smart, isn’t it… or is it? In fact, since the proxy and the portal each have their own LDAP schema, this wouldn’t work: the portal can only authenticate users that exist in its own directory. Attempts to merge the schemas would likely fail, because doing so would break either the proxy or the portal. And because directory replication cannot translate between schemas, you would have to use a metadirectory, which means an additional product, additional cost, and performance and synchronisation issues. It also means the proxy handles every user’s cleartext password, which is a liability in its own right. No straightforward, simple and cheap option.
