Hi Marie,
My idea is that user privileges are maintained in the custom SSO and by the custom SSO. However, there is one weak point: the custom SSO server has to maintain two parallel user info datastores in this case, its own and an additional one in OpenLDAP. This is done by interfacing to OpenLDAP some basic information about the users related to Delphix. If OpenLDAP contains basic information about a user, it can expose it to Delphix via a standard protocol and enable user authentication and authorization.
The process is external to Delphix, but the drawback is that we are duplicating user information and making the SSO server responsible for maintaining a parallel user "database".
Example 1:
We want to allow user Tom to log in to the Delphix console.
1. The custom SSO operator defines user Tom in the standard way.
2. The custom SSO server has to connect to OpenLDAP and create there the necessary information about user Tom (additional interface functionality in the custom SSO server... Is it possible to implement?).
3. We have to configure user Tom in Delphix in the standard way. We specify that he will be authenticated by LDAP (our OpenLDAP server). We don't store the user's password in Delphix.
4. User Tom is able to log in to the Delphix console. During the login process the Delphix engine connects to OpenLDAP and authenticates him in the standard way.
Example 2:
We want to disable user Tom, i.e. make his account inactive.
1. The custom SSO operator disables the user in the standard way.
2. The custom SSO server passes this information to OpenLDAP.
3. User Tom is not able to log in to Delphix because he is not active in OpenLDAP.
The questions are:
1. Is the SSO owner willing to maintain an additional store with limited user information in OpenLDAP? Security concerns may play a role here.
2. Is it possible to create an interface between the custom SSO server and the OpenLDAP server? Is the custom SSO flexible enough to implement this?
What SSO solution is currently used?
Regards,
P
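As an added example (not part of P's message, nor code from Delphix or the SSO product), here are the two OpenLDAP-side steps from the examples above expressed as the LDIF the custom SSO server would have to produce: an inetOrgPerson entry with an OpenLDAP {SSHA} password hash for Example 1, step 2, and a ppolicy account lock for Example 2, step 2. The base DN, the attribute set and the assumption that the OpenLDAP server runs the ppolicy overlay are mine.

```python
import base64
import hashlib
import hmac
import os

# Assumed subtree in which the SSO server mirrors its Delphix-related users.
BASE_DN = "ou=delphix-users,dc=example,dc=com"
# Value the OpenLDAP ppolicy overlay treats as a permanent administrative lock.
PERMANENT_LOCK = "000001010000Z"

def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """The check slapd performs on a simple bind against a {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def add_user_ldif(uid, cn, sn, mail, password_hash):
    """Example 1, step 2: the minimal entry OpenLDAP needs to authenticate Tom."""
    return "\n".join([
        f"dn: uid={uid},{BASE_DN}",
        "changetype: add",
        "objectClass: inetOrgPerson",
        f"uid: {uid}",
        f"cn: {cn}",
        f"sn: {sn}",
        f"mail: {mail}",
        f"userPassword: {password_hash}",
        "",
    ])

def set_account_lock_ldif(uid, locked):
    """Example 2, step 2: lock (or unlock) the entry so that binds fail.
    pwdAccountLockedTime is operational and managed by the ppolicy overlay;
    writing it requires rootdn-level access (assumption: overlay is enabled)."""
    lines = [f"dn: uid={uid},{BASE_DN}", "changetype: modify"]
    if locked:
        lines += ["replace: pwdAccountLockedTime", f"pwdAccountLockedTime: {PERMANENT_LOCK}"]
    else:
        lines += ["delete: pwdAccountLockedTime"]
    return "\n".join(lines + ["-", ""])
```

Whether Tom is active is decided only in OpenLDAP: with the lock in place the bind from the Delphix engine fails, so step 3 of Example 2 follows without any change on the Delphix side.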