Hitachi

uCosminexus Application Server Security Management Guide


5.2.2 User management and user mapping using realms

This section describes the two concepts on which integrated user management is built: realms and user mapping between realms.

(1) Realms

A realm is the extent to which the same authentication policies are applied. A business service application identifies its users according to the service requirements; the process of identifying users is generally called authentication. An authentication process is characterized by the authentication mechanism used to identify users and by the user authentication database (user authentication repository) that it consults. System administrators are responsible for determining the authentication policies, such as which authentication mechanism(s) to use and which users to register in the user authentication database.

Unlike when building a system that provides a single service, when building a system that provides a number of services it is essential to examine which authentication policies should apply to which extent. In the Web system, the extent to which the same authentication policies are applied is called a realm, and the name used to identify a realm is called the realm name. A user authenticated in a realm has an identifier (user ID) that uniquely identifies him or her within that realm; a user ID is therefore meaningful only together with its realm name.

Applications that have the same user management requirements can be administered in a single realm. Ideally, all newly established services would be integrated into a single realm so that access can be controlled uniformly from the security attributes of the authenticated users. In reality, however, such systems are rare. An enterprise system typically has many separately managed realms, such as email IDs for the internal email system, employee numbers for the human resources system, and department codes for the material ordering system.

When using Cosminexus to integrate these services, administrators must consider consolidating realms by analyzing why each one is necessary. Reducing the number of realms to as few as possible simplifies management. The following figure shows an example of realm management.

Figure 5‒2: Example of realm management

[Figure]

(2) User mapping between realms

A business service application asks the end user to enter the user ID and password used for authentication, and the authenticated state is kept until the user logs out. If the user then tries to log in to another application that authenticates with different user IDs and passwords, he or she is asked to enter a user ID and password again. In short, users must be authenticated again to access an application that is managed in a different realm from the one in which they have already been authenticated.

If all J2EE applications knew how a user who has logged in to one realm is handled by the other realms, the user would not need to enter a user ID and password repeatedly. To address this, the integrated user management framework provides user mapping, which maps a user who has logged in to one realm to the corresponding user in each of the other realms.

With user mapping, a user who has been authenticated in one realm is automatically authenticated in another realm when the successful authentication status is shared with that realm. To use user mapping, the Cosminexus system administrator must map users between realms and store the mapping information in the system in advance. Because the mapped identity is granted on the strength of the first realm's authentication, the mapping should be defined deliberately for each pair of realms rather than assumed from matching user ID strings.

In the following example of user mapping, the user authenticated as USER3 in the working hour management service is mapped in advance to the user dev_3 of the material ordering service. As a result, a user who has been authenticated as USER3 in the working hour management service is automatically authenticated as dev_3 in the material ordering service without a separate login operation.

Figure 5‒3: Example of user mapping

[Figure]
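The following model illustrates both the realm concept from (1) and the user mapping from (2) in code. It is an added example written for this page, not Cosminexus code and not the integrated user management framework's API; the realm names, user IDs and the mapping table are constructed to match the figures above. It shows why a user ID must always be qualified by its realm, that a mapping is directional and defined per target realm, and that an unmapped user is sent back to normal authentication rather than silently granted access.

```python
"""Illustrative model of realm-qualified identities and user mapping.

Added example: not Cosminexus code and not its API. Realm names, user IDs
and the mapping entries used here are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Principal:
    """An authenticated identity.

    A user ID is unique only within its realm, so the realm name is part
    of the identity: ("working_hours", "USER3") and ("mail", "USER3") are
    different users even though the ID string is the same.
    """
    realm: str
    user_id: str


class AuthenticationRequired(Exception):
    """Raised when the target realm has no mapping for the caller.

    The application that receives this must fall back to asking the user
    for the target realm's own user ID and password (fail closed).
    """


class UserMappingRegistry:
    """Mapping information stored in advance by the administrator.

    Each entry is directional: (source realm, source user, target realm)
    -> target user ID. Mapping USER3 in working_hours to dev_3 in
    material_ordering says nothing about how dev_3 is handled elsewhere.
    """

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str, str], str] = {}

    def register(self, source: Principal, target: Principal) -> None:
        """Map an authenticated source user to one user in the target realm."""
        if source.realm == target.realm:
            raise ValueError("user mapping is only defined between different realms")
        key = (source.realm, source.user_id, target.realm)
        existing = self._entries.get(key)
        if existing is not None and existing != target.user_id:
            # A source user must resolve to exactly one identity per target
            # realm; a conflicting second entry is an administration error.
            raise ValueError(f"{source} is already mapped to {existing!r} in {target.realm!r}")
        self._entries[key] = target.user_id

    def resolve(self, authenticated: Principal, target_realm: str) -> Principal:
        """Return the identity the caller acts as in target_realm.

        Within the same realm the identifier is reused unchanged. Across
        realms the mapping table decides; no entry means no automatic
        authentication, regardless of any matching ID string in the target.
        """
        if authenticated.realm == target_realm:
            return authenticated
        target_id = self._entries.get((authenticated.realm, authenticated.user_id, target_realm))
        if target_id is None:
            raise AuthenticationRequired(
                f"{authenticated} has no mapping into realm {target_realm!r}; "
                "the user must log in with that realm's credentials"
            )
        return Principal(target_realm, target_id)


def build_example_registry() -> UserMappingRegistry:
    """Constructed configuration mirroring Figure 5-3: USER3 -> dev_3."""
    registry = UserMappingRegistry()
    registry.register(Principal("working_hours", "USER3"),
                      Principal("material_ordering", "dev_3"))
    return registry


if __name__ == "__main__":
    registry = build_example_registry()
    session = Principal("working_hours", "USER3")  # result of the first login
    print(registry.resolve(session, "material_ordering"))   # mapped to dev_3
    for other in (Principal("mail", "USER3"), Principal("material_ordering", "dev_3")):
        try:
            registry.resolve(other, "working_hours")
        except AuthenticationRequired as exc:
            print("login required:", exc)
```

Note that the reverse direction is not implied: dev_3 authenticated in material_ordering is not automatically accepted as USER3 in working_hours unless the administrator registers that entry as well, and USER3 authenticated in an unrelated realm such as the mail system shares nothing with USER3 in working_hours.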