How does Okera do identity management and where does it get its list of users?
Every request to an Okera service performs the following steps, regardless of which authorization tool is used:
- It authenticates the username.
- It looks up the set of groups to which the user belongs.
- Using those groups and the permissions database, it authorizes the request.
User and group management happens outside Okera. Okera reads that information through integrations with supported identity services such as Microsoft Active Directory (AD) or LDAP; it does not maintain its own user database.
A user holds the union of the permissions granted to every group they belong to. Okera supports several methods for authenticating users and for resolving a user's groups. Details about these methods, and any limitations on which of them can be combined, are given in the documentation referenced below.
Okera can authenticate users using:
- Microsoft Active Directory (AD)/LDAP username and password
- JSON Web Tokens (JWT)
- OAuth Authentication
Multiple methods can be enabled at the same time, and a typical deployment does so. For example, batch applications may present JWTs while interactive users sign in with AD/LDAP credentials or OAuth.
Two-factor authentication is provided by the identity provider (IdP) rather than by Okera: if you authenticate users with OAuth or SAML and the IdP is configured to require a second factor, that requirement applies to Okera logins as well.
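The three-step flow described above (authenticate, resolve groups, authorize against a permissions database), with two authentication methods feeding the same group lookup, can be illustrated in code. The following is an added example written for this page; it is not Okera's implementation. The shared HMAC secret, the `DIRECTORY`, `PASSWORDS` and `PERMISSIONS` tables, and all user names are constructed sample data standing in for the IdP, the AD/LDAP directory and the policy store.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Set, Tuple

# Constructed sample data (not Okera's). SECRET stands in for the JWT issuer's key,
# DIRECTORY for the AD/LDAP group membership, PERMISSIONS for the permissions database.
SECRET = b"demo-shared-secret"
DIRECTORY = {
    "alice": {"analysts", "finance"},
    "bob": {"analysts"},
}
PERMISSIONS = {
    "analysts": {("SELECT", "sales.orders")},
    "finance": {("SELECT", "finance.ledger"), ("SELECT", "sales.orders")},
}


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_jwt(sub: str, exp: int, alg: str = "HS256", secret: bytes = SECRET) -> str:
    """Issue an HS256-signed JWT. Only here so the example runs offline; the 'alg'
    parameter lets the caller forge a header claiming another algorithm."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": sub, "exp": exp}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def authenticate_jwt(token: str, now: int, secret: bytes = SECRET) -> Optional[str]:
    """Step 1 (JWT): verify signature and expiry, return the username or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm; the token's own "alg" claim is never used to pick a verifier.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    sub = payload.get("sub")
    return sub if isinstance(sub, str) and sub else None


def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed credential store standing in for an AD/LDAP bind: user -> (salt, hash).
PASSWORDS = {"bob": (b"salt-bob", pw_hash("correct horse", b"salt-bob"))}
DUMMY_SALT = b"no-such-user"


def authenticate_password(user: str, password: str) -> Optional[str]:
    """Step 1 (username/password): return the username on a valid bind, else None.
    Unknown users still pay for a hash so timing does not reveal who exists."""
    salt, stored = PASSWORDS.get(user, (DUMMY_SALT, b""))
    candidate = pw_hash(password, salt)
    return user if stored and hmac.compare_digest(candidate, stored) else None


def lookup_groups(user: str) -> Set[str]:
    """Step 2: resolve the user's groups from the (simulated) directory."""
    return set(DIRECTORY.get(user, ()))


def authorize(groups: Set[str], action: str, resource: str) -> bool:
    """Step 3: a user holds the union of all their groups' permissions; default deny."""
    granted = set().union(*(PERMISSIONS.get(g, set()) for g in groups))
    return (action, resource) in granted


def handle_request(credential: Tuple[str, ...], action: str, resource: str, now: int) -> bool:
    """Dispatch on credential type; both methods feed the same group lookup."""
    if credential[0] == "jwt":
        user = authenticate_jwt(credential[1], now)
    elif credential[0] == "password":
        user = authenticate_password(credential[1], credential[2])
    else:
        user = None
    if user is None:
        return False
    return authorize(lookup_groups(user), action, resource)
```

The points worth noting are that the group lookup and authorization steps are identical whichever authenticator produced the username, that authorization is the union over groups with deny as the default, and that the JWT verifier pins the algorithm and checks expiry before trusting the `sub` claim.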
For more information, refer to the documentation found here.