External identity provider integration

To keep the user database and user permissions consistent and intact, IAM in MOSK stores user identity information internally. In real deployments, however, an identity provider usually already exists.

Out of the box, in MOSK, IAM supports integration with LDAP and Google Open Authorization (OAuth). If LDAP is configured as an external identity provider, IAM performs one-way synchronization by mapping attributes according to configuration.

In the case of the Google Open Authorization (OAuth) integration, the user is registered automatically and their credentials are stored in the internal database according to the user template configuration. The Google OAuth registration workflow is as follows:

  1. The user requests a MOSK management console resource.

  2. The user is redirected to the IAM login page and logs in using the Log in with Google account option.

  3. IAM creates a new user with the default access rights that are defined in the user template configuration.

  4. The user can access the MOSK management console resource.

The following diagram illustrates the external IdP integration to IAM:

[Diagram: iam-ext-idp.png, external IdP integration to IAM]

You can configure simultaneous integration with both external IdPs with the user identity matching feature enabled.
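The behaviour described above (one-way LDAP attribute mapping, automatic registration from the user template on Google login, and identity matching across both IdPs) can be modelled in a few lines. This is an added illustration, not MOSK or IAM code; the attribute names, the template shape, the derivation of the username from the e-mail address and the choice of e-mail as the matching attribute are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class InternalUser:
    username: str
    email: str
    roles: set = field(default_factory=set)    # access rights held internally
    sources: set = field(default_factory=set)  # which IdPs this identity is linked to


class IamStore:
    """Toy model of the internal user database. External IdPs are read, never written to."""

    def __init__(self, user_template, ldap_attr_map, match_on="email"):
        self.users = {}                      # username -> InternalUser
        self.user_template = user_template   # default rights for newly created users
        self.ldap_attr_map = ldap_attr_map   # LDAP attribute -> internal field (assumed shape)
        self.match_on = match_on             # identity-matching attribute (assumption)

    def _match(self, value):
        # Identity matching: reuse the record whose match attribute equals value.
        return next((u for u in self.users.values()
                     if getattr(u, self.match_on) == value), None)

    def sync_from_ldap(self, ldap_entries):
        """One-way sync: copy only the configured LDAP attributes onto internal records."""
        for entry in ldap_entries:
            mapped = {internal: entry[ldap]
                      for ldap, internal in self.ldap_attr_map.items() if ldap in entry}
            user = self._match(mapped[self.match_on])
            if user is None:
                user = InternalUser(**mapped)
                self.users[user.username] = user
            else:
                for k, v in mapped.items():
                    if k != "username":      # the key of an existing record is kept
                        setattr(user, k, v)
            user.sources.add("ldap")         # roles untouched: sync maps attributes only
        return self.users

    def register_from_google(self, profile):
        """Step 3 of the workflow: create the user with the template's default rights."""
        user = self._match(profile["email"])
        if user is None:                     # first login: register from the template
            user = InternalUser(username=profile["email"].split("@")[0],
                                email=profile["email"],
                                roles=set(self.user_template["roles"]))
            self.users[user.username] = user
        user.sources.add("google")           # matched an existing identity: rights unchanged
        return user
```

Note that a Google login matching an LDAP-synced record links to that record without granting the template's default rights, so enabling identity matching never widens what an existing identity can do.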