
We are developing an application which is internal application but must be accessible from Internet. We have used OpenID Connect to authenticate users. Users must have a valid account in our IAM platform (ISAM IBM Security Access Management) to be able to log in to the application. When users browse to the application they are redirected to our IAM platform logon page. Once they enter their credentials, they will be able to enter into the application.

Now we want to have some kind of authorization based on which AD group users belong to. How can we achieve it? After the user has been authenticated and redirected to the application does the application need to get information from AD? How?

user217648

1 Answer

There are two options.

1) Either only allow login to people in the appropriate AD group, in which case your OpenID Connect must be able to request group information from IAM, or have IAM set up to only allow login for the respective AD group;

2) or check the AD group upon entering the application.

This would usually be done on the application side and the particular programming is dependent on the application, but generally the application needs to make an LDAP request to AD to check if the user is a member of a particular group, such as this:

How to write LDAP query to test if user is member of a group?

Gnudiff
  • About option 1, I would say that it is not about the access to the application. All users who have an account in our IAM platform will be able to access the application. The question is what can we do to make some users that belong to AD group1 only see page1, page2, and page3, and the users who belong to AD group2 only see page 2, 5 and 6. About option 2, do we need to do some configuration on the application side, i.e. joining to a domain or something? – user217648 Sep 15 '17 at 06:56
  • @user217648 that depends on your detailed setup. But usually the LDAP query has to connect to the LDAP server using some AD account to authenticate. So you would have to set up an AD account for your application. Doesn't mean the app's server HAS to be in the domain, just that the app supplies the AD account and password when making the LDAP query. – Gnudiff Sep 15 '17 at 07:12
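The following Python is an added example (not code from the question, the answer, or the linked post) of the application-side check described in option 2, applied to the page-per-group scenario from the comments. It builds the LDAP search filter the application would send to AD with its own service account, escaping the user-supplied value per RFC 4515 so a login name cannot rewrite the filter, and then maps the groups returned in the user's memberOf attribute to the pages that group may see. The group DNs, page names and sample memberOf values are constructed; the actual bind and search against AD are not performed here so the code runs offline.

```python
# Added example: LDAP group-membership filter + group-to-page authorization.
# Not from the original question or answer. The group DNs, page names and
# memberOf samples are constructed for illustration (example.com is a placeholder).
from typing import Dict, Iterable, Set

# RFC 4515 escaping for values interpolated into an LDAP search filter.
# Without it a login name such as "*)(objectClass=*" would change the filter's meaning.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value so it is treated as a literal inside an LDAP filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_membership_filter(sam_account_name: str, group_dn: str) -> str:
    """Filter that matches the user only if they are a member of group_dn.

    1.2.840.113556.1.4.1941 is AD's LDAP_MATCHING_RULE_IN_CHAIN, which also
    follows nested group membership; a plain (memberOf=...) only sees direct groups.
    The application would run this search bound with its own service account
    (the account the comment above refers to), not with the end user's credentials.
    """
    user = escape_ldap_filter_value(sam_account_name)
    group = escape_ldap_filter_value(group_dn)
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={user})"
        f"(memberOf:1.2.840.113556.1.4.1941:={group}))"
    )


# Constructed policy mirroring the scenario in the comments:
# group1 sees pages 1-3, group2 sees pages 2, 5 and 6.
PAGE_POLICY: Dict[str, Set[str]] = {
    "CN=group1,OU=Groups,DC=example,DC=com": {"page1", "page2", "page3"},
    "CN=group2,OU=Groups,DC=example,DC=com": {"page2", "page5", "page6"},
}


def allowed_pages(member_of: Iterable[str], policy: Dict[str, Set[str]] = PAGE_POLICY) -> Set[str]:
    """Union of the pages granted by every policy group present in memberOf.

    DN comparison is case-insensitive because AD DNs are. A user in no policy
    group gets an empty set, i.e. deny by default.
    """
    held = {dn.lower() for dn in member_of}
    pages: Set[str] = set()
    for group_dn, group_pages in policy.items():
        if group_dn.lower() in held:
            pages |= group_pages
    return pages


def can_view(member_of: Iterable[str], page: str, policy: Dict[str, Set[str]] = PAGE_POLICY) -> bool:
    """Authorization decision for a single page request."""
    return page in allowed_pages(member_of, policy)


if __name__ == "__main__":
    # Constructed memberOf values as AD would return them for three sample users.
    alice = ["CN=group1,OU=Groups,DC=example,DC=com"]
    bob = ["CN=group1,OU=Groups,DC=example,DC=com", "CN=group2,OU=Groups,DC=example,DC=com"]
    carol = ["CN=unrelated,OU=Groups,DC=example,DC=com"]
    print(group_membership_filter("alice", "CN=group1,OU=Groups,DC=example,DC=com"))
    print(sorted(allowed_pages(alice)), sorted(allowed_pages(bob)), sorted(allowed_pages(carol)))
    print(can_view(alice, "page5"), can_view(bob, "page5"))
```

The policy table is the piece that lives in the application; the filter is what the application sends to AD. Because memberOf only lists direct memberships, an application that reads that attribute instead of running the in-chain filter will miss users who are in group1 via a nested group, so pick one approach deliberately.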