Connect Identity Service

This how-to describes how to connect security.manager for OGC to the Identity Service so that you can bind policies to roles of authenticated users.

As long as you do not connect security.manager for OGC to an Identity Service, security.manager for OGC can only enforce permissions that apply to all users. To be able to enforce permissions based on role or group memberships of users, you must connect security.manager for OGC to an Identity Service. When users authenticate with the identity provider configured there, security.manager for OGC can query the role or group memberships of the users and enforce permissions accordingly.

Configure connection

  1. Create the file application.properties in the configuration directory of security.manager for OGC if it does not already exist. By default, this is the path ${user.home}/.secman-ogc/application.properties.

  2. Add the following entries and adapt them:

    security.mode=IDENTITY
    security.identity.self.service.url=https://id.example.com/identity/account/self

    Replace https://id.example.com/identity/account/self with the actual Self info URL of the Identity Service you want to use. To find it, open the base URL of the Identity Service in a browser, for example https://id.example.com/identity/; the Self info URL is displayed on that page.

  3. If security.manager for OGC runs under a different hostname than the Identity Service, follow the Identity Service's configuration instructions for using different hostnames under one domain; the login session is passed to security.manager for OGC as a browser cookie, and the browser only sends that cookie to hosts within the cookie's domain. Operating security.manager for OGC and the Identity Service under different domains is not supported.

  4. Save the file and restart Tomcat.

Test connection

To test the connection, log in and then access a layer of a protected service that is only available to logged-in users.

For you to be able to test the connection as described here, the following prerequisites must be met:

  • Identity Service and security.manager for OGC are reachable under the same domain (different hostnames within that domain are fine), for example https://id.example.com/identity/ and https://secman.example.com/secman-ogc/.

  • You have an account with the identity provider configured in the Identity Service.

Create policy

First, create a policy that allows access to a layer only for logged-in users.

  1. Open the policy file of the service you want to test.

  2. Create a policy for the role enhancedSecurity_authenticated, which stands for every logged-in user, that allows access to a layer, for example:

    "policies":[
      {
        "layers": ["layerA"],
        "roles": ["enhancedSecurity_authenticated"]
      }
    ]

    Replace layerA with the actual name of the layer you want to restrict access to.

  3. Save the file and restart Tomcat.

Log in

Next, you need to log in via the Identity Service.

  1. Call up the home page of the configured Identity Service in the browser, for example https://id.example.com/identity/.

  2. Click on the link under Login, for example https://id.example.com/identity/account/login.

  3. Log in with your account at the identity provider if prompted.

After successful login, you will be redirected back to the Self endpoint of the Identity Service, whose address ends with /identity/account/self.

Call protected service

Now open the URL of the protected service in the browser, for example https://secman.example.com/secman-ogc/my-services/wms?service=WMS&request=GetCapabilities. The login session from the previous step is held in a browser cookie that is only sent to hosts within the Identity Service's domain, so you must call the protected service under that same domain, i.e. https://secman.example.com/secman-ogc/…​ if the Identity Service is reachable under https://id.example.com/…​.

If everything is configured correctly, you now have access to the layer that is only available to logged-in users. Also check the negative case: in a private browser window, without logging in, the same layer must not be accessible; if it is, the policy is not being enforced.
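The following script is an added example for this test; it is not part of the security.manager for OGC documentation or product. It checks the same-domain prerequisite from the section above (so that the session cookie set by the Identity Service reaches security.manager for OGC) and then compares the WMS capabilities seen by an anonymous caller with those seen by the logged-in session. It assumes the hostnames used in this how-to, assumes that security.manager for OGC removes layers the caller may not access from the GetCapabilities response (if your deployment rejects the whole request instead, the anonymous fetch raises an HTTP error, which is an equally valid negative result), and treats "same domain" as the last two DNS labels of the host, which you should adjust to the Domain attribute of your actual session cookie. The two capabilities documents are constructed samples, not real server output.

```python
"""Added example: verify the Identity Service connection test offline.

Not part of security.manager for OGC. Hostnames follow the how-to; the
capabilities XML below is constructed, and the layer-filtering behaviour it
models is an assumption to be checked against your own deployment.
"""
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

IDENTITY_URL = "https://id.example.com/identity/"
SERVICE_URL = ("https://secman.example.com/secman-ogc/my-services/wms"
               "?service=WMS&request=GetCapabilities")


def registrable_domain(url: str, labels: int = 2) -> str:
    """Parent domain of a URL's host, taken as its last `labels` DNS labels.
    Two labels (example.com) is an assumption; raise it for hosts such as
    gis.example.co.uk, or compare against the Domain attribute of the cookie."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-labels:])


def same_domain(url_a: str, url_b: str, labels: int = 2) -> bool:
    """True when both hosts share a parent domain, i.e. a cookie the Identity
    Service sets with Domain=<that domain> is also sent to the service host."""
    return registrable_domain(url_a, labels) == registrable_domain(url_b, labels)


def _local(tag: str) -> str:
    """Strip the XML namespace so WMS 1.1.1 (none) and 1.3.0 parse alike."""
    return tag.rsplit("}", 1)[-1]


def layer_names(capabilities_xml: str) -> Set[str]:
    """Names of all <Layer><Name> elements in a WMS capabilities document."""
    root = ET.fromstring(capabilities_xml)
    names: Set[str] = set()
    for elem in root.iter():
        if _local(elem.tag) != "Layer":
            continue
        for child in elem:
            if _local(child.tag) == "Name" and child.text:
                names.add(child.text.strip())
    return names


def layers_only_when_authenticated(anon_xml: str, authed_xml: str) -> List[str]:
    """Layers advertised to the logged-in session but hidden from an anonymous
    caller. After the policy above, the protected layer must appear here; an
    empty list means the cookie was not sent (domain mismatch) or the policy
    was not loaded."""
    return sorted(layer_names(authed_xml) - layer_names(anon_xml))


def fetch_capabilities(url: str, cookie_header: Optional[str] = None) -> str:
    """GET the capabilities document, optionally with the browser's Cookie
    header copied from the developer tools after logging in. Network call;
    not used by offline_check()."""
    req = urllib.request.Request(url)
    if cookie_header:
        req.add_header("Cookie", cookie_header)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses: the anonymous caller sees only the public layer.
WMS_NS = "http://www.opengis.net/wms"
ANON_CAPS = f"""<WMS_Capabilities xmlns="{WMS_NS}" version="1.3.0">
  <Capability><Layer><Title>root</Title>
    <Layer><Name>layerB</Name><Title>Public</Title></Layer>
  </Layer></Capability></WMS_Capabilities>"""
AUTHED_CAPS = f"""<WMS_Capabilities xmlns="{WMS_NS}" version="1.3.0">
  <Capability><Layer><Title>root</Title>
    <Layer><Name>layerA</Name><Title>Logged-in users only</Title></Layer>
    <Layer><Name>layerB</Name><Title>Public</Title></Layer>
  </Layer></Capability></WMS_Capabilities>"""


def offline_check() -> Dict[str, object]:
    """Run the domain precondition and the comparison on the constructed samples."""
    return {
        "same_domain": same_domain(IDENTITY_URL, SERVICE_URL),
        "protected_layers": layers_only_when_authenticated(ANON_CAPS, AUTHED_CAPS),
    }


if __name__ == "__main__":
    print(offline_check())
```

To run it against a live deployment, call fetch_capabilities(SERVICE_URL) once without a cookie and once with the Cookie header of your logged-in browser session, and pass the two responses to layers_only_when_authenticated; the layer you restricted in the policy should be the only difference.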

Next steps

After you have connected to an Identity Service, you can bind policies to roles that are managed in the identity provider configured there. For more information, see the how-to Refer to roles from Identity Service in policies.