UnboundID Identity Broker - Identity Provider Adapter

Identity Broker Documentation Index
Configuration Reference Home

Identity Provider Adapter

A Identity Provider Adapter is a native adapter for interfacing with an external identity provider.

A Identity Provider Adapter can authenticate a user's identity with an external identity provider and optionally retrieve user attributes as SCIM data.

↓Relations from This Component
↓Properties
↓dsconfig Usage

Relations from This Component

The following components have a direct aggregation relation from Identity Provider Adapters:

Key Manager Provider

Trust Manager Provider

Properties

The properties supported by this managed object are as follows:

Basic Properties:	Advanced Properties:
↓ description	None
↓ enabled
↓ hostname-verification-method
↓ key-manager-provider
↓ trust-manager-provider
↓ java-class

Basic Properties

description

Description	A description for this Identity Provider Adapter
Default Value	None
Allowed Values	A string
Multi-Valued	No
Required	No
Admin Action Required	None. Modification requires no further action

enabled

Description	Indicates whether the Identity Provider Adapter is enabled.
Default Value	None
Allowed Values	true false
Multi-Valued	No
Required	Yes
Admin Action Required	None. Modification requires no further action

hostname-verification-method

Description	The mechanism for checking if the identity provider's hostname matches the name(s) stored inside the server's X.509 certificate. This is only applicable if SSL is being used for connection security.
Default Value	strict
Allowed Values	allow-all - This mechanism turns hostname verification off. browser-compatible - This mechanism works the same way as cURL and Firefox. The hostname must match either the first CN, or any of the Subject Alternative Names. A wildcard can occur in the CN, and in any of the Subject Alternative Names. The only difference between 'browser-compatible' and 'strict' is that a wildcard (such as ".foo.com") with 'browser-compatible' matches all subdomains, including "a.b.foo.com". strict* - This mechanism works the same way as the Java Runtime Environment. It is also compliant with RFC 2818 for dealing with wildcards. The hostname must match either the first CN, or any of the Subject Alternative Names. A wildcard can occur in the CN, and in any of the Subject Alternative Names. A wildcard such as "*.foo.com" matches only subdomains in the same level, for example "a.foo.com". It does not match deeper subdomains such as "a.b.foo.com".
Multi-Valued	No
Required	No
Admin Action Required	The Identity Provider Adapter must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server

key-manager-provider

Description	The key manager provider to use if SSL (HTTPS) is to be used for connection-level security. When specifying a value for this property (except when using the Null key manager provider) you must ensure that the external server trusts this server's public certificate by adding this server's public certificate to the external server's trust store.
Default Value	The Java Runtime Environment's default key manager will be used
Allowed Values	The DN of any Key Manager Provider. The associated key manager provider must exist and must be enabled if SSL is to be used.
Multi-Valued	No
Required	No
Admin Action Required	The Identity Provider Adapter must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server

trust-manager-provider

Description	The trust manager provider to use if SSL (HTTPS) is to be used for connection-level security.
Default Value	The Java Runtime Environment's default trust manager will be used
Allowed Values	The DN of any Trust Manager Provider. The associated trust manager provider must exist and must be enabled if SSL is to be used.
Multi-Valued	No
Required	No
Admin Action Required	The Identity Provider Adapter must be disabled and re-enabled for changes to this setting to take effect. In order for this modification to take effect, the component must be restarted, either by disabling and re-enabling it, or by restarting the server

java-class (Read-Only)

Description	Specifies the fully-qualified name of the Java class that provides the Identity Provider Adapter implementation.
Default Value	None
Allowed Values	The fully-qualified name of a Java class that extends or implements com.unboundid.directory.broker.core.dataview.IdentityProviderAdapter
Multi-Valued	No
Required	Yes
Admin Action Required	None. Modification requires no further action

dsconfig Usage

To list the configured Identity Provider Adapters:

dsconfig list-identity-provider-adapters
     [--property {propertyName}] ...

To view the configuration for an existing Identity Provider Adapter:

dsconfig get-identity-provider-adapter-prop
     --adapter-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Identity Provider Adapter:

dsconfig set-identity-provider-adapter-prop
     --adapter-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Identity Provider Adapter:

dsconfig create-identity-provider-adapter
     --adapter-name {name}
     --type {type}
     --set enabled:{propertyValue}
     --set java-class:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Identity Provider Adapter:

dsconfig delete-identity-provider-adapter
     --adapter-name {name}