Super Contributor.

Multiple domains for OSP

Hi,

In my present company we are having multiple AD domains, is there anyway to connect all the domains as an Identity Service for OSP?

Thanks

10 Replies
Knowledge Partner

Re: Multiple domains for OSP

OSP itself is not exactly, but mostly, a stripped-down version of NAM and can do a lot of amazing things. However, the interface to manage it is basically removed in the version we get in IDG, IDM, AA, etc.

There was a GUI to configure it in the Social Access (xAccess) products but we no longer have that.

Are all these domains in the same forest?  I wonder if you can auth against the Global Catalog instead?  If not, use IDM to sync all the users to one meta directory and use eDir for auth.

Super Contributor.

Re: Multiple domains for OSP

All these domains are in the same forest. I might end up authenticating against the Global Catalog. Thanks for your response.

Super Contributor.

Re: Multiple domains for OSP

Geoff,

Have you ever tried to auth against the global catalog? Curious to know how this works with OSP.

Thanks

Nihii

Knowledge Partner

Re: Multiple domains for OSP

I never have tried against the Global Catalog... Thinking about this more, it may not work, as OSP wants to write to the oidpInstances attribute, which I am not sure would be writable in the Global Catalog?

An interesting question, and I am curious about the answer.

Super Contributor.

Re: Multiple domains for OSP

@Stevewdj Any suggestions on this scenario?

Micro Focus Expert

Re: Multiple domains for OSP

Greetings,
My understanding of AD's Global Catalog is that it is a read-only replica.  OSP is required to write the refresh token revocation entry on the user in the Identity Server (eDirectory or Active Directory) that it is pointing to.  Since the Global Catalog is read-only, the write would then fail, which would cause the login to fail.  Therefore, I do not believe that AD's Global Catalog can be utilized at this moment.

Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus

Knowledge Partner

Re: Multiple domains for OSP

Rats, initially I thought the GC could work, but the oidpInstances write issue is the show stopper.  Drat.

Super Contributor.

Re: Multiple domains for OSP

Thanks, Geoff and Steve.

Since I cannot use our AD for auth, I am planning to use eDir, but our eDir is already being used by IDM 4.5 apps. Can I utilize the same eDir for authenticating users into IG without integrating IDM? Currently, our IDM apps are being used only by admins (3-4 users max). And we are planning to upgrade to 4.8, but can't wait till the upgrade.

Knowledge Partner

Re: Multiple domains for OSP

Absolutely!  Of course!  eDir is great!

This is WHY you have a metadirectory with extra info.

Knowledge Partner

Re: Multiple domains for OSP

I am trying to think, if OSP can do the Kerb auth from AD logins for SSO and also auth against eDir? I.e., map the Kerb identity that auths to OSP, and then use the eDir identity. I am not sure, but you have multiple domains, so Kerb SSO may not work anyway... Steve could better answer that one.