Session Providers and Roles

Each session provider retrieves raw role information in a different manner, as described in the following sections.

LDAP Session Provider

The LDAP Session Provider queries the configured LDAP server for the group memberships of the authenticated user. Even though several LDAP servers may be configured, each user ID may be present in only one of them. If a logon attempt finds the provided user ID in more than one LDAP server, an exception is thrown and the login fails. The groups (raw roles) of the user are gathered from the same LDAP server in which the user was found.

When the grid role mapping queries the LDAP Session Provider for available groups, the session provider makes calls to all the configured LDAP servers to get a list of all available groups.
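The lookup rules above (exactly one server may hold the user ID, groups come from that server only, and the "available groups" query unions every server) can be modelled in a few lines. The following is an added illustrative example written for this page, not the product's own code; the server names, user IDs and group names are constructed sample data, and a real provider would issue LDAP searches instead of dictionary lookups.

```python
"""Illustrative model of the LDAP Session Provider's lookup rules.

Example code for this page, not the product's implementation. Directory
contents below are constructed; a real provider would query LDAP servers.
"""

from dataclasses import dataclass, field


class AmbiguousUserError(Exception):
    """Raised when a user ID exists in more than one configured LDAP server."""


@dataclass
class LdapServer:
    """Stand-in for one configured LDAP server (constructed data)."""
    name: str
    # user ID -> set of groups (raw roles) the directory reports for that user
    members: dict = field(default_factory=dict)

    def has_user(self, user_id):
        return user_id in self.members

    def groups_of(self, user_id):
        return set(self.members[user_id])

    def all_groups(self):
        groups = set()
        for g in self.members.values():
            groups.update(g)
        return groups


def raw_roles_for_user(servers, user_id):
    """Return (server_name, sorted groups) for user_id.

    The user ID must be present in exactly one server: no match raises
    LookupError, more than one match raises AmbiguousUserError, which is
    the documented "logon fails" case.
    """
    hits = [s for s in servers if s.has_user(user_id)]
    if not hits:
        raise LookupError(f"user {user_id!r} not found in any LDAP server")
    if len(hits) > 1:
        names = [s.name for s in hits]
        raise AmbiguousUserError(f"user {user_id!r} found in {names}; logon refused")
    server = hits[0]
    return server.name, sorted(server.groups_of(user_id))


def logon_outcome(servers, user_id):
    """Classify a logon attempt as 'ok', 'not-found' or 'ambiguous'."""
    try:
        raw_roles_for_user(servers, user_id)
        return "ok"
    except AmbiguousUserError:
        return "ambiguous"
    except LookupError:
        return "not-found"


def available_groups(servers):
    """Union of groups across all configured servers, as grid role mapping sees it."""
    groups = set()
    for s in servers:
        groups.update(s.all_groups())
    return sorted(groups)


# Constructed sample directories: "bob" deliberately exists in both servers.
SERVERS = [
    LdapServer("ldap-eu", {"alice": {"cn=grid-operators", "cn=staff"},
                            "bob": {"cn=staff"}}),
    LdapServer("ldap-us", {"carol": {"cn=grid-admins"},
                            "bob": {"cn=contractors"}}),
]

if __name__ == "__main__":
    print(raw_roles_for_user(SERVERS, "alice"))
    print(logon_outcome(SERVERS, "bob"))
    print(available_groups(SERVERS))
```

The duplicate "bob" entry shows why the single-server rule matters for role resolution: without it, the set of raw roles a user receives would depend on which server answered first, and the two servers could disagree about the user's group memberships.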

Windows Session Provider

Active Directory is used to get the group memberships (raw roles) of the authenticated user, as well as the list of available groups that the grid role mapping uses for session provider roles.

SAML Session Provider

The SAML Session Provider receives the authenticated user’s raw roles in the Security Role claim from the Security Token Service (AD FS). The Security Roles are created, configured and assigned (both to application and to users) in the IFS management tool.

If there is a Security Role defined in IFS that is identical to a role in the Grid and the user is assigned this role, the Grid role is automatically assigned to the user without any mapping requirement. Note that application roles must have the application scope (<Application name>/role) in order to be automatically mapped in this way.

When the grid role mapping queries the SAML Session Provider for available groups, the session provider calls the IFS web services to get a list of all available Security Roles in IFS. Not all Security Roles in that list are necessarily emitted for the grid application in IFS, because the output from the IFS web service cannot be filtered per application. Compare the list with the Security Roles assigned to the grid application in IFS for details.
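The automatic assignment rule above (a Security Role auto-maps to a Grid role only when the names are identical and the role carries the application scope "<Application name>/role") is easy to get wrong in either direction. The following is an added illustrative example written for this page, not the product's own code. It assumes the Security Role claim arrives as a list of string values, that a scoped role is written as "App/Role", and that raw roles which do not auto-map fall through to an explicit mapping table; the application name, grid roles, mapping table and claim values are all constructed.

```python
"""Illustrative model of SAML raw-role to Grid-role resolution.

Example code for this page, not the product's implementation. The claim
format ("App/Role"), application name, grid roles and mapping table are
assumptions constructed for the example.
"""

APP_NAME = "ExampleGridApp"                          # assumed application name
GRID_ROLES = {"Administrator", "Operator", "Viewer"}  # constructed Grid roles

# Constructed explicit mapping maintained by grid role mapping for roles
# that do not qualify for automatic assignment.
ROLE_MAPPING = {
    "IFS-Support": "Viewer",
}


def parse_role_claim(value):
    """Split an 'App/Role' claim value into (scope, role).

    Unscoped values return scope None; only the first '/' separates the
    application scope, so role names containing '/' are preserved.
    """
    if "/" in value:
        scope, role = value.split("/", 1)
        return scope, role
    return None, value


def resolve_grid_roles(claim_values, app_name=APP_NAME,
                       grid_roles=GRID_ROLES, mapping=ROLE_MAPPING):
    """Return (granted grid roles, raw roles that matched nothing).

    A claim auto-maps only when its role part is a Grid role AND its scope
    is this application. Same-named roles that are unscoped, or scoped to
    another application, are not auto-assigned. Everything that does not
    auto-map is looked up in the explicit mapping table.
    """
    granted = set()
    unmapped = []
    for value in claim_values:
        scope, role = parse_role_claim(value)
        if role in grid_roles and scope == app_name:
            granted.add(role)
        elif value in mapping:
            granted.add(mapping[value])
        else:
            unmapped.append(value)
    return sorted(granted), unmapped


# Constructed Security Role claim values for one authenticated user.
SAMPLE_CLAIM = [
    "ExampleGridApp/Operator",   # scoped and identical: auto-assigned
    "IFS-Support",               # not a Grid role name: explicit mapping
    "OtherApp/Administrator",    # right name, wrong scope: not assigned
    "Viewer",                    # right name, no scope: not assigned
]

if __name__ == "__main__":
    print(resolve_grid_roles(SAMPLE_CLAIM))
```

The two rejected values in the sample claim are the cases worth checking during configuration: an unscoped or foreign-scoped role that happens to share a Grid role's name grants nothing, so a user who appears to hold "Administrator" in IFS may still land without that Grid role until the scope is corrected or an explicit mapping is added.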

The SAML Session Provider has two application properties that are required for querying groups (raw roles): "IFS administrator" and "IFS administrator password". They are needed to connect to the IFS Web Services. For details on the required account permissions, see Installing and configuring the SAML Session Provider.