Integration with ESIA and one storage for users and roles

Hello everyone, I have 2 questions:

  1. In Russia we have the ESIA platform (Unified identification and authentication system). We need to integrate it with the CUBA platform. Do you have any solutions?

  2. We are going to make a distributed system using the CUBA platform. There is an application that manages and stores all users and roles. And there are a lot of other applications that will access the database with users and roles to the central application (the apps don’t have their own databases with users and roles, i.e., you can’t add users or roles to such applications; you can only change and store permissions individually). As far as I understand, this cannot be realized with the standard capabilities of CUBA. Can you suggest how this can be implemented with minimal changes in the code, to keep the possibility of updates in the future?

  1. CUBA supports pluggable authentication in the web client with the CubaAuthProvider interface. There are two existing implementations of it - LdapAuthProvider and IdpAuthProvider - plus one NTLM v2 based implementation described in the docs that uses the proprietary Jespa library. IdpAuthProvider and JespaAuthProvider both support the SSO approach, but IdpAuthProvider implements SSO only for CUBA-based applications. You can implement your own CubaAuthProvider using IdpAuthProvider as an example. IdpAuthProvider is described here: Single-Sign-On for CUBA Applications - CUBA Platform. Developer’s Manual

  2. First of all, as your applications have different functionality, you need to specify different permissions on the application level. Permissions are defined for roles, so you cannot have permissions without roles. It means that roles have to be created in the applications as well. Second, a lot of standard CUBA functionality uses references to the User entity, so it should exist in the app database. So I think getting rid of users in app databases is close to impossible. It doesn’t mean you cannot authenticate users in a centralized way - see 1) above. But you have to replicate user data (at least IDs and login names) between all applications in order to use CUBA in a more or less standard way.

So the security management process can be as follows:

  • The list of roles (without permissions) is maintained in a central app.
  • Roles (without permissions) are replicated throughout all apps. In each app you define permissions for roles separately.
  • Users are created and roles are assigned to users in the central app. Users and user-role links (UserRole instances) are replicated throughout all apps.
  • Apps do not store passwords, authentication is done externally.
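
The replication process listed in the answer above, sketched as an added example (not part of the original post and not CUBA's own code). It uses a plain Java model rather than CUBA entities; every class, field and permission name is hypothetical, and it assumes the central app publishes a full snapshot on each sync.

```java
import java.util.*;

// Added illustration: plain Java model, not CUBA entities or the CUBA API.
public class SecurityReplicaSync {
    // What the central app publishes: IDs and logins only, no passwords, no permissions.
    record UserRec(UUID id, String login) {}
    record RoleRec(UUID id, String name) {}
    record UserRoleRec(UUID userId, UUID roleId) {}
    record Snapshot(List<UserRec> users, List<RoleRec> roles, List<UserRoleRec> links) {}

    // One application's replicated copy plus the permissions it defines itself.
    static class AppStore {
        final Map<UUID, UserRec> users = new HashMap<>();
        final Map<UUID, RoleRec> roles = new HashMap<>();
        final Set<UserRoleRec> links = new HashSet<>();
        final Map<UUID, Set<String>> permissions = new HashMap<>(); // roleId -> local permissions

        void apply(Snapshot s) {
            Set<UUID> userIds = new HashSet<>(), roleIds = new HashSet<>();
            for (UserRec u : s.users()) { users.put(u.id(), u); userIds.add(u.id()); }
            for (RoleRec r : s.roles()) { roles.put(r.id(), r); roleIds.add(r.id()); }
            // Drop users and roles removed centrally, so revoked access does not linger.
            users.keySet().retainAll(userIds);
            roles.keySet().retainAll(roleIds);
            // Permissions are never overwritten by a sync, only pruned with their role.
            permissions.keySet().retainAll(roleIds);
            // Replace links wholesale; skip any that point at unknown users or roles.
            links.clear();
            for (UserRoleRec l : s.links())
                if (userIds.contains(l.userId()) && roleIds.contains(l.roleId())) links.add(l);
        }

        Set<String> effectivePermissions(UUID userId) {
            Set<String> out = new TreeSet<>();
            for (UserRoleRec l : links)
                if (l.userId().equals(userId)) out.addAll(permissions.getOrDefault(l.roleId(), Set.of()));
            return out;
        }
    }

    public static void main(String[] args) { // constructed sample data
        UUID alice = UUID.randomUUID(), bob = UUID.randomUUID(), clerk = UUID.randomUUID();
        AppStore app = new AppStore();
        app.apply(new Snapshot(List.of(new UserRec(alice, "alice"), new UserRec(bob, "bob")),
                List.of(new RoleRec(clerk, "clerk")),
                List.of(new UserRoleRec(alice, clerk), new UserRoleRec(bob, clerk))));
        app.permissions.put(clerk, new HashSet<>(Set.of("order:read"))); // defined in this app only
        // The central app removes bob; the next sync must remove his access here too.
        app.apply(new Snapshot(List.of(new UserRec(alice, "alice")),
                List.of(new RoleRec(clerk, "clerk")), List.of(new UserRoleRec(alice, clerk))));
        System.out.println("alice: " + app.effectivePermissions(alice));
        System.out.println("bob:   " + app.effectivePermissions(bob));
    }
}
```

The snapshot types carry no credential fields at all, so an app cannot end up storing passwords by accident, and the second sync shows that a user removed centrally loses access in the app while the app's own role permissions survive.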