Application Integration overview
The Crowd framework allows an application to perform authentication and authorisation calls against a mapped directory, including:
- Authenticate a principal (i.e. a user).
- Validate and invalidate an existing principal authentication.
- Find a principal by their authentication token.
- Search principals, groups and roles by name or attributes.
- Add principals, groups and roles.
- Validate a principal's group and role membership.
- Add and remove principals from groups and roles.
- Update a principal's attribute data.
- Update or reset a principal's authentication credentials.
Crowd's application provisioning allows an application to be mapped to multiple directories. When an application needs to authenticate or authorise a principal, Crowd will call the directory listed first. If the security call can be processed by that directory, the operation returns the result. If the call cannot be processed, the next directory in the list is used, and so on until all directories have been exhausted. If no directory can process the security call, an Exception (based on the method) will be thrown.
When an application needs to perform a security request (that is, needs to authenticate or authorise a user) via Crowd's API, the following two steps need to occur:
- The application authenticates itself with Crowd; the authentication token may be reused by the application during subsequent calls. During this step, Crowd validates the application's credentials and address against known application credentials/addresses.
- Using the authenticated token from the previous step, the application then performs the security request for a particular user.
Should the application's requesting token become invalid, the client library will attempt to re-authenticate and perform the security request. If the second authentication request fails, an Exception will be thrown, specifying that the application's credentials are invalid.
Diagram -- Application Authorisation Sequence:
- If you are using the SOAP interface, you will need to explicitly implement each step of the application authorisation sequence. As an example, please see the Microsoft .NET Client. We recommend that you use the SOAP API for long-term compatibility.
- If you have a Java application, you can use the Java client libraries shipped with Crowd. The application authorisation sequence above is fully handled by the supplied Java implementation. But please be aware that the libraries may change between releases. You may need to re-compile your source and possibly change a package name.
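For a client that has to implement the sequence itself, the token reuse and single re-authentication retry described above can be modelled as follows. This is an added example, not Crowd's client library or SOAP API: FakeCrowd, CrowdClient, the exception classes and all method names are hypothetical, and the in-memory server and its sample data are constructed for illustration.

```python
class InvalidTokenError(Exception):
    """The server no longer accepts the application token."""

class InvalidApplicationCredentials(Exception):
    """Application name, password or address is not a known combination."""

class FakeCrowd:
    """Constructed in-memory stand-in for the server side (hypothetical)."""
    def __init__(self, apps, users):
        self.apps, self.users = apps, users  # apps: name -> (password, address)
        self.tokens, self.app_logins = set(), 0

    def authenticate_application(self, name, password, address):
        # Step 1: credentials AND address must match the registered application.
        if self.apps.get(name) != (password, address):
            raise InvalidApplicationCredentials(name)
        self.app_logins += 1
        token = f"{name}-token-{self.app_logins}"
        self.tokens.add(token)
        return token

    def authenticate_principal(self, app_token, user, password):
        # Step 2: a security request is only served for a valid application token.
        if app_token not in self.tokens:
            raise InvalidTokenError(app_token)
        return self.users.get(user) == password

class CrowdClient:
    """Client-side wrapper that caches the application token (hypothetical)."""
    def __init__(self, server, name, password, address):
        self.server, self.creds, self.token = server, (name, password, address), None

    def _call(self, request):
        if self.token is None:
            self.token = self.server.authenticate_application(*self.creds)
        try:
            return request(self.token)  # normal case: reuse the cached token
        except InvalidTokenError:
            # Token became invalid: re-authenticate once, then retry the request.
            # If this second authentication fails, the exception propagates.
            self.token = None
            self.token = self.server.authenticate_application(*self.creds)
            return request(self.token)

    def authenticate_principal(self, user, password):
        return self._call(
            lambda tok: self.server.authenticate_principal(tok, user, password))
```

The retry is deliberately limited to one attempt, so a client whose application credentials have been revoked fails with an error instead of looping.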