The Crowd framework allows an application to perform authentication and authorisation calls against a mapped directory, including:
Authenticating a user
Validating and invalidating existing user authentication
Finding a user by their authentication token
Searching users and groups by name or attributes
Adding users and groups
Validating a user’s group membership
Adding and removing users from groups
Updating a user’s attribute data
Updating or resetting a user’s authentication credentials
Crowd's application provisioning allows an application to be mapped to multiple directories. When an application needs to authenticate or authorise a user, Crowd calls the directory listed first. If that directory can process the security call, the operation returns the result. If it cannot, Crowd tries the next directory in the list, and so on until all directories have been exhausted. If no directory can process the security call, an Exception (based on the method) is thrown.
When an application needs to perform a security request (that is, needs to authenticate or authorise a user) via Crowd's API, the following two steps need to occur:
1. The application authenticates itself with Crowd; the authentication token may be reused by the application during subsequent calls. During this step, Crowd validates the application's credentials and address against known application credentials/addresses.
2. Using the authenticated token from the previous step, the application then performs the security request for a particular user.
Should the application's requesting token become invalid, the client library will attempt to re-authenticate and perform the security request. If the second authentication request fails, an Exception will be thrown, specifying that the application's credentials are invalid.
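The two-step sequence and the single re-authentication described above, modelled end to end as an added example (not Crowd's client library or API). `ModelServer`, `ModelClient`, the exception names and the sample credentials are all hypothetical, and a failed user login is modelled as a `False` return.

```python
import secrets

class InvalidApplicationToken(Exception): pass
class InvalidApplicationCredentials(Exception): pass

class ModelServer:
    """Stand-in for the Crowd side; names and signatures are hypothetical."""
    def __init__(self, apps, users):
        self.apps = apps      # app name -> (password, permitted address)
        self.users = users    # username -> password (constructed sample data)
        self.tokens = set()   # application tokens currently valid

    def authenticate_application(self, name, password, address):
        known = self.apps.get(name)
        # Both the credential and the calling address must match.
        if (known is None or address != known[1]
                or not secrets.compare_digest(password, known[0])):
            raise InvalidApplicationCredentials(name)
        token = secrets.token_hex(16)
        self.tokens.add(token)
        return token

    def authenticate_user(self, app_token, username, password):
        if app_token not in self.tokens:
            raise InvalidApplicationToken()
        stored = self.users.get(username)
        return stored is not None and secrets.compare_digest(password, stored)

class ModelClient:
    def __init__(self, server, name, password, address):
        self.server, self.creds = server, (name, password, address)
        self.token = None
        self.app_logins = 0   # counts step-1 calls, to show token reuse

    def _login(self):
        self.app_logins += 1
        self.token = self.server.authenticate_application(*self.creds)

    def authenticate_user(self, username, password):
        if self.token is None:
            self._login()                                   # step 1
        try:                                                # step 2
            return self.server.authenticate_user(self.token, username, password)
        except InvalidApplicationToken:
            # Token no longer valid: re-authenticate once, then retry. If the
            # re-authentication fails, InvalidApplicationCredentials propagates.
            self._login()
            return self.server.authenticate_user(self.token, username, password)
```

Capping the retry at one re-authentication keeps a revoked or rotated application credential from turning into a login loop against the server.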
Diagram -- CrowdClient usage:
If you are using the SOAP interface, you will need to explicitly implement each step of the application authorisation sequence. As an example, please see the Microsoft .NET Client. The SOAP API is no longer present in Crowd 5.0.0 and we recommend that you use the REST API for long-term compatibility.
If you have a Java application, you can use the Java client libraries shipped with Crowd. The application authorisation sequence above is fully handled by the supplied Java implementation. But please be aware that the libraries may change between releases. You may need to re-compile your source and possibly change a package name.