Deploy Cúram Universal Access in Identity Only mode for Registered Users

Add the following properties to AppServer.properties:

curam.security.check.identity.only=true
curam.security.user.registry.disabled.types=EXT_AUTO,EXT_GEN

To re-configure the application server run:

appbuild configure

The curam.security.check.identity.only property ensures that application security is set to work in Identity Only mode. For more information about Identity Only authentication mode please refer to the Cúram Deployment Guide for WebSphere or Cúram Deployment Guide for WLS as appropriate. In Identity Only mode authentication only uses the internal user table to check for the existence of the user. The validation of the password is left to a subsequent module, either a JAAS module (Oracle WebLogic) or the User Registry (IBM® WebSphere®).

Take the example of a user, "johnsmith", who has been registered with the CentralID LDAP server. In order for John Smith to be able to use Cúram Universal Access, there must also be a "johnsmith" entry in the ExternalUser table. When John Smith logs in, his authentication request is passed to the Cúram JAAS Login Module. This checks that the user "johnsmith" exists in the Cúram ExternalUser table but does not check the password. The authentication then proceeds to the User Registry (WebSphere) or LDAP JAAS Module (WebLogic) where the username and password are checked against the contents of the CentralID LDAP server. For this to work correctly it is necessary to configure the application server with the connection details for the secure LDAP server.

The Identity Only configuration allows the application to defer to an external security system, such as an LDAP-based directory service, for the authentication of user credentials. This does not work, however, for anonymous users of Universal Access. When a user accesses the front page of Universal Access for the first time, they are automatically logged in as the "publiccitizen" user. If they subsequently choose to Screen themselves or perform an Intake, Universal Access creates a new "generated" anonymous user. Each generated user is unique, which ensures that the data belonging to that user is kept confidential. Neither the publiccitizen user nor the generated users are inserted into the LDAP directory, so they cannot be authenticated using the Identity Only mechanism. This is the purpose of the following line of configuration:

curam.security.user.registry.disabled.types=EXT_AUTO,EXT_GEN

This line ensures that users with the user type EXT_AUTO (the publiccitizen user) and EXT_GEN (generated users) are authenticated against Cúram's ExternalUser table rather than the external user registry. Once the server has been configured with these properties and started, perform the following configuration steps:

  1. Log in as sysadmin.
  2. Select Application Data -> Property Administration.
  3. Select Category "Citizen Account - Configuration".
  4. Set the property 'curam.citizenaccount.public.included.user' to the value 'EXT_AUTO'.
  5. Set the property 'curam.citizenaccount.anonymous.included.user' to the value 'EXT_GEN'.
  6. Publish the property changes.

One final configuration entry is required to ensure that Universal Access operates correctly with respect to authentication. This change can be made as follows:

  7. Log in as sysadmin.
  8. Select Application Data -> Property Administration.
  9. Select Category "Infrastructure – Security parameters".
  10. Set curam.custom.externalaccess.implementation to 'curam.citizenworkspace.security.impl.CitizenWorkspacePublicAccessSecurity'.
  11. Publish the property changes.

Finally, log out and restart the server. The configuration task is complete at this point.
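The following is an added example, not Cúram code: a small Python model of the authentication routing described above. It parses the two AppServer.properties lines and shows why a registered user such as "johnsmith" has only their existence checked in the ExternalUser table before the password is deferred to the directory, while EXT_AUTO and EXT_GEN users are checked locally. The ExternalUser rows, the user type name EXT_REG and the LDAP stand-in are constructed assumptions.

```python
"""Model of Identity Only routing (illustrative, not Cúram's implementation)."""

# Constructed sample of the two properties added to AppServer.properties
APPSERVER_PROPERTIES = """\
curam.security.check.identity.only=true
curam.security.user.registry.disabled.types=EXT_AUTO,EXT_GEN
"""

# Hypothetical ExternalUser rows: username -> (user type, local secret or None)
EXTERNAL_USERS = {
    "johnsmith": ("EXT_REG", None),        # registered user; password lives in LDAP only
    "publiccitizen": ("EXT_AUTO", "pub"),  # anonymous front-page user
    "gen-0001": ("EXT_GEN", "s3cr3t"),     # generated anonymous user
}
# Stand-in for the CentralID LDAP server: only registered users exist here
LDAP_DIRECTORY = {"johnsmith": "correct-horse"}


def parse_properties(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def identity_only_config(props):
    """Return (identity_only_enabled, set of user types kept out of the registry)."""
    enabled = props.get("curam.security.check.identity.only", "false").lower() == "true"
    raw = props.get("curam.security.user.registry.disabled.types", "")
    return enabled, {t.strip() for t in raw.split(",") if t.strip()}


def authenticate(username, password, props):
    """Return where the password was checked: 'external-user-table', 'ldap' or 'denied'."""
    enabled, local_types = identity_only_config(props)
    row = EXTERNAL_USERS.get(username)
    if row is None:
        return "denied"  # JAAS login module: user must exist in ExternalUser
    user_type, local_secret = row
    if not enabled or user_type in local_types:
        # publiccitizen and generated users are never in LDAP; verify locally
        return "external-user-table" if local_secret == password else "denied"
    # Identity Only: existence confirmed, password validation deferred to the registry
    return "ldap" if LDAP_DIRECTORY.get(username) == password else "denied"
```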