Introduction
CUE User Manager is CCI / Escenic's new solution for managing user access to CUE. It provides a standard interface to a centralized Identity and Access Management (IAM) system that can be shared by all CUE-related back-end systems. Instead of the CUE Content Store having its own integrated user management functionality, it can delegate responsibility for access control to CUE User Manager.
The use of such a centralized IAM system has a number of advantages:
- Single sign-on for users
- Simpler user management: no problems keeping identities consistent between systems, no redundancies or duplication
- Simpler auditing: all user activities are reported by one system in a single, consistent format
- Reduced resource usage
- Easier upgrades to the IAM system: any changes in the IAM system's API will only affect CUE User Manager rather than requiring changes in all back-end systems.
CUE User Manager needs an IAM system that performs the following user management tasks:
- Authentication: is the user who he says he is?
- Authorization: what is this user allowed to do?
- Identity management: what information should be stored for each user (mail address, profile and so on)?
IAM systems can be configured either to act as a complete, standalone IAM system or to co-operate with other authentication systems such as Active Directory, Google and Facebook.
CUE Content Store and CUE Print are already able to make use of a common IAM system (Active Directory) to enable single sign-on for users, so what benefit does CUE User Manager offer? It can best be seen as an insulating layer between the CUE back-end systems and the IAM system, making it easier to deal with upgrades to the IAM system: any changes in the IAM system's API will only affect CUE User Manager rather than requiring changes in all back-end systems. In theory it is possible to use any IAM system that supports:
- OpenID Connect Core 1.0 for authentication.
- OpenID Connect Discovery 1.0 for service discovery.
- System for Cross-domain Identity Management 2 (SCIM 2) for identity management.
- User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization for web resource authorization.
This guide assumes that CUE User Manager is installed on um.example.com and the IAM backend system is installed on iam.example.com.
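The following added example, which is not part of CUE User Manager or its documentation, checks a candidate IAM system's published OpenID Connect Discovery and UMA 2.0 metadata before it is connected: required discovery fields, an exact issuer match, HTTPS-only endpoints, and the UMA grant type. The issuer URL https://iam.example.com, the endpoint paths and the sample documents are constructed assumptions, as is the expectation that the IAM lists the UMA grant in grant_types_supported; SCIM 2 support is not covered.

```python
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"  # grant type defined by UMA 2.0
# Metadata fields that OpenID Connect Discovery 1.0 marks REQUIRED.
OIDC_REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
                 "response_types_supported", "subject_types_supported",
                 "id_token_signing_alg_values_supported")

def check_metadata(expected_issuer, oidc_doc, uma_doc):
    """Return a list of problems; an empty list means the metadata looks usable."""
    problems = [f"oidc: missing {k}" for k in OIDC_REQUIRED if k not in oidc_doc]
    for name, doc in (("oidc", oidc_doc), ("uma", uma_doc)):
        # The issuer must be identical to the URL the client was configured with;
        # a mismatch means the document belongs to some other authority.
        if doc.get("issuer") != expected_issuer:
            problems.append(f"{name}: issuer is {doc.get('issuer')!r}")
        # Every advertised endpoint must be reached over TLS.
        for key, value in doc.items():
            if key.endswith(("_endpoint", "_uri")) and not str(value).startswith("https://"):
                problems.append(f"{name}: {key} is not https")
    # Assumption: the IAM advertises the UMA grant in grant_types_supported.
    if UMA_GRANT not in uma_doc.get("grant_types_supported", []):
        problems.append("uma: UMA 2.0 grant not advertised")
    return problems

# Constructed sample documents (not captured from a real server).
ISSUER = "https://iam.example.com"
GOOD_OIDC = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
GOOD_UMA = {
    "issuer": ISSUER,
    "token_endpoint": ISSUER + "/token",
    "grant_types_supported": ["authorization_code", UMA_GRANT],
}
# Same documents with a foreign issuer, a plain-HTTP key URL and no UMA grant.
BAD_OIDC = dict(GOOD_OIDC, issuer="https://other.example.net",
                jwks_uri="http://iam.example.com/jwks")
BAD_UMA = dict(GOOD_UMA, grant_types_supported=["authorization_code"])

if __name__ == "__main__":
    for problem in check_metadata(ISSUER, BAD_OIDC, BAD_UMA):
        print(problem)
```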