Authentication
The FileNet P8 platform uses the Java™ Authentication and Authorization Service (JAAS) for authentication.
The JAAS standard forms the framework for security interoperability in the Java Platform, Enterprise Edition (Java EE) world and enables a wide range of integrations with different vendor security environments.
JAAS provides a policy-based, pluggable framework for reliably and securely determining who is invoking a Java application. The design of JAAS as a pluggable framework is a key architectural benefit of Java EE. It allows applications to remain independent of the underlying authentication technologies, and it allows other application server vendors, authentication providers, and single sign-on providers to package solutions that can be used by all Java EE applications and clients. Authentication is performed by the Java EE application server, rather than by FileNet P8. In a user environment, new or updated single sign-on solutions can be plugged in without requiring modifications to the client and server applications that are already deployed.
In addition to supporting pluggable authentication, the JAAS standard also allows for stacked authentication, wherein more than one step might be required to complete successfully in order for authentication to succeed. For example, a configuration might require a user name and password authentication, as well as a separate biometric authentication. Each login module in the stack carries a JAAS control flag (required, requisite, sufficient, or optional) that determines whether its failure is fatal to the overall login and whether the remaining modules still run.
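The following Java program is an added example and is not code from the FileNet P8 documentation or product. It stacks two stand-in JAAS login modules (a password step and a one-time-code step standing in for the separate second factor) under one application entry and drives them through the standard LoginContext, so you can see that both REQUIRED steps must pass. The entry name P8Stacked, the module classes, the CallbackHandler and the credentials are constructed for the demo; it assumes Java 17 or later and is compiled and run with javac StackedJaasDemo.java && java StackedJaasDemo.

```java
// Added example; not code from the FileNet P8 documentation or product.
// Two stand-in JAAS LoginModules are stacked under one application entry
// and driven through the standard LoginContext. The entry name "P8Stacked",
// the module classes and the credentials are constructed for this demo.
// Assumes Java 17+. Build and run: javac StackedJaasDemo.java && java StackedJaasDemo
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;

public class StackedJaasDemo {
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Wraps the CallbackHandler call so login() only has to deal with LoginException.
    static void ask(CallbackHandler h, Callback... cbs) throws LoginException {
        try { h.handle(cbs); }
        catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e);
        }
    }

    /** Step 1: user name and password, checked against a constructed credential store. */
    public static class PasswordModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private String user; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            subject = s; handler = h;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            ask(handler, nc, pc);
            char[] pw = pc.getPassword();
            pc.clearPassword();
            user = nc.getName();
            ok = "alice".equals(user) && Arrays.equals(pw, "s3cret".toCharArray()); // constructed store
            if (pw != null) Arrays.fill(pw, '\0'); // do not leave the secret in memory
            if (!ok) throw new FailedLoginException("bad user name or password");
            return true;
        }
        public boolean commit() { if (ok) subject.getPrincipals().add(new UserPrincipal(user)); return ok; }
        public boolean abort() { ok = false; return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Step 2: a separate factor (a one-time code here) standing in for e.g. a biometric check. */
    public static class OtpModule implements LoginModule {
        private CallbackHandler handler; private boolean ok;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            handler = h;
        }
        public boolean login() throws LoginException {
            TextInputCallback tc = new TextInputCallback("one-time code: ");
            ask(handler, tc);
            ok = "123456".equals(tc.getText()); // constructed code
            if (!ok) throw new FailedLoginException("bad one-time code");
            return true;
        }
        public boolean commit() { return ok; }
        public boolean abort() { ok = false; return true; }
        public boolean logout() { return true; }
    }

    /** Programmatic form of a login.config entry:
     *  P8Stacked { ...PasswordModule required; ...OtpModule required; }; */
    static void installConfig() {
        var req = AppConfigurationEntry.LoginModuleControlFlag.REQUIRED;
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"P8Stacked".equals(name)) return null;
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(PasswordModule.class.getName(), req, Map.of()),
                    new AppConfigurationEntry(OtpModule.class.getName(), req, Map.of()) };
            }
        });
    }

    /** A CallbackHandler that answers both steps from constructed values. */
    static CallbackHandler answers(String user, String pw, String code) {
        return cbs -> {
            for (Callback cb : cbs) {
                if (cb instanceof NameCallback n) n.setName(user);
                else if (cb instanceof PasswordCallback p) p.setPassword(pw.toCharArray());
                else if (cb instanceof TextInputCallback t) t.setText(code);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        installConfig();
        LoginContext lc = new LoginContext("P8Stacked", answers("alice", "s3cret", "123456"));
        lc.login(); // both REQUIRED steps passed; the Subject now carries the user principal
        System.out.println("authenticated as " + lc.getSubject().getPrincipals());
        try { // correct password but wrong code: the second REQUIRED step fails, so the whole login fails
            new LoginContext("P8Stacked", answers("alice", "s3cret", "000000")).login();
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a deployed FileNet P8 environment the Configuration subclass is replaced by the application server's own login configuration, and the stand-in modules by the vendor or single sign-on modules you plug in; the control-flag semantics shown here are what decide whether the stack as a whole admits the caller.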
Although JAAS is used to establish a caller's identity, an LDAP directory service is used to establish each user's group memberships. Enterprise identity management is provided by using directory service products. You can choose to create the various FileNet P8-defined users and groups in your directory service, or you can map these required roles to your own accounts and keep the FileNet P8 directory service footprint to a minimum. FileNet P8 supports groups that can include any number of users and other nested groups. Also, it honors any account states and restrictions (such as disabled and restricted logon hours) that are defined by the directory service.