
13.5. Identity Management

This subsystem provides a domain model that lets you configure PicketLink Identity Management Services in standalone.xml or domain.xml. The subsystem parses that configuration, automatically builds a PartitionManager and exposes it via JNDI for further access.
With the subsystem you can:
  • Externalize and centralize the IDM configuration for deployments.
  • Define multiple configurations for identity management services.
  • Expose the PartitionManager via JNDI for further access.
  • If using CDI, inject the PartitionManager instances using the @Resource annotation.
  • If using CDI, use PicketLink IDM alone without requiring the base module dependencies.
The IDM domain model is an abstraction for all PicketLink IDM configuration, providing a single schema from which all configuration can be defined. If you're already familiar with the Configuration API, you'll find the syntax pretty simple and intuitive.
<subsystem xmlns="urn:jboss:domain:picketlink-identity-management:1.0">

    <!-- A complete configuration using a file-based identity store. -->
    <partition-manager jndi-name="picketlink/FileCompletePartitionManager" name="file.complete.partition.manager">
        <identity-configuration name="file.config">
            <file-store relative-to="jboss.server.data.dir" working-dir="pl-idm-complete" always-create-files="true" async-write="true"
                        async-write-thread-pool="10">
                <supported-types supports-all="true"/>
            </file-store>
        </identity-configuration>
    </partition-manager>

    <!-- A configuration using a JPA-based identity store. The store is configured using an existing datasource. -->
    <partition-manager jndi-name="picketlink/JPADSBasedPartitionManager" name="jpa.ds.based.partition.manager">
        <identity-configuration name="jpa.config">
            <jpa-store data-source="jboss/datasources/ExampleDS">
                <supported-types supports-all="true"/>
            </jpa-store>
        </identity-configuration>
    </partition-manager>

</subsystem>

Note

If you are looking for more examples about how to use the domain model, take a look at JBOSS_HOME/docs/examples/configs/standalone-picketlink.xml.
Most of this configuration will be familiar if you already know the PicketLink IDM configuration. The domain model adds a few settings so that deployments can reach the configured identity management services. Each partition-manager configuration must have:
  • a jndi-name, which defines where the PartitionManager is published in the JNDI tree for further access.
  • a name, which identifies the configuration so that other subsystems can inject the Identity Management Services using the MSC injection infrastructure.
The rest of the configuration closely mirrors how you use the Configuration API to programmatically build the IDM configuration. For a complete description of the domain model elements, see the XML Schema.
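The following is an added example, not part of the PicketLink documentation, showing how a deployment consumes a PartitionManager that the subsystem published under the jndi-name from the configuration above (here "picketlink/JPADSBasedPartitionManager"). The "java:jboss/" prefix on the lookup name, the bean name AccountService and its two methods are assumptions; the PicketLink IDM API calls are the library's own.

```java
import javax.annotation.Resource;
import javax.ejb.Stateless;

import org.picketlink.idm.IdentityManager;
import org.picketlink.idm.PartitionManager;
import org.picketlink.idm.credential.Credentials;
import org.picketlink.idm.credential.Password;
import org.picketlink.idm.credential.UsernamePasswordCredentials;
import org.picketlink.idm.model.basic.Realm;
import org.picketlink.idm.model.basic.User;

/**
 * Hypothetical bean that uses the PartitionManager exposed by the
 * picketlink-identity-management subsystem. The jndi-name is the one from the
 * subsystem configuration; the "java:jboss/" root is an assumption about how the
 * container binds it, so compare it with the binding your server logs at boot.
 */
@Stateless
public class AccountService {

    @Resource(mappedName = "java:jboss/picketlink/JPADSBasedPartitionManager")
    private PartitionManager partitionManager;

    /** Returns an IdentityManager for the default realm, creating the realm on first use. */
    private IdentityManager identityManagerForDefaultRealm() {
        Realm realm = partitionManager.getPartition(Realm.class, Realm.DEFAULT_REALM);
        if (realm == null) {
            realm = new Realm(Realm.DEFAULT_REALM);
            partitionManager.add(realm);
        }
        return partitionManager.createIdentityManager(realm);
    }

    /** Creates a user and sets a password; the store's credential handler encodes it before persisting. */
    public void register(String loginName, char[] password) {
        IdentityManager identityManager = identityManagerForDefaultRealm();
        User user = new User(loginName);
        identityManager.add(user);
        identityManager.updateCredential(user, new Password(password));
    }

    /** Validates a login without loading the user first; true only when the status is VALID. */
    public boolean authenticate(String loginName, char[] password) {
        IdentityManager identityManager = identityManagerForDefaultRealm();
        UsernamePasswordCredentials credentials =
                new UsernamePasswordCredentials(loginName, new Password(password));
        identityManager.validateCredentials(credentials);
        return credentials.getStatus() == Credentials.Status.VALID;
    }
}
```

Because the PartitionManager is container-managed, the bean holds no store credentials of its own; the datasource or EntityManagerFactory referenced by the jpa-store element is what carries them.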

13.5.1. JPAIdentityStore

To integrate more easily with the container, the JPAIdentityStore configuration provides additional settings that control how the EntityManagerFactory used by the JPAIdentityStore is built or obtained.

13.5.1.1. Using a DataSource JNDI Url

When you specify a DataSource JNDI url, the subsystem automatically builds an EntityManagerFactory using a default configuration. This is the fastest way to get a JPA Identity Store up and running, especially if you just want to use the Section 5.1, “Basic Identity Model” provided by PicketLink.
The DataSource JNDI url is specified using the data-source attribute as follows:
<subsystem xmlns="urn:jboss:domain:picketlink-identity-management:1.0">

    <!-- A configuration using a JPA-based identity store. The store is configured using an existing datasource. -->
    <partition-manager jndi-name="picketlink/JPADSBasedPartitionManager" name="jpa.ds.based.partition.manager">
        <identity-configuration name="jpa.config">
            <jpa-store data-source="jboss/datasources/ExampleDS">
                <supported-types supports-all="true"/>
            </jpa-store>
        </identity-configuration>
    </partition-manager>

</subsystem>
This configuration option is very handy if you want to use the Basic Model provided by PicketLink.

13.5.1.2. Using an EntityManagerFactory JNDI Url

Sometimes you may need more control over the JPA Persistence Unit configuration. In this case you can use the entity-manager-factory attribute to specify where your previously built EntityManagerFactory is located.
<subsystem xmlns="urn:jboss:domain:picketlink-identity-management:1.0">

    <!-- A configuration using a JPA-based identity store. The store is configured using an existing JPA EntityManagerFactory, obtained via JNDI. -->
    <partition-manager jndi-name="picketlink/JPAEMFBasedPartitionManager" name="jpa.emf.based.partition.manager">
        <identity-configuration name="jpa.config">
            <jpa-store entity-manager-factory="jboss/MyEntityManagerFactory">
                <supported-types>
                    <supported-type code="Partition"/>
                    <supported-type code="IdentityType"/>
                    <supported-type code="Relationship"/>
                </supported-types>
            </jpa-store>
        </identity-configuration>
    </partition-manager>

</subsystem>

13.5.1.3. Using a JBoss Module

The JPA Identity Store configuration allows you to specify a JBoss Module from which the JPA Persistence Unit and mapped entities are loaded.
This is done using two attributes:
  • entity-module, the name of the module where the JPA Persistence Unit and all mapped entities are located.
  • entity-module-unit-name, the name of the JPA Persistence Unit. If you don't provide one, the subsystem uses identity.
<subsystem xmlns="urn:jboss:domain:picketlink-identity-management:1.0">

    <!-- A configuration using a JPA-based identity store. The store is configured using an existing JPA Persistence Unit from a static module. -->
    <partition-manager jndi-name="picketlink/JPAEMFModulePartitionManager" name="jpa.emf.modules.partition.manager">
        <identity-configuration name="jpa.config">
            <jpa-store entity-module="my.module" entity-module-unit-name="my-persistence-unit-name">
                <supported-types supports-all="true"/>
            </jpa-store>
        </identity-configuration>
    </partition-manager>

</subsystem>