Idea ID: 2878138

IDM REST Driver certificate based authentication

Status: Accepted

The REST driver provides a flexible generic connection between IDM and a connected application supporting a REST API. It provides out of the box a number of useful configuration options to authenticate to a whole suite of different end points using different authentication methods. One method which is really important and appears to be missing from the default configuration options is Certificate Based Authentication (CBA), which is becoming increasingly important as a strong modern authentication method.

OpenText supports and provides the option to use CBA as part of other drivers (e.g. the Azure Driver), but this is not currently supported as part of the REST driver. As a customer we have a requirement to authenticate an existing REST driver to Azure using CBA in order to move away from older authentication methods. This has become critical. On investigation and discussions with support it appears that CBA is not currently supported on the REST shim, although the Azure driver, which implements a number of the REST driver capabilities, does have this functionality. This enhancement request is to provide support for certificate based authentication on the REST driver shim, to allow the already useful tool to become much more flexible and support strong modern authentication. A number of customers currently have technical limitations that prevent the use of the Azure shim, and instead use their own implementations through the REST driver and Graph API, so I believe this could be very beneficial to a number of organizations who want to use CBA.
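
The authentication this request is after, spelled out as an added example (Go, standard library only; this is not code from the original post, from OpenText, or from any IDM driver). Certificate credentials against Entra ID are the OAuth 2.0 client-credentials grant with an RFC 7523 client assertion in place of a client secret: the client signs a short-lived JWT with the private key whose certificate was uploaded to the app registration, identifies that certificate by its SHA-1 thumbprint in the JWT "x5t" header, and POSTs the JWT to the tenant's token endpoint as client_assertion; the access token that comes back is then sent as a Bearer token to Graph. The tenant name, client ID and self-signed certificate below are placeholders constructed for the example, and VerifyAssertion is a local stand-in for the checks the token endpoint performs, included so the round trip runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// decodePart base64url-decodes one JWT segment and parses it as JSON into v.
func decodePart(seg string, v any) error {
	return json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(seg))).Decode(v)
}

// Thumbprint is the JWT "x5t" header value, base64url(SHA-1(DER certificate)): the thumbprint shown on the app registration.
func Thumbprint(certDER []byte) string {
	sum := sha1.Sum(certDER)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// NewSelfSignedCert makes a throwaway key and certificate standing in for the one uploaded to Entra (constructed for this example).
func NewSelfSignedCert() (key *rsa.PrivateKey, der []byte, err error) {
	if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
		return
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return
}

// ClientAssertion builds the RS256-signed JWT that replaces the client secret in the client_credentials grant (RFC 7523).
func ClientAssertion(key *rsa.PrivateKey, certDER []byte, tenant, clientID string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": Thumbprint(certDER)})
	jti := make([]byte, 16) // unique per assertion so the token endpoint can reject replays
	rand.Read(jti)          // crypto/rand.Read does not fail on supported platforms
	claims, _ := json.Marshal(map[string]any{
		"aud": "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token",
		"iss": clientID, "sub": clientID, "jti": fmt.Sprintf("%x", jti),
		"nbf": now.Unix(), "iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(), // deliberately short-lived
	})
	signingInput := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyAssertion mirrors the token endpoint's checks: registered certificate (by x5t), RS256 signature, audience and validity window.
func VerifyAssertion(token string, registered map[string]*rsa.PublicKey, tenant string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT")
	}
	var hdr struct{ Alg, X5t string }
	if err := decodePart(parts[0], &hdr); err != nil {
		return err
	}
	pub, ok := registered[hdr.X5t]
	if hdr.Alg != "RS256" || !ok { // accept only the one expected algorithm, never whatever the token names
		return fmt.Errorf("alg %q with thumbprint %q not acceptable", hdr.Alg, hdr.X5t)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	var claims struct{ Aud string; Nbf, Exp int64 }
	if err := decodePart(parts[1], &claims); err != nil {
		return err
	}
	if claims.Aud != "https://login.microsoftonline.com/"+tenant+"/oauth2/v2.0/token" || now.Unix() < claims.Nbf || now.Unix() >= claims.Exp {
		return fmt.Errorf("audience %q or validity window not acceptable", claims.Aud)
	}
	return nil
}

func main() {
	key, der, err := NewSelfSignedCert()
	if err != nil {
		panic(err)
	}
	tenant, clientID := "contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000" // placeholders
	tok, _ := ClientAssertion(key, der, tenant, clientID, time.Now())
	fmt.Println(tok, VerifyAssertion(tok, map[string]*rsa.PublicKey{Thumbprint(der): &key.PublicKey}, tenant, time.Now()))
}
```

The form body a driver would POST to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token is grant_type=client_credentials, client_id, scope=https://graph.microsoft.com/.default, client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer and client_assertion set to the JWT above. The practical difference from a client secret is that the private key never leaves the driver host: each token request mints a fresh assertion that expires within minutes, so nothing reusable crosses the wire. The SHA-1 thumbprint only selects which registered certificate the endpoint verifies against; the trust comes from the RS256 signature under that certificate's key, which is why the verifier looks the key up by x5t rather than trusting anything else in the header.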

Parents
  • Can you share details on the limitations on the Azure AD Driver that prevents it from being used for integrations with Azure AD service ?

  • The Graph API gives access to quite a wide range of object types out in Azure/Entra that can be modified, rather than being tied down to Groups/Users specifically.  's example above is a great example. Another key advantage for some customers with using REST is not having to install and use the Exchange & PowerShell service which requires quite a lot of elevated permissions to run, many of which customers are wary to provision, especially when the driver may only be there to do some fairly basic calls.

Children
  • Well, to be fair, you don't really need to install and use the Exchange & PowerShell service, especially when the driver is only used to provide some fairly basic functionality.  None of my instances have it.

    Doesn't mean it wouldn't be nice to be able to use the generic REST driver for MS Graph.