Package com.flowable.idm.engine.microsoft.graph

Class GraphIdmIdentityService

java.lang.Object

org.flowable.common.engine.impl.service.CommonServiceImpl<CoreIdmEngineConfiguration>

org.flowable.common.engine.impl.service.CommonEngineServiceImpl<CoreIdmEngineConfiguration>

com.flowable.idm.engine.impl.BaseIdmIdentityServiceImpl

com.flowable.idm.engine.impl.ReadOnlyIdmIdentityService

com.flowable.idm.engine.microsoft.graph.GraphIdmIdentityService

All Implemented Interfaces:

PlatformIdentityService, org.flowable.idm.api.IdmIdentityService

public class GraphIdmIdentityService
extends ReadOnlyIdmIdentityService

This Identity Service provides users and groups to Flowable from the Graph API provided by the Microsoft Azure Cloud Platform.

It supports mostly a similar feature set as the LdapIdmIdentityService like custom attribute mapping, Tenant- UserDefinition- and UserGroup-Providers, Attribute Mappers, etc.

Graph API consists of the 2 main identity entities User and Group.

Graph API has certain restrictions compared to LDAP that forces the queries to execute certain functionalities in memory after the actual query to Graph API instead of delegating them to the API. This is:

• Graph API does not support filtering the users for group membership. Instead, the group API is called to get the members for the given group, and in memory union or intersection is done to filter the resultSet.
• Graph API does not support paging. Instead, the API delivers a resultSet of entries. Further API requests need to be executed to get further pages of the identities. This Identity service currently iterates through the pages to find the right paged data. However, when using more complex queries such as memberOf, etc., there will be no paging done. Additional query parameters should be passed to filter the results.
• By default, a lot of attributes will be delivered for the User and Group entities when calling the appropriate Graph REST APIs. Most of them are unnecessary for the IDM. To optimize performance and bandwidth, only the defined mapping attributes are provided in the select.
• Graph API does not allow ordering for certain properties like e.g., surname or givenName. Therefore, the ordering for these attributes is not supported.
• Usually, the Graph API is already tenant-aware by the usage of the subscription/tenant ID provided by EntraID. This is the suggested way to have a defined set of users and groups for the IDM. Also, the GraphUserProperties.Query.getBaseGroup() or GraphUserProperties.Query.getDefaultFilter() can be used to have a reduced set of users. Or, the GraphUserProperties.Query.getDefaultFilter() can be used to have a reduced set of groups. That said, it is till possible to map a Graph API attribute to the tenantId property to have on-top segregation of users based on a defined attribute value like e.g., companyName.

Author:

Roger Villars, Filip Hrisafov

Field Summary

Fields

Modifier and Type	Field	Description
protected String	baseUrl
protected final org.flowable.content.api.ContentService	contentService
protected final GraphConfigurationApi	graphConfiguration
protected final org.slf4j.Logger	logger
protected List<String>	uniqueTenantIds

Fields inherited from class org.flowable.common.engine.impl.service.CommonEngineServiceImpl

commandExecutor

Fields inherited from class org.flowable.common.engine.impl.service.CommonServiceImpl

configuration

Constructor Summary

Constructors

Constructor	Description
GraphIdmIdentityService(CoreIdmEngineConfiguration configuration, GraphConfigurationApi graphConfiguration, org.flowable.content.api.ContentService contentService)

Method Summary

Modifier and Type	Method	Description
PlatformGroupQuery	createPlatformGroupQuery()
PlatformUserQuery	createPlatformUserQuery()
List<String>	findUniqueTenantIds()	Find the unique tenant ids
GraphConfigurationApi	getGraphConfiguration()
List<String>	getUniqueTenantIds()
void	setBaseUrl(String baseUrl)
void	setUniqueTenantIds(List<String> uniqueTenantIds)

Methods inherited from class com.flowable.idm.engine.impl.ReadOnlyIdmIdentityService

checkPassword, createMembership, createNativeGroupQuery, createNativeUserQuery, createNewGroupBuilder, createNewUserBuilder, createUpdateGroupBuilder, createUpdateUserBuilder, deleteGroup, deleteMembership, deleteUser, findPlatformGroupById, findPlatformGroupsForUser, findPlatformUserById, getGroupsWithPrivilege, getUsersWithPrivilege, newGroup, newUser, saveGroup, saveUser, updateUserPassword

Methods inherited from class com.flowable.idm.engine.impl.BaseIdmIdentityServiceImpl

addGroupPrivilegeMapping, addUserPrivilegeMapping, checkAccessToken, createAccessTokenQuery, createAuthenticationTokenBuilder, createGroupQuery, createNativeTokenQuery, createNewAccessTokenBuilder, createPlatformIdentityInfoBuilder, createPlatformIdentityInfoQuery, createPrivilege, createPrivilegeQuery, createProperty, createTokenQuery, createUserQuery, deleteAccessToken, deleteGroupPrivilegeMapping, deletePlatformIdentityInfoByGroupId, deletePlatformIdentityInfoByGroupIdAndTenantId, deletePlatformIdentityInfoById, deletePlatformIdentityInfoByUserId, deletePlatformIdentityInfoByUserIdAndTenantId, deletePrivilege, deleteProperty, deleteToken, deleteUserInfo, deleteUserPrivilegeMapping, findAccessToken, findIdentityInfoByUserIdAndName, findPropertyByName, getPlatformUserInfo, getPrivilegeMappingsByPrivilegeId, getUserInfo, getUserInfoKeys, getUserPicture, newToken, saveToken, setAuthenticatedUserId, setPlatformUserInfo, setUserDefinitionById, setUserDefinitionByKey, setUserInfo, setUserPicture, setUserStateAndSubState, setUserStateAndSubState, updateProperty, updateUserPresence, updateUserPresence

Methods inherited from class org.flowable.common.engine.impl.service.CommonEngineServiceImpl

getCommandExecutor, setCommandExecutor

Methods inherited from class org.flowable.common.engine.impl.service.CommonServiceImpl

getConfiguration

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface com.flowable.core.idm.api.PlatformIdentityService

deactivateUser, reactivateUser, setUserState, setUserSubState

Field Details

logger

protected final org.slf4j.Logger logger

graphConfiguration

protected final GraphConfigurationApi graphConfiguration

contentService

protected final org.flowable.content.api.ContentService contentService

baseUrl

protected String baseUrl

uniqueTenantIds

protected List<String> uniqueTenantIds

Constructor Details

GraphIdmIdentityService

public GraphIdmIdentityService(CoreIdmEngineConfiguration configuration,
 GraphConfigurationApi graphConfiguration,
 org.flowable.content.api.ContentService contentService)

Method Details

createPlatformUserQuery

public PlatformUserQuery createPlatformUserQuery()

Specified by:

createPlatformUserQuery in interface PlatformIdentityService

Specified by:

createPlatformUserQuery in class ReadOnlyIdmIdentityService

createPlatformGroupQuery

public PlatformGroupQuery createPlatformGroupQuery()

Specified by:

createPlatformGroupQuery in interface PlatformIdentityService

Specified by:

createPlatformGroupQuery in class ReadOnlyIdmIdentityService

findUniqueTenantIds

public List<String> findUniqueTenantIds()

Description copied from interface: PlatformIdentityService

Find the unique tenant ids

Specified by:

findUniqueTenantIds in interface PlatformIdentityService

Specified by:

findUniqueTenantIds in class ReadOnlyIdmIdentityService

Returns:

a list of the unique tenant ids

getUniqueTenantIds

public List<String> getUniqueTenantIds()

setUniqueTenantIds

public void setUniqueTenantIds(List<String> uniqueTenantIds)

getGraphConfiguration

public GraphConfigurationApi getGraphConfiguration()

setBaseUrl

public void setBaseUrl(String baseUrl)