The Subject API

The Subject API is a technology developed jointly by the Signet and Grouper Projects to integrate a Java application with a site's existing Identity Management operations. It enables any type of object whose identity is being managed - person, group, application, computer, etc. - to be presented to that application without requiring the application to be specifically designed for particular object types or with knowledge of how those objects are stored and represented. Those details form the configuration of the Subject API.

Figure 1 (below) illustrates the general role of the Subject API in the interaction between an application and a site's Identity Management infrastructure. There are two parts to the Subject API: the Source interface and the Subject interface. An application uses the Source interface to search for and select Subjects from back-end stores, which are presented as abstracted, flat Subject objects via the Subject interface.

Figure 1: Subject API Interaction Model

Search & Selection Methods

The Source interface provides three principal methods of searching for and selecting Subjects:

Method                    Description
------                    -----------
getSubject                Retrieve a specific subject from a specific source by its SubjectId.
getSubjectByIdentifier    Retrieve a specific subject by unique match against one or more configured identifying attributes.
search                    List all subjects meeting a given search criterion.

Deployers supply back-end specific search & selection statements for each of these three methods that determine 1) when a Subject matches each search criterion and 2) which of its attributes will be presented to the calling application. Callers need only persist a reference to the sourceId and subjectId of Subjects to be able to fully instantiate them at any time. Various methods in the Subject interface provide access to these identifiers and other attributes of each Subject.

The getSubject() method is used by the application to instantiate a Subject object from its persisted subject reference data (subjectId and sourceId). For example, the Grouper UI uses getSubject() to display the name of each member of a group.

The getSubjectByIdentifier() method is used to enable the application to locate a unique subject by reference to any of its identifying attributes. For example, consider a site that manages both netIds and registryIds for its users, and suppose they choose to use registryId as their subjectId. When a user logs in with their netId, the application uses getSubjectByIdentifier() to locate and instantiate a Subject object for the user from the user's netId.

The search() method is used by a user interface application to allow a human to search for and list subjects using familiar attributes like name parts, departments, etc. For example, to grant a person a privilege, the Signet UI first does a search() using the user's specified search term, displays a list of the names and descriptions of the matching subjects, and enables the UI user to select one.
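
The three methods described above, sketched as an added example that is not code from the Signet or Grouper projects. InMemorySource, the Subject record, the sample people and the JDK exceptions are simplified stand-ins assumed for illustration, not the Subject API's own types; the data follows the page's netId/registryId scenario, and an identifier that does not match exactly one subject is rejected instead of resolving to the first hit.

```java
import java.util.*;
import java.util.stream.Collectors;

// Simplified stand-in for the Source/Subject pair; hypothetical types, not the project's interfaces.
public class SubjectSourceDemo {
    // Flat subject as presented to the caller; sourceId + id are all a caller must persist.
    record Subject(String sourceId, String id, String name, Map<String, String> attrs) {}

    static class InMemorySource {
        final String sourceId;
        final Set<String> identifierAttrs;   // deployer-configured identifying attributes
        final Map<String, Subject> byId = new LinkedHashMap<>();
        InMemorySource(String sourceId, Set<String> ids) { this.sourceId = sourceId; this.identifierAttrs = ids; }
        void add(String id, String name, Map<String, String> attrs) { byId.put(id, new Subject(sourceId, id, name, attrs)); }

        // getSubject: exact lookup by subjectId.
        Subject getSubject(String id) {
            Subject s = byId.get(id);
            if (s == null) throw new NoSuchElementException("no subject " + id);
            return s;
        }
        // getSubjectByIdentifier: must match exactly one subject; zero or several matches is an error.
        Subject getSubjectByIdentifier(String value) {
            List<Subject> hits = byId.values().stream()
                .filter(s -> identifierAttrs.stream().anyMatch(a -> value.equals(s.attrs().get(a))))
                .collect(Collectors.toList());
            if (hits.size() != 1)
                throw new IllegalStateException(hits.size() + " subjects match identifier " + value);
            return hits.get(0);
        }
        // search: list every subject whose name contains the term (case-insensitive).
        List<Subject> search(String term) {
            String t = term.toLowerCase(Locale.ROOT);
            return byId.values().stream()
                .filter(s -> s.name().toLowerCase(Locale.ROOT).contains(t))
                .collect(Collectors.toList());
        }
    }

    public static void main(String[] args) {
        InMemorySource people = new InMemorySource("person", Set.of("netId"));
        // Constructed sample data: registryId is the subjectId, netId is an identifying attribute.
        people.add("R1001", "Ana Ruiz", Map.of("netId", "aruiz"));
        people.add("R1002", "Anand Rao", Map.of("netId", "arao"));
        Subject login = people.getSubjectByIdentifier("aruiz");    // login by netId
        System.out.println(login.sourceId() + "/" + login.id());   // the reference to persist
        System.out.println(people.getSubject(login.id()).name());  // re-instantiate later from subjectId
        people.search("ana").forEach(s -> System.out.println(s.id() + " " + s.name()));
    }
}
```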

The Subject API in Signet-Grouper Integration

In Figure 2, notice the Subject API acting between Signet and Grouper.

Figure 2: Subject API between Signet and Grouper

Documentation
