IAM runs as a Node.js application. The following picture illustrates how IAM works with other Domino components to provide authorization services for your application.
Note the following characteristics of an IAM deployment:
- IAM requires the Node.js runtime.
- IAM stores its data in its own Domino NSF database.
- Communication with Domino goes through domino-db, the Node.js module that talks to the Proton server task.
- To encrypt stored data, IAM uses the domino-db encryption feature, which requires the Domino ID Vault.
- To authenticate users, IAM refers to the Domino LDAP directory or to Microsoft Active Directory and retrieves user information from there. IAM does not itself store or manage user accounts.
- Besides its storage server role, Domino also needs to be configured as an IAM Resource Provider. Only then can it trust the access tokens IAM issues to your application and return data in response to requests that carry them.
The exact set of configuration steps varies depending on which resource provider(s) you deploy. In the previous diagram, Proton acts as the resource provider, so Proton must be configured to send token introspection requests to IAM. In the following diagram, the OAuth DSAPI extension acts as the resource provider, allowing Domino Access Services (DAS) requests that carry an IAM access token; the OAuth DSAPI extension must therefore be configured to send introspection requests to IAM.
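The "introspection request" a resource provider sends is an OAuth 2.0 token introspection call (RFC 7662): the resource provider posts the bearer token it received to IAM, authenticates itself as a registered client, and gets back a JSON document whose `active` field says whether the token is still good. The example below is added here and is not code from the IAM documentation, Proton or the OAuth DSAPI extension; the endpoint path, client credentials, audience and scope names are placeholders, and the sample responses are constructed, not captured from an IAM server. It shows the request a resource provider builds and, more importantly, the checks a resource provider must still perform on the response before serving data: `active` alone is not enough, because expiry, audience and scope are the resource provider's responsibility.

```javascript
// Added example (not part of the HCL Domino IAM documentation or product code).
// Resource-provider side of an RFC 7662 token introspection exchange with IAM.
// Assumed placeholders: endpoint path, client id/secret, audience and scope names.
const IAM_INTROSPECTION_URL = 'https://iam.example.com/token/introspection'; // assumed
const RP_CLIENT_ID = 'domino-resource-provider';                             // assumed
const RP_CLIENT_SECRET = 'change-me';                                        // assumed

// Build the request RFC 7662 describes: POST, form-encoded body carrying the token,
// the resource provider authenticating as an OAuth client (HTTP Basic here).
function buildIntrospectionRequest(token, tokenTypeHint = 'access_token') {
  const body = new URLSearchParams({ token, token_type_hint: tokenTypeHint });
  const basic = Buffer.from(`${RP_CLIENT_ID}:${RP_CLIENT_SECRET}`).toString('base64');
  return {
    url: IAM_INTROSPECTION_URL,
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      'Accept': 'application/json',
      'Authorization': `Basic ${basic}`,
    },
    body: body.toString(),
  };
}

// Decide whether the resource provider may serve the request, given the parsed
// introspection response. The server only promises `active: false` for unknown,
// revoked or expired tokens; expiry window, audience and scope are checked here.
function evaluateIntrospection(resp, { requiredScope, expectedAudience, nowSeconds }) {
  if (!resp || resp.active !== true) return { allowed: false, reason: 'token not active' };
  if (typeof resp.exp === 'number' && resp.exp <= nowSeconds) return { allowed: false, reason: 'token expired' };
  if (typeof resp.nbf === 'number' && resp.nbf > nowSeconds) return { allowed: false, reason: 'token not yet valid' };
  // `aud` may be a string or an array; this resource provider must appear in it.
  const aud = Array.isArray(resp.aud) ? resp.aud : (resp.aud ? [resp.aud] : []);
  if (expectedAudience && !aud.includes(expectedAudience)) return { allowed: false, reason: 'audience mismatch' };
  // `scope` is a space-separated string; the scope the operation needs must be present.
  const scopes = typeof resp.scope === 'string' ? resp.scope.split(' ').filter(Boolean) : [];
  if (requiredScope && !scopes.includes(requiredScope)) return { allowed: false, reason: `missing scope ${requiredScope}` };
  return { allowed: true, reason: 'ok', subject: resp.sub, scopes };
}

// Perform the exchange against a live IAM server (needs Node 18+ for global fetch;
// not exercised below, since the sample data is constructed).
async function introspect(token) {
  const req = buildIntrospectionRequest(token);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`introspection endpoint returned HTTP ${res.status}`);
  return res.json();
}

// Constructed sample responses shaped like RFC 7662 section 2.2 (not captured from IAM).
const SAMPLE_ACTIVE = {
  active: true, sub: 'CN=Jane Doe/O=Acme', client_id: 'my-app',          // assumed values
  scope: 'openid das.document', aud: 'domino-resource-provider',         // assumed names
  iat: 1700000000, exp: 1700003600, iss: 'https://iam.example.com',
};
const SAMPLE_INACTIVE = { active: false };

// Stand-alone run: show the request and the decision for each sample.
console.log(buildIntrospectionRequest('sample-token'));
const now = 1700001000;
console.log(evaluateIntrospection(SAMPLE_ACTIVE, { requiredScope: 'das.document', expectedAudience: 'domino-resource-provider', nowSeconds: now }));
console.log(evaluateIntrospection(SAMPLE_INACTIVE, { requiredScope: 'das.document', expectedAudience: 'domino-resource-provider', nowSeconds: now }));
```

The audience check is what stops a token minted for one resource provider (say, Proton) from being replayed against another (the OAuth DSAPI extension) just because IAM still reports it active; keep the client secret the resource provider uses for introspection out of source control, since anyone holding it can probe token validity at will.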
In summary, IAM setup requires five major steps:
- Preparation: See Preparation
- Configure Domino as IAM Storage Server: See Domino Configuration
- Set up the IAM server: See IAM Configuration
- Configure the IDP to connect to LDAP: See IAM Management
- Configure a Domino Resource Provider: See Domino Resource Provider Overview
There are quite a few steps to set up a secure and stable IAM environment. To get an IAM server up more quickly, IAM provides a "Pilot mode". See Setup Pilot Mode.
NOTE: Pilot mode is recommended for development and exploration only. It is not recommended for production deployments.