Configuring MarkLogic Server for External Security

External security happens in three major steps:

MarkLogic Server authenticates an app server user by communicating with an external agent through information stored in the external security object.
Once the external agent responds with the information that identifies the user, MarkLogic Server extracts from it values to match to external names.
MarkLogic Server authorizes the user by matching those external names to either internal users or roles.

To configure MarkLogic Server for external security, follow this outline:

Sign up with the external agent of your choice. How to choose one and sign up is beyond the scope of this guide.
Create your external security object with the information gleaned from what your external agent provided when you signed up. This information includes attribute names, field names, and other connection details required for the integration and translation of the authentication response. You can create an external security object through one of these methods:
Configure your app servers to use your desired authentication type and external security object.
Assign attributes or field values from the external agent as external names:
- Internal authorization: Assign external names to relevant users through one of these methods:
  - Admin Interface
  - sec:user-set-external-names()
  - sec:create-user() with the external-names parameter
  - POST /manage/v2/users
  - PUT /manage/v2/users/[id-or-name]/properties
- External authorization: Assign external names to relevant roles through one of these methods:
  - Admin Interface
  - sec:role-set-external-names()
  - sec:create-role() with the external-names parameter
  - POST /manage/v2/roles
  - PUT /manage/v2/roles/[id-or-name]/properties

All examples in this section were run on a freshly installed instance of MarkLogic Server.

In this section:

Securing MarkLogic Server