Configuring Repositories

You can configure general repository-related settings, browse, update or disable the configured repositories, or add new repositories.

You can manage the local sqldb database or an Lightweight Directory Access Protocol (LDAP) directory. When using an external repository, users from this repository are added to the local sqldb database progressively as they log on. Depending on the synchronization parameters you choose, the users' information added to the local sqldb database may be only their usernames and email addresses or all their information.

This task shows you how to:

Browse the Repository (sqldb) Created by the Installation

When you install 3DPassport, a local database named sqldb(Technical) is created. Users can then create passport data and log in as explained in Installation and Setup: Install: 3DEXPERIENCE Platform: Installing 3DEXPERIENCE Platform Services for the First Time: Installing Services One-by-One: 3DPassport: Post-Installation: Creating End User Passport Data Manually in the Local Database

This solution is easy-to-use and is suitable if you do not need or intend to use an external database directory (for example, Active Directory, LDAP) for authentication purposes, since all user data are created by the users themselves when they create their account. Therefore it requires a minimum amount of administration.

Before you begin: Make sure that your repository configurations are compatible with your parameter choices. If you authorize creation of new accounts, allow at least one repository for creation. If you authorize password updates, let the repositories authorize updates.
  1. Click Integration, then the Repository tab.
  2. Click to display the repository configuration.
  3. Locate the sqldb (Technical) area.

    The Basic Configuration area contains information about the configured repository, for example:

    Repository Name
    sqldb for example.
    Type
    The type can be: LDAPor SQL or WebService. In our example, it is an SQL database.
    URL of the database storing the users
    For example:
    ORACLE: jdbc:oracle:thin:@//vdevpril900dsy:1521/E4ALL
    SQL Server: jdbc:sqlserver://dell2176dsy.dsone.3ds.com\MSSQL;databaseName=passdb
    Driver class name
    For example:
    ORACLE: oracle.jdbc.OracleDriver
    SQL Server: com.microsoft.sqlserver.jdbc.SQLServerDriver
    Username of the database user
    Database administrator username. For example:
    iam
    Password of the database user
    Password of database administrator user.
    Password hashing algorithm
    The algorithm is used to hash user account passwords in the database. Choose one to prevent possible account hacking if the database is compromised. The algorithm can be: sha-256 or sha-512.

    All the above parameters are those specified during the installation.

    The Operations Configuration area contains generic operations settings:

    Allow creation
    Select this check-box to enable creation of user data in the local sqldb database.
    Allow update
    Select this check-box to enable updating of user data in the local sqldb database.

    Updated data is then duplicated at each login or at first login or after the number of seconds specified according to the repository configuration. If a repository is not synchronized, but the sqldb(Technical) database authorizes updates, only the username and email is copied into the sqldb(Technical) database at creation time. However, all user's data (except password) will be updated in sqldb(Technical) if the user updates his information through the 3DPassport profile page. In most cases, the sqldb(Technical) database should be configured in read-only mode only if the administrator wants to prevent data in the external repository from being stored in 3DPassport. In this case, synchronization of the external repository should be disabled.

    Allow deletion
    Select this box to allow deletion.

    The Advanced Configuration area contains advanced database configuration parameters. Do not edit them.

    This repository can be updated. You can edit all basic configuration fields of the local sqldb database. If you want to plug the 3DPassport application into a new empty database, make sure that you modify the database URL, username and password in both the passport administration tools GUI and the /TomEE_install_directory/webapps/ROOT_URI/WEB-INF/classes/database.properties file accordingly.

    If the fields have been edited, then you apply an upgrade (for example, a hot fix), the installation takes the new values into account, and you do not need to specify them at installation time.

    The local sqldb database cannot be disabled.

    Note: It can be combined with external databases or directories as explained below.

Add a New LDAP Repository

The local sqldb(Technical) database solution may not be suitable. For example, you may store all your company's user data in an external repository (for example, Active Directory, OpenLDAP) which serves as a centralized user credential reference, and you may not want this data to be contained in the local sqldb database.

Note: You cannot create users that already exist in a remote repository into which 3DPassport is plugged. And you do not need to create these users in 3DPassport: you can automatically log into 3DPassport using the credentials stored in the LDAP repository.

  1. Click Repository.
  2. Click .

    The Basic Configuration area contains basic information about the repository to configure:

    Repository name
    Type the repository name.
    Type
    The type is : LDAP is selected by default.

    Specify the settings appropriate for LDAP (see the LDAP documentation for a detailed description).

    Url(s) of the LDAP server(s) storing the users
    This is the URL of the LDAP server. You must provide the full URL with protocol (ldap or ldaps), hostname and port:
    ldap://hostname:port
    Distinguished name of the LDAP user
    Enter the DN of the user to connect to your LDAP server using the following format:
    cn=root,dc=my-domain,dc=com

    If you configured the LDAP server in anonymous bind mode, you can leave this field blank.

    Password of the LDAP user
    Enter the password of the user.

    If you configured the LDAP server in anonymous bind mode, you can leave this field blank.

    More about LDAP anonymous binding

    3DPassport supports the following LDAP bind operations:

    • Simple Bind: you provide user credentials by the means of a username (in a DN form) and a password, as usual
    • Anonymous Bind: you can authenticate on 3DPassport with an LDAP account while 3DPassport is configured to contact an LDAP server as anonymous. In this case, the DN of the LDAP user and password fields can be left blank, and end user credentials are sent to the LDAP server.

    Simple binding refers to the default 3DPassport bind operation. When you connect to the desired 3DPassport service URL, then click 3DPassport Control Center to display the administration tool GUI, then click Integration -> Repository, you access the repository configuration page.

    When adding a new LDAP repository, you are prompted to specify both the Distinguished name of the LDAP user and the Password of the LDAP user, to be able to bind to the LDAP server.

    For example, in this default mode, let's assume you log onto the 3DPassport as admin_platform and create a new LDAP repository, and creation mode is activated, as well as synchronization. Then, a user creates and registers user ses, for example. If as admin_platform you then search for user ses, you can check that the user ses has been created in both the local sqldb database and in the LDAP directory.

    The user ses can then log onto the 3DPassport by specifying the appropriate credentials.

    However, you also have the additional possibility to configure your LDAP server in anonymous bind mode. When you do so, you no longer have to specify any values for the Distinguished name of the LDAP user and the Password of the LDAP user: you can leave both fields blank.

    You need to have an LDAP server (Active Directory, OpenLDAP, ...) configured to allow anonymous binding.

    Note: OpenLDAP is supposed to be configured to authorize anonymous bind for read/bind but not for modify operations.

    For example, you can configure your OpenLDAP by following the procedure below on your OpenLDAP server:

    1. Get the current configuration by running the following command:

      ldapsearch -b cn=config -D cn=admin,cn=config -W > slapdconf.txt

    2. Modify the configuration via a LDIFF file by running the following command:

      ldapmodify -D cn=admin,cn=config -W -f change.ldiff

      Here are the contents of the LDIFF file authorizing anonymous access:

      dn: olcDatabase={1}hdb,cn=config 
      changetype: modify 
      replace: olcAccess 
      olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=3ds,dc=com" write by anonymous auth by self write by * none 
      olcAccess: {1}to * by self write by dn="cn=admin,dc=3ds,dc=com" write by * write

    Connect to the desired 3DPassport service URL, then click Administration Tools to display the administration tool GUI, then click Repositories to access the repository configuration page.

    This time, leave the following fields blank: Distinguished name of the LDAP user and the Password of the LDAP user, then click the Update button.

    Log out, then authenticate with an existing user account from your LDAP repository. You will be redirected to the My Profile page.

    Note: In the LDAP anonymous binding mode illustrated above, LDAP user creation and update is not possible, because if the LDAP server is configured in anonymous mode for all operations including modification, the behavior is that the anonymous user can modify anything, but the users themselves when authenticated will not be able to modify their own attributes.

    This means that any user you create can be searched for only in the local sqldb database, but not in the LDAP directory. In our example above, when searching for user ses after activating anonymous binding, you will get the following message:

    User not found in SEStestOPENLDAP

    Format of users' distinguished name
    This is used to configure the distinguished name (DN) to create a new account in the LDAP based on the fields provided by the user at registration, using the following format:
    cn={givenName} {sn},ou=people,dc=my-domain,dc=com
    Base distinguished name of all users operation
    This is the base RDN to search users from, using the following format:
    dc=my-domain,dc=com
    Employee Type
    This is the employee flag to distinguish internal and external users. You must use a numeric value (not mandatory).
    Code of active users
    The numeric code for enabled account. For example in Active Directory, active users have the useraccountcontrol flag set to 512 (delta a bit mask) when enabled (not mandatory). Sample value: 512.
    Code of inactive users
    The numeric code for disabled account. For example in Active Directory, active users have useraccountcontrol flag set to 514 (delta a bit mask) when disabled (not mandatory). Sample value: 514.
    Read timeout
    Enter a value in milliseconds for read timeout (mandatory). For example: 3000.
    Connect timeout
    Enter a value in milliseconds for connect timeout (mandatory). For example: 3000.

  3. Specify the settings in the Operations Configuration area, which is common to all repository types.

    Allow authentication

    Check this check-box to specify that users logging on and connecting to the 3DPassport service can be authenticated in the external repository. If you allow authentication on several repositories, all repositories will be contacted. One positive answer is sufficient to allow authentication.

    If this option is checked, even synchronized repositories are contacted for authentication.

    In the Order in get repository list list, select a positive index if you want to allow user information to be retrieved from the repository. The higher the index, the more pre-emptive the user information will be when merging information from different repositories. This sets the order in which each repository is requested for each operation. The local sqldb database is always requested first.

    Allow creation
    Check this check-box to enable creation of user accounts in the external repository. If unchecked, no user accounts can be created in this repository. If you have requested data synchronization, the user data will be copied into the local sqldb database, otherwise only the login and email address will be copied to the local sqldb database. You can allow the creation in several repositories, and user accounts will be created in all these repositories. At the first login, data will be synchronized in the local sqldb database .
    Allow update
    Check this check-box to enable updating of user accounts in the external repository. If unchecked, no user accounts can be updated in this repository. If you have requested data synchronization, the user data will be copied into the local sqldb database. You can allow update in several repositories, and user accounts will be updated in all these repositories.
    Allow deletion
    Check this check-box to enable deletion of user accounts in the external repository.

  4. Specify the settings in the Attributes Mapping area.

    Specify here the LDAP attributes to map to 3DPassport attributes.

  5. Specify the settings in the Synchronization Configuration area, which is common only to all external repository types.

    The term synchronization, significant only in the context of external repositories, refers to the duplication of user information, contained in the external repositories, in the local sqldb database. Synchronization controls allow you to do so.

    Synchronize users' data
    Check this check-box if you want to allow user information from the external repository to be duplicated into the local sqldb database.
    Note: User information does not include the password.
    Synchronization Frequency

    If synchronization is activated, choose a frequency:

    • Synchronize users' data only at first login
    • Synchronize users' data at each login
    • Synchronize every X seconds: if you choose this option, enter the number of seconds between each synchronization, for example 86400 for a synchronization every day. By doing so, each time a user logs in, if the last synchronization is older than X seconds, a new synchronization will be launched.
    Synchronization frequency (in seconds)
    Specify a number of seconds between two synchronizations. The value by default is 10.
    Synchronize the users' password
    Synchronize the users' password into the local sqldb database.

    Recommended Settings for Synchronization

    This section specifies different scenarios that you may encounter, and explains how to set synchronization settings for each scenario.

    Default
    In the default scenario, you want to get the latest user data from external repository each time a user logs in and you want the aggregated data to be stored in the local sqldb database. To do so:
    • check the Synchronize users' data check button
    • set Synchronization frequency to Synchronize users’ data at each log in
    • check Allow update to allow sqldb(Technical) updating.
    Data Privacy Enforcement

    When enforcing data privacy, you want to get the latest user data from external repository at any time, but you do NOT want the external data to be stored in the local sqldb database. To do so, uncheck the Synchronize users' data check box.

    Uncheck Allow update to disable sqldb(Technical) updating.

    Performance
    In this scenario, you do not want to fetch data from the external repository too often and you want to mainly rely on the local sqldb database to get user data. You want the aggregate data retrieved from repositories to be stored in the local sqldb database. To do so:
    • check the Synchronize users' data check button
    • set Synchronization frequency to Synchronize every X seconds and choose a frequency value in seconds (recommended value is 86400 seconds = 1 day)
    • check Allow update to allow sqldb(Technical) updating.
    Initial provisioning
    In this scenario, you want to get initial user data from the external repository to populate the local sqldb database, but you want to rely only on the local sqldb database later on. To do so:
    • check the Synchronize users' data check button
    • set Synchronization frequency to Synchronize users’ data only at first login
    • check Allow update to allow sqldb(Technical) updating.
    Note: Usernames and email addresses are synchronized in all cases.

  6. Specify the settings in the Advanced Configuration area.

    This is mandatory.

    When you add a new repository, the default connector configuration parameters are displayed in the Advanced configuration area:

    builder=com.dassault_systemes.dspassport.repo.ldap.builder.LDAPRepositoryBuilder
    dao.attributesMapper.builder=com.dassault_systemes.dspassport.repo.ldap.builder.SimpleAttributeMapperBuilder
    dao.attributesMapper.defaultValues._objectClass.0=top
    dao.attributesMapper.defaultValues._objectClass.1=person
    dao.attributesMapper.defaultValues._objectClass.2=organizationalPerson
    dao.attributesMapper.defaultValues._objectClass.3=user
    dao.attributesMapper.defaultValues._objectClass.builder=com.dassault_systemes.
    dspassport.repo.ldap.builder.SimpleLdapAttributeBuilder
    dao.attributesMapper.toremove.0=active
    dao.attributesMapper.toremoveatinsert.0=unicodePwd
    dao.baseenvtprops.java.naming.security.authentication=simple
    dao.builder=com.dassault_systemes.dspassport.repo.ldap.builder.LDAPDAOBuilder
    dao.pooled=false
    dao.transformer.builder=com.dassault_systemes.dspassport.repo.ldap.builder.SimpleUserFilterToRequestTransformerBuilder
    userPopulator.builder=com.dassault_systemes.dspassport.repo.ldap.builder.UserLDAPPopulatorBuilder
    userPopulator.c=country
    userPopulator.givenName=firstName
    userPopulator.l=city
    userPopulator.mail=email
    userPopulator.postalCode=zip
    userPopulator.sAMAccountName=username
    userPopulator.sn=lastName
    userPopulator.streetaddress=address
    userPopulator.telephoneNumber=telephone
    userPopulator.unicodePwd=password

    The default advanced configuration also contains the mapping parameters, as listed in the table. You must change them to fit exactly your LDAP attributes.

    The settings related to Attributes mapping that are set in the Advanced configuration are used to automatically prefill the Attributes mapping section. They will be saved but they will not be displayed anymore in the Advanced configuration text area, but only in the Attributes mapping section.

    You can fill the Attributes mapping section or the Advanced configuration. The results will be the same and only visible in Attributes mapping.

    Support of LDAP groups for user authentication

    On the LDAP server side, using the LDAP group mechanism, you can create and configure groups of users. Then, on the 3DPassport side, you can configure allow lists and deny lists of groups for the purpose of authorizing access for or denying access to users at login, depending on which group they belong to.

    If you decide to use this feature, use an LDAP repository that serves membership attributes (operational or not). For example: Open LDAP, Active Directory (AD LDAP).

    To configure this feature, first of all, create an organizational unit on your LDAP server, create the groups and add users to the groups.

    Then, on the 3DPassport side, edit the advanced LDAP configuration as follows:

    1. Map the membership attribute.

      You must define the mapping between the 3DPassport and the LDAP repository for the membership attribute. Most of the time, this attribute will be operational, but you can also pick a non-operational attribute.

      Here are a few examples of attributes used in certain LDAP solutions:

      LDAP solutionName of the attribute for membership
      Active Directory memberOf
      OpenLDAP memberOf

      This example shows how to set the property with OpenLDAP:

      userPopulator.memberOf=memberOf

      This example shows how to set the property when using an LDAP server that stores the groups in an attribute named "membership":

      userPopulator.membership=memberOf
    2. Enable the feature by setting the following property:
      dao.membership.active=true

      or disable it as follows:

      dao.membership.active=false
    3. Configure the allow lists and deny lists using following properties:
      Property name Description
      dao.membership.allowlist.0 First group of the allow list
      dao.membership.allowlist.1 Second group of the allow list
      dao.membership.allowlist.n n-th group of the allow list
      dao.membership.denylist.0 First group of the deny list
      dao.membership.denylist.1 Second group of the deny list
      dao.membership.denylist.n n-th group of the deny list

      Here are examples of properties to set:

      dao.membership.allowlist.0=cn=allow1,ou=Groups,dc=3ds,dc=com
      dao.membership.allowlist.1=cn=allow2,ou=Groups,dc=3ds,dc=com
      dao.membership.denylist.0=cn=deny1,ou=Groups,dc=3ds,dc=com
      dao.membership.denylist.1=cn=deny2,ou=Groups,dc=3ds,dc=com

      Users are authorized or denied access according to the following rules:

      • if a user belongs to one or more of the allowlisted groups, access is authorized
      • if a user belongs to one or more of the denylisted groups, the user is denied access
      • denylisted groups take priority over allowlisted groups: this means that if a group belongs to both a allowlist and a denylist, the group is considered denylisted.
      • if a user does not belong to any allowlisted group and the feature is enabled, the user is denied access.

      When access is denied, the following message is displayed at login:

      Your account does not have the required membership

      Here is a full example of a typical LDAP allowlist/denylist configuration for an Active Directory LDAP server:

    Type=AD
    •         Repository name: AD LDAP
    •         Url(s) of the LDAP server(s) storing the users: ldap://vinduspassportdsy:389
    •         Distinguished name of the LDAP user: cn=admin,dc=3ds,dc=com
    •         Password of the LDAP user: Passport1
    •         Format of users' distinguished name: cn={givenName} {sn},ou=Users,dc=3ds,dc=com
    •         Base distinguished name of all users operation: ou=Users,dc=3ds,dc=com
    Advanced config:
    builder=com.dassault_systemes.dspassport.repo.ldap.builder.LDAPRepositoryBuilder
    dao.attributesMapper.builder=com.dassault_systemes.dspassport.repo.ldap.builder.SimpleAttributeMapperBuilder
    dao.attributesMapper.defaultValues._objectClass.0=inetOrgPerson
    dao.attributesMapper.defaultValues._objectClass.builder=com.dassault_systemes.dspassport.repo.ldap.builder.SimpleLdapAttributeBuilder
    dao.attributesMapper.defaultValues.userAccountControl=512
    dao.attributesMapper.toremove.0=active
    dao.attributesMapper.toremoveatinsert.0=userAccountControl
    dao.attributesMapper.toremoveatinsert.1=unicodePwd
    dao.attributesMapper.toremoveatinsert.2=passwordCreationTime
    dao.baseenvtprops.java.naming.security.authentication=simple
    dao.builder=com.dassault_systemes.dspassport.repo.ldap.builder.LDAPDAOBuilder
    dao.membership.active=true
    dao.membership.allowlist.0=cn=allow1,ou=Groups,dc=3ds,dc=com
    dao.membership.allowlist.1=cn=allow2,ou=Groups,dc=3ds,dc=com
    dao.membership.denylist.0=cn=deny1,ou=Groups,dc=3ds,dc=com
    dao.membership.denylist.1=cn=deny2,ou=Groups,dc=3ds,dc=com
    dao.pooled=false
    dao.transformer.builder=com.dassault_systemes.dspassport.repo.ldap.builder.SimpleUserFilterToRequestTransformerBuilder
    fieldHandlers.0.builder=com.dassault_systemes.dspassport.core.builders.impl.fieldhandlers.CaseFieldHandlerBuilder
    fieldHandlers.0.exceptions.0=ENOVIA_CLOUD
    fieldHandlers.0.fieldName=username
    fieldHandlers.1.builder=com.dassault_systemes.dspassport.core.builders.impl.fieldhandlers.ConstantValueFieldHandlerBuilder
    fieldHandlers.1.fieldName=company
    fieldHandlers.1.fieldValue=Dassault Systemes
    sync.enabled=true
    sync.frequency=0
    sync.password=true
    userPopulator.active=active
    userPopulator.builder=com.dassault_systemes.dspassport.repo.ldap.builder.UserLDAPPopulatorBuilder
    userPopulator.givenName=firstName
    userPopulator.mail=email
    userPopulator.memberOf=memberOf
    userPopulator.o=country
    userPopulator.sn=lastName
    userPopulator.uid=username
    userPopulator.userPassword=password

    LDAP Parameter Name
    userPopulator .<LDAP_ATTRIBUTE>=<Passport_attribute>
    Description

    This maps a DB attribute to a 3DPassport field. The default attribute list is as follows (* means mandatory):

    • address
    • city
    • company
    • country*
    • email*
    • firstName*
    • language
    • lastName*
    • password*
    • telephone
    • username*
    • zip

    The syntax is as follows:

    userPopulator.ldapfieldname=passportfieldname

    where ldapfieldname is the name of the field in your LDAP repository, and passportfieldname is the name of this field as known in 3DPassport.

    Value type
    String
    Mandatory
    no
    Sample value

    For example:

    userPopulator.unicodePwd = password

    userPopulator.givenName = firstName

    userPopulator.first_name=firstName

    The default advanced configuration also contains a default LDAP objectclass definition, as described below:

    dao.attributesMapper.defaultValues._objectClass.0=user
    dao.attributesMapper.defaultValues._objectClass.1=organizationalPerson
    dao.attributesMapper.defaultValues._objectClass.2=person
    dao.attributesMapper.defaultValues._objectClass.3=top

    You might want to change them to fit exactly your LDAP configuration.

    Note: When the administrator adds an LDAP repository, if this LDAP repository is a Microsoft AD server, the administrator must add the following line in the advanced configuration:

    dao.pwdEncoder=ad

    which sends the password with a different encoding, UTF16 little endian, which is the encoding expected by Microsoft AD (but not by OpenLDAP).

  7. Click Save as draft to create a draft repository.

    The repository will be added as disabled, so you can test it and reconfigure it before going live.

  8. On the main page, click Save to save the repository.

Add a WebService Repository

This feature allows 3DPassport to be plugged into an external SOAP webservice to authenticate users. In addition to the existing LDAP and SQL repository connectors, it provides a new SOAP webservice connector to connect to an external API.

Authentication of user accounts will be made through a SOAP request to the external webservice The external webservice itself must be publicly available and cannot require credentials to be used.

Only authentication is supported (i.e the verification of the credentials provided at the login step), and does not support retrieval of user account attributes. So it means that the 3DPassport must be prepopulated with the all the user accounts that will be allowed to authenticate on the 3DPassport and 3DEXPERIENCE platform.

During user account population on 3DPassport, if the password is set and differs from the external SSO one, then the user will be allowed to use either the 3DPassport password or the external SSO password.

  1. Click Repository.
  2. Click
  3. In the Type list, select WebService.
  4. Specify the web service settings in the Basic configuration section to configure the repository connector.

    The settings are:

    Repository name
    Name of the repository
    Type
    WebService type.
    Webservice endpoint
    URL of the SOAP webservice.
    Authentication action
    SOAPAction header value for the authentication operation (optional).
    Authentication request type
    Media type of the content sent in the body of the request. It should be the one set by default for the SOAP request (text/xml) (optional).
    Authentication request template
    SOAP request content that will be sent to the webservice endpoint. You must include the placeholders usertoken and password that will be sent to the webservice to authenticate users accounts. Here is an example of a request template:

    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="https://widgetfactorydev.extranet.3ds.com/api/passport/" 
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <SOAP-ENV:Body>
             <ns1:authenticate>
                     <param0 xsi:type="xsd:string">{usertoken}</param0>
                     <param1 xsi:type="xsd:string">{password}</param1>
             </ns1:authenticate>
    </SOAP-ENV:Envelope>
    

    Authentication response template
    This is the SOAP response message sent by the webservice and that will be parsed by 3DPassport. You must set the placeholder success for the authentication result (true or false). Here is an example of a response template:
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" 
    xmlns:ns1="https://widgetfactorydev.extranet.3ds.com/api/passport/" xmlns:xsi="httpp://www.w3.org/2001/XMLSchema-instance" 
    xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" 
    SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
       <SOAP-ENV:Body>
              <ns1:authenticateResponse>
                        <return xsi:type="ns2:Map">
                              <item>
                                    <key xsi:type="xsd:string">success</key>
                                    <value xsi:type="xsd:boolean">{success}</value>
                              </item>
                        </return>
              </ns1:authenticateResponse>
          </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
    
    Operations Configuration
    Select the Allow authentication check box.

    You can verify the configuration in in the Repository line.

  5. Enable the repository by switching the Active column and click Test.

Modify a Repository

  1. Click Repository.
  2. Click to edit the repository.
  3. Modify the fields in the repository form.
  4. Click in the area containing the advanced configuration parameters.

    Only modify the advanced configuration properties if you are aware of what you are changing.

  5. Click Save as draft to save the configuration.
  6. On the main page, click Save to save the repository.

Perform Miscellaneous Repository Actions

  1. Click Repository.
  2. Switch the Active column to disable or enable repositories.

    When a repository has been disabled by clicking Disable, it is not taken into account when creating, updating, authenticating and fetching users.

    If you disable a repository, the users in the repository will be able to login again only if the repository was synchronized, password included.

    You can only disable non-technical repositories such as the local sqldb database.

    To re-enable a previously disabled repository, you have to at least enable one of the authentication, create, fetch or update operations, then toggle the button in the Active column to enable the repository again.

  3. Click Test to perform a connection test.

    When you disable a repository, a message like this is displayed, for example:

    Success test connection: AD LDAP

  4. Click to get read-only information about how non-technical repository operations (not the local sqldb database) have been configured, even if disabled.
  5. Click to delete the repository.

    If the repository is correctly configured but you do not access it, an error message is displayed.