The security domains configured on the platform can be used in multiple contexts, including:
- Login domain, for logging in to the portal
- resource owner domain, for OAuth resource owners
- App authentication in API runtime, for sending API requests
There are also other scenarios where security domains are used.
One domain can be configured for use for multiple purposes, or separate domains can be configured for separate purposes.
As a hypothetical scenario, one tenant could have two domains—one for general use, allowing developers to log in via Facebook, and the other for Site Administrators or Business Administrators, allowing login only by signing up for the platform. This scenario would provide a "back door" in case an issue were to arise with the first domain, and can also offer streamlined access to advanced features for the administrators.
In the Akana API Platform user interface, in the Administration section, the Site Admin can set up domains and then specify which domains are used for login and for other purposes. Only the Site Admin can configure domains.
In the API, activities relating to domains are supported by several operations, including an operation in the Login service that retrieves a list of available domains and an operation in the Users service that returns the login domain for a specified user.
When a specific domain is configured for the purpose of developer logins to the portal, it is called a login domain.
The login domain is an entity used to model integration to an external identity store, such as Facebook, Google, or Siteminder. For example, if a tenant wants the tenant platform to be set up so that users can log in using accounts from an external identity store such as Siteminder, we model the domain in our database.
When a user creates an account on the platform, the platform itself is the login domain.
When the user is logging in, the domain request parameter for the GET /api/login/ssoLoginInstructions operation lets the platform know which domain the user wants to use; the login credential requirements for that domain are then returned in the response.