Cerbos authorization for Gluu Server
Gluu Server provides open source OpenID Connect, SAML, and FIDO authentication with LDAP-backed user management. Cerbos uses Gluu's identity claims and group memberships to evaluate fine-grained authorization policies, giving you resource-level access control without modifying Gluu's configuration.
LDAP-backed identity
Use Gluu's LDAP directory groups, custom attributes, and organizational units as inputs to Cerbos authorization policies
Open source stack
Pair Gluu's open source identity platform with Cerbos for a fully open source authentication and authorization stack
Protocol flexibility
Whether users authenticate via OpenID Connect, SAML, or FIDO through Gluu, the same Cerbos policies govern access
How Cerbos works with Gluu Server
Gluu Server handles authentication, confirming who a user is. Cerbos handles authorization, deciding what that user can do. Together they give you a complete access control stack without coupling identity logic to business rules.
Cerbos lets you write fine-grained, context-aware authorization policies in human-readable YAML. Policies are decoupled from application code so product and security teams can update permissions without a release cycle.
Because Cerbos runs as a stateless Policy Decision Point (PDP) next to your application, authorization checks are sub-millisecond and scale horizontally with your infrastructure.
How Cerbos works with Gluu Server
- Users authenticate via Gluu Server, Gluu handles login, federation, and MFA using OpenID Connect, SAML, or FIDO. User attributes and group memberships are sourced from Gluu's LDAP directory.
- Extract identity from the Gluu-issued token, Your application validates the OpenID Connect token and extracts the user's claims, group memberships, and any custom attributes from the Gluu user store.
- Send identity and resource context to Cerbos, Pass the Gluu user attributes as principal attributes alongside the target resource and desired action to the Cerbos PDP.
- Cerbos evaluates policies and returns a decision, Cerbos evaluates your YAML policies against the Gluu identity data and resource attributes, returning allow or deny. Your application enforces the result.
FAQ
How does Cerbos work with Gluu Server?
Gluu Server authenticates users via OpenID Connect, SAML, or FIDO and provides identity claims from its LDAP-backed user store. Your application extracts these claims from Gluu-issued tokens and passes them to Cerbos as principal attributes. Cerbos evaluates them against your policies to make fine-grained authorization decisions.
Can I use Gluu's LDAP groups in Cerbos policies?
Yes. Gluu Server stores user groups and organizational units in its LDAP directory and can include them as claims in OpenID Connect tokens. Pass these group memberships to Cerbos as principal attributes and write policies that reference specific groups, organizational hierarchies, or combinations of group memberships.
Does Cerbos replace Gluu's authorization features?
No. Gluu handles authentication, federation, and identity management. Cerbos adds application-level authorization. Gluu's UMA (User-Managed Access) addresses API protection, while Cerbos provides fine-grained, attribute-based access control within your application logic.
Learn more about Cerbos
Related integrations
View all integrations →
Cerbos + Gluu Server
- Cerbos extends Gluu Server roles with fine-grained, attribute-based permissions
- Policies defined in human-readable YAML, managed as code
- Authorization logic decoupled from application code
- Sub-millisecond policy evaluation via stateless PDP
Authorization for AI systems
By industry
By business requirement
Useful links
What is Cerbos?
Cerbos is an end-to-end enterprise authorization software for Zero Trust environments and AI-powered systems. It enforces fine-grained, contextual, and continuous authorization across apps, APIs, AI agents, MCP servers, services, and workloads.
Cerbos consists of an open-source Policy Decision Point, Enforcement Point integrations, and a centrally managed Policy Administration Plane (Cerbos Hub) that coordinates unified policy-based authorization across your architecture. Enforce least privilege & maintain full visibility into access decisions with Cerbos authorization.