Sun Java System Access Manager 7 2005Q4 Administration Guide

Realm-based Authentication

This method of authentication allows a user to authenticate to a realm or sub-realm. It is the default method of authentication for Access Manager. The authentication method for a realm is set by registering the Core Authentication module to the realm and defining the realm Authentication Configuration attribute.

Realm-based Authentication Login URLs

The realm for authentication can be specified in the User Interface Login URL by defining the realm parameter or the domain parameter. The realm of a request for authentication is determined from the following, in order of precedence:

  1. The domain parameter.

  2. The realm parameter.

  3. The value of the DNS Alias Names attribute in the Administration Service.

After the correct realm is determined, the authentication module(s) to which the user will authenticate are retrieved from the realm Authentication Configuration attribute in the Core Authentication Service. The login URLs used to specify and initiate realm-based authentication are:

    http://server_name.domain_name:port/amserver/UI/Login
    http://server_name.domain_name:port/amserver/UI/Login?domain=domain_name
    http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name

If there is no defined parameter, the realm will be determined from the server host and domain specified in the login URL.

Realm-based Authentication Redirection URLs

Upon a successful or failed organization-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful realm-based Authentication Redirection URLs

The redirection URL for successful realm-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  7. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  8. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  10. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Realm-based Authentication Redirection URLs

The redirection URL for failed realm-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  7. A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).

  8. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  9. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  10. A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.
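
The two lookup orders above, modelled as an added example that is not part of the original guide or of Access Manager itself. It reports which step supplied the redirect, which helps when auditing why a configured attribute is not taking effect. The context dictionary layout, the function names and the sample values (including the genericHTML clientType) are assumptions made for illustration.

```python
# Added example: a model of the two ten-step lookup orders listed on this page.
# The context layout and all function names are assumptions, not product APIs.
PARAM = {"success": "goto", "failure": "gotoOnFail"}
LEVELS = ("user", "role", "realm", "global")

def attribute_name(level, outcome):
    # The user's entry uses iplanet-am-user-*; the role entry, realm entry
    # and global default use iplanet-am-auth-login-*.
    prefix = "iplanet-am-user" if level == "user" else "iplanet-am-auth-login"
    return f"{prefix}-{outcome}-url"

def candidates(ctx, outcome):
    """Yield (step, source, url-or-None) in the documented order of precedence."""
    yield 1, "authentication module", ctx.get("module_url")
    param = PARAM[outcome]
    yield 2, f"{param} login URL parameter", ctx.get("params", {}).get(param)
    step = 3
    # Steps 3-6 read clientType-specific values; steps 7-10 repeat the same
    # four levels with values that are not tied to a clientType.
    for specific in (True, False):
        key = ctx.get("client_type") if specific else None
        for level in LEVELS:
            attr = attribute_name(level, outcome)
            urls = ctx.get(level, {}).get(attr, {})  # {clientType or None: URL}
            url = None if (specific and key is None) else urls.get(key)
            label = f"{level} {attr}" + (f" (clientType {key})" if specific else "")
            yield step, label, url
            step += 1

def resolve_redirect(ctx, outcome):
    """Return (step, source, url) for the first source that supplies a URL."""
    for step, source, url in candidates(ctx, outcome):
        if url:
            return step, source, url
    return None

# Constructed sample: role and realm values are configured, and the login
# request also carries a goto parameter.
SAMPLE = {
    "client_type": "genericHTML",
    "params": {"goto": "https://portal.example.com/home"},
    "role": {"iplanet-am-auth-login-success-url": {None: "https://apps.example.com/staff"}},
    "realm": {"iplanet-am-auth-login-success-url": {
        "genericHTML": "https://apps.example.com/realm-html",
        None: "https://apps.example.com/realm"}},
    "global": {"iplanet-am-auth-login-failure-url": {None: "https://apps.example.com/denied"}},
}

if __name__ == "__main__":
    for outcome in ("success", "failure"):
        print(outcome, resolve_redirect(SAMPLE, outcome))
```

With the sample as given, the goto parameter (step 2) wins over every configured attribute. With the parameter removed, the clientType-specific realm value (step 5) wins over the role value that has no clientType (step 8).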

To Configure Realm-Based Authentication

Authentication modules are set for realms by first adding the Core Authentication service to the realm.

Procedure: To Configure the Realm’s Authentication Attributes

  1. Navigate to the realm for which you wish to add the Authentication Chain.

  2. Click the Authentication tab.

  3. Select the Default Authentication Chain from the pull-down menu.

  4. Select the Administrator Authentication Chain from the pull-down menu. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The default authentication module is LDAP.

  5. Once you have defined the authentication chains, click Save.