Sun Java System Access Manager 7 2005Q4 Administration Guide

Authentication Types

The Authentication Service provides different ways in which authentication can be applied. These authentication methods can be invoked by specifying Login URL parameters, or through the authentication APIs (see Chapter 5, Using Authentication APIs and SPIs, in Sun Java System Access Manager 7 2005Q4 Developer’s Guide for more information). Before an authentication module can be configured, the Realm Authentication Modules attribute of the Core Authentication service must be modified to include the name of that module.

The Authentication Configuration service is used to define authentication modules for each of the authentication types described in the sections that follow.

Once an authentication module is defined for one of these authentication types, the module can be configured to supply redirect URLs, as well as a post-processing Java class specification, based on a successful or failed authentication process.

How Authentication Types Determine Access

For each of these methods, the user either passes or fails the authentication. Once that determination has been made, each method follows the procedure below. Steps 1 through 3 follow a successful authentication; Step 4 follows both successful and failed authentication.

  1. Access Manager confirms whether the authenticated user is defined in the Directory Server data store and whether the profile is active.

    The User Profile attribute in the Core Authentication service can be set to Required, Dynamic, Dynamic with User Alias, or Ignored. Following a successful authentication, Access Manager confirms that the authenticated user is defined in the Directory Server data store and, if User Profile is Required (the default), that the profile is active. If User Profile is Dynamic, the Authentication Service creates the user profile in the Directory Server data store when it does not already exist. If User Profile is Ignored, no user validation is done.

  2. The Authentication Post Processing SPI is executed.

    The Core Authentication module contains an Authentication Post Processing Class attribute whose value is the name of the post-processing class. AMPostAuthProcessInterface is the post-processing interface. It can be invoked on successful authentication, on failed authentication, or on logout.

  3. The following properties are added to, or updated in, the session token and the user’s session is activated.

    realm. This is the DN of the realm to which the user belongs.

    Principal. This is the DN of the user.

    Principals. This is a list of names to which the user has authenticated. (This property may have more than one value, defined as a pipe-separated list.)

    UserId. This is the user’s DN as returned by the module, or, for modules other than LDAP or Membership, the user name. (All Principals must map to the same user. The UserId is the user DN to which they map.)


    Note –

    This property may be a non-DN value.


    UserToken. This is a user name. (All Principals must map to the same user. The UserToken is the user name to which they map.)

    Host. This is the host name or IP address for the client.

    authLevel. This is the highest level to which the user has authenticated.

    AuthType. This is a pipe-separated list of the authentication modules to which the user has authenticated (for example, module1|module2|module3).

    clientType. This is the device type of the client browser.

    Locale. This is the locale of the client.

    CharSet. This is the determined character set for the client.

    Role. Applicable for role-based authentication only, this is the role to which the user belongs.

    Service. Applicable for service-based authentication only, this is the service to which the user belongs.

  4. Access Manager looks for information on where to redirect the user after either a successful or failed authentication.

    URL redirection can be to either an Access Manager page or an external URL. Access Manager looks for the redirection URL in an order of precedence that depends on the authentication method and on whether the authentication succeeded or failed. This order is detailed in the URL redirection portions of the sections on the individual authentication methods.

URL Redirection

In the Authentication Configuration service, you can assign URL redirection for successful or unsuccessful authentication. The URLs themselves are defined in the Login Success URL and Login Failure URL attributes of this service. To enable URL redirection, you must add the Authentication Configuration service to your realm so that it can be configured for a role, realm, or user. Make sure that you add an authentication module, such as LDAP - REQUIRED, when adding the Authentication Configuration service.

Realm-based Authentication

This method of authentication allows a user to authenticate to a realm or sub-realm. It is the default method of authentication for Access Manager. The authentication method for a realm is set by registering the Core Authentication module to the realm and defining the Realm Authentication Configuration attribute.

Realm-based Authentication Login URLs

The realm for authentication can be specified in the User Interface Login URL by defining the realm parameter or the domain parameter. The realm of a request for authentication is determined from the following, in order of precedence:

  1. The domain parameter.

  2. The realm parameter.

  3. The value of the DNS Alias Names attribute in the Administration Service.

    Once the realm has been determined, the authentication module(s) to which the user will authenticate are retrieved from the Realm Authentication Configuration attribute in the Core Authentication Service. The login URLs used to specify and initiate realm-based authentication are:


    http://server_name.domain_name:port/amserver/UI/Login
    http://server_name.domain_name:port/amserver/UI/Login?domain=domain_name
    http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name

    If there is no defined parameter, the realm will be determined from the server host and domain specified in the login URL.

Realm-based Authentication Redirection URLs

Upon a successful or failed realm-based authentication, Access Manager looks for information on where to redirect the user. The following is the order of precedence in which it looks for this information.

Successful realm-based Authentication Redirection URLs

The redirection URL for successful realm-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  7. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  8. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  10. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Realm-based Authentication Redirection URLs

The redirection URL for failed realm-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  7. A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).

  8. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  9. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  10. A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.

To Configure Realm-Based Authentication

Authentication modules are set for realms by first adding the Core Authentication service to the realm.

To Configure the Realm’s Authentication Attributes

  1. Navigate to the realm for which you wish to add the Authentication Chain.

  2. Click the Authentication tab.

  3. Select the Default Authentication Chain from the pull down menu.

  4. Select the Administrator Authentication Chain from the pull down menu. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The default authentication module is LDAP.

  5. Once you have defined the authentication chains, click Save.

Organization-based Authentication

This authentication type applies only to Access Manager deployments that have been installed in Legacy mode.

This method of authentication allows a user to authenticate to an organization or sub-organization. It is the default method of authentication for a Legacy mode deployment. The authentication method for an organization is set by registering the Core Authentication module to the organization and defining the Organization Authentication Configuration attribute.

Organization-based Authentication Login URLs

The organization for authentication can be specified in the User Interface Login URL by defining the org parameter or the domain parameter. The organization of a request for authentication is determined from the following, in order of precedence:

  1. The domain parameter.

  2. The org parameter.

  3. The value of the DNS Alias Names (Organization alias names) attribute in the Administration Service.

    Once the organization has been determined, the authentication module(s) to which the user will authenticate are retrieved from the Organization Authentication Configuration attribute in the Core Authentication Service. The login URLs used to specify and initiate organization-based authentication are:


    http://server_name.domain_name:port/amserver/UI/Login
    http://server_name.domain_name:port/amserver/UI/Login?domain=domain_name
    http://server_name.domain_name:port/amserver/UI/Login?org=org_name

    If there is no defined parameter, the organization will be determined from the server host and domain specified in the login URL.

Organization-based Authentication Redirection URLs

Upon a successful or failed organization-based authentication, Access Manager looks for information on where to redirect the user. The following is the order of precedence in which it looks for this information.

Successful Organization-based Authentication Redirection URLs

The redirection URL for successful organization-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s organization entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  7. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  8. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s organization entry.

  10. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Organization-based Authentication Redirection URLs

The redirection URL for failed organization-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s organization entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  7. A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).

  8. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  9. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s organization entry.

  10. A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.

To Configure Organization-Based Authentication

Authentication modules are set for an organization by first adding the Core Authentication service to the organization.

To Configure the Organization’s Authentication Attributes

  1. Navigate to the organization for which you wish to add the Authentication Chain.

  2. Click the Authentication tab.

  3. Select the Default Authentication Chain from the pull down menu.

  4. Select the Administrator Authentication Chain from the pull down menu. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The default authentication module is LDAP.

  5. Once you have defined the authentication chains, click Save.

Role-based Authentication

This method of authentication allows a user to authenticate to a role (either static or filtered) within a realm or sub-realm.


Note –

The Authentication Configuration Service must first be registered to the realm before it can be registered as an instance to the role.


For authentication to be successful, the user must belong to the role and must authenticate to each module defined in the Authentication Configuration Service instance configured for that role. For each instance of role-based authentication, the following attributes can be specified:

Conflict Resolution Level. This sets a priority level for the Authentication Configuration Service instances defined for different roles that may both contain the same user. For example, if User1 is assigned to both Role1 and Role2, a higher conflict resolution level can be set for Role1 so that, when the user attempts authentication, Role1 takes priority for success and failure redirects and for post-authentication processing.

Authentication Configuration. This defines the authentication modules configured for the role’s authentication process.

Login Success URL. This defines the URL to which a user is redirected on successful authentication.

Login Failed URL. This defines the URL to which a user is redirected on failed authentication.

Authentication Post Processing Classes. This defines the post-authentication interface.

Role-based Authentication Login URLs

Role-based authentication can be specified in the User Interface Login URL by defining a role parameter. Once the role has been determined, the authentication module(s) to which the user will authenticate are retrieved from the Authentication Configuration Service instance defined for the role.

The login URLs used to specify and initiate this role-based authentication are:

http://server_name.domain_name:port/amserver/UI/Login?role=role_name
http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&role=role_name

If the realm parameter is not specified, the realm to which the role belongs is determined from the server host and domain specified in the login URL itself.

Role-based Authentication Redirection URLs

Upon a successful or failed role-based authentication, Access Manager looks for information on where to redirect the user. The following is the order of precedence in which it looks for this information.

Successful Role-based Authentication Redirection URLs

The redirection URL for successful role-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the role to which the user has authenticated.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of another role entry of the authenticated user. (This option is a fallback if no URL is found at the previous step.)

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  7. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  8. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the role to which the user has authenticated.

  10. A URL set in the iplanet-am-auth-login-success-url attribute of another role entry of the authenticated user. (This option is a fallback if no URL is found at the previous step.)

  11. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  12. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Role-based Authentication Redirection URLs

The redirection URL for failed role-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the role to which the user has authenticated.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of another role entry of the authenticated user. (This option is a fallback if no URL is found at the previous step.)

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  7. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  8. A URL set in the iplanet-am-user-failure-url attribute of the user’s profile (amUser.xml).

  9. A URL set in the iplanet-am-auth-login-failure-url attribute of the role to which the user has authenticated.

  10. A URL set in the iplanet-am-auth-login-failure-url attribute of another role entry of the authenticated user. (This option is a fallback if no URL is found at the previous step.)

  11. A URL set in the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  12. A URL set in the iplanet-am-auth-login-failure-url attribute as a global default.

To Configure Role-Based Authentication

  1. Navigate to the realm (or organization) to which you will add the authentication configuration service.

  2. Click the Subjects tab.

  3. Click Filtered Roles or Roles.

  4. Select the role for which to set the authentication configuration.

    If the Authentication Configuration service has not been added to the role, click Add, select the Authentication Configuration service, and click Next.

  5. Select the Default Authentication Chain that you wish to enable from the pull down menu.

  6. Click Save.


    Note –

    If you are creating a new role, the Authentication Configuration service is not automatically assigned to it. Make sure that you select the Authentication Configuration service option at the top of the role profile page before you create it.

    When role-based authentication is enabled, the LDAP authentication module can be left as the default, as there is no need to configure Membership.


Service-based Authentication

This method of authentication allows a user to authenticate to a specific service or application registered to a realm or sub-realm. The service is configured as a Service Instance within the Authentication Configuration Service and is associated with an Instance Name. For authentication to be successful, the user must authenticate to each module defined in the Authentication Configuration service instance configured for the service. For each instance of service-based authentication, the following attributes can be specified:

Authentication Configuration. This defines the authentication modules configured for the service’s authentication process.

Login Success URL. This defines the URL to which a user is redirected on successful authentication.

Login Failed URL. This defines the URL to which a user is redirected on failed authentication.

Authentication Post Processing Classes. This defines the post-authentication interface.

Service-based Authentication Login URLs

Service-based authentication can be specified in the User Interface Login URL by defining a service parameter. Once the service has been identified, the authentication module(s) to which the user will authenticate are retrieved from the Authentication Configuration service instance defined for the service.

The login URLs used to specify and initiate this service-based authentication are:

http://server_name.domain_name:port/amserver/UI/Login?service=auth-chain-name

and

http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&service=auth-chain-name

If there is no realm parameter, the realm will be determined from the server host and domain specified in the login URL itself.

Service-based Authentication Redirection URLs

Upon a successful or failed service-based authentication, Access Manager looks for information on where to redirect the user. The following is the order of precedence in which it looks for this information.

Successful Service-based Authentication Redirection URLs

The redirection URL for successful service-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the service to which the user has authenticated.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  7. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  8. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the service to which the user has authenticated.

  10. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  11. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  12. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Service-based Authentication Redirection URLs

The redirection URL for failed service-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the service to which the user has authenticated.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  7. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  8. A URL set in the iplanet-am-user-failure-url attribute of the user’s profile (amUser.xml).

  9. A URL set in the iplanet-am-auth-login-failure-url attribute of the service to which the user has authenticated.

  10. A URL set in the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  11. A URL set in the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  12. A URL set in the iplanet-am-auth-login-failure-url attribute as a global default.

To Configure Service-Based Authentication

Authentication modules are set for services after the Authentication Configuration service has been added. To do so:

  1. Choose the realm in which you wish to configure service-based authentication.

  2. Click the Authentication tab.

  3. Create the authentication module instances.

  4. Create the authentication chains.

  5. Click Save.

  6. To access service-based authentication for the realm, enter the following address:

    http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&service=auth-chain-name

User-based Authentication

This method of authentication allows a user to authenticate to an authentication process configured specifically for the user. The process is configured as a value of the User Authentication Configuration attribute in the user’s profile. For authentication to be successful, the user must authenticate to each module defined.

User-based Authentication Login URLs

User-based authentication can be specified in the User Interface Login URL by defining a user parameter. Once the user has been identified, the authentication module(s) to which the user will authenticate are retrieved from the User Authentication Configuration attribute defined for the user.

The login URLs used to specify and initiate user-based authentication are:

http://server_name.domain_name:port/amserver/UI/Login?user=user_name
http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&user=user_name

If there is no realm parameter, the realm to which the user belongs is determined from the server host and domain specified in the login URL itself.

User Alias List Attribute

On receiving a request for user-based authentication, the Authentication service first verifies that the user is a valid user and then retrieves the authentication configuration data for that user. Where more than one valid user profile is associated with the value of the user Login URL parameter, all of those profiles must map to the specified user. The User Alias List attribute (iplanet-am-user-alias-list) in the user profile is where the other profiles belonging to the user are defined. If the mapping fails, the user is denied a valid session. The exception is when one of the users is a top-level administrator: in that case the user mapping validation is not done and the user is given top-level administrator rights.
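The profile validation of Step 1 in How Authentication Types Determine Access and the alias mapping described above, as an added Python example (not Access Manager code). The directory contents are constructed, inetuserstatus is used here as the "profile is active" flag, and only the Required, Dynamic and Ignored settings of User Profile are modelled; the top-level administrator exception is reproduced exactly as the chapter states it, which is worth noticing, because a chain that yields a top-level administrator principal is never subject to alias validation at all.

```python
# Added example: models the User Profile check (Required / Dynamic / Ignored)
# and the iplanet-am-user-alias-list mapping that every principal returned by
# a chain must satisfy.  Directory contents are constructed; inetuserstatus
# stands in for the "profile is active" flag.


def _uid_from_dn(dn):
    """First RDN value, e.g. 'uid=jdoe,ou=People,...' -> 'jdoe'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def canonical_user(principal_dn, directory):
    """Profile a principal maps to: another profile whose alias list names
    this principal's uid, otherwise the principal's own profile."""
    uid = directory[principal_dn]["uid"]
    for dn, attrs in directory.items():
        if dn != principal_dn and uid in attrs.get("iplanet-am-user-alias-list", []):
            return dn
    return principal_dn


def validate_principals(principals, directory, top_level_admins, user_profile="Required"):
    """Decide whether the principals returned by an authentication chain yield a
    session.  Returns (granted, user_dn, reason).  user_profile is the Core
    Authentication User Profile setting: Required, Dynamic or Ignored."""
    if not principals:
        return False, None, "no principal returned by the chain"
    # Exception from the chapter: a top-level admin skips alias validation.
    admins = [p for p in principals if p in top_level_admins]
    if admins:
        return True, admins[0], "top-level admin: user mapping validation skipped"
    if user_profile == "Ignored":
        return True, principals[0], "User Profile=Ignored: no profile validation"
    for p in principals:
        if p not in directory:
            if user_profile != "Dynamic":
                return False, None, f"no profile for {p}"
            # Dynamic: create the missing profile in the data store.
            directory[p] = {"uid": _uid_from_dn(p), "inetuserstatus": "Active",
                            "iplanet-am-user-alias-list": []}
    owners = {canonical_user(p, directory) for p in principals}
    if len(owners) != 1:
        return False, None, "principals map to different users: " + ", ".join(sorted(owners))
    (user_dn,) = owners
    if user_profile == "Required" and directory[user_dn].get("inetuserstatus") != "Active":
        return False, None, f"profile {user_dn} is not active"
    return True, user_dn, "all principals map to one active profile"


# Constructed sample directory: jdoe's alias list claims the jdoe-cert profile.
PEOPLE = "ou=People,dc=example,dc=com"
DIRECTORY = {
    f"uid=jdoe,{PEOPLE}": {"uid": "jdoe", "inetuserstatus": "Active",
                           "iplanet-am-user-alias-list": ["jdoe-cert"]},
    f"uid=jdoe-cert,{PEOPLE}": {"uid": "jdoe-cert", "inetuserstatus": "Active",
                                "iplanet-am-user-alias-list": []},
    f"uid=msmith,{PEOPLE}": {"uid": "msmith", "inetuserstatus": "Active",
                             "iplanet-am-user-alias-list": []},
    f"uid=old,{PEOPLE}": {"uid": "old", "inetuserstatus": "Inactive",
                          "iplanet-am-user-alias-list": []},
}
TOP_LEVEL_ADMINS = {f"uid=amAdmin,{PEOPLE}"}

if __name__ == "__main__":
    # LDAP returned jdoe, the Cert module returned jdoe-cert: same person.
    print(validate_principals([f"uid=jdoe,{PEOPLE}", f"uid=jdoe-cert,{PEOPLE}"],
                              dict(DIRECTORY), TOP_LEVEL_ADMINS))
    # Two unrelated profiles: mapping fails and no session is issued.
    print(validate_principals([f"uid=jdoe,{PEOPLE}", f"uid=msmith,{PEOPLE}"],
                              dict(DIRECTORY), TOP_LEVEL_ADMINS))
```

The function takes the directory as a plain dict so that the Dynamic case can show the profile being created; pass a copy if you do not want the sample data modified.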

User-based Authentication Redirection URLs

Upon a successful or failed user-based authentication, Access Manager looks for information on where to redirect the user. The following is the order of precedence in which it looks for this information.

Successful User-based Authentication Redirection URLs

The redirection URL for successful user-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  7. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  8. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  10. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed User-based Authentication Redirection URLs

The redirection URL for failed user-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  7. A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).

  8. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  9. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  10. A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.
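The precedence lists for realm-, organization-, role-, service- and user-based redirection above all follow one pattern, shown here as an added Python example (not product code): the module's URL first, then the goto or gotoOnFail request parameter, then the clientType custom files for each scope, then the plain attribute values for each scope. The example adds one check the chapter does not describe: because goto and gotoOnFail are client-supplied and outrank every administrator-configured URL, an unchecked value lets a crafted login link send a freshly authenticated user to any site, so the parameter is validated against an allowlist of trusted hosts. Attribute and scope names follow the lists; the configuration values and trusted hosts are constructed.

```python
# Added example: walks the redirect-URL precedence lists of this chapter for a
# success or failure outcome.  The allowlist check on goto/gotoOnFail is an
# added hardening step; the configuration data at the bottom is constructed.
from urllib.parse import urlsplit

# Attribute holding the URL: the user profile (amUser.xml) uses the
# iplanet-am-user-* names, every other scope uses iplanet-am-auth-login-*.
_ATTR = {
    ("success", "user"): "iplanet-am-user-success-url",
    ("failure", "user"): "iplanet-am-user-failure-url",
    ("success", "other"): "iplanet-am-auth-login-success-url",
    ("failure", "other"): "iplanet-am-auth-login-failure-url",
}


def goto_is_trusted(url, trusted_hosts):
    """Accept a site-relative path or an http(s) URL on a trusted host.
    Rejects protocol-relative '//host' and non-http schemes."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return url.startswith("/") and not url.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname in trusted_hosts


def _scopes(auth_type):
    """Scopes searched after the module and the request parameter, in order."""
    scopes = ["user"]
    if auth_type == "service":
        scopes.append("service")       # the service the user authenticated to
    scopes.append("role")              # the role the user authenticated to
    if auth_type == "role":
        scopes.append("other_roles")   # fallback: the user's other roles
    return scopes + ["realm", "global"]


def _value(entry, layer, client_type, attr):
    """Read attr from an entry's clientType custom files or its plain values."""
    if not entry:
        return None
    if layer == "clientType":
        return entry.get("clientType", {}).get(client_type, {}).get(attr)
    return entry.get("default", {}).get(attr)


def resolve_redirect(outcome, auth_type, module_url, params, client_type,
                     entries, trusted_hosts):
    """Return (url, source).  entries maps a scope name to
    {"default": {attr: url}, "clientType": {type: {attr: url}}}; the
    "other_roles" scope is a list of such entries."""
    if module_url:
        return module_url, "module"
    param = "goto" if outcome == "success" else "gotoOnFail"
    requested = params.get(param)
    if requested:
        if goto_is_trusted(requested, trusted_hosts):
            return requested, param
        # untrusted value: drop it and keep walking the list
    for layer in ("clientType", "default"):
        for scope in _scopes(auth_type):
            attr = _ATTR[(outcome, "user" if scope == "user" else "other")]
            candidates = entries.get(scope, [] if scope == "other_roles" else None)
            if scope != "other_roles":
                candidates = [candidates]
            for entry in candidates:
                url = _value(entry, layer, client_type, attr)
                if url:
                    return url, f"{layer}:{scope}"
    return None, "none"


# Constructed configuration for one realm.
ENTRIES = {
    "user": {"default": {"iplanet-am-user-success-url": "https://portal.example.com/home"}},
    "role": {"clientType": {"wml": {"iplanet-am-auth-login-success-url": "https://portal.example.com/wap"}}},
    "realm": {"default": {"iplanet-am-auth-login-failure-url": "https://portal.example.com/retry"}},
    "global": {"default": {"iplanet-am-auth-login-success-url": "/amconsole",
                           "iplanet-am-auth-login-failure-url": "/amserver/UI/Login"}},
}
TRUSTED_HOSTS = {"portal.example.com", "am.example.com"}

if __name__ == "__main__":
    # An untrusted goto is ignored and the user's own profile URL wins.
    print(resolve_redirect("success", "realm", None, {"goto": "https://evil.example/phish"},
                           "genericHTML", ENTRIES, TRUSTED_HOSTS))
    # A clientType custom value at role level outranks the plain user value.
    print(resolve_redirect("success", "realm", None, {}, "wml", ENTRIES, TRUSTED_HOSTS))
```

Note the shape of the lists: every clientType custom value, at any scope, is consulted before any plain value, so a role-level custom entry for the client's type beats the user's own plain profile URL.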

To Configure User-Based Authentication

  1. Navigate to the realm in which you wish to configure authentication for the user.

  2. Click the Subjects tab and click Users.

  3. Click the name of the user you wish to modify.

    The User Profile is displayed.


    Note –

    If you are creating a new user, the Authentication Configuration service is not automatically assigned to the user. Make sure that you select the Authentication Configuration service option in the Service profile before you create the user. If this option is not selected, the user will not inherit the authentication configuration defined for the role.


  4. In the User Authentication Configuration attribute, select the authentication chain you wish to apply.

  5. Click Save.

Authentication Level-based Authentication

Each authentication module can be associated with an integer value for its authentication level. Authentication levels are assigned by clicking the authentication module’s Properties arrow in Service Configuration and changing the value of the module’s Authentication Level attribute. A higher authentication level denotes a higher level of trust in the user once that user has authenticated to one or more authentication modules.

The authentication level is set on the user’s SSO token after the user has successfully authenticated to the module. If the user is required to authenticate to multiple authentication modules, and does so successfully, the highest authentication level value among those modules is set in the user’s SSO token.

When a user attempts to access a service, the service can determine whether the user is allowed access by checking the authentication level in the user’s SSO token. If that level is not sufficient, the service can redirect the user to go through the authentication modules that have the required authentication level.

Users can also access authentication modules with a specific authentication level. For example, a user performs a login with the following syntax:

http://hostname:port/deploy_URI/UI/Login?authlevel=auth_level_value

All modules whose authentication level is greater than or equal to auth_level_value are displayed in an authentication menu for the user to choose from. If only one matching module is found, the login page for that authentication module is displayed directly.

This method of authentication allows an administrator to specify the security level of the modules to which identities can authenticate. Each authentication module has a separate Authentication Level attribute, and the value of this attribute can be any valid integer. With Authentication Level-based authentication, the Authentication Service displays a module login page with a menu containing the authentication modules whose authentication levels are equal to or greater than the value specified in the Login URL parameter. Users can select a module from the presented list. Once the user selects a module, the remaining process is the same as Module-based Authentication.
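The following is an added example, written for this page and not code from the Access Manager product or the guide, that models the authlevel behaviour described above: filtering modules by their Authentication Level, collapsing a single match to a direct login page, carrying the highest level into the SSO token, the service-side check against a required level, and composing and parsing the ?authlevel= Login URL. The module names and level values in MODULE_LEVELS, and the host and realm used in the usage, are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: authentication module name -> Authentication Level.
# These names and levels are assumptions for illustration, not values that
# ship with Access Manager.
MODULE_LEVELS = {
    "LDAP": 0,
    "DataStore": 0,
    "Cert": 10,
    "SecurID": 20,
}


def modules_for_authlevel(module_levels, auth_level_value):
    """Modules whose Authentication Level is greater than or equal to the
    requested value, sorted by name so the menu order is deterministic."""
    return sorted(name for name, level in module_levels.items()
                  if level >= auth_level_value)


def login_menu(module_levels, auth_level_value):
    """Reproduce the menu behaviour the guide describes for ?authlevel=:
    several matches -> a menu to choose from; exactly one match -> that
    module's login page directly; no match -> nothing to offer."""
    matches = modules_for_authlevel(module_levels, auth_level_value)
    if not matches:
        return ("none", None)
    if len(matches) == 1:
        return ("direct", matches[0])
    return ("menu", matches)


def token_auth_level(levels_authenticated):
    """After authenticating to one or more modules, the SSO token carries the
    highest Authentication Level among them."""
    return max(levels_authenticated)


def service_allows(token_level, required_level):
    """A protected service compares the token's level with its own requirement
    and should send the user back through ?authlevel= when it falls short."""
    return token_level >= required_level


def build_login_url(server, port, auth_level_value, realm=None,
                    deploy_uri="amserver"):
    """Compose the two Login URL forms shown in the guide (with and without
    the realm parameter)."""
    params = {}
    if realm is not None:
        params["realm"] = realm
    params["authlevel"] = str(auth_level_value)
    return f"http://{server}:{port}/{deploy_uri}/UI/Login?{urlencode(params)}"


def authlevel_from_url(url):
    """Read authlevel back out of a Login URL. Returns None when the parameter
    is absent or is not an integer, so callers fall back to the default flow
    rather than failing open on a malformed value."""
    values = parse_qs(urlparse(url).query).get("authlevel")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed usage: request level 10 against the sample module table.
    url = build_login_url("am.example.com", 8080, 10, realm="engineering")
    level = authlevel_from_url(url)
    print(url, login_menu(MODULE_LEVELS, level))
    print("token level:", token_auth_level([0, 10]),
          "service(20) allows:", service_allows(10, 20))
```

The service-side check is the part worth noting for access control: a token whose highest level came from a level-0 module should not satisfy a service that requires 20, and a malformed authlevel value is treated as absent rather than as a low number.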

Authentication Level-based Authentication Login URLs

Authentication level-based authentication can be specified in the User Interface Login URL by defining the authlevel parameter. After calling the login screen with the relevant list of modules, the user must choose one with which to authenticate. The login URLs used to specify and initiate authentication level-based authentication are:

http://server_name.domain_name:port/amserver/UI/Login?authlevel=authentication_level

and

http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&authlevel=authentication_level

If there is no configured realm parameter, the realm to which the user belongs will be determined from the server host and domain specified in the login URL itself.

Authentication Level-based Authentication Redirection URLs

Upon a successful or failed authentication level-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Authentication Level-based Authentication Redirection URLs

The redirection URL for successful authentication level-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  7. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  8. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  10. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Authentication Level-based Authentication Redirection URLs

The redirection URL for failed authentication level-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  7. A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).

  8. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  9. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  10. A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.
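The following is an added example, not code from the guide or the product, that walks the ten-step precedence above for both the success and the failure outcome and returns the first populated place. The clientType custom files and directory entries are modelled as plain dictionaries keyed "scope:attribute", a constructed layout rather than the product's storage format. The goto_permitted check is also an addition: the guide does not describe it, but because goto and gotoOnFail arrive in the request rather than from configuration, a practitioner would want an allow list applied before following them.

```python
from urllib.parse import urlparse

SCOPES = ("user", "role", "realm", "global")


def precedence(outcome):
    """Ordered lookup keys for a 'success' or 'failure' outcome, following the
    ten places listed in the guide: module, goto/gotoOnFail parameter, then
    the user/role/realm/global attributes in the clientType custom files,
    then the same attributes in the directory entries."""
    user_attr = f"iplanet-am-user-{outcome}-url"
    login_attr = f"iplanet-am-auth-login-{outcome}-url"
    goto_param = "goto" if outcome == "success" else "gotoOnFail"
    order = [("module", None), ("param", goto_param)]
    for store in ("clientType", "entry"):
        for scope in SCOPES:
            attr = user_attr if scope == "user" else login_attr
            order.append((store, f"{scope}:{attr}"))
    return order


def goto_permitted(url, allowed_hosts):
    """Allow relative URLs and absolute URLs whose host is on the allow list.
    This check is an addition for illustration, not behaviour the guide
    documents; the goto value comes from the request, not from configuration."""
    host = urlparse(url).hostname
    return host is None or host in allowed_hosts


def resolve_redirect(outcome, module_url=None, params=None, client_type=None,
                     entries=None, allowed_hosts=frozenset()):
    """Return (url, (store, key)) for the first populated place in precedence
    order, or (None, None) if nothing is configured.

    client_type and entries are dicts keyed "<scope>:<attribute>", e.g.
    "realm:iplanet-am-auth-login-success-url" (a constructed key layout)."""
    params = params or {}
    client_type = client_type or {}
    entries = entries or {}
    for store, key in precedence(outcome):
        if store == "module":
            value = module_url
        elif store == "param":
            value = params.get(key)
            if value and not goto_permitted(value, allowed_hosts):
                value = None  # an off-list host is treated as not set
        elif store == "clientType":
            value = client_type.get(key)
        else:
            value = entries.get(key)
        if value:
            return value, (store, key)
    return None, None


if __name__ == "__main__":
    # Constructed sample configuration: only the realm success URL and the
    # user's own failure URL are set in the directory entries.
    sample_entries = {
        "realm:iplanet-am-auth-login-success-url": "/realm-home",
        "user:iplanet-am-user-failure-url": "/user-failed",
    }
    print(resolve_redirect("success", params={"goto": "/portal"},
                           entries=sample_entries))
    print(resolve_redirect("failure", entries=sample_entries))
```

Because the goto parameter sits second in the order, ahead of every configured attribute, the allow-list decision is what keeps a request-supplied URL from overriding the administrator's configured redirect; when the parameter is rejected the resolver simply continues down the list.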

Module-based Authentication

Users can access a specific authentication module using the following syntax:

http://hostname:port/deploy_URI/UI/Login?module=module_name

Before the authentication module can be accessed, the Core authentication service attribute realm Authentication Modules must be modified to include the authentication module name. If the authentication module name is not included in this attribute, the “authentication module denied” page will be displayed when the user attempts to authenticate.

This method of authentication allows a user to specify the module to which they will authenticate. The specified module must be registered to the realm or sub-realm that the user is accessing; this is configured in the realm Authentication Modules attribute of the realm’s Core Authentication Service. On receiving a request for module-based authentication, the Authentication Service verifies that the module is configured as described, and if the module is not defined, the user is denied access.

Module-based Authentication Login URLs

Module-based authentication can be specified in the User Interface Login URL by defining a module parameter. The login URLs used to specify and initiate module-based authentication are:

http://server_name.domain_name:port/amserver/UI/Login?module=authentication_module_name
http://server_name.domain_name:port/amserver/UI/Login?org=org_name&module=authentication_module_name

If there is no configured org parameter, the realm to which the user belongs will be determined from the server host and domain specified in the login URL itself.

Module-based Authentication Redirection URLs

Upon a successful or failed module-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Module-based Authentication Redirection URLs

The redirection URL for successful module-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  7. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  8. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  10. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Module-based Authentication Redirection URLs

The redirection URL for failed module-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  7. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  8. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  9. A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.