test

Sun Java System Access Manager 7.1 Technical Overview

User Authentication

When the browser sends a GET request to the Distributed Authentication User Interface, the events in the following illustration occur. The accompanying text describes the process.

User authentication process. Details are provided in the accompanying body text.

  1. Using the parameters in the GET request, the Distributed Authentication User Interface contacts the Authentication Service installed on the Access Manager server.

  2. The Authentication Service determines the appropriate authentication module to use based upon Access Manager configuration and the request parameters passed by the Distributed Authentication User Interface using the Authentication client APIs.

    For example, if Access Manager is configured to use the LDAP Authentication type of module, the Authentication Service determines that the LDAP Authentication login page will be used.

  3. The Authentication Service determines which presentation callbacks should be presented, and sends to the Distributed Authentication User Interface all necessary credentials, requirements, and callbacks for use by the presentation framework layer.

  4. The Client Detection Service determines which protocol, such as HTML or WML, to use to display the login page.

  5. The Distributed Authentication User Interface returns to the Web browser a dynamic presentation extraction page along with the session cookie.

    The presentation extraction page contains the appropriate credentials request and callbacks info obtained from the Access Manager server.

  6. The user’s browser displays the login page.

    The user enters information in the Username and Password fields of the login page.

  7. The browser replies to the Distributed Authentication User Interface with a POST that contains the required credentials.

  8. The Distributed Authentication User Interface uses the Authentication client APIs to pass credentials to the Access Manager server.

  9. The Authentication Service uses the appropriate authentication module type to validate the user’s credentials.

    For example, if the LDAP authentication module type is used, the Authentication Service verifies that the username and password provided exist in the LDAP directory. Other authentication module types have different requirements.

  10. Assuming authentication is successful, the Authentication Service activates the session by calling the appropriate methods in the Session Service.

    The Authentication Service stores information such as Login time, Authentication Scheme, and Authentication Level in the session data structure.

  11. Once the session is activated, the Session Service changes the state of the session token to valid.

  12. The Distributed Authentication User Interface replies to the protected resource with an SSOToken in a set-cookie header.

  13. Now, the browser makes another request to the original resource protected by a policy agent.

    This time, the request includes a valid session token, created during the authentication process.

The next part of the user session is Session Validation.