Sun OpenSSO Enterprise 8.0 Technical Overview

Authentication Service Overview

The function of the Authentication Service is to request information from an authenticating party, and validate it against the configured identity repository using the specified authentication module. After successful authentication, the user session is activated and can be validated across all web applications participating in an SSO environment. For example, when a user or application attempts to access a protected resource, credentials are requested by one (or more) authentication modules. Gaining access to the resource requires that the user or application be allowed based on the submitted credentials.

From the user perspective, a company employee wants to look up a colleague’s phone number. The employee uses a browser to access the company’s online phone book. To log in to the phone book service, the employee provides a user name and password. OpenSSO Enterprise compares the user’s input with data stored in the appropriate identity repository. If OpenSSO Enterprise finds a match for the user name, and if the given password matches the stored password, the user’s identity is authenticated.


Note –

The Basic User Session section in the previous chapter contains a detailed description of the authentication process itself.


The Authentication Service can be accessed by a user with a web browser, by an application using the Client SDK, or by any other client that correctly implements the Authentication Service messaging interfaces. The Authentication Service framework has a pluggable architecture for authentication modules that have different user credential requirements. Together with the Session Service, the Authentication Service establishes the fundamental infrastructure for SSO. Generally speaking, the Authentication Service:

Every time a request is used to access the Authentication Service, the session token identifier is retrieved and used to get the associated session data structure from the Session Service. Additionally, the Authentication Service interfaces with the Session Service to:

The following diagram illustrates how the two services work together.

Figure 7–1 Authentication Service and Session Service Interfaces


The Authentication Service also interfaces with other OpenSSO Enterprise services including the Naming Service, the Identity Repository Service, the Logging Service, and the Monitoring Service. It also interfaces with the configuration data store and policy agents protecting system resources. (A policy agent must authenticate itself using the Client SDK authentication interfaces, and users with no valid session must be authenticated.)
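The Client SDK access path described above, as an added example that is not part of the original Sun documentation: an application authenticates through `AuthContext`, answers whatever callbacks the chosen module requires, and then checks the resulting session token. The realm `/`, the `DataStore` module instance name and the class name `ClientSdkLogin` are assumptions, and the Client SDK must already be configured to reach an OpenSSO Enterprise server.

```java
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.AuthContext;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

public class ClientSdkLogin {
    // Assumed deployment values; adjust to the realm and module in use.
    static final String REALM = "/";
    static final String MODULE = "DataStore";

    public static void main(String[] args) throws Exception {
        String user = args[0];
        // Read the password without echo and keep it in a clearable array.
        char[] password = System.console().readPassword("Password: ");

        AuthContext ctx = new AuthContext(REALM);
        ctx.login(AuthContext.IndexType.MODULE_INSTANCE, MODULE);

        // Each pluggable module states its credential requirements as callbacks.
        while (ctx.hasMoreRequirements()) {
            Callback[] callbacks = ctx.getRequirements();
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    // Fail closed on a requirement this client cannot answer.
                    throw new IllegalStateException("Unhandled callback: " + cb.getClass().getName());
                }
            }
            ctx.submitRequirements(callbacks);
        }
        Arrays.fill(password, '\0'); // PasswordCallback holds its own copy

        if (ctx.getStatus() != AuthContext.Status.SUCCESS) {
            System.err.println("Authentication failed");
            System.exit(1);
        }
        // The session token is a bearer credential: never print or log its ID.
        SSOToken token = ctx.getSSOToken();
        boolean valid = SSOTokenManager.getInstance().isValidToken(token);
        System.out.println("Principal: " + token.getPrincipal().getName() + ", session valid: " + valid);
        ctx.logout(); // destroy the session when the client is finished
    }
}
```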