Sun OpenSSO Enterprise 8.0 Administration Guide

User Authentication

User authentication allows a user to authenticate using an authentication chain specifically defined as a value of the User Authentication Configuration attribute in the user’s profile. For authentication to be successful, the user must authenticate to each module defined in the chain. The following sections contain more information.

Configuring User Authentication

To authenticate using user authentication, simply create an authentication chain in the appropriate realm and select it in the user's profile.

  1. Add authentication module instances to the realm. (See To Add an Authentication Module Instance to a Realm or Sub Realm.)

  2. Create an authentication chain in the realm. (See Creating Authentication Chains.)

  3. Select the authentication chain as the value for the User Authentication Configuration attribute in the user's profile. (See To Configure A User Authentication Process.)

  4. Create a login URL. (See Initiating Service Authentication with the Login URL.)

To Configure A User Authentication Process

  1. Log in to the OpenSSO Enterprise console as the administrator.

    By default, amadmin.

  2. Click the Access Control tab.

  3. Click the name of the realm that contains the user for whom you are configuring an authentication process.

  4. Click the Subjects tab.

  5. Under the User tab, click the user's Name.

  6. Select the appropriate authentication chain as a value for the User Authentication Configuration attribute.

  7. Click Save.

Initiating User Authentication with the Login URL

To initiate the authentication process defined for a particular user, append the user=Universal-ID parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?user=awhite

Additionally, you can append the realm=realm-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=bankrealm&user=awhite

If there is no defined realm parameter, the realm will be determined from the server host and domain specified in the login URL.
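The following is an added example, not part of the OpenSSO documentation, showing how to assemble and read back a login URL of the form described above. The host name sso.example.com and the port are constructed placeholders for OpenSSO-machine-name.domain:port; the user and realm values are the ones used in the text. The parser also shows what a receiver sees when the two parameters are joined with a second ? instead of &.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed base login URL standing in for http://OpenSSO-machine-name.domain:port/opensso/UI/Login
BASE_LOGIN_URL = "http://sso.example.com:8080/opensso/UI/Login"


def build_login_url(base_url: str, user: str, realm: Optional[str] = None) -> str:
    """Append user= (and, when given, realm=) to the base login URL.

    urlencode joins the parameters with & and percent-encodes any characters
    that are not safe in a query string, so a user or realm name containing
    spaces or punctuation still arrives intact.
    """
    params = {}
    if realm:
        params["realm"] = realm
    params["user"] = user  # Universal ID of the user whose chain should run
    parts = urlsplit(base_url)
    return urlunsplit(parts._replace(query=urlencode(params)))


def parse_login_url(url: str) -> dict:
    """Return the user and realm a login URL requests.

    realm is None when the parameter is absent; per the text, the server then
    determines the realm from the host and domain in the URL, so the host is
    returned alongside the parameters.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # splits on & only
    return {
        "host": parts.hostname,
        "user": query.get("user", [None])[0],
        "realm": query.get("realm", [None])[0],
    }


if __name__ == "__main__":
    print(build_login_url(BASE_LOGIN_URL, "awhite"))
    print(build_login_url(BASE_LOGIN_URL, "awhite", "bankrealm"))
    print(parse_login_url(BASE_LOGIN_URL + "?realm=bankrealm&user=awhite"))
    # A second ? is not a separator: the whole tail becomes the realm value
    # and no user parameter is seen at all.
    print(parse_login_url(BASE_LOGIN_URL + "?realm=bankrealm?user=awhite"))
```

The last call illustrates why the separator matters: with "?realm=bankrealm?user=awhite" the receiver sees a realm named "bankrealm?user=awhite" and no user parameter, so the per-user chain is never selected.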


Tip –

The User Alias List attribute in the User profile is where the disparate Universal IDs defined for one user are mapped. On receiving a request for user authentication, the Authentication Service first verifies that the Universal ID passed with the login URL maps to a valid user. It then retrieves the specified Authentication Configuration data from the user's profile. If, for example, the authentication chain contains more than one module and a different Universal ID is defined for the user in each, all of those user profiles must map to the Universal ID specified in the URL; otherwise the user is denied a validated SSOToken. The exception is when one of the Universal IDs belongs to a top-level administrator: in that case the user mapping validation is not done and the user is given top-level administrator rights.


Redirecting Users After User Authentication

Upon a successful or failed user authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful User Authentication Redirection URL Precedence

The redirection URL for successful user authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Success Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Success Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Success URL attribute in the user's profile.

  8. The value of the Success URL attribute in the role entry of the user's profile.

  9. The value of the Default Success Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Success Login URL attribute in the top-level realm.

Failed User Authentication Redirection URL Precedence

The redirection URL for failed user authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Failure URL attribute in the user's profile.

  8. The value of the Failure URL attribute in the role entry of the user's profile.

  9. The value of the Failure URL attribute in the realm entry of the user's profile.

  10. The value of the Default Failure Login URL attribute in the top-level realm.
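The two precedence lists above (successful and failed user authentication) can be worked through as a single lookup. The following is an added example, not OpenSSO code: it models each profile, role, realm and top-level realm entry as a mapping from attribute name to a per-client-type URL table and returns the first non-empty source together with the step number at which it was found. The attribute names are transcribed from the lists as written, including step 9 of the failure list; the client type names and the sample configuration are constructed.

```python
from typing import Dict, Optional, Tuple

# Client-type-independent values are stored under this key. Steps 3-6 consult
# the client-type-specific value of each entry; steps 7-10 fall back to these.
ANY_CLIENT = "*"

# Attribute names consulted, in order, for (user, role, realm, top-level realm),
# first in the client-type-specific pass and then in the generic pass.
PRECEDENCE = {
    "success": {
        "specific": ("Success URL", "Success URL",
                     "Default Success Login URL", "Default Success Login URL"),
        "generic": ("Success URL", "Success URL",
                    "Default Success Login URL", "Default Success Login URL"),
    },
    "failure": {
        "specific": ("Failure URL", "Failure URL",
                     "Default Failure Login URL", "Default Failure Login URL"),
        # step 9 of the failure list names "Failure URL" for the realm entry
        "generic": ("Failure URL", "Failure URL",
                    "Failure URL", "Default Failure Login URL"),
    },
}

Entry = Dict[str, Dict[str, str]]  # attribute name -> {client type -> URL}


def resolve_redirect_url(outcome: str, client_type: str,
                         module_url: Optional[str] = None,
                         goto: Optional[str] = None,
                         user: Optional[Entry] = None,
                         role: Optional[Entry] = None,
                         realm: Optional[Entry] = None,
                         top_realm: Optional[Entry] = None) -> Tuple[int, Optional[str]]:
    """Return (step number, URL) for the first source that yields a URL, or (0, None).

    outcome is "success" or "failure"; module_url is a URL set by the
    authentication module (step 1); goto is the goto / gotoOnFail parameter
    of the login request (step 2).
    """
    entries = [user or {}, role or {}, realm or {}, top_realm or {}]
    names = PRECEDENCE[outcome]
    candidates = [module_url, goto]                                 # steps 1-2
    for attr, entry in zip(names["specific"], entries):             # steps 3-6
        candidates.append(entry.get(attr, {}).get(client_type))
    for attr, entry in zip(names["generic"], entries):              # steps 7-10
        candidates.append(entry.get(attr, {}).get(ANY_CLIENT))
    for step, url in enumerate(candidates, start=1):
        if url:
            return step, url
    return 0, None


# Constructed sample configuration (not taken from any real deployment).
SAMPLE_USER = {"Success URL": {ANY_CLIENT: "http://app.example.com/home"},
               "Failure URL": {"genericHTML": "http://app.example.com/retry"}}
SAMPLE_ROLE = {"Success URL": {"genericHTML": "http://app.example.com/role-home"}}
SAMPLE_TOP_REALM = {"Default Success Login URL": {ANY_CLIENT: "http://app.example.com/"},
                    "Default Failure Login URL": {ANY_CLIENT: "http://app.example.com/failed"}}


def demo() -> Dict[str, Tuple[int, Optional[str]]]:
    """Run the resolver over the sample configuration for a few request shapes."""
    common = dict(user=SAMPLE_USER, role=SAMPLE_ROLE, top_realm=SAMPLE_TOP_REALM)
    return {
        # goto from the login request beats every profile attribute (step 2)
        "goto_wins": resolve_redirect_url("success", "genericHTML",
                                          goto="http://app.example.com/cart", **common),
        # the role's client-specific URL (step 4) beats the user's generic one (step 7)
        "role_specific_before_user_generic": resolve_redirect_url("success", "genericHTML", **common),
        # a client type with no specific entries anywhere reaches the generic pass
        "other_client_uses_user_generic": resolve_redirect_url("success", "WML", **common),
        # failure with no matching user/role/realm value ends at the top-level realm
        "failure_top_realm": resolve_redirect_url("failure", "WML", **common),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: step {result[0]} -> {result[1]}")
```

Note the second case: a role's client-type-specific Success URL wins over the user's own client-independent Success URL, because all four client-specific sources are exhausted before any generic one is consulted.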