Sun OpenSSO Enterprise 8.0 Administration Guide

Service Authentication

Service authentication allows a user to authenticate to a specified authentication chain configured in a realm or sub realm. For authentication to be successful, the user must authenticate to each module defined in the chain. The following sections contain more information.

Configuring Service Authentication

To authenticate using service authentication, simply create an authentication chain in the appropriate realm.

  1. Add authentication module instances to the realm. (See To Add an Authentication Module Instance to a Realm or Sub Realm.)

  2. Create an authentication chain in the realm. (See Creating Authentication Chains.)

  3. Create a login URL. (See Initiating Service Authentication with the Login URL.)

Initiating Service Authentication with the Login URL

To initiate the authentication process defined for a particular service, append the service=auth-chain-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?service=bankauth

Additionally, you can append the realm=realm-name parameter to the base login URL. Query parameters are separated with an ampersand, as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=bankrealm&service=bankauth

Note –

If there is no defined realm parameter, the realm will be determined from the server host and domain specified in the login URL.
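
The following Python snippet is an added example, not code from the OpenSSO documentation or product. It builds a service-authentication login URL with realm, service and goto parameters, shows why the parameters must be joined with an ampersand rather than a second question mark, and restricts the goto value to an allow list of hosts because that value arrives from the browser. The host name, realm and chain names, and the allow list are made-up values for illustration.

```python
"""Build and parse OpenSSO service-authentication login URLs.

Added example; not from the OpenSSO documentation or code base. The
deployment base URL, realm, chain name and goto allow list below are
constructed for illustration.
"""
from urllib.parse import urlencode, urlsplit, parse_qs, urlunsplit

# Constructed values: an OpenSSO deployment base and the hosts a goto
# parameter is allowed to send the user to after login.
BASE_LOGIN_URL = "https://sso.example.com:443/opensso/UI/Login"
ALLOWED_GOTO_HOSTS = {"sso.example.com", "bank.example.com"}


def goto_is_allowed(goto):
    """Accept only absolute https URLs whose host is on the allow list.

    The goto value is attacker-controllable (it is just a query parameter),
    so an unchecked goto turns a successful login into an open redirect.
    urlsplit().hostname ignores any userinfo, so a value such as
    https://bank.example.com@evil.example.net/ is rejected.
    """
    parts = urlsplit(goto)
    return parts.scheme == "https" and parts.hostname in ALLOWED_GOTO_HOSTS


def build_login_url(service, realm=None, goto=None, base=BASE_LOGIN_URL):
    """Return the login URL for an authentication chain.

    urlencode joins the parameters with '&' and percent-encodes each value,
    so a realm or chain name containing '&', '?' or spaces cannot break the
    query, and a goto URL with its own query string survives the round trip.
    """
    params = {}
    if realm:
        params["realm"] = realm
    params["service"] = service
    if goto:
        if not goto_is_allowed(goto):
            raise ValueError("goto host not in allow list: %s" % goto)
        params["goto"] = goto
    scheme, netloc, path, _, _ = urlsplit(base)
    return urlunsplit((scheme, netloc, path, urlencode(params), ""))


def login_params(url):
    """Return the single-valued query parameters OpenSSO would see.

    The query starts at the first '?', so a URL written with a second '?'
    instead of '&' yields one parameter whose value swallows the rest.
    """
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query).items()}


if __name__ == "__main__":
    good = build_login_url("bankauth", realm="bankrealm")
    print(good, login_params(good))
    bad = "http://sso.example.com/opensso/UI/Login?realm=bankrealm?service=bankauth"
    print(bad, login_params(bad))  # 'service' is missing; realm is mangled
```

Parsing the mis-written URL shows that the service parameter never reaches OpenSSO: the realm value becomes `bankrealm?service=bankauth`, so the request falls back to the realm's default chain rather than the intended one.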


Redirecting Users After Service Authentication

Upon a successful or failed service authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Service Authentication Redirection URL Precedence

The redirection URL for successful service authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the service to which the user is authenticated specific to the client type from which the request was received.

  5. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Success Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  7. The value of the Default Success Login URL attribute of the top level realm specific to the client type from which the request was received.

  8. The value of the Success URL attribute in the user's profile.

  9. The value of the Success URL attribute in the service to which the user is authenticated.

  10. The value of the Success URL attribute in the role entry of the user's profile.

  11. The value of the Default Success Login URL attribute in the realm entry of the user's profile.

  12. The value of the Default Success Login URL attribute of the top level realm.

Failed Service Authentication Redirection URL Precedence

The redirection URL for failed service authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute of the service to which the user attempted to authenticate specific to the client type from which the request was received.

  5. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  7. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  8. The value of the Failure URL attribute in the user's profile.

  9. The value of the Failure URL attribute of the service to which the user attempted to authenticate.

  10. The value of the Failure URL attribute in the role entry of the user's profile.

  11. The value of the Default Failure Login URL attribute in the realm entry of the user's profile.

  12. The value of the Default Failure Login URL attribute in the top level realm.
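
The following Python function is an added example, not OpenSSO code, that applies the two precedence lists above to a constructed configuration. It makes the structure of the lists explicit: after the module-supplied URL and the goto parameter, every scope (user, service, role, realm, top-level realm) is searched for a value specific to the requesting client type before any scope is searched for its generic value, so a client-type-specific Success URL on the service beats a generic Success URL on the user. The dict-based data model and the sample URLs are assumptions made for the illustration; OpenSSO stores these values as profile and service attributes. The goto value is returned as supplied here, so it must be validated against trusted destinations before it is used.

```python
"""Resolve the post-authentication redirect URL by the documented precedence.

Added example, not OpenSSO code. Each scope is modelled as a dict of the
form {"success": {client_type_or_star: url}, "failure": {...}}, where "*"
holds the generic value of the attribute. Scopes are given in the guide's
order: user, service, role, realm, top-level realm. All URLs below are
constructed sample data.
"""

SAMPLE_SCOPES = [
    ("user", {"success": {"*": "https://bank.example.com/me"},
              "failure": {}}),
    ("service", {"success": {"wml": "https://bank.example.com/wml/home",
                             "*": "https://bank.example.com/home"},
                 "failure": {"*": "https://bank.example.com/login-failed"}}),
    ("role", {}),  # no role-level URLs configured in this sample
    ("realm", {"success": {"*": "https://bank.example.com/"},
               "failure": {"*": "https://bank.example.com/error"}}),
    ("top_realm", {"success": {"*": "https://sso.example.com/"},
                   "failure": {"*": "https://sso.example.com/error"}}),
]


def resolve_redirect(outcome, client_type, module_url=None, goto=None,
                     scopes=SAMPLE_SCOPES):
    """Return (url, source) for outcome 'success' or 'failure'.

    Precedence, as in the guide: module-set URL, goto parameter, then the
    client-type-specific attribute of each scope in order, then the generic
    attribute of each scope in order. source names the winning step so the
    decision can be logged; (None, None) means nothing is configured.
    """
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    if module_url:
        return module_url, "authentication module"
    if goto:
        # Attacker-controllable; validate against an allow list before use.
        return goto, "goto parameter"
    # Steps 3-7: values specific to the requesting client type.
    for name, attrs in scopes:
        url = attrs.get(outcome, {}).get(client_type)
        if url:
            return url, "%s (%s)" % (name, client_type)
    # Steps 8-12: generic values, same scope order.
    for name, attrs in scopes:
        url = attrs.get(outcome, {}).get("*")
        if url:
            return url, name
    return None, None


if __name__ == "__main__":
    for outcome in ("success", "failure"):
        for client in ("html", "wml"):
            print(outcome, client, resolve_redirect(outcome, client))
```

Running the sample shows the non-obvious case: a WML client that authenticates successfully is sent to the service's WML-specific URL even though the user's profile carries a generic Success URL, while an HTML client lands on the user's URL because no client-specific value exists anywhere.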