Sun OpenSSO Enterprise 8.0 Administration Guide

Role Authentication (Legacy Mode)

Role authentication allows a user to authenticate as a member of a specified role (either static or filtered) configured within a realm or sub realm. Role authentication is only available when the Access Manager SDK (AMSDK) Identity Repository Plug-in is enabled. See Chapter 15, Enabling the Access Manager SDK (AMSDK) Identity Repository Plug-in, in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide for requirements and procedures to enable this legacy feature.

For role authentication to succeed, the user must be a member of the role and must authenticate to every module in the authentication chain configured for that role. The following sections contain more information.

Configuring Role Authentication

The authentication method for a role is set by adding the legacy Authentication Configuration Service to the role and choosing the appropriate authentication chain from the displayed choices.

Procedure: To Configure an Authentication Process for a Role

  1. Log in to the OpenSSO Enterprise console as the administrator.

    By default, amadmin.

  2. Click the Access Control tab.

  3. Click the name of the realm that contains the role for which you are configuring an authentication process.

  4. Click the Subjects tab.

  5. Click the Roles tab.

  6. Click the name of the role you are configuring.

  7. Click the Services tab.

  8. Click Add.

  9. Select Authentication Configuration and click Next.

  10. Select the appropriate authentication chain from those displayed.

    See Creating Authentication Chains.

  11. Click Finish.

Initiating Role Authentication with the Login URL

To initiate the authentication process defined for a particular role, append the role=role-name parameter to the base login URL, as in:

http://OpenSSO-machine-name.domain:port/opensso/UI/Login?role=manager

A user who is not a member of the specified role receives an error message when attempting to authenticate with this parameter; membership alone is not sufficient, because the user must also pass every module in the role's authentication chain.

Redirecting Users After Role Authentication

Upon a successful or failed role authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Role Authentication Redirection URL Precedence

The redirection URL for successful role authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Success URL attribute in another role entry of the user's profile specific to the client type from which the request was received. (This option is a fallback if the previous redirection URL fails.)

  6. The value of the Default Success Login URL attribute in the realm to which the user is a member specific to the client type from which the request was received.

  7. The value of the Default Success Login URL attribute in the top level realm specific to the client type from which the request was received.

  8. The value of the Success URL attribute in the user's profile.

  9. The value of the Success URL attribute in the role entry of the user's profile.

  10. The value of the Success URL attribute in another role entry of the user's profile. (This option is a fallback if the previous redirection URL fails.)

  11. The value of the Default Success Login URL attribute in the realm to which the user is a member.

  12. The value of the Default Success Login URL attribute in the top level realm.

Failed Role Authentication Redirection URL Precedence

The redirection URL for failed role authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Failure Login URL attribute in the realm to which the user is a member specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Failure URL attribute in the user's profile.

  8. The value of the Failure URL attribute in the role entry of the user's profile.

  9. The value of the Default Failure Login URL attribute in the realm to which the user is a member.

  10. The value of the Default Failure Login URL attribute in the top level realm.

  11. The value of the Success URL attribute in the role entry of the user's profile.

  12. The value of the Success URL attribute in another role entry of the user's profile. (This option is a fallback if the previous redirection URL fails.)
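The two precedence lists above, written out as a resolver so the ordering can be exercised on sample data. This is an added illustration, not OpenSSO Enterprise source code: the Context structure, the attribute names (SuccessURL, DefaultSuccessLoginURL, FailureURL, DefaultFailureLoginURL), and the constructed URLs are assumptions chosen for readability, and an unset attribute (or one that "fails", in the lists' wording) is modelled simply as absent. The look-up order is the one the lists state, including the failure list's final fallback to Success URL entries.

```python
"""Redirect-URL precedence resolver mirroring the success and failure lists.

Added example, not OpenSSO Enterprise code. Entity layout and attribute
names are assumptions; only the order of look-ups comes from the lists.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# An entity (user profile, role entry, realm) maps attribute name ->
# {client_type: url}. The key None holds the plain, client-independent value.
Entity = Dict[str, Dict[Optional[str], str]]


@dataclass
class Context:
    client_type: str                    # e.g. "HTML" or "WML", taken from the request
    module_url: Optional[str] = None    # URL the authentication module itself set
    goto: Optional[str] = None          # ?goto= login URL parameter
    goto_on_fail: Optional[str] = None  # ?gotoOnFail= login URL parameter
    user: Entity = field(default_factory=dict)
    role: Entity = field(default_factory=dict)          # role named in ?role=
    other_roles: List[Entity] = field(default_factory=list)
    realm: Entity = field(default_factory=dict)         # realm the user belongs to
    top_realm: Entity = field(default_factory=dict)


def _attr(entity: Entity, name: str, client_type: Optional[str]) -> Optional[str]:
    """Value of ``name`` for ``client_type`` (None = client-independent), or None."""
    return entity.get(name, {}).get(client_type)


def _first(candidates: List[Optional[str]]) -> Optional[str]:
    """First non-empty candidate, or None when nothing is configured."""
    return next((c for c in candidates if c), None)


def resolve_success_url(ctx: Context) -> Optional[str]:
    """Items 1-12 of the success precedence list."""
    chain: List[Optional[str]] = [ctx.module_url, ctx.goto]
    # Items 3-7 (client-type specific), then items 8-12 (client-independent).
    for ct in (ctx.client_type, None):
        chain.append(_attr(ctx.user, "SuccessURL", ct))
        chain.append(_attr(ctx.role, "SuccessURL", ct))
        chain.extend(_attr(r, "SuccessURL", ct) for r in ctx.other_roles)
        chain.append(_attr(ctx.realm, "DefaultSuccessLoginURL", ct))
        chain.append(_attr(ctx.top_realm, "DefaultSuccessLoginURL", ct))
    return _first(chain)


def resolve_failure_url(ctx: Context) -> Optional[str]:
    """Items 1-12 of the failure precedence list."""
    chain: List[Optional[str]] = [ctx.module_url, ctx.goto_on_fail]
    # Items 3-6 (client-type specific), then items 7-10 (client-independent).
    for ct in (ctx.client_type, None):
        chain.append(_attr(ctx.user, "FailureURL", ct))
        chain.append(_attr(ctx.role, "FailureURL", ct))
        chain.append(_attr(ctx.realm, "DefaultFailureLoginURL", ct))
        chain.append(_attr(ctx.top_realm, "DefaultFailureLoginURL", ct))
    # Items 11-12: with no failure URL anywhere, the role Success URLs are used.
    chain.append(_attr(ctx.role, "SuccessURL", None))
    chain.extend(_attr(r, "SuccessURL", None) for r in ctx.other_roles)
    return _first(chain)


def demo() -> Dict[str, Optional[str]]:
    """Constructed data (not from a real deployment) showing that every
    client-specific source outranks every client-independent one, and that a
    goto= parameter outranks all stored attributes."""
    ctx = Context(
        client_type="HTML",
        user={"SuccessURL": {None: "https://app.example.com/user-home"}},
        role={"SuccessURL": {None: "https://app.example.com/manager-home"},
              "FailureURL": {"HTML": "https://app.example.com/manager-denied"}},
        realm={"DefaultSuccessLoginURL": {"HTML": "https://app.example.com/html-home"}},
        top_realm={"DefaultSuccessLoginURL": {None: "https://app.example.com/"}},
    )
    # The realm's HTML-specific default (item 6) beats the user's plain URL (item 8).
    result = {"stored_only": resolve_success_url(ctx)}
    ctx.goto = "https://app.example.com/after-login"
    result["with_goto"] = resolve_success_url(ctx)          # item 2 wins
    result["failure"] = resolve_failure_url(ctx)            # role FailureURL, item 4
    # A WML client has no client-specific values here, so the user's plain URL wins.
    wml = Context(client_type="WML", user=ctx.user, role=ctx.role,
                  realm=ctx.realm, top_realm=ctx.top_realm)
    result["wml"] = resolve_success_url(wml)
    return result


if __name__ == "__main__":
    for name, url in demo().items():
        print(f"{name}: {url}")
```

Two things worth noting from running it. First, the client-type-specific pass is exhausted before any client-independent attribute is consulted, so a realm-level default for the request's client type silently overrides a Success URL set on the user; that surprises administrators who expect the user entry to win. Second, goto and gotoOnFail come from the request and sit above every administrator-configured URL, so any restriction on where users may be sent must be applied to those parameters; this example performs no such validation.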