Sun OpenSSO Enterprise 8.0 Administration Guide

Initiating the Authentication Type

Authentication Service User Interface and Authentication Types give high-level views of the authentication types available with OpenSSO Enterprise and of how an authentication type is initiated: by appending the appropriate parameter to the login URL (or programmatically, using the authentication API). The base login URL is:


http://OpenSSO-machine-name.domain:port/service_deploy_uri/UI/Login

Note –

During installation, the service_deploy_uri is configured as opensso. This default service deployment URI will be used throughout this section.


The following sections contain more information about the specific authentication types.

More information on these authentication types and the URL parameters with which they work can be found in Accessing the Authentication Service User Interface with a Login URL. Information on initiating the authentication type using the programmatic interfaces is in the Sun OpenSSO Enterprise 8.0 Developer’s Guide.

Realm Authentication

Realm authentication is the default authentication type for OpenSSO Enterprise. It allows a member of a realm to authenticate using the authentication process configured for that particular realm (or sub realm). The following sections contain more information.

Configuring Realm Authentication

The authentication process for a realm is defined by selecting the appropriate authentication chain in the realm or sub realm's configuration.

Procedure: To Configure a Realm's Authentication Process

  1. Log in to the OpenSSO Enterprise console as the administrator.

    By default, amadmin.

  2. Click the Access Control tab.

  3. Click the name of the realm under which you are configuring an authentication process.

  4. Click the Authentication tab.

  5. Select the appropriate authentication chain as a value for the Default Authentication Chain attribute.

    See Creating Authentication Chains for information.

  6. (Optional) Select the appropriate authentication chain as a value for the Administrator Authentication Chain attribute.

    This authentication chain is used if the authentication process for administrators needs to be different from the process for end users.

  7. Click Save.

Initiating Realm Authentication with the Login URL

To initiate authentication for a member of a particular realm, append the domain=realm-name parameter or the realm=realm-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=sun

Note –

If neither parameter is present, the realm is determined from the server host and domain in the login URL, using the Realm/DNS Alias Names attribute. The base login URL without a realm parameter initiates authentication for the top level realm.


The realm of a request for authentication is determined from the following, in order of precedence:

  1. The domain parameter.

  2. The realm parameter.

  3. The value of the Realm/DNS Alias Names attribute.

Once the realm is determined, the authentication module(s) to which the user will authenticate are retrieved from the realm's Default Authentication Chain attribute or Administrator Authentication Chain attribute.


Caution –

If User1 is authenticated to realmA and then tries to access realmB, a warning page is displayed that asks the user to authenticate to realmB with the authentication process specified for realmB, or return to the existing authenticated session with realmA. If the user chooses to authenticate to realmB, only the values of the realm and module (if specified) parameters are passed and honored for determining the new authentication process.
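The realm-selection precedence and the realm-switch rule above, written out as an added Python example (this is not OpenSSO code and not from the original guide). The alias table standing in for the Realm/DNS Alias Names attribute, the host names and the realm names are constructed for illustration; the realm values are returned exactly as they appear in the URL, as the page gives them (for example realm=sun).

```python
from urllib.parse import parse_qs, urlsplit

TOP_LEVEL_REALM = "/"

# Constructed stand-in for the Realm/DNS Alias Names attribute: request host -> realm.
# Hypothetical data, not taken from the page.
DNS_ALIASES = {
    "sso.bank.example.com": "bankrealm",
    "sso.example.com": TOP_LEVEL_REALM,
}

# Only these parameters are honored when an already-authenticated user chooses to
# authenticate to a second realm (the Caution above).
HONORED_ON_REALM_SWITCH = ("realm", "module")


def resolve_realm(login_url, dns_aliases=DNS_ALIASES):
    """Return the realm a login URL resolves to, in the page's order of precedence:
    the domain parameter, then the realm parameter, then the Realm/DNS Alias Names
    entry for the request host, and finally the top level realm."""
    parts = urlsplit(login_url)
    query = parse_qs(parts.query)          # empty values are dropped by default
    if query.get("domain"):
        return query["domain"][0]
    if query.get("realm"):
        return query["realm"][0]
    return dns_aliases.get(parts.hostname or "", TOP_LEVEL_REALM)


def params_honored_on_realm_switch(login_url):
    """Reduce a login URL's query to the parameters that survive a realm switch.
    Anything else (service, user, goto, ...) is dropped, as the Caution states."""
    query = parse_qs(urlsplit(login_url).query)
    return {k: v[0] for k, v in query.items() if k in HONORED_ON_REALM_SWITCH and v}


if __name__ == "__main__":
    print(resolve_realm("http://sso.example.com:8080/opensso/UI/Login?realm=sun"))
    print(resolve_realm("http://sso.bank.example.com:8080/opensso/UI/Login"))
    print(params_honored_on_realm_switch(
        "http://sso.example.com/opensso/UI/Login?realm=realmB&module=LDAP&goto=http://app.example.com/"))
```

The second function is the practical point of the Caution: a goto or service value carried on the original request is not carried into the second realm's authentication, so an application that relies on it must re-issue it after the switch.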


Redirecting Users After Realm Authentication

Upon a successful or failed realm authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Realm Authentication Redirection URL Precedence

The redirection URL for successful realm authentication is determined by checking the following places in order of precedence.

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Success Login URL attribute in the realm to which the user is a member specific to the client type from which the request was received.

  6. The value of the Default Success Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Success URL attribute in the user's profile.

  8. The value of the Success URL attribute in the role entry of the user's profile.

  9. The value of the Success URL attribute in the realm to which the user is a member.

  10. The value of the Default Success Login URL attribute in the top level realm.

Failed Realm Authentication Redirection URL Precedence

The redirection URL for failed realm authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Failure URL attribute in the user's profile.

  8. The value of the Failure URL attribute in the role entry of the user's profile.

  9. The value of the Default Failure Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Failure Login URL attribute in the top level realm.
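The two precedence lists above (successful and failed realm authentication) implemented as one table-driven resolver, as an added Python example that is not code from OpenSSO or from this guide. The sample attribute values, client type names and URLs are constructed; the None client type holds the value that is not specific to any client type. The scope order for service authentication, given later on this page, is included as a second table to show that the same resolver covers it. The allowed_goto_hosts check is an added safeguard the page does not describe: goto and gotoOnFail are request parameters and are honored at step 2, so a deployment will normally want to restrict where they may point.

```python
from urllib.parse import urlsplit

# Attribute consulted in each scope, as named in the two lists above.
SUCCESS_ATTRS = {
    "user": "Success URL",
    "service": "Success URL",
    "role": "Success URL",
    "realm": "Default Success Login URL",
    "top": "Default Success Login URL",
}
FAILURE_ATTRS = {
    "user": "Failure URL",
    "service": "Failure URL",
    "role": "Failure URL",
    "realm": "Default Failure Login URL",
    "top": "Default Failure Login URL",
}

# Scope order for realm authentication (this section) and for service
# authentication (later on this page), which inserts the service scope.
REALM_AUTH_SCOPES = ("user", "role", "realm", "top")
SERVICE_AUTH_SCOPES = ("user", "service", "role", "realm", "top")

# Constructed sample of the attribute values OpenSSO would read; hypothetical data.
# Layout: scope -> attribute name -> client type -> URL.
SAMPLE_PROFILE = {
    "user": {"Success URL": {None: "http://app.example.com/home"}},
    "role": {"Success URL": {"wml": "http://app.example.com/wml/home"}},
    "realm": {"Default Failure Login URL": {None: "http://sso.example.com/opensso/failed"}},
    "top": {
        "Default Success Login URL": {None: "http://sso.example.com/opensso/"},
        "Default Failure Login URL": {None: "http://sso.example.com/opensso/UI/Login"},
    },
}


def resolve_redirect(outcome, request, profile=SAMPLE_PROFILE,
                     scopes=REALM_AUTH_SCOPES, allowed_goto_hosts=None):
    """Return the redirect URL for a 'success' or 'failure' outcome, or None.

    request: dict with optional keys module_url (URL set by the authentication
    module), goto, gotoOnFail and client_type.
    allowed_goto_hosts: added safeguard, not from the page; when given, the
    goto/gotoOnFail value is honored only if its host is in the set.
    """
    if outcome == "success":
        names, param = SUCCESS_ATTRS, "goto"
    elif outcome == "failure":
        names, param = FAILURE_ATTRS, "gotoOnFail"
    else:
        raise ValueError(f"unknown outcome: {outcome}")

    # 1. A URL set by the authentication module.
    if request.get("module_url"):
        return request["module_url"]

    # 2. The goto / gotoOnFail login URL parameter.
    target = request.get(param)
    if target and (allowed_goto_hosts is None
                   or urlsplit(target).hostname in allowed_goto_hosts):
        return target

    # 3-6: client-type-specific values, scope by scope; 7-10: the generic values.
    client = request.get("client_type")
    for wanted in dict.fromkeys((client, None)):   # dedupes when client is None
        for scope in scopes:
            values = profile.get(scope, {}).get(names[scope], {})
            if values.get(wanted):
                return values[wanted]
    return None


if __name__ == "__main__":
    print(resolve_redirect("success", {"client_type": "wml"}))
    print(resolve_redirect("failure", {"client_type": "genericHTML"}))
```

Note that a client-type-specific value in a lower scope (the role's wml URL in the sample) beats a generic value in a higher scope (the user's Success URL): all client-specific entries are exhausted before any generic one is consulted.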

Service Authentication

Service authentication allows a user to authenticate to a specified authentication chain configured in a realm or sub realm. For authentication to be successful, the user must authenticate to each module defined in the chain. The following sections contain more information.

Configuring Service Authentication

To authenticate using service authentication, simply create an authentication chain in the appropriate realm.

  1. Add authentication module instances to the realm. (See To Add an Authentication Module Instance to a Realm or Sub Realm.)

  2. Create an authentication chain in the realm. (See Creating Authentication Chains.)

  3. Create a login URL. (See Initiating Service Authentication with the Login URL.)

Initiating Service Authentication with the Login URL

To initiate the authentication process defined for a particular service, append the service=auth-chain-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?service=bankauth

Additionally, you can append the realm=realm-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=bankrealm&service=bankauth

Note –

If there is no defined realm parameter, the realm will be determined from the server host and domain specified in the login URL.
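A small builder for login URLs, as an added Python example (not code from OpenSSO or from this guide). It goes beyond the service parameter shown here: it accepts every login URL parameter documented on this page (domain, realm, service, user, authlevel, module, role, goto, gotoOnFail), percent-encodes the values and joins them with '&', and rejects parameter names it does not know so that a misspelled parameter cannot silently fall back to realm authentication. The host names and parameter values are constructed; the deployment URI defaults to opensso as the page's Note states.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Login URL parameters documented on this page.
KNOWN_PARAMS = ("domain", "realm", "service", "user", "authlevel", "module",
                "role", "goto", "gotoOnFail")


def build_login_url(base, deploy_uri="opensso", **params):
    """Assemble a login URL from base (scheme://host:port) and the parameters
    given as keyword arguments. Values are percent-encoded and joined with '&';
    parameters set to None are omitted; unknown names raise ValueError."""
    unknown = sorted(set(params) - set(KNOWN_PARAMS))
    if unknown:
        raise ValueError(f"unknown login URL parameter(s): {', '.join(unknown)}")
    if params.get("authlevel") is not None:
        params["authlevel"] = int(params["authlevel"])   # authlevel must be an integer
    query = urlencode([(k, v) for k, v in params.items() if v is not None])
    url = f"{base.rstrip('/')}/{deploy_uri.strip('/')}/UI/Login"
    return f"{url}?{query}" if query else url


def login_params(url):
    """Parse the query of a login URL back into a dict, as the server sees it."""
    return dict(parse_qsl(urlsplit(url).query))


if __name__ == "__main__":
    print(build_login_url("http://sso.example.com:8080", realm="bankrealm", service="bankauth"))
    # A second '?' does not start a new parameter: the realm value swallows it.
    print(login_params("http://sso.example.com:8080/opensso/UI/Login?realm=bankrealm?service=bankauth"))
```

The second call in the usage block shows why the separator matters: with a second '?' the server receives a single realm parameter whose value is "bankrealm?service=bankauth", so no such realm is found and no service is requested.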


Redirecting Users After Service Authentication

Upon a successful or failed service authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Service Authentication Redirection URL Precedence

The redirection URL for successful service authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the service to which the user is authenticated specific to the client type from which the request was received.

  5. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Success Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  7. The value of the Default Success Login URL attribute of the top level realm specific to the client type from which the request was received.

  8. The value of the Success URL attribute in the user's profile.

  9. The value of the Success URL attribute in the service to which the user is authenticated.

  10. The value of the Success URL attribute in the role entry of the user's profile.

  11. The value of the Default Success Login URL attribute in the realm entry of the user's profile.

  12. The value of the Default Success Login URL attribute of the top level realm.

Failed Service Authentication Redirection URL Precedence

The redirection URL for failed service authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute of the service to which the user has authenticated specific to the client type from which the request was received.

  5. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  7. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  8. The value of the Failure URL attribute in the user's profile.

  9. The value of the Failure URL attribute of the service to which the user has authenticated.

  10. The value of the Failure URL attribute in the role entry of the user's profile.

  11. The value of the Default Failure Login URL attribute in the realm entry of the user's profile.

  12. The value of the Default Failure Login URL attribute in the top level realm.

User Authentication

User authentication allows a user to authenticate using an authentication chain specifically defined as a value of the User Authentication Configuration attribute in the user’s profile. For authentication to be successful, the user must authenticate to each module defined in the chain. The following sections contain more information.

Configuring User Authentication

To authenticate using user authentication, simply create an authentication chain in the appropriate realm and select it in the user's profile.

  1. Add authentication module instances to the realm. (See To Add an Authentication Module Instance to a Realm or Sub Realm.)

  2. Create an authentication chain in the realm. (See Creating Authentication Chains.)

  3. Select the authentication chain as the value for the User Authentication Configuration attribute in the user's profile. (See To Configure A User Authentication Process.)

  4. Create a login URL. (See Initiating Service Authentication with the Login URL.)

Procedure: To Configure a User Authentication Process

  1. Log in to the OpenSSO Enterprise console as the administrator.

    By default, amadmin.

  2. Click the Access Control tab.

  3. Click the name of the realm that contains the user for whom you are configuring an authentication process.

  4. Click the Subjects tab.

  5. Under the User tab, click the user's Name.

  6. Select the appropriate authentication chain as a value for the User Authentication Configuration attribute.

  7. Click Save.

Initiating User Authentication with the Login URL

To initiate the authentication process defined for a particular user, append the user=Universal-ID parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?user=awhite

Additionally, you can append the realm=realm-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=bankrealm&user=awhite

If there is no defined realm parameter, the realm will be determined from the server host and domain specified in the login URL.


Tip –

The User Alias List attribute in the user profile is where the disparate Universal IDs defined for one user are mapped to each other. On receiving a request for user authentication, the Authentication Service first verifies that the Universal ID passed with the login URL maps to a valid user, then retrieves the Authentication Configuration data from that user's profile. Where the authentication chain contains more than one module and the modules identify the user by different Universal IDs, every identity must map to the Universal ID specified in the URL or the user is denied a validated SSOToken. The exception is when one of the Universal IDs belongs to a top level administrator: the user mapping validation is then not done and the user is given top level administrator rights.
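The mapping check described in the Tip, as an added Python example that is not OpenSSO code and not from this guide. The alias lists and user names are constructed; amadmin is used as the top level administrator because the page names it as the default. The function decides, for the Universal ID passed in the user parameter and the identities each module in the chain produced, whether a validated SSOToken may be issued, including the administrator exception the Tip describes.

```python
# Default top level administrator named on this page.
TOP_LEVEL_ADMINS = frozenset({"amadmin"})

# Constructed user profiles: Universal ID -> User Alias List. Hypothetical data.
USER_ALIAS_LISTS = {
    "awhite": frozenset({"alice.white@example.com", "awhite@corp"}),
    "bgreen": frozenset(),
}


def validate_user_mapping(url_user, module_user_ids, alias_lists=USER_ALIAS_LISTS,
                          top_level_admins=TOP_LEVEL_ADMINS):
    """Decide whether the identities produced by each module in the chain may be
    issued an SSOToken for the Universal ID passed in ?user=.

    Returns (issue_token, reason). Every module identity must equal the Universal
    ID or appear in its User Alias List. The page's stated exception: when one of
    the identities is a top level administrator the mapping check is skipped and
    the session receives top level administrator rights.
    """
    if url_user not in alias_lists:
        return False, f"{url_user!r} does not map to a valid user"
    admins = [uid for uid in module_user_ids if uid in top_level_admins]
    if admins:
        return True, (f"top level administrator {admins[0]!r} authenticated; "
                      "alias mapping not validated")
    allowed = {url_user} | set(alias_lists[url_user])
    unmapped = sorted(uid for uid in module_user_ids if uid not in allowed)
    if unmapped:
        return False, "identities not in the User Alias List: " + ", ".join(unmapped)
    return True, "all module identities map to the Universal ID"


if __name__ == "__main__":
    print(validate_user_mapping("awhite", ["awhite", "alice.white@example.com"]))
    print(validate_user_mapping("awhite", ["awhite", "bgreen"]))
    print(validate_user_mapping("awhite", ["amadmin", "bgreen"]))
```

The third call is the case worth auditing in a real deployment: because the administrator exception bypasses the alias check entirely, a chain in which any module can yield a top level administrator identity should be reserved for the Administrator Authentication Chain rather than exposed through user authentication.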


Redirecting Users After User Authentication

Upon a successful or failed user authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful User Authentication Redirection URL Precedence

The redirection URL for successful user authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Success Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Success Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Success URL attribute in the user's profile.

  8. The value of the Success URL attribute in the role entry of the user's profile.

  9. The value of the Default Success Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Success Login URL attribute in the top-level realm.

Failed User Authentication Redirection URL Precedence

The redirection URL for failed user authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Failure URL attribute in the user's profile.

  8. The value of the Failure URL attribute in the role entry of the user's profile.

  9. The value of the Failure URL attribute in the realm entry of the user's profile.

  10. The value of the Default Failure Login URL attribute in the top-level realm.

Authentication Level-based Authentication

Authentication Level-based authentication allows an administrator to specify the security level of the authentication modules used in a particular authentication process. Each authentication module can be assigned an authentication level, an integer defined as the value of the module's Authentication Level attribute. A user who has successfully authenticated to an authentication module with a higher authentication level is deemed to have a higher level of trust. On successful authentication, the authentication level of the module is set in the user's SSOToken. (If the user has successfully authenticated to multiple authentication modules, the highest authentication level is set in the user's SSOToken.) When the user then attempts to access a service that demands authentication trust at a particular level, the service can use the authentication level in the SSOToken to determine whether the user meets the criteria. If not, the user is redirected to authenticate to an authentication module with the appropriate authentication level. The following sections contain more information.

Configuring Authentication Levels

To set an authentication level for an authentication module, simply define an integer in the Authentication Level attribute of the desired authentication module.

Initiating Authentication Level-based Authentication with the Login URL

When Authentication Level-based authentication is initiated, the Authentication Service displays a login page with a menu containing the authentication modules that have authentication levels equal to or greater than the value specified in the login URL's parameter. Users can select a module from the presented list. Once the user selects a module, the remaining process is based on Module Authentication. (See Module Authentication.)

To initiate Authentication Level-based authentication, append the authlevel=auth-level-value parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?authlevel=8

Additionally, you can append the realm=realm-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=bankrealm&authlevel=8

If there is no defined realm parameter, the realm will be determined from the server host and domain specified in the login URL.

All modules whose authentication level is greater than or equal to auth-level-value are displayed in an authentication menu, from which the user must choose one with which to authenticate. If only one matching module is found, the login page for that authentication module is displayed directly.
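The menu selection just described, together with the SSOToken level and service check from the section introduction, as an added Python example (not OpenSSO code and not from this guide). The module instance names and their Authentication Level values are constructed; real deployments assign levels in each module instance's Authentication Level attribute.

```python
# Constructed module instances with their Authentication Level attribute values;
# hypothetical names and levels, not from the page.
MODULE_LEVELS = {
    "DataStore": 0,
    "LDAP": 0,
    "HOTP": 8,
    "Cert": 10,
}


def select_for_authlevel(authlevel, module_levels=MODULE_LEVELS):
    """Mimic what the login page does for ?authlevel=<n>: ("module", name) when
    exactly one instance has a level >= n (its login page is shown directly),
    ("menu", [names]) when several qualify, ("none", []) when none do."""
    names = sorted(m for m, lvl in module_levels.items() if lvl >= authlevel)
    if not names:
        return "none", []
    if len(names) == 1:
        return "module", names[0]
    return "menu", names


def session_auth_level(authenticated_modules, module_levels=MODULE_LEVELS):
    """Authentication level recorded in the SSOToken: the highest level among the
    modules the user successfully authenticated to, or None if there were none."""
    levels = [module_levels[m] for m in authenticated_modules]
    return max(levels) if levels else None


def access_decision(session_level, required_level):
    """What a service demanding required_level does with a session at
    session_level: ("allow", None), or ("step-up", n) meaning redirect the user
    to the login URL with authlevel=n."""
    if session_level is not None and session_level >= required_level:
        return "allow", None
    return "step-up", required_level


if __name__ == "__main__":
    print(select_for_authlevel(8))                       # menu of Cert and HOTP
    print(select_for_authlevel(10))                      # Cert shown directly
    level = session_auth_level(["LDAP", "HOTP"])         # 8 is recorded
    print(access_decision(level, 10))                    # step-up to authlevel=10
```

The authlevel parameter only filters which modules a user may pick; the level the service later trusts is the one recorded in the SSOToken after a module actually succeeds, which is why the check belongs in access_decision and not in the URL.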

Redirecting Users After Authentication Level-based Authentication

Upon a successful or failed authentication level-based authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Authentication Level-based Authentication Redirection URL Precedence

The redirection URL for successful authentication level-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Success Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Success Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Success URL attribute in the user's profile.

  8. The value of the Success URL attribute in the role entry of the user's profile.

  9. The value of the Default Success Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Success Login URL attribute in the top level realm.

Failed Authentication Level-based Authentication Redirection URL Precedence

The redirection URL for failed authentication level-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Failure URL attribute in the user's profile.

  8. The value of the Failure URL attribute in the role entry of the user's profile.

  9. The value of the Default Failure Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Failure Login URL attribute in the top level realm.

Module Authentication

Module authentication allows a user to specify the authentication module with which they will authenticate. The specified module must be added as a module instance in the realm or sub realm that the user is accessing. On receiving a request for module authentication, the Authentication Service verifies that a module instance of that name is configured in the realm; if it is not, the user is denied access. The following sections contain more information.

Configuring Module Authentication

To use module authentication, simply create an instance of the authentication module in the appropriate realm. See To Add an Authentication Module Instance to a Realm or Sub Realm.

Initiating Module Authentication with the Login URL

To initiate the authentication using a particular authentication module, append the module=auth-module-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?module=DataStore

Additionally, you can append the realm=realm-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=bankrealm&module=LDAP

If there is no defined realm parameter, the realm will be determined from the server host and domain specified in the login URL.

Redirecting Users After Module Authentication

Upon a successful or failed module authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Module Authentication Redirection URL Precedence

The redirection URL for successful module authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Success Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Success Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Success URL attribute in the user's profile.

  8. The value of the Success URL attribute in the role entry of the user's profile.

  9. The value of the Default Success Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Success Login URL attribute in the top level realm.

Failed Module Authentication Redirection URL Precedence

The redirection URL for failed module authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Failure URL attribute in the user's profile.

  8. The value of the Failure URL attribute in the role entry of the user's profile.

  9. The value of the Default Failure Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Failure Login URL attribute in the top level realm.

Role Authentication (Legacy Mode)

Role authentication allows a user to authenticate as a member of a specified role (either static or filtered) configured within a realm or sub realm. Role authentication is only available when the Access Manager SDK (AMSDK) Identity Repository Plug-in is enabled. See Chapter 15, Enabling the Access Manager SDK (AMSDK) Identity Repository Plug-in, in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide for requirements and procedures to enable this legacy feature.

For role authentication to be initiated, the user must belong to the role and authenticate to each module defined in the authentication chain specified for that role. The following sections contain more information.

Configuring Role Authentication

The authentication method for a role is set by adding the legacy Authentication Configuration Service to the role and choosing the appropriate authentication chain from the displayed choices.

Procedure: To Configure an Authentication Process for a Role

  1. Log in to the OpenSSO Enterprise console as the administrator.

    By default, amadmin.

  2. Click the Access Control tab.

  3. Click the name of the realm that contains the role for which you are configuring an authentication process.

  4. Click the Subjects tab.

  5. Click the Roles tab.

  6. Click the name of the role you are configuring.

  7. Click the Services tab.

  8. Click Add.

  9. Select Authentication Configuration and click Next.

  10. Select the appropriate authentication chain from those displayed.

    See Creating Authentication Chains.

  11. Click Finish.

Initiating Role Authentication with the Login URL

To initiate the authentication process defined for a particular role, append the role=role-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?role=manager

A user who is not a member of the specified role will receive an error message when they attempt to authenticate using this parameter.

Redirecting Users After Role Authentication

Upon a successful or failed role authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Role Authentication Redirection URL Precedence

The redirection URL for successful role authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Success URL attribute in another role entry of the user's profile specific to the client type from which the request was received. (This option is a fallback if the previous redirection URL fails.)

  6. The value of the Default Success Login URL attribute in the realm to which the user is a member specific to the client type from which the request was received.

  7. The value of the Default Success Login URL attribute in the top level realm specific to the client type from which the request was received.

  8. The value of the Success URL attribute in the user's profile.

  9. The value of the Success URL attribute in the role entry of the user's profile.

  10. The value of the Success URL attribute in another role entry of the user's profile. (This option is a fallback if the previous redirection URL fails.)

  11. The value of the Default Success Login URL attribute in the realm to which the user is a member.

  12. The value of the Default Success Login URL attribute in the top level realm.

Failed Role Authentication Redirection URL Precedence

The redirection URL for failed role authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Failure URL attribute in the user's profile.

  8. The value of the Failure URL attribute in the role entry of the user's profile.

  9. The value of the Default Failure Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Failure Login URL attribute in the top level realm.

  11. The value of the Success URL attribute in the role entry of the user's profile.

  12. The value of the Success URL attribute in another role entry of the user's profile. (This option is a fallback if the previous redirection URL fails.)