Sun OpenSSO Enterprise 8.0 Administration Guide

Sharing User Credentials Among Authentication Modules (Shared State)

The Java Authentication and Authorization Service (JAAS), on which the Authentication Service is built, has a shared state option that lets authentication modules share both the user ID and the password. For example, assume an authentication chain is configured as follows:

For this authentication process, the user would be presented with an LDAP login page to enter a user ID and password. Assuming successful LDAP authentication, these credentials would then be passed to the Data Store module on the backend; the user would not see a Data Store login page. If Data Store authentication is successful, the user would be redirected to the appropriate page.

Shared state is enabled by entering the appropriate options for each authentication module as you configure an authentication chain. The options are:

iplanet-am-auth-shared-state-enabled

This option enables the use of a shared state map.

iplanet-am-auth-store-shared-state-enabled

This option enables the storage of credentials to a shared state map.

iplanet-am-auth-shared-state-behavior-pattern

To prevent a user from having to enter the user ID and password twice for authentication, set this option to useFirstPass for all modules in the chain (except the first). tryFirstPass (the default value) prompts for new credentials if the shared state credentials fail.

After a commit, an abort or a logout, the shared state will be cleared. To add shared state options to an authentication module in an authentication chain, see Creating Authentication Chains.
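The following Python model is an added example, not OpenSSO or JAAS code. It runs an LDAP module followed by a Data Store module and shows how the three options decide whether the second module prompts, reuses the shared credentials, or fails, and that the map is empty once the chain ends. The `Module` class, `run_chain`, the sample user and the passwords are constructed; treating every module as required, and failing without a prompt under useFirstPass, are assumptions taken from the usual JAAS convention.

```python
# Simplified model of the shared state map in an authentication chain.
# Not OpenSSO code: module names, users and passwords are constructed samples.

class Module:
    def __init__(self, name, users, store=False, shared=False, pattern="tryFirstPass"):
        self.name, self.users = name, users
        self.store = store      # iplanet-am-auth-store-shared-state-enabled
        self.shared = shared    # iplanet-am-auth-shared-state-enabled
        self.pattern = pattern  # iplanet-am-auth-shared-state-behavior-pattern

    def check(self, creds):
        return creds is not None and self.users.get(creds[0]) == creds[1]

    def login(self, state, prompt, log):
        if self.shared and "creds" in state:
            if self.check(state["creds"]):
                log.append((self.name, "shared-ok"))
                return True
            if self.pattern == "useFirstPass":
                # Assumed JAAS convention: fail without asking again.
                log.append((self.name, "shared-fail"))
                return False
        # No usable shared credentials (or tryFirstPass fallback): prompt.
        creds = prompt(self.name)
        log.append((self.name, "prompted"))
        ok = self.check(creds)
        if ok and self.store:
            state["creds"] = creds
        return ok

def run_chain(modules, prompt):
    state, log = {}, []
    try:
        ok = all(m.login(state, prompt, log) for m in modules)
    finally:
        state.clear()  # shared state is cleared after commit or abort
    return ok, log, state

def chain(pattern, datastore_password):
    ldap = Module("LDAP", {"alice": "s3cret"}, store=True)
    ds = Module("DataStore", {"alice": datastore_password}, shared=True, pattern=pattern)
    return [ldap, ds]

# Constructed user input, keyed by the module that asks for it.
answers = {"LDAP": ("alice", "s3cret"), "DataStore": ("alice", "ds-pass")}

if __name__ == "__main__":
    for pattern in ("useFirstPass", "tryFirstPass"):
        print(pattern, run_chain(chain(pattern, "ds-pass"), answers.get)[:2])
```

When the two back ends hold different passwords for the same user, useFirstPass turns that mismatch into a login failure with no second prompt, while tryFirstPass falls back to a Data Store login page.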