Sun OpenSSO Enterprise 8.0 Administration Guide

Authentication Level-based Authentication

Authentication Level-based authentication allows an administrator to specify the security level of the authentication modules used in a particular authentication process. Each authentication module can be assigned an authentication level, an integer defined as the value of the module's Authentication Level attribute. A user that has successfully authenticated to an authentication module with a higher authentication level is deemed to have a higher level of trust. If the user successfully authenticates, the authentication level of the module is set in the user's SSOToken. (If the user has successfully authenticated to multiple authentication modules, the highest authentication level is set in the user's SSOToken.) When the user then attempts to access a service that demands authentication trust at a particular level, the service can use the authentication level to determine whether the user meets the criteria. If not, the user is redirected to authenticate to an authentication module with the appropriate authentication level. The following sections contain more information.

Configuring Authentication Levels

To set an authentication level for an authentication module, simply define an integer in the Authentication Level attribute of the desired authentication module.

Initiating Authentication Level-based Authentication with the Login URL

When Authentication Level-based authentication is initiated, the Authentication Service displays a login page with a menu containing the authentication modules that have authentication levels equal to or greater than the value specified in the login URL's parameter. Users can select a module from the presented list. Once the user selects a module, the remaining process is based on Module Authentication. (See Module Authentication.)

To initiate Authentication Level-based authentication, append the authlevel=auth-level-value parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?authlevel=8

Additionally, you can append the realm=realm-name parameter to the base login URL as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=bankrealm&authlevel=8

If there is no defined realm parameter, the realm will be determined from the server host and domain specified in the login URL.

All modules whose authentication level is greater than or equal to auth-level-value will be displayed in an authentication menu. After the authentication menu with the relevant list of modules is displayed, the user must choose one with which to authenticate. If only one matching module is found, the login page for that authentication module is displayed directly.
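The following Python model is added here as an illustration and is not part of this guide or of the OpenSSO code base. It reproduces the rules described above: the menu filter driven by the authlevel login parameter (with the realm falling back to the host when no realm parameter is given), the single-match shortcut, the highest-level rule for the SSOToken, and the step-up redirect a service issues when the session's level is too low. The module names, their levels, and the host name are constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed module table (names and levels are assumptions for this example,
# not OpenSSO defaults): module name -> value of its Authentication Level attribute.
MODULES = {"LDAP": 0, "DataStore": 0, "Cert": 8, "HOTP": 10, "SecurID": 12}


def parse_login_url(url):
    """Return (realm, authlevel) from an OpenSSO login URL.

    Without a realm parameter the realm is derived from the host in the URL,
    as the guide describes; here that is modelled simply as the host name.
    Note that multiple query parameters are joined with '&'.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    realm = query.get("realm", [parts.hostname])[0]
    authlevel = int(query.get("authlevel", ["0"])[0])
    return realm, authlevel


def modules_for_level(modules, required):
    """Modules whose level is >= required: the contents of the authentication menu."""
    return sorted(name for name, level in modules.items() if level >= required)


def login_page_for(modules, required):
    """Menu of candidates, or the single module's own login page when only one matches."""
    candidates = modules_for_level(modules, required)
    if len(candidates) == 1:
        return ("module", candidates[0])
    return ("menu", candidates)


def session_auth_level(modules, authenticated):
    """The SSOToken carries the highest level among the modules the user passed.

    An empty list (no successful module) is treated as level 0 here; that is an
    assumption of this model, not something the guide states.
    """
    return max((modules[name] for name in authenticated), default=0)


def check_access(modules, authenticated, required, base_login_url):
    """A service demanding `required` admits the session or redirects the user to
    a login restricted to modules of at least that level (step-up authentication)."""
    if session_auth_level(modules, authenticated) >= required:
        return (True, None)
    return (False, f"{base_login_url}?authlevel={required}")
```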

Redirecting Users After Authentication Level-based Authentication

Upon a successful or failed authentication level-based authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Authentication Level-based Authentication Redirection URL Precedence

The redirection URL for successful authentication level-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Success Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Success Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Success URL attribute in the user's profile.

  8. The value of the Success URL attribute in the role entry of the user's profile.

  9. The value of the Default Success Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Success Login URL attribute in the top level realm.

Failed Authentication Level-based Authentication Redirection URL Precedence

The redirection URL for failed authentication level-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Failure URL attribute in the user's profile.

  8. The value of the Failure URL attribute in the role entry of the user's profile.

  9. The value of the Default Failure Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Failure Login URL attribute in the top level realm.