Sun OpenSSO Enterprise 8.0 Administration Guide

Module Authentication

Module authentication allows a user to specify the authentication module with which they will authenticate. The specified module must be added as a module instance in the realm or sub realm that the user is accessing. On receiving a request for module authentication, the Authentication Service verifies that the module is correctly configured as noted; if the module is not defined, the user is denied access. The following sections contain more information.

Configuring Module Authentication

To use module authentication, create an instance of the authentication module in the appropriate realm. See "To Add an Authentication Module Instance to a Realm or Sub Realm."

Initiating Module Authentication with the Login URL

To initiate authentication with a particular authentication module, append the module=auth-module-name parameter to the base login URL, as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?module=DataStore

Additionally, you can append the realm=realm-name parameter to the base login URL, as in:


http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=bankrealm&module=LDAP

If there is no defined realm parameter, the realm will be determined from the server host and domain specified in the login URL.

Redirecting Users After Module Authentication

Upon a successful or failed module authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Module Authentication Redirection URL Precedence

The redirection URL for successful module authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Success Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Success Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Success URL attribute in the user's profile.

  8. The value of the Success URL attribute in the role entry of the user's profile.

  9. The value of the Default Success Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Success Login URL attribute in the top level realm.

Failed Module Authentication Redirection URL Precedence

The redirection URL for failed module authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Failure URL attribute in the user's profile.

  8. The value of the Failure URL attribute in the role entry of the user's profile.

  9. The value of the Default Failure Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Failure Login URL attribute in the top level realm.
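The two precedence lists above can be modelled as one lookup, which helps when auditing which source actually supplies a redirect. The following is an added example, not OpenSSO code: the function name, the config dictionary layout, the example.com URLs and the genericHTML client type value are assumptions made for illustration.

```python
# Added illustration: a model of the ten-step precedence, not OpenSSO code.
# Scopes searched at steps 3-6 (client-type specific) and again at 7-10 (generic).
SCOPES = ("user", "role", "realm", "top_realm")

# Constructed sample data. Layout (an assumption of this example):
# config[scope][client_type or None][outcome] -> URL
SAMPLE_CONFIG = {
    "user": {None: {"success": "https://portal.example.com/home"}},
    "realm": {"genericHTML": {"success": "https://portal.example.com/html",
                              "failure": "https://portal.example.com/denied"}},
    "top_realm": {None: {"success": "https://sso.example.com/console",
                         "failure": "https://sso.example.com/failed"}},
}


def resolve_redirect(outcome, module_url=None, query=None, config=None,
                     client_type=None):
    """Return (step, source, url) for the first source holding a URL, else None."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    query, config = query or {}, config or {}
    # Step 2 reads goto after success and gotoOnFail after failure.
    param = "goto" if outcome == "success" else "gotoOnFail"

    def lookup(scope, ctype):
        return config.get(scope, {}).get(ctype, {}).get(outcome)

    candidates = [("authentication module", module_url),
                  (param + " parameter", query.get(param))]
    for scope in SCOPES:  # steps 3-6: value specific to the client type
        url = lookup(scope, client_type) if client_type else None
        candidates.append((f"{scope} ({client_type})", url))
    for scope in SCOPES:  # steps 7-10: value without a client type
        candidates.append((scope, lookup(scope, None)))

    for step, (source, url) in enumerate(candidates, start=1):
        if url:
            return step, source, url
    return None


if __name__ == "__main__":
    print(resolve_redirect("success", config=SAMPLE_CONFIG, client_type="genericHTML"))
    print(resolve_redirect("success", query={"goto": "https://app.example.com/"},
                           config=SAMPLE_CONFIG, client_type="genericHTML"))
    print(resolve_redirect("failure", config=SAMPLE_CONFIG))
```

In the sample data, a realm value specific to the client type (step 5) is chosen ahead of the user's generic Success URL (step 7), and a goto value taken from the login URL (step 2) is chosen ahead of every profile and realm attribute.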