Sun OpenSSO Enterprise 8.0 Administration Guide

Realm Authentication

Realm authentication is the default authentication type for OpenSSO Enterprise. It allows a member of a realm to authenticate using the authentication process configured for that particular realm (or sub realm). The following sections contain more information.

Configuring Realm Authentication

The authentication process for a realm is defined by selecting the appropriate authentication chain in the realm or sub realm's configuration.

Procedure: To Configure a Realm's Authentication Process

  1. Log in to the OpenSSO Enterprise console as the administrator.

    By default, amadmin.

  2. Click the Access Control tab.

  3. Click the name of the realm for which you are configuring an authentication process.

  4. Click the Authentication tab.

  5. Select the appropriate authentication chain as a value for the Default Authentication Chain attribute.

    See Creating Authentication Chains for information.

  6. (Optional) Select the appropriate authentication chain as a value for the Administrator Authentication Chain attribute.

    This authentication chain is used if the authentication process for administrators needs to be different from the process for end users.

  7. Click Save.

Initiating Realm Authentication with the Login URL

To initiate authentication for a member of a particular realm, append either the domain=realm-name parameter or the realm=realm-name parameter to the base login URL, as in:

http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=sun

Note –

If neither parameter is present, the realm is determined from the server host and domain given in the login URL. The base login URL without a realm parameter initiates authentication for the top-level realm.

The realm of a request for authentication is determined from the following, in order of precedence:

  1. The domain parameter.

  2. The realm parameter.

  3. The value of the Realm/DNS Alias Names attribute.

After the correct realm has been determined, the authentication module(s) to which the user will authenticate are retrieved from that realm's Default Authentication Chain attribute or Administrator Authentication Chain attribute.

Caution –

If User1 is authenticated to realmA and then tries to access realmB, a warning page is displayed that asks the user either to authenticate to realmB with the authentication process specified for realmB, or to return to the existing authenticated session with realmA. If the user chooses to authenticate to realmB, only the values of the realm and module (if specified) parameters are passed and honored when determining the new authentication process.

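The realm-selection precedence above and the parameter handling described in the caution, modelled as an added Python example; this is not OpenSSO Enterprise code. The alias table, the realm and chain names, and the assumption that the Realm/DNS Alias Names lookup walks from the full server host up through its parent domains are constructed for illustration.

```python
"""Model of realm determination for a login request (constructed example)."""
from urllib.parse import urlparse, parse_qs

TOP_LEVEL_REALM = "/"

# Constructed stand-in for the Realm/DNS Alias Names attribute:
# server host or domain from the login URL -> realm name.
DNS_ALIASES = {
    "sso.example.com": "/",
    "sales.example.com": "sales",
    "example.org": "partners",
}

# Constructed realm configuration: realm name -> authentication chain attributes.
REALM_CONFIG = {
    "/": {
        "Default Authentication Chain": "ldapChain",
        "Administrator Authentication Chain": "adminChain",
    },
    "sales": {"Default Authentication Chain": "salesLdapChain"},
}

# Per the caution: when a user already authenticated to one realm chooses to
# authenticate to another, only these login URL parameters are honored.
HONORED_ON_REALM_SWITCH = ("realm", "module")


def determine_realm(login_url, dns_aliases=DNS_ALIASES):
    """Apply the guide's precedence: domain parameter, realm parameter, DNS alias."""
    parsed = urlparse(login_url)
    params = parse_qs(parsed.query)

    # 1. The domain parameter.
    domain = params.get("domain", [""])[0]
    if domain:
        return domain

    # 2. The realm parameter.
    realm = params.get("realm", [""])[0]
    if realm:
        return realm

    # 3. Realm/DNS Alias Names, matched against the server host in the URL.
    #    Assumption: the full host is tried first, then each parent domain.
    host = parsed.hostname or ""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in dns_aliases:
            return dns_aliases[candidate]

    # No parameter and no alias match: the base login URL means the top-level realm.
    return TOP_LEVEL_REALM


def select_chain(realm, is_admin, realm_config=REALM_CONFIG):
    """Pick the chain the realm's configuration assigns to this kind of user.

    The Administrator Authentication Chain is optional; if a realm has not set
    one, administrators fall back to the Default Authentication Chain.
    """
    cfg = realm_config[realm]
    if is_admin and cfg.get("Administrator Authentication Chain"):
        return cfg["Administrator Authentication Chain"]
    return cfg["Default Authentication Chain"]


def params_for_realm_switch(params):
    """Keep only the parameters honored when re-authenticating to another realm."""
    return {k: v for k, v in params.items() if k in HONORED_ON_REALM_SWITCH}


if __name__ == "__main__":
    url = "http://sso.example.com:8080/opensso/UI/Login?domain=sales&realm=sun"
    realm = determine_realm(url)
    print(realm, select_chain(realm, is_admin=True))
    print(params_for_realm_switch({"realm": "sales", "module": "LDAP", "goto": "/app"}))
```

The `domain` parameter wins over `realm` in `determine_realm` even when both are present, which is the ordering the list above states; the alias lookup only runs when neither parameter carries a value.
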
Redirecting Users After Realm Authentication

Upon a successful or failed realm authentication, OpenSSO Enterprise looks for information on where to redirect the user. The following sections give the order of precedence in which it looks for this information.

Successful Realm Authentication Redirection URL Precedence

The redirection URL for successful realm authentication is determined by checking the following places in order of precedence.

  1. A URL set by the authentication module.

  2. A URL set by a goto login URL parameter.

  3. The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Success Login URL attribute in the realm to which the user is a member specific to the client type from which the request was received.

  6. The value of the Default Success Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Success URL attribute in the user's profile.

  8. The value of the Success URL attribute in the role entry of the user's profile.

  9. The value of the Success URL attribute in the realm to which the user is a member.

  10. The value of the Default Success Login URL attribute in the top level realm.

Failed Realm Authentication Redirection URL Precedence

The redirection URL for failed realm authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail login URL parameter.

  3. The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.

  4. The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.

  5. The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.

  6. The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.

  7. The value of the Failure URL attribute in the user's profile.

  8. The value of the Failure URL attribute in the role entry of the user's profile.

  9. The value of the Default Failure Login URL attribute in the realm entry of the user's profile.

  10. The value of the Default Failure Login URL attribute in the top level realm.
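
Both precedence lists have the same shape: a URL set by the module, then the goto or gotoOnFail parameter, then the user, role, realm and top-level realm entries for the request's client type, then the same four entries without a client-type qualifier. The following added Python example models that order for both the success and the failure case and reports which step supplied the URL; it is not OpenSSO Enterprise code, and the client type name, the attribute values and the dictionary layout are constructed for illustration.

```python
"""Model of the redirect URL precedence after realm authentication (constructed)."""

# The four places checked, in order: first for the requesting client type
# (steps 3-6), then without a client-type qualifier (steps 7-10).
PLACES = ("user", "role", "realm", "top_level_realm")

# Constructed configuration. config[outcome][place] maps a client type, or the
# key "default" for the unqualified attribute, to a URL. The client type name
# and the URLs are invented for illustration.
SAMPLE_CONFIG = {
    "success": {
        "user": {"default": "http://app.example.com/home"},
        "role": {"genericHTML": "http://app.example.com/roles/staff"},
        "realm": {"default": "http://app.example.com/realm-welcome"},
        "top_level_realm": {
            "default": "http://app.example.com/",
            "genericHTML": "http://app.example.com/html-home",
        },
    },
    "failure": {
        "top_level_realm": {"default": "http://app.example.com/login-failed"},
    },
}


def resolve_redirect(outcome, client_type, config, module_url=None, goto_url=None):
    """Return (step, url) for the first non-empty source, or (None, None).

    outcome     -- "success" or "failure"
    client_type -- client type of the request, e.g. the constructed "genericHTML"
    config      -- see SAMPLE_CONFIG for the layout
    module_url  -- URL set by the authentication module (step 1)
    goto_url    -- value of goto (success) or gotoOnFail (failure) (step 2)
    """
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")

    # 1. A URL set by the authentication module.
    if module_url:
        return 1, module_url

    # 2. A URL set by the goto / gotoOnFail login URL parameter.
    if goto_url:
        return 2, goto_url

    attrs = config.get(outcome, {})

    # 3-6. User, role, realm, top-level realm: value specific to the client type.
    for i, place in enumerate(PLACES):
        url = attrs.get(place, {}).get(client_type)
        if url:
            return 3 + i, url

    # 7-10. The same four places without a client-type qualifier.
    for i, place in enumerate(PLACES):
        url = attrs.get(place, {}).get("default")
        if url:
            return 7 + i, url

    return None, None


if __name__ == "__main__":
    for outcome, client in (("success", "genericHTML"), ("success", "WML"),
                            ("failure", "genericHTML")):
        print(outcome, client, resolve_redirect(outcome, client, SAMPLE_CONFIG))
```

Note what the ordering implies: a client-type-specific value in the role entry (step 4) beats an unqualified value in the user's own profile (step 7), so a user-level Success URL is only reached when none of the four client-specific entries is set for that client type.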