Identity Manager uses pass-through authentication to grant users and administrators access through one or more different passwords. Identity Manager manages pass-through authentication through the implementation of:
- Login applications (collection of login module groups)
- Login module groups (ordered set of login modules)
- Login modules (set authentication for each assigned resource and specify one of several success requirements for authentication)
You configure a custom adapter to support pass-through authentication by:
- Implementing the authenticate() method appropriately
- Including the account.LOGIN feature in the getFeatures() method map (com.waveset.adapter.ResourceAdapter.ACCOUNT_LOGIN)
- Including the <LoginConfigEntry> section in the resource’s prototypeXML
When configuring a custom resource adapter to support an interactive login, you must enable the adapter to request additional information from a user during login and after that user submits the initial login page.
The adapter's authenticate() method controls whether the login becomes interactive. Its return values trigger the interactive login: authenticate() is called again with the results of the next login page until the method decides that the login:
- Fails, by throwing an exception
- Succeeds, by returning the account ID of the authenticated account in the WavesetResult as usual
To be interactive, the adapter must return a WavesetResult that:
- Does not contain ResultItems with a Constants.AUTHENTICATED_GUID type or Constants.AUTHENTICATED_IDENTITY type
- Does contain ResultItems that are used to dynamically build a form for the next page of the login
Each ResultItem corresponds to a field in the form. ResultItems must have the Constants.CONTINUE_AUTHENTICATION_ATTR type with values in the following format:
label|attrName|displayType|prompt|’isId’
Where:
- label is a string containing a label or none.
- attrName is the login attribute name that is passed into the next authenticate() method call as a key in the loginInfo HashMap.
- displayType describes the type of form field to use. displayType values include:
  - text
  - secret
  - label
  - checkbox
- prompt corresponds to the title or label of the form field.
- isId is an optional string. If you use the isId string, the value of the form field is added to the loginInfo HashMap under the key Constants.ACCOUNT_ID.
The following ResultItem types are also “round-tripped” and returned in the loginInfo HashMap on the next authenticate() call:
- Constants.CONTINUE_AUTHENTICATION_ACCOUNT_HANDLE: keeps track of which user or account is in the process of being authenticated.
- Constants.CONTINUE_AUTHENTICATION_PREVIOUS_ATTR: removes previous authentication attributes from the loginInfo, so that the loginInfo does not contain an “old” authentication attribute.
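The following added example (not Identity Manager code) shows one way an adapter could build and validate the label|attrName|displayType|prompt|isId values described above, so that a malformed field or an unknown displayType is rejected before it reaches the login form. The class LoginFieldSpec, its methods, and the ACCOUNT_ID_KEY placeholder are hypothetical; it uses only JDK classes and assumes the fifth part, when present, is the literal string isId.

```java
import java.util.*;

public class LoginFieldSpec {
    // Display types listed in the documentation above.
    static final Set<String> DISPLAY_TYPES = Set.of("text", "secret", "label", "checkbox");
    // Placeholder: the real key is Constants.ACCOUNT_ID, whose value the page does not give.
    static final String ACCOUNT_ID_KEY = "ACCOUNT_ID_PLACEHOLDER";
    final String label, attrName, displayType, prompt;
    final boolean isId;

    LoginFieldSpec(String label, String attrName, String displayType, String prompt, boolean isId) {
        // A '|' inside any part would shift the fields when the value is split again.
        for (String part : new String[] {label, attrName, displayType, prompt})
            if (part == null || part.contains("|"))
                throw new IllegalArgumentException("parts must be non-null and must not contain '|'");
        if (attrName.isEmpty()) throw new IllegalArgumentException("attrName is required");
        if (!DISPLAY_TYPES.contains(displayType))
            throw new IllegalArgumentException("unknown displayType: " + displayType);
        this.label = label; this.attrName = attrName;
        this.displayType = displayType; this.prompt = prompt; this.isId = isId;
    }

    // String value for a ResultItem of type Constants.CONTINUE_AUTHENTICATION_ATTR.
    String encode() {
        String s = String.join("|", label, attrName, displayType, prompt);
        return isId ? s + "|isId" : s;
    }

    // Parses a value in the documented format; the fifth part is optional.
    static LoginFieldSpec parse(String value) {
        String[] p = value.split("\\|", -1);
        if (p.length < 4 || p.length > 5 || (p.length == 5 && !p[4].equals("isId")))
            throw new IllegalArgumentException("expected label|attrName|displayType|prompt[|isId]");
        return new LoginFieldSpec(p[0], p[1], p[2], p[3], p.length == 5);
    }

    // Models the next authenticate() call's loginInfo. Assumption: an isId field's
    // value is stored under attrName as well as under the account ID key.
    void addTo(Map<String, Object> loginInfo, String submitted) {
        loginInfo.put(attrName, submitted);
        if (isId) loginInfo.put(ACCOUNT_ID_KEY, submitted);
    }

    public static void main(String[] args) {
        // Constructed sample: a second login page asking for a user name and a one-time code.
        LoginFieldSpec uid = parse("none|uid|text|User name|isId");
        LoginFieldSpec otp = parse("none|otp|secret|One-time code");
        Map<String, Object> loginInfo = new HashMap<>();
        uid.addTo(loginInfo, "jdoe");
        otp.addTo(loginInfo, "123456");
        System.out.println(otp.encode() + " -> " + new TreeSet<>(loginInfo.keySet()));
    }
}
```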