Service authentication allows a user to authenticate to a specified authentication chain configured in a realm or sub realm. For authentication to be successful, the user must authenticate to each module defined in the chain. The following sections contain more information.
To authenticate using service authentication, simply create an authentication chain in the appropriate realm.
Add authentication module instances to the realm. (See To Add an Authentication Module Instance to a Realm or Sub Realm.)
Create an authentication chain in the realm. (See Creating Authentication Chains.)
Create a login URL. (See Initiating Service Authentication with the Login URL.)
To initiate the authentication process defined for a particular service, append the service=auth-chain-name parameter to the base login URL as in:
http://OpenSSO-machine-name.domain:port/opensso/UI/Login?service=bankauth
Additionally, you can append the realm=realm-name parameter to the base login URL as in:
http://OpenSSO-machine-name.domain:port/opensso/UI/Login?realm=bankrealm&service=bankauth
If there is no defined realm parameter, the realm will be determined from the server host and domain specified in the login URL.
Upon a successful or failed service authentication, OpenSSO Enterprise looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.
The redirection URL for successful service authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a goto login URL parameter.
The value of the Success URL attribute in the user's profile specific to the client type from which the request was received.
The value of the Success URL attribute in the service to which the user is authenticated specific to the client type from which the request was received.
The value of the Success URL attribute in the role entry of the user's profile specific to the client type from which the request was received.
The value of the Default Success Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.
The value of the Default Success Login URL attribute of the top level realm specific to the client type from which the request was received.
The value of the Success URL attribute in the user's profile.
The value of the Success URL attribute in the service to which the user is authenticated.
The value of the Success URL attribute in the role entry of the user's profile.
The value of the Default Success Login URL attribute in the realm entry of the user's profile.
The value of the Default Success Login URL attribute of the top level realm.
The redirection URL for failed service authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a goto login URL parameter.
The value of the Failure URL attribute in the user's profile specific to the client type from which the request was received.
The value of the Failure URL attribute of the service to which the user has authenticated specific to the client type from which the request was received.
The value of the Failure URL attribute in the role entry of the user's profile specific to the client type from which the request was received.
The value of the Default Failure Login URL attribute in the realm entry of the user's profile specific to the client type from which the request was received.
The value of the Default Failure Login URL attribute in the top level realm specific to the client type from which the request was received.
The value of the Failure URL attribute in the user's profile.
The value of the Failure URL attribute of the service to which the user has authenticated.
The value of the Failure URL attribute in the role entry of the user's profile.
The value of the Default Failure Login URL attribute in the realm entry of the user's profile.
The value of the Default Failure Login URL attribute in the top level realm.
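Both precedence lists above have the same shape: the module-set URL, then the goto parameter, then all client-type-specific attributes, then the generic ones. The following sketch is an added example, not OpenSSO code, that models that order and reports which source won. The function name, the dictionary layout keyed by (scope, client type), the sample URLs and the client type names are assumptions.

```python
# Added illustration of the documented lookup order; not OpenSSO source code.
# Scope order as listed on the page: user profile, service, role, realm, top-level realm.
SCOPES = ("user", "service", "role", "realm", "top_realm")


def resolve_redirect(module_url, goto, attrs, client_type):
    """Return (url, source) from the first place in the documented order that has a URL.

    attrs maps (scope, client_type) -> URL, with client_type None for the
    attribute that is not client-type specific (layout is an assumption).
    Pass Success URL values or Failure URL values; the order is the same.
    """
    if module_url:                       # 1. URL set by the authentication module
        return module_url, "authentication module"
    if goto:                             # 2. goto login URL parameter (comes from the request)
        return goto, "goto parameter"
    # 3-7: every client-type-specific attribute; 8-12: the generic ones.
    passes = (client_type, None) if client_type else (None,)
    for ct in passes:
        for scope in SCOPES:
            url = attrs.get((scope, ct))
            if url:
                suffix = f" (client type {ct})" if ct else ""
                return url, f"{scope} attribute{suffix}"
    return None, "nothing configured"


# Constructed sample configuration (hypothetical URLs and client type name).
SAMPLE = {
    ("user", None): "https://bank.example/home",
    ("top_realm", "genericHTML"): "https://bank.example/html-start",
}

if __name__ == "__main__":
    cases = [
        (None, None, "genericHTML"),
        (None, None, "wml"),
        (None, "https://other.example/landing", "genericHTML"),
    ]
    for module_url, goto, ct in cases:
        print(ct, goto, "->", resolve_redirect(module_url, goto, SAMPLE, ct))
```

The first case shows a client-type-specific value on the top-level realm winning over a generic value in the user's profile. The third shows the request-supplied goto value taking precedence over every configured attribute, with only a module-set URL ahead of it.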