Sun Java System Access Manager 7 2005Q4 Administration Guide

Service-based Authentication

This method of authentication allows a user to authenticate to a specific service or application registered to a realm or sub-realm. The service is configured as a Service Instance within the Authentication Configuration Service and is associated with an Instance Name. For authentication to succeed, the user must authenticate to each module defined in the Authentication Configuration service instance configured for the service. For each instance of service-based authentication, the following attributes can be specified:

Authentication Configuration. This defines the authentication modules configured for the service’s authentication process.

Login Success URL. This defines the URL to which a user is redirected on successful authentication.

Login Failed URL. This defines the URL to which a user is redirected on failed authentication.

Authentication Post Processing Classes. This defines the post-authentication interface.

Service-based Authentication Login URLs

Service-based authentication can be specified in the User Interface Login URL by defining a service Parameter. After calling the service, the authentication module(s) to which the user will authenticate are retrieved from the Authentication Configuration service instance defined for the service.

The login URLs used to specify and initiate this service-based authentication are:

http://server_name.domain_name:port/amserver/UI/Login?service=auth-chain-name

and

http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&service=auth-chain-name

If there is no configured org parameter, the realm will be determined from the server host and domain specified in the login URL itself.

Service-based Authentication Redirection URLs

Upon a successful or failed service-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Service-based Authentication Redirection URLs

The redirection URL for successful service-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the service to which the user has authenticated.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  7. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  8. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the service to which the user has authenticated.

  10. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  11. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  12. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Service-based Authentication Redirection URLs

The redirection URL for failed service-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the service to which the user has authenticated.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  7. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  8. A URL set in the iplanet-am-user-failure-url attribute of the user’s profile (amUser.xml).

  9. A URL set in the iplanet-am-auth-login-failure-url attribute of the service to which the user has authenticated.

  10. A URL set in the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  11. A URL set in the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  12. A URL set in the iplanet-am-auth-login-failure-url attribute as a global default.
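The two lookup orders above are parallel: the same twelve places are checked for success and for failure, and only the attribute names differ. As an added illustration (not code from this guide or from Access Manager), the following Python models both orders as data and walks them until a URL is found, reporting which place supplied it. The AuthContext structure, the sample URLs, and the host check applied to the request-supplied goto value are assumptions made here for the example; the product's own handling of goto is not described on this page.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# The twelve lookup places, in the order the guide lists them.
# Each entry is (scope, read_from_clientType_custom_files).
PRECEDENCE = [
    ("module", False),
    ("goto", False),
    ("user", True), ("service", True), ("role", True), ("realm", True), ("global", True),
    ("user", False), ("service", False), ("role", False), ("realm", False), ("global", False),
]

# Attribute names from the guide. The user profile (amUser.xml) uses a
# different attribute than the service, role, realm and global entries.
ATTRS = {
    "success": {"user": "iplanet-am-user-success-url",
                "other": "iplanet-am-auth-login-success-url"},
    "failure": {"user": "iplanet-am-user-failure-url",
                "other": "iplanet-am-auth-login-failure-url"},
}


@dataclass
class AuthContext:
    """Constructed view of one authentication attempt (assumption, not a product API)."""
    module_url: Optional[str] = None      # place 1: URL set by the authentication module
    goto: Optional[str] = None            # place 2: goto parameter from the login URL
    client_type: str = "genericHTML"
    # clientType -> scope -> {attribute name: url}   (places 3-7)
    client_type_attrs: dict = field(default_factory=dict)
    # scope -> {attribute name: url}                 (places 8-12)
    attrs: dict = field(default_factory=dict)


def attribute_for(outcome: str, scope: str) -> str:
    names = ATTRS[outcome]
    return names["user"] if scope == "user" else names["other"]


def is_trusted(url: str, trusted_hosts: set) -> bool:
    """Hypothetical hardening: accept a same-server relative path or an absolute
    http(s) URL whose host is on the allowlist; reject protocol-relative (//host)
    and backslash forms that browsers may reinterpret."""
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return url.startswith("/") and not url.startswith("//")
    return parts.scheme in ("http", "https") and parts.hostname in trusted_hosts


def resolve_redirect(ctx: AuthContext, outcome: str, trusted_hosts: set):
    """Walk the twelve places in order; return (url, place_number) or (None, 0)."""
    for place, (scope, from_custom_files) in enumerate(PRECEDENCE, start=1):
        if scope == "module":
            url = ctx.module_url
        elif scope == "goto":
            url = ctx.goto
            if url and not is_trusted(url, trusted_hosts):
                url = None  # fall through to the configured attributes instead
        elif from_custom_files:
            url = (ctx.client_type_attrs.get(ctx.client_type, {})
                   .get(scope, {})
                   .get(attribute_for(outcome, scope)))
        else:
            url = ctx.attrs.get(scope, {}).get(attribute_for(outcome, scope))
        if url:
            return url, place
    return None, 0


if __name__ == "__main__":
    # Constructed sample: a realm-level success URL plus an untrusted goto value.
    ctx = AuthContext(
        goto="https://evil.example/landing",
        attrs={"realm": {"iplanet-am-auth-login-success-url": "https://portal.example.com/home"}},
    )
    print(resolve_redirect(ctx, "success", {"portal.example.com"}))
```

Because the goto value is the only one of the twelve sources that comes from the request rather than from configuration, deployments usually want the allowlist step shown at place 2; without it, the request-supplied value outranks every configured attribute.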

Procedure: To Configure Service-Based Authentication

Authentication modules are set for services after adding the Authentication Configuration service. To do so:

  1. Choose the realm for which you want to configure service-based authentication.

  2. Click the Authentication tab.

  3. Create the authentication module instances.

  4. Create the authentication chains.

  5. Click Save.

  6. To access service-based authentication for the realm, enter the following address:

    http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&service=auth-chain-name