test

Sun Java System Access Manager 7 2005Q4 Administration Guide

Authentication Level-based Authentication

Each authentication module can be associated with an integer value for its authentication level. Authentication levels can be assigned by clicking the authentication module’s Properties arrow in Service Configuration, and changing the corresponding value for the module’s Authentication Level attribute. Higher authentication levels define a higher level of trust for the user once that user has authenticated to one or more authentication modules.

The authentication level will be set on a user’s SSO token after the user has successfully authenticated to the module. If the user is required to authenticate to multiple authentication modules, and does so successfully, the highest authentication level value will be set in user’s SSO token.

If a user attempts to access a service, the service can determine if the user is allowed access by checking the authentication level in user’s SSO token. It then redirects the user to go through the authentication modules with a set authentication level.

Users can also access authentication modules with specific authentication level. For example, a user performs a login with the following syntax:

http://hostname:port/deploy_URI/UI/Login?authlevel=
auth_level_value

All modules whose authentication level is larger or equal to auth_level_value will be displayed as an authentication menu for the user to choose. If only one matching module is found, then the login page for that authentication module will be directly displayed.

This method of authentication allows an administrator to specify the security level of the modules to which identities can authenticate. Each authentication module has a separate Authentication Level attribute and the value of this attribute can be defined as any valid integer. With Authentication Level-based authentication, the Authentication Service displays a module login page with a menu containing the authentication modules that have authentication levels equal to or greater then the value specified in the Login URL parameter. Users can select a module from the presented list. Once the user selects a module, the remaining process is based on Module-based Authentication.

Authentication Level-based Authentication Login URLs

Authentication level-based authentication can be specified in the User Interface Login URL by defining the authlevel Parameter. After calling the login screen with the relevant list of modules, the user must choose one with which to authenticate. The login URLs used to specify and initiate authentication level-based authentication are:

http://server_name.domain_name:port/amserver/UI/Login?authlevel=authentication_level

and

http://server_name.domain_name:port/amserver/UI/
Login?realm=realm_name&authlevel=authentication_level

If there is no configured realm parameter, the realm to which the user belongs will be determined from the server host and domain specified in the login URL itself.

Authentication Level-based Authentication Redirection URLs

Upon a successful or failed authentication level-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Authentication Level-based Authentication Redirection URLs

The redirection URL for successful authentication level-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  7. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  8. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  10. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Authentication Level-based Authentication Redirection URLs

The redirection URL for failed authentication level-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry ( amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  7. A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).

  8. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  9. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  10. A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.