Sun Java System Access Manager 7 2005Q4 Administration Guide

Role-based Authentication Redirection URLs

Upon a successful or failed role-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Role-based Authentication Redirection URLs

The redirection URL for successful role-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the role to which the user has authenticated.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of another role entry of the authenticated user. (This option is a fallback if the previous redirection URL fails.)

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  7. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  8. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the role to which the user has authenticated.

  10. A URL set in the iplanet-am-auth-login-success-url attribute of another role entry of the authenticated user. (This option is a fallback if the previous redirection URL fails.)

  11. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  12. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Role-based Authentication Redirection URLs

The redirection URL for failed role-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the role to which the user has authenticated.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of another role entry of the authenticated user. (This option is a fallback if the previous redirection URL fails.)

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  7. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  8. A URL set in the iplanet-am-user-failure-url attribute of the user’s profile (amUser.xml).

  9. A URL set in the iplanet-am-auth-login-failure-url attribute of the role to which the user has authenticated.

  10. A URL set in the iplanet-am-auth-login-failure-url attribute of another role entry of the authenticated user. (This option is a fallback if the previous redirection URL fails.)

  11. A URL set in the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  12. A URL set in the iplanet-am-auth-login-failure-url attribute as a global default.
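
The two 12-step lookup orders above differ only in the attribute names, so one resolver can model both. The following is an added example, not Access Manager code: the configuration layout (each entry mapping an attribute name to URLs keyed by client type or "default"), the function names and the sample URLs are assumptions made for illustration.

```python
# Added illustration of the lookup order above; not Access Manager code.
# Assumption: each entry maps attribute name -> {client type or "default": URL}.
USER_ATTR = "iplanet-am-user-{o}-url"
AUTH_ATTR = "iplanet-am-auth-login-{o}-url"
# Entries consulted in order within each pass (steps 3-7, then steps 8-12).
ENTRY_ORDER = [("user", USER_ATTR), ("role", AUTH_ATTR), ("other_role", AUTH_ATTR),
               ("realm", AUTH_ATTR), ("global", AUTH_ATTR)]

CONFIG = {  # constructed sample values
    "role": {"iplanet-am-auth-login-success-url":
             {"default": "https://portal.example.com/hr"}},
    "realm": {"iplanet-am-auth-login-success-url":
              {"genericHTML": "https://portal.example.com/realm-html"}},
    "global": {"iplanet-am-auth-login-failure-url":
               {"default": "https://portal.example.com/denied"}},
}


def precedence(outcome):
    """Return the 12 lookup steps as (source, attribute, client_specific)."""
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    steps = [("module", None, False), ("goto", None, False)]
    for client_specific in (True, False):
        steps += [(entry, attr.format(o=outcome), client_specific)
                  for entry, attr in ENTRY_ORDER]
    return steps


def resolve(outcome, config, module_url=None, goto=None, client_type=None):
    """Return (step number, source, URL) for the first step that yields a URL."""
    for number, (source, attr, client_specific) in enumerate(precedence(outcome), 1):
        if source == "module":
            url = module_url
        elif source == "goto":
            url = goto  # request-supplied, yet outranks every stored attribute
        else:
            key = client_type if client_specific else "default"
            url = config.get(source, {}).get(attr, {}).get(key)
        if url:
            return number, source, url
    return None  # nothing configured at any of the 12 steps


if __name__ == "__main__":
    print(resolve("success", CONFIG, client_type="genericHTML"))
    print(resolve("success", CONFIG, goto="https://other.example.net/"))
    print(resolve("failure", CONFIG))
```

The returned step number shows whether a redirect came from the request (steps 1 and 2) or from a stored attribute, which is useful when reviewing why a user landed on an unexpected page.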

To Configure Role-Based Authentication

  1. Navigate to the realm (or organization) to which you will add the authentication configuration service.

  2. Click the Subjects tab.

  3. Click Filtered Roles or Roles.

  4. Select the role for which to set the authentication configuration.

    If the Authentication Configuration service has not been added to the role, click Add, select Authentication Service and click Next.

  5. Select the Default Authentication Chain that you wish to enable from the pull-down menu.

  6. Click Save.


    Note –

    If you are creating a new role, the Authentication Configuration service is not automatically assigned to it. Make sure that you select the Authentication Configuration service option at the top of the role profile page before you create it.

    When role-based authentication is enabled, the LDAP authentication module can be left as the default, as there is no need to configure Membership.