test

Sun Java System Access Manager 7 2005Q4 Administration Guide

Organization-based Authentication

This authentication type only applies to Access Manager deployments that have been installed in Legacy mode.

This method of authentication allows a user to authenticate to an organization or sub-organization. It is the default method of authentication for Access Manager . The authentication method for an organization is set by registering the Core Authentication module to the organization and defining the Organization Authentication Configuration attribute.

Organization-based Authentication Login URLs

The organization for authentication can be specified in the User Interface Login URL by defining the org Parameter or the domain Parameter. The organization of a request for authentication is determined from the following, in order of precedence:

  1. The domain parameter.

  2. The org parameter.

  3. The value of the DNS Alias Names (Organization alias names) attribute in the Administration Service.

    After calling the correct organization, the authentication module(s) to which the user will authenticate are retrieved from the Organization Authentication Configuration attribute in the Core Authentication Service. The login URLs used to specify and initiate organization-based authentication are:


    http://server_name.domain_name:port/amserver/UI/Login
http://server_name.domain_name:port/amserver/UI/Login?domain=domain_name
http://server_name.domain_name:port/amserver/UI/Login?org=org_name

    If there is no defined parameter, the organization will be determined from the server host and domain specified in the login URL.

Organization-based Authentication Redirection URLs

Upon a successful or failed organization-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.

Successful Organization-based Authentication Redirection URLs

The redirection URL for successful organization-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile ( amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s organization entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  7. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  8. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s organization entry.

  10. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Organization-based Authentication Redirection URLs

The redirection URL for failed organization-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry ( amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s organization entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  7. A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).

  8. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  9. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s organization entry.

  10. A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.

To Configure Organization-Based Authentication

Authentication modules are set for an organization by first adding the Core Authentication service to the organization.

ProcedureTo Configure The Organizations’s Authentication Attributes

  1. Navigate to the organization for which you wish to add the Authentication Chain.

  2. Click the Authentication tab.

  3. Select the Default Authentication Chain from the pull down menu.

  4. Select the Administrator Authentication Chain from the pull down menu. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The default authentication module is LDAP.

  5. Once you have defined the authentication chains, click Save.