Sun Java System Access Manager 7 2005Q4 Federation and SAML Administration Guide

The Pre-login URL

The pre-login process is the entry point for applications participating in Liberty-based single sign-on. As described in Process of Federation, the principal would be redirected to the location defined by the pre-login URL if no Access Manager session token is found. This default process, though, can be modified based on the values of URL query parameters passed to Access Manager by the service provider.


Note –

A URL parameter is a name/value pair appended to the end of a URL. The parameter list starts with a question mark (?) and each parameter takes the form name=value. Several parameters can be combined in one URL; when more than one is present, they are separated by an ampersand (&).


To modify the pre-login URL, edit the property in either the AMConfig.properties file or the AMAgent.properties file, dependent on your deployment. Use the format http://hostname:port/deploy-uri/preLogin?metaAlias=metaAlias. Query parameters can be appended to the URL as &param1=value1&param2=value2 and so on. These parameters, their usage and their values are described in the following table.

Table 3–2 Pre-login URL Parameters for Federation

Parameter 

Description 

actionOnNoFedCookie

The actionOnNoFedCookie parameter provides the flexibility to redirect a user when the fedCookie is not present in the browser, and when there is only one identity provider. It takes the following values:

  • commonlogin will redirect to a common login page.

  • locallogin will redirect to the local Access Manager login page.

  • passive will issue a request to the identity provider by setting the isPassive parameter of the AuthnRequest element to true.

  • active will issue a normal single sign-on request to the identity provider.

anonymousOnetime

The anonymousOnetime parameter can be used by service providers that authenticate users with anonymous, one-time federation sessions. A value of true enables the service provider to issue a one-time federation request and generate an anonymous session after successful verification of the authentication assertion from the identity provider. This feature is useful when the service provider does not have a user repository (for example, http://www.weather.com) but would like to depend on an identity provider for authentication. When the service provider receives a successful authentication assertion from an identity provider, it generates an anonymous, temporary session.

authlevel

The authlevel parameter takes as a value a positive number that maps to an authentication level defined in the Access Manager Authentication Framework. The authentication level indicates how much to trust a method of authentication.


Note –

More information on the authentication framework can be found in Sun Java System Access Manager 7 2005Q4 Administration Guide.


In this framework, each service provider is configured with a default authentication context (preferred method of authentication). However, the provider might want to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3, so it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.

gotoOnFedCookieNo

The gotoOnFedCookieNo parameter takes as a value a URL to which the principal is redirected if a fedCookie with a value of no is found. The default behavior is to redirect the user to the Access Manager login page.
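As an added example (not from this guide or from Access Manager's own code), the following Python builds and validates a pre-login URL from the parameters in the table above: every value is percent-encoded, actionOnNoFedCookie, anonymousOnetime and authlevel are checked against the documented values, and gotoOnFedCookieNo is only accepted when it points at an allow-listed host, since an unchecked redirect target is an open-redirect risk. The host names, port and allow-list are constructed assumptions.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Values the guide documents for actionOnNoFedCookie.
ACTION_ON_NO_FED_COOKIE = {"commonlogin", "locallogin", "passive", "active"}
# Constructed allow-list of hosts gotoOnFedCookieNo may redirect to (assumption:
# the guide defines none; without a check this parameter is an open-redirect vector).
ALLOWED_GOTO_HOSTS = {"sp.example.com"}


def validate_prelogin_params(params):
    """Return the validated parameters, or raise ValueError on the first bad one."""
    if not params.get("metaAlias"):
        raise ValueError("metaAlias is required")
    clean = {"metaAlias": params["metaAlias"]}
    for name, value in params.items():
        if name == "metaAlias":
            continue
        if name == "actionOnNoFedCookie":
            if value not in ACTION_ON_NO_FED_COOKIE:
                raise ValueError(f"actionOnNoFedCookie: unknown value {value!r}")
        elif name == "anonymousOnetime":
            if value not in ("true", "false"):
                raise ValueError("anonymousOnetime must be 'true' or 'false'")
        elif name == "authlevel":
            if not value.isdigit() or int(value) <= 0:
                raise ValueError("authlevel must be a positive integer")
        elif name == "gotoOnFedCookieNo":
            target = urlsplit(value)  # reject non-http(s) schemes and foreign hosts
            if target.scheme not in ("http", "https") or target.hostname not in ALLOWED_GOTO_HOSTS:
                raise ValueError(f"gotoOnFedCookieNo: redirect target not allowed: {value!r}")
        else:
            raise ValueError(f"unknown pre-login parameter {name!r}")
        clean[name] = value
    return clean


def build_prelogin_url(host, port, deploy_uri, **params):
    """Build http://hostname:port/deploy-uri/preLogin?metaAlias=...&param=... with
    urlencode, so a metaAlias such as /sp or a goto URL carrying its own query
    string cannot break the outer URL."""
    clean = validate_prelogin_params(params)
    return f"http://{host}:{port}/{deploy_uri.strip('/')}/preLogin?{urlencode(clean)}"


def parse_prelogin_url(url):
    """Decode a pre-login URL back into validated parameters; a parameter sent
    twice (parameter pollution) is rejected rather than silently resolved."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if any(len(values) != 1 for values in query.values()):
        raise ValueError("duplicate query parameter")
    return validate_prelogin_params({k: v[0] for k, v in query.items()})


def is_valid_prelogin_url(url):
    """True if the URL parses and every parameter passes validation."""
    try:
        parse_prelogin_url(url)
        return True
    except ValueError:
        return False
```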