Sun Java System Access Manager 7.1 Administration Guide

Module-based Authentication

Users can access a specific authentication module using the following syntax:

http://hostname:port/deploy_URI/UI/Login?module=module_name

Before the authentication module can be accessed, the Core authentication service attribute realm Authentication Modules must be modified to include the authentication module name. If the authentication module name is not included in this attribute, the “authentication module denied” page will be displayed when the user attempts to authenticate.

This method of authentication allows a user to specify the module to which they will authenticate. The specified module must be registered to the realm or sub-realm that the user is accessing. This is configured in the realm Authentication Modules attribute of the realm’s Core Authentication Service. On receiving this request for module-based authentication, the Authentication Service verifies that the module is correctly configured as noted, and if the module is not defined, the user is denied access.

Module-based Authentication Login URLs

Module-based authentication can be specified in the User Interface Login URL by defining a module parameter. The login URLs used to specify and initiate module-based authentication are:

http://server_name.domain_name:port/amserver/UI/Login?module=authentication_module_name
http://server_name.domain_name:port/amserver/UI/Login?org=org_name&module=authentication_module_name

If there is no configured org parameter, the realm to which the user belongs will be determined from the server host and domain specified in the login URL itself.

Module-based Authentication Redirection URLs

Upon a successful or failed module-based authentication, Access Manager looks for information on where to redirect the user. The following lists give the order of precedence in which the application checks for this information.

Successful Module-based Authentication Redirection URLs

The redirection URL for successful module-based authentication is determined by checking the following places in order of precedence:

  1. A URL set by the authentication module.

  2. A URL set by a goto Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.

  7. A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).

  8. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.

  9. A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.

  10. A URL set in the iplanet-am-auth-login-success-url attribute as a global default.

Failed Module-based Authentication Redirection URLs

The redirection URL for failed module-based authentication is determined by checking the following places in the following order:

  1. A URL set by the authentication module.

  2. A URL set by a gotoOnFail Login URL parameter.

  3. A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry (amUser.xml).

  4. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  5. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  6. A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.

  7. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.

  8. A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.

  9. A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.
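The two precedence chains above are easy to misread when several sources are populated at once, so here is a worked resolver that walks both the success and the failure chain in the documented order and reports which step supplied the URL. This is an added example written for this page, not code from Access Manager; the RedirectSources layout, the function names and the sample configuration are assumptions made for the example. The attribute and parameter names are the ones the guide lists. Because goto and gotoOnFail arrive in the Login URL query string, they are the one step of the chain set by the requester rather than by the administrator; the optional allowlist check on that step is a defensive addition for the example and is not behaviour this guide documents.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

SUCCESS = "success"
FAILURE = "failure"

# Attribute and parameter names as given in the guide.
USER_ATTR = {SUCCESS: "iplanet-am-user-success-url",
             FAILURE: "iplanet-am-user-failure-url"}
AUTH_ATTR = {SUCCESS: "iplanet-am-auth-login-success-url",
             FAILURE: "iplanet-am-auth-login-failure-url"}
GOTO_PARAM = {SUCCESS: "goto", FAILURE: "gotoOnFail"}


@dataclass
class RedirectSources:
    """Everything the chain can draw on. This layout is an assumption made for
    the example; Access Manager keeps these values in its own configuration."""
    module_url: Optional[str] = None                       # set by the authentication module
    login_params: dict = field(default_factory=dict)       # query parameters of the Login URL
    client_type_attrs: dict = field(default_factory=dict)  # scope -> {attribute: url}, clientType custom files
    attrs: dict = field(default_factory=dict)              # scope -> {attribute: url}, non-clientType values


def attribute_lookups(outcome):
    """(scope, attribute) pairs in precedence order: user entry, role, realm, global."""
    return [("user", USER_ATTR[outcome]),
            ("role", AUTH_ATTR[outcome]),
            ("realm", AUTH_ATTR[outcome]),
            ("global", AUTH_ATTR[outcome])]


def goto_allowed(url, allowed_hosts):
    """Defensive check added for this example (not documented product behaviour):
    accept a goto/gotoOnFail value only if it is relative or its host is allowlisted."""
    if allowed_hosts is None:
        return True
    host = urlsplit(url).hostname
    return host is None or host in allowed_hosts


def resolve_redirect(outcome, src, allowed_hosts=None):
    """Return (source, url) for the first step of the chain that has a URL,
    or (None, None) if no step is set. outcome is SUCCESS or FAILURE."""
    param = GOTO_PARAM[outcome]
    goto = src.login_params.get(param)
    if goto is not None and not goto_allowed(goto, allowed_hosts):
        goto = None  # rejected value: fall through to the next step of the chain
    candidates = [("authentication module", src.module_url),
                  ("Login URL parameter " + param, goto)]
    # Steps 3-6: the clientType custom files, user entry first, then role, realm, global.
    for scope, attr in attribute_lookups(outcome):
        candidates.append(("clientType custom %s %s" % (scope, attr),
                           src.client_type_attrs.get(scope, {}).get(attr)))
    # Steps 7+: the plain attributes. The failure chain has no user-entry step here.
    plain = attribute_lookups(outcome)
    if outcome == FAILURE:
        plain = plain[1:]
    for scope, attr in plain:
        candidates.append(("%s %s" % (scope, attr),
                           src.attrs.get(scope, {}).get(attr)))
    for source, url in candidates:
        if url:
            return source, url
    return None, None


# Constructed sample configuration for the example (not from a real deployment).
SAMPLE = RedirectSources(
    login_params={"goto": "https://portal.example.com/home"},
    client_type_attrs={"role": {AUTH_ATTR[SUCCESS]: "https://portal.example.com/role-home"}},
    attrs={"realm": {AUTH_ATTR[SUCCESS]: "https://portal.example.com/realm-home",
                     AUTH_ATTR[FAILURE]: "https://portal.example.com/login-failed"},
           "global": {AUTH_ATTR[SUCCESS]: "https://portal.example.com/"}},
)

if __name__ == "__main__":
    print(resolve_redirect(SUCCESS, SAMPLE))
    print(resolve_redirect(FAILURE, SAMPLE))
    print(resolve_redirect(SUCCESS, SAMPLE, allowed_hosts={"intranet.example.com"}))
```

With the sample configuration, a successful login follows the goto parameter even though a role-level clientType URL and a realm-level URL are also set, because the parameter sits higher in the chain; a failed login skips the unset gotoOnFail and the empty clientType steps and lands on the realm's iplanet-am-auth-login-failure-url. When the goto host is not on the allowlist, the resolver drops that step and the next populated one, the clientType role URL, wins.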