Sun Java System Access Manager 7.1 Technical Overview

Authentication Chaining

You can configure one or more authentication module instances so that a user must pass authentication credentials to all of them before the user is allowed access. This feature is called authentication chaining. Access Manager uses the Java Authentication and Authorization Service (JAAS) framework (already integrated in the Authentication Service) to implement authentication chaining. The JAAS framework validates all user IDs used during the authentication process, and maps them all to one user. (The mapping is based on the configuration of the User Alias List attribute in the user's profile.) If all the mappings are correct, a valid session token is issued to the user. If the mappings are not all correct, the user is denied a valid session token. Once authentication to all modules in the chain succeeds or fails, control is returned to the Authentication Service from the JAAS framework.

You can configure authentication chaining by realm, user, role, or service. Access is determined by the control flags you specify for the chain. Each authentication module in the chain uses one of the following control flags to indicate its requirement for successful authentication.

Requisite.

The LoginModule is required to succeed. If it succeeds, authentication continues down the LoginModule list. If it fails, control immediately returns to the application (authentication does not proceed down the LoginModule list).

Required.

Authentication to this module is required to succeed. If any of the required modules in the chain fails, the whole authentication chain will fail and the user will be notified of this.

Sufficient.

The LoginModule is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the LoginModule list). If it fails, authentication continues down the LoginModule list.

Optional.

The LoginModule is not required to succeed. Whether it succeeds or fails, authentication still continues to proceed down the LoginModule list.
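The flag rules above can be modelled in a few lines to check how the order of modules in a chain changes the outcome. This is an added example, not Access Manager or JAAS code; the module names "Password" and "OTP" are hypothetical, and two details are assumptions taken from standard JAAS behavior rather than from this page: a failed Required module does not stop the chain, and a Sufficient success only ends the chain when no earlier Required module has failed.

```python
# Added example: a model of JAAS control-flag evaluation, not Access Manager code.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

def evaluate_chain(chain, outcomes):
    """Return (authenticated, attempted).

    chain    -- ordered list of (module_name, control_flag)
    outcomes -- dict: module_name -> True if that module's login succeeds
    """
    attempted = []            # modules actually invoked, in order
    mandatory_failed = False  # a Required or Requisite module has failed
    any_success = False
    for name, flag in chain:
        ok = outcomes[name]
        attempted.append(name)
        any_success = any_success or ok
        if flag in (REQUIRED, REQUISITE) and not ok:
            mandatory_failed = True
            if flag == REQUISITE:
                break         # control returns immediately, chain fails
            # Required: assumed (standard JAAS) to keep going down the list
        elif flag == SUFFICIENT and ok and not mandatory_failed:
            break             # control returns immediately, rest is skipped
    return (not mandatory_failed and any_success, attempted)

def skippable_mandatory(chain):
    """Required/Requisite modules listed after a Sufficient module.
    When that Sufficient module succeeds, these are never invoked."""
    seen_sufficient = False
    skipped = []
    for name, flag in chain:
        if flag == SUFFICIENT:
            seen_sufficient = True
        elif seen_sufficient and flag in (REQUIRED, REQUISITE):
            skipped.append(name)
    return skipped

# Constructed chains; "Password" and "OTP" are hypothetical module instance names.
SUFFICIENT_FIRST = [("Password", SUFFICIENT), ("OTP", REQUIRED)]
BOTH_REQUIRED = [("Password", REQUIRED), ("OTP", REQUIRED)]
REQUISITE_FIRST = [("Password", REQUISITE), ("OTP", REQUIRED)]

if __name__ == "__main__":
    creds = {"Password": True, "OTP": False}   # constructed outcome: OTP fails
    for chain in (SUFFICIENT_FIRST, BOTH_REQUIRED, REQUISITE_FIRST):
        print(chain, evaluate_chain(chain, creds), skippable_mandatory(chain))
```

With the Sufficient module listed first, the chain authenticates the user without ever invoking the Required module behind it, so reviewing a chain means checking the order of its modules as well as their flags.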

For more information, see Authentication Chaining in Sun Java System Access Manager 7.1 Administration Guide.