Requirements for a Distributed Authentication UI server deployment include:
- The Distributed Authentication UI server must be installed in one of these web containers:
    - Sun Java System Application Server
    - Sun Java System Web Server
    - BEA WebLogic Server
    - IBM WebSphere Application Server
  For the specific supported versions of each web container, see the Sun Java System Access Manager 7.1 Release Notes.
- A Distributed Authentication UI server must use the same password encryption key as the Access Manager server instances in the deployment.
Several other considerations for a Distributed Authentication UI server include:
- If you are deploying multiple Distributed Authentication UI servers behind a load balancer, the load balancer does not require stickiness: it does not have to talk to only one Distributed Authentication UI server for the authentication process to complete.
- The HTTP Basic and MSISDN authentication modules are not supported through the Distributed Authentication UI.
The following figure shows a Distributed Authentication UI server deployment scenario.
In a typical deployment scenario using one or more Distributed Authentication UI servers, an end-user request follows this flow:
1. An end user sends an HTTP or HTTPS request from a Web browser to access a protected resource.
2. If the request does not have a cookie containing an SSO token, the Access Manager policy agent issues a redirect to its authentication URL, which is the URL of the Distributed Authentication UI server in the DMZ (usually through a load balancer).
3. The end user follows the redirect and sends a request to the Distributed Authentication UI server.
4. The Distributed Authentication UI server communicates the request to an Access Manager instance behind the second firewall to determine the appropriate authentication method.
5. The Access Manager instance determines the appropriate authentication method and then returns the presentation framework to the Distributed Authentication UI server.
6. Using the information from the Access Manager instance, the Distributed Authentication UI server returns a login page to the user's Web browser.
7. The end user replies with the login credentials (such as user name and password) to the Distributed Authentication UI server.
8. The Distributed Authentication UI server uses the Access Manager Client SDK to send the end user's credentials to the Access Manager instance behind the second firewall.
9. Access Manager tries to authenticate the end user using the appropriate authentication method:
    - If the authentication is successful, Access Manager returns the SSO token, and the Distributed Authentication UI server redirects the end user to the protected resource.
    - If the authentication is not successful, Access Manager returns the appropriate error information.
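
The flow above, traced as a small Python model. This is an added example, not Access Manager code: the classes stand in for the three tiers, and every host name, user and password is constructed. The cookie name, the goto parameter, the HTTP status codes and the agent's token validation are assumptions that the page does not state.

```python
import hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

COOKIE = "iPlanetDirectoryPro"  # assumed SSO cookie name (not stated on the page)
DAUI_URL = "https://login.example.com/distAuth/UI/Login"  # constructed DMZ URL

class AccessManager:
    """Stands in for the Access Manager instance behind the second firewall."""
    def __init__(self, users):
        self._users, self._sessions = users, set()  # constructed user store
    def requirements(self):              # step 5: what the login page must ask for
        return ["user name", "password"]
    def authenticate(self, user, password):         # step 9
        expected = self._users.get(user, "")
        if expected and hmac.compare_digest(expected, password):
            token = secrets.token_urlsafe(24)
            self._sessions.add(token)
            return {"status": "SUCCESS", "sso_token": token}
        return {"status": "FAILED", "error": "Authentication failed"}
    def is_valid(self, token):
        return token in self._sessions

class DistAuthUI:
    """DMZ tier: presents the login page and relays credentials; holds no user data."""
    def __init__(self, am):
        self._am = am                    # stands in for the Client SDK connection
    def login_page(self):                # steps 4 to 6
        return {"status": 200, "fields": self._am.requirements()}
    def submit(self, user, password, goto):         # steps 7 to 9
        result = self._am.authenticate(user, password)
        if result["status"] != "SUCCESS":
            return {"status": 401, "error": result["error"]}
        return {"status": 302, "location": goto,
                "set_cookie": {COOKIE: result["sso_token"]}}

def policy_agent(url, cookies, am):
    """Step 2: no SSO token cookie means a redirect to the DMZ login URL."""
    token = cookies.get(COOKIE)
    if token and am.is_valid(token):     # assumption: the agent validates the token
        return {"status": 200, "body": "protected resource"}
    return {"status": 302, "location": DAUI_URL + "?" + urlencode({"goto": url})}

def run_flow(user, password, resource="https://app.example.com/report"):
    am = AccessManager({"alice": "constructed-pass"})
    daui = DistAuthUI(am)
    first = policy_agent(resource, {}, am)                          # steps 1 and 2
    goto = parse_qs(urlparse(first["location"]).query)["goto"][0]   # step 3
    page = daui.login_page()
    answer = daui.submit(user, password, goto)
    final = policy_agent(goto, answer["set_cookie"], am) if answer["status"] == 302 else None
    return first, page, answer, final
```

In the model, as in the described deployment, the credential check happens only in the inner tier: the DMZ tier sees the credentials in transit but decides nothing itself.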