Sun Java System Access Manager 7.1 Postinstallation Guide

Flow for a Distributed Authentication End-User Request

In a typical deployment scenario using one or more Distributed Authentication UI servers, an end-user request follows this flow:

  1. An end user sends an HTTP or HTTPS request from a Web browser to access a protected resource.

  2. If the request does not have a cookie containing an SSO token, the Access Manager policy agent issues a redirect to its authentication URL, which is the URL of the Distributed Authentication UI server in the DMZ (usually through a load balancer).

  3. The end user follows the redirect and sends a request to the Distributed Authentication UI server.

  4. The Distributed Authentication UI server forwards the request to an Access Manager instance behind the second firewall to determine the appropriate authentication method.

  5. The Access Manager instance determines the appropriate authentication method and then returns the presentation framework to the Distributed Authentication UI server.

  6. Using the information from the Access Manager instance, the Distributed Authentication UI server returns a login page to the user's Web browser.

  7. The end user replies with the login credentials (such as user name and password) to the Distributed Authentication UI server.

  8. The Distributed Authentication UI server uses the Access Manager Client SDK to send the end user's credentials to the Access Manager instance behind the second firewall.

  9. Access Manager tries to authenticate the end user using the appropriate authentication method:

    • If the authentication is successful, Access Manager returns the SSO token, and the Distributed Authentication UI server redirects the end user to the protected resource.

    • If the authentication is not successful, Access Manager returns the appropriate error information.
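The following is an added illustration of the flow above as an in-memory model, not code from Access Manager or the Client SDK. It assumes the default SSO cookie name `iPlanetDirectoryPro`, sample host names and a constructed one-user store; its point is where the trust boundary sits: only the Access Manager instance behind the second firewall checks credentials and issues tokens, the DMZ server only relays, and the policy agent admits nothing without a token Access Manager validates.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

SSO_COOKIE = "iPlanetDirectoryPro"   # assumed: Access Manager's default SSO cookie name

class AccessManager:
    """Behind the second firewall: the only component that checks credentials and issues SSO tokens."""
    def __init__(self, users):
        self.users = users        # constructed sample user store (never copied to the DMZ)
        self.sessions = {}        # SSO token -> user name
    def authenticate(self, user, password):
        if self.users.get(user) == password:
            token = secrets.token_urlsafe(24)
            self.sessions[token] = user
            return {"ok": True, "token": token}
        return {"ok": False, "error": "Invalid credentials"}
    def validate(self, token):
        return self.sessions.get(token)

class DistributedAuthUI:
    """In the DMZ: serves the login page and relays credentials to Access Manager (steps 4-9)."""
    def __init__(self, am):
        self.am = am
    def submit(self, user, password, goto):
        result = self.am.authenticate(user, password)      # Client SDK call in the real deployment
        if result["ok"]:
            return {"redirect": goto, "set_cookie": {SSO_COOKIE: result["token"]}}
        return {"error": result["error"]}

class PolicyAgent:
    """In front of the protected resource: admits only requests whose SSO token AM validates (step 2)."""
    def __init__(self, am, login_url):
        self.am, self.login_url = am, login_url
    def handle(self, url, cookies):
        user = self.am.validate(cookies.get(SSO_COOKIE, ""))
        if user is None:
            return {"redirect": self.login_url + "?" + urlencode({"goto": url})}
        return {"status": 200, "user": user}

def run_flow(user, password, resource="https://app.example.com/protected"):
    am = AccessManager({"alice": "s3cret"})
    dauth = DistributedAuthUI(am)
    agent = PolicyAgent(am, "https://dauth.example.com/UI/Login")
    first = agent.handle(resource, cookies={})                      # steps 1-2: no cookie -> redirect
    goto = parse_qs(urlparse(first["redirect"]).query)["goto"][0]   # step 3: user follows the redirect
    login = dauth.submit(user, password, goto)                      # steps 7-9: credentials relayed to AM
    if "error" in login:
        return {"authenticated": False, "error": login["error"]}
    second = agent.handle(resource, cookies=login["set_cookie"])    # retry carrying the SSO token
    return {"authenticated": True, "user": second.get("user"), "admitted": second.get("status") == 200}
```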