Sun OpenSSO Enterprise 8.0 Technical Overview

User Authentication

When the browser sends the HTTP request to the Distributed Authentication User Interface, the events illustrated in Figure 6–2 occur.

Figure 6–2 User Authentication (the process shown in the figure is described in the body text that follows)

  1. Using the parameters in the HTTP request from the browser (which includes the URL of the requested application), the Distributed Authentication User Interface contacts the OpenSSO Enterprise Authentication Service (which, in turn, communicates with the Session Service).

  2. The Authentication Service determines what should be presented to the user based upon configuration data and retrieves the appropriate authentication module(s) and callback(s) information.

    For example, if configured to use LDAP Authentication, the Authentication Service determines that the LDAP Authentication login page should be displayed.

  3. The collected information is passed to the Distributed Authentication User Interface using the Client SDK.

  4. The Client Detection Service determines which protocol, such as HTML or WML, to use to display the login page.

  5. The Distributed Authentication User Interface generates a dynamic presentation extraction page that contains the appropriate credentials request and callbacks information obtained from OpenSSO Enterprise.

    The session cookie will be included in this communication.

  6. The user’s browser displays the login page.

  7. The user enters information in the fields of the login page.

  8. The browser sends the credentials in an HTTP POST to the Distributed Authentication User Interface.

  9. The Distributed Authentication User Interface uses the Client SDK to pass the credentials to the Authentication Service.

  10. The Authentication Service uses the appropriate authentication module to validate the user’s credentials.

    For example, if LDAP authentication is used, the LDAP authentication module verifies that the username and password provided exist in the LDAP directory.

  11. Assuming authentication is successful, the Authentication Service activates the session by calling the appropriate methods in the Session Service.

    The Authentication Service stores information such as login time, Authentication Scheme, and Authentication Level in the session data structure.

  12. Once the session is activated, the Session Service changes the state of the session token to valid.

  13. The Distributed Authentication User Interface sends an HTTP response back to the browser that carries the validated SSOToken and a location change (redirect) to the originally requested resource.

  14. The browser follows the redirect by sending another HTTP request to the original resource protected by a policy agent. This time, the request includes the valid session token created during the authentication process.
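The callback exchange in steps 2 through 13, driven from the Client SDK rather than the Distributed Authentication User Interface, as an added example that is not part of this overview or the OpenSSO product code. It assumes a Client SDK classpath and AMConfig.properties pointing at the OpenSSO Enterprise server, a realm name, and an LDAP module instance named "LDAP"; the AuthContext, SSOToken and javax.security.auth.callback classes are the real SDK types.

```java
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.AuthContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

/** Example only: drives the Authentication Service through the LDAP module. */
public class DistAuthExample {

    /** Returns the activated SSOToken, or null if the Authentication Service rejected the login. */
    public static SSOToken login(String realm, String user, char[] password) throws Exception {
        // Step 1: the Client SDK contacts the Authentication Service for this realm.
        AuthContext ac = new AuthContext(realm);

        // Step 2: ask for the LDAP module instance; the service answers with the
        // callbacks that the login page would otherwise render (steps 3 to 5).
        ac.login(AuthContext.IndexType.MODULE_INSTANCE, "LDAP");

        // Steps 6 to 9: each round of requirements is one login page. Fill the
        // NameCallback and PasswordCallback and submit them, exactly as the POST
        // from the browser would be forwarded by the Distributed Authentication UI.
        while (ac.hasMoreRequirements()) {
            Callback[] callbacks = ac.getRequirements();
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                }
            }
            ac.submitRequirements(callbacks);
        }
        // The credential copy is no longer needed once submitted; clear it.
        java.util.Arrays.fill(password, '\0');

        // Steps 10 to 12: SUCCESS is reported only after the module validated the
        // credentials and the Session Service changed the token state to valid.
        if (ac.getStatus() != AuthContext.Status.SUCCESS) {
            return null;
        }
        return ac.getSSOToken();
    }

    public static void main(String[] args) throws Exception {
        SSOToken token = login("/", "demo", "changeit".toCharArray());
        if (token == null) {
            System.out.println("authentication failed");
            return;
        }
        // Step 11 stored the scheme and level in the session; read them back.
        // The token ID itself is a bearer credential, so it is deliberately not printed.
        System.out.println("auth type:  " + token.getAuthType());
        System.out.println("auth level: " + token.getAuthLevel());
    }
}
```

A null return covers a wrong password as well as a module that ran out of callbacks without reaching SUCCESS, so callers should treat both the same way.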

The next part of the user session is Session Validation.