Sun OpenSSO Enterprise 8.0 Technical Overview

Authentication Modules

An authentication module is a plug-in that collects user information such as a user ID and password, and compares the information against entries in a database. If a user provides information that meets the authentication criteria, the user is validated and, assuming the appropriate policy configuration, granted access to the requested resource. If the user provides information that does not meet the authentication criteria, the user is not validated and denied access to the requested resource. OpenSSO Enterprise is deployed with a number of authentication modules. Table 7–1 provides a brief description of each.

Table 7–1 Authentication Service Modules

Authentication Module Name 


Active Directory

Uses an Active Directory operation to associate a user identifier and password with a particular Active Directory entry. You can define multiple Active Directory authentication configurations for a realm. Allows both LDAP and Active Directory to coexist under the same realm. 


Enables a user to log in without specifying credentials. You can create an Anonymous user so that anyone can log in as Anonymous without having to provide a password. Anonymous connections are usually customized by the OpenSSO Enterprise administrator so that Anonymous users have limited access to the server. 


Enables a user to log in through a personal digital certificate (PDC). The user is granted or denied access to a resource based on whether or not the certificate is valid. The module can optionally require the use of the Online Certificate Status Protocol (OCSP) to determine the state of a certificate. 

Data Store 

Enables authentication against one or more configuration data stores within a realm. 


Used by the service provider during federation (using SAML v1.x, SAML v2, WS-Federation, Liberty ID-FF) to create a session after validating the assertion. This authentication module can not be invoked like the other modules as it is invoked directly by the SAMLAwareServlet.

HTTP Basic 

Enables authentication to occur with no data encryption. Credentials are validated internally using either the LDAP or Data Store authentication module. 

Java Database Connectivity (JDBC)

Enables authentication through any Structured Query Language (SQL) databases that provide JDBC-enabled drivers. The SQL database connects either directly through a JDBC driver or through a JNDI connection pool. 


Enables authentication using LDAP bind, a directory server operation which associates a user identifier and password with a particular LDAP entry. You can define multiple LDAP authentication configurations for a realm. 


Enables user to self-register a user entry. The user creates an account, personalizes it, and accesses it as a registered user without the help of an administrator. Implemented similarly to personalized sites such as


The Mobile Station Integrated Services Digital Network (MSISDN) authentication module enables authentication using a mobile subscriber ISDN associated with a device such as a cellular telephone. It is a non-interactive module. The module retrieves the subscriber ISDN and validates it against the user repository to find a user that matches the number. 


Uses an external Remote Authentication Dial-In User Service (RADIUS) server to verify identities. 

Security Assertion Markup Language (SAML) 

Receives and validates SAML assertions on a target server by using either a web artifact or a POST response. 


Uses Secure Computing’s SafeWord PremierAccessTM server software and SafeWord tokens to verify identities.


Uses RSA ACE/Server software and RSA SecurID authenticators to verify identities. 


Solaris and Linux modules use a user’s UNIX identification and password to verify identities. 

Windows Desktop Single Sign-On (SSO) 

Allows a user who has already authenticated with a key distribution center to be authenticated by OpenSSO Enterprise without having to provide the login information again. Leverages Kerberos authentication and is supported wherever Kerberos is supported (including Windows, Solaris, Linux, and Macintosh). 

Windows NT 

Uses a Microsoft Windows NTTM server to verify identities.

You can use the OpenSSO Enterprise console to enable and configure the authentication modules. You can also create and configure multiple instances of a particular authentication module. (An authentication module instance is a child entity that extends the schema of a parent authentication module and adds its own subschema.) Finally, you can write your own custom authentication module (or plug-in) to connect to the OpenSSO Enterprise authentication framework. See Chapter 3, Configuring Authentication, in Sun OpenSSO Enterprise 8.0 Administration Guide for detailed information about enabling and configuring default authentication modules and authentication module instances. See Chapter 1, Using the Authentication Service API and SPI, in Sun OpenSSO Enterprise 8.0 Developer’s Guide for more information about writing custom authentication modules.