Sun OpenSSO Enterprise 8.0 Technical Overview

Configuring for Authentication

The authentication framework includes the following places where you can configure for authentication:

Explanations of the authentication attributes can be found in the Online Help and the Sun OpenSSO Enterprise 8.0 Administration Reference.

Core Authentication Module and Realm Configuration

The Core Authentication Module contains general authentication properties that can be defined globally using the OpenSSO Enterprise console (under the Configuration tab) or more specifically for each configured realm (under the Access Control tab). Core authentication properties are added and enabled for the top-level realm during installation. As new realms are configured under the top-level realm, these properties (and the values defined globally for them) are dynamically added to each new realm when it is created. Once added, new values can be defined and configured values can be modified by the realm's administrator. The values are then used if no overriding value is defined in the specified authentication module instance or authentication chain. The default values for the Core Authentication Module are defined in the amAuth.xml file and stored in the configuration data store. For more information, see Chapter 3, Configuring Authentication, in Sun OpenSSO Enterprise 8.0 Administration Guide and the Sun OpenSSO Enterprise 8.0 Administration Reference.

Authentication Configuration Service

The Authentication Configuration Service describes all the dynamic attributes for service-based authentication. This service is used for configuring roles. When you assign a service to a role, you can also assign other attributes such as a success URL or an authentication post-processing class to the role.

Login URLs and Redirection URLs

In the last phase of the authentication process, OpenSSO Enterprise either grants or denies access to the user. If access is granted, OpenSSO Enterprise uses a login URL to display a page in the browser. If access is denied, OpenSSO Enterprise uses a redirection URL to display an alternate page in the browser. A typical alternate page contains a brief message indicating the user has been denied access.

Each authentication type (as discussed in Authentication Types) uses a login URL or redirection URL based on a specific order of precedence, and on whether the authentication succeeded or failed. For a detailed description of how OpenSSO Enterprise proceeds through the order of precedence, see Chapter 3, Configuring Authentication, in Sun OpenSSO Enterprise 8.0 Administration Guide.