Sun Java System Access Manager 7 2005Q4 Technical Overview

User Authentication

When the browser sends a GET request to the Distributed Authentication User Interface, the following events occur.

  1. Using the parameters in the GET request, the Distributed Authentication User Interface contacts the Authentication Service installed on the Access Manager Server.

  2. Authentication Service determines the appropriate authentication module to use based upon Access Manager configuration and the request parameters passed by the Distributed Authentication User Interface through the Authentication client APIs.

    For example, if Access Manager is configured to use the LDAP Authentication type of module, the Authentication Service determines that the LDAP Authentication login page will be used.

  3. Authentication Service determines which presentation callbacks should be presented, and sends to the Distributed Authentication User Interface all necessary credential requirements and callbacks to be used in the presentation framework layer.

  4. Client Detection Service determines which markup language, such as HTML or WML, to use to display the login page for the requesting client.

  5. The Distributed Authentication User Interface returns to the Web browser a dynamic presentation extraction page along with the session cookie.

    The presentation extraction page contains the appropriate credentials request and callbacks info obtained from the Access Manager Server.

  6. The user’s browser displays the login page.

    The user enters information in the Username and Password fields of the login page.

  7. The browser replies to the Distributed Authentication User Interface with a POST that contains the required credentials.

  8. The Distributed Authentication User Interface uses the Authentication client APIs to pass credentials to the Access Manager Server.

  9. The Authentication Service uses the appropriate authentication module type to validate the user’s credentials.

    For example, if the LDAP authentication module type is used, Authentication Service looks up the user entry in the LDAP directory and verifies that the supplied password authenticates against it. Other authentication module types have different requirements.

  10. When authentication is successful, Authentication Service activates the session by calling the appropriate methods in the Session Service.

    Authentication Service stores information such as the login time, the authentication scheme (module type), and the authentication level in the session data structure.

  11. Once the session is activated, Session Service changes the state of the session token to valid.

  12. The Distributed Authentication User Interface replies to the browser with the SSOToken in a Set-Cookie header, so that the browser presents the token on its subsequent requests to the protected resource.

  13. The browser makes a request to the originally requested resource protected by an Agent.

This time, the request carries the session token that was created during the authentication process; the token refers to the session data structure on the Access Manager Server, which is now in the valid state. The next part of the user session is Session Validation.
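The following example is added to this overview to show the same steps 1 through 13 driven through the Authentication client APIs that the Distributed Authentication User Interface uses (steps 2 and 8); it is not code from the Access Manager product. The realm name "/", the module instance name "LDAP", the user name and password are placeholder values; the cookie name iPlanetDirectoryPro is the stock default and should be taken from the deployment's com.iplanet.am.cookie.name property in practice.

```java
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.AuthContext;

/**
 * Example added to this overview (not Access Manager product code): drives the
 * Authentication client API the way the Distributed Authentication User
 * Interface does, from the initial login request to the validated session token.
 */
public class DistributedAuthFlowExample {

    /** Steps 1-11: obtain a valid SSOToken for the given user, or fail. */
    public static SSOToken login(String orgName, String moduleInstance,
                                 String user, char[] password) throws Exception {
        // Steps 1-2: contact the Authentication Service for the organization
        // (realm) and select the authentication module instance to use.
        AuthContext ac = new AuthContext(orgName);
        ac.login(AuthContext.IndexType.MODULE_INSTANCE, moduleInstance);

        // Steps 3-8: the service returns callbacks describing what it needs;
        // the UI renders them as a login page and posts the answers back.
        // A loop is needed because a module may return more than one page.
        while (ac.hasMoreRequirements()) {
            Callback[] callbacks = ac.getRequirements();
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                }
                // Other callback types (ChoiceCallback, TextOutputCallback, ...)
                // belong to the presentation layer; an unanswered required
                // callback makes the login fail rather than succeed.
            }
            ac.submitRequirements(callbacks);
        }

        // Steps 9-11: only SUCCESS activates a session; anything else (FAILED,
        // IN_PROGRESS, ...) means no valid token exists and must not be treated
        // as logged in.
        if (ac.getStatus() != AuthContext.Status.SUCCESS) {
            throw new SecurityException("authentication failed: " + ac.getStatus());
        }
        return ac.getSSOToken();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder realm, module instance and credentials (assumptions).
        SSOToken token = login("/", "LDAP", "jdoe", "changeit".toCharArray());

        // Step 12: the token ID becomes the session cookie value. The token ID
        // is a bearer credential: anyone holding it is the user as far as the
        // agent is concerned, so it belongs only on a Secure, HttpOnly cookie.
        // iPlanetDirectoryPro is the stock default name (assumption: read the
        // configured name from com.iplanet.am.cookie.name in a real deployment).
        System.out.println("Set-Cookie: iPlanetDirectoryPro="
                + token.getTokenID().toString() + "; Path=/; Secure; HttpOnly");

        // Step 13 and Session Validation: what the agent checks on the next
        // request, plus the session data stored in step 10.
        SSOTokenManager mgr = SSOTokenManager.getInstance();
        System.out.println("valid=" + mgr.isValidToken(token)
                + " authType=" + token.getProperty("AuthType")
                + " authLevel=" + token.getProperty("AuthLevel"));
    }
}
```

The point worth checking in any client built on this API is the status test after the callback loop: hasMoreRequirements() returning false means the module has nothing more to ask, not that the user authenticated, so a session token must be requested only after getStatus() reports SUCCESS.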