The Authentication Service provides different ways in which authentication can be applied. These different authentication methods can be accessed by specifying Login URL parameters, or through the authentication APIs (see Chapter 5, Using Authentication APIs and SPIs, in the Sun Java System Access Manager 7 2005Q4 Developer’s Guide for more information). Before an authentication module can be configured, the Core authentication service attribute realm Authentication Modules must be modified to include the specific authentication module name.
The Authentication Configuration service is used to define authentication modules for any of the following authentication types:
Once an authentication module is defined for one of these authentication types, the module can be configured to supply redirect URLs, as well as a post-processing Java class specification, based on a successful or failed authentication process.
For each of these methods, the user can either pass or fail the authentication. Once the determination has been made, each method follows this procedure. Step 1 through Step 3 follow a successful authentication; Step 4 follows both successful and failed authentication.
Access Manager confirms whether the authenticated user(s) is defined in the Directory Server data store and whether the profile is active.
The User Profile attribute in the Core Authentication module can be defined as Required, Dynamic, Dynamic with User Alias, or Ignored. Following a successful authentication, Access Manager confirms whether the authenticated user(s) is defined in the Directory Server data store and, if the User Profile value is Required, confirms that the profile is active. (This is the default case.) If the User Profile is Dynamically Configured, the Authentication Service will create the user profile in the Directory Server data store. If the User Profile is set to Ignore, the user validation will not be done.
Execution of the Authentication Post Processing SPI is accomplished.
The Core Authentication module contains an Authentication Post Processing Class attribute which may contain the authentication post-processing class name as its value. AMPostAuthProcessInterface is the post-processing interface. It can be executed on either successful or failed authentication or on logout.
The following properties are added to, or updated in, the session token and the user’s session is activated.
realm. This is the DN of the realm to which the user belongs.
Principal. This is the DN of the user.
Principals. This is a list of names to which the user has authenticated. (This property may have more than one value defined as a pipe separated list.)
UserId. This is the user’s DN as returned by the module, or in the case of modules other than LDAP or Membership, the user name. (All Principals must map to the same user. The UserID is the user DN to which they map.)
This property may be a non-DN value.
UserToken. This is a user name. (All Principals must map to the same user. The UserToken is the user name to which they map.)
Host. This is the host name or IP address for the client.
authLevel. This is the highest level to which the user has authenticated.
AuthType. This is a pipe separated list of authentication modules to which the user has authenticated (for example, module1|module2|module3).
clientType. This is the device type of the client browser.
Locale. This is the locale of the client.
CharSet. This is the determined character set for the client.
Role. Applicable for role-based authentication only, this is the role to which the user belongs.
Service. Applicable for service-based authentication only, this is the service to which the user belongs.
Access Manager looks for information on where to redirect the user after either a successful or failed authentication.
URL redirection can be to either an Access Manager page or a URL. The redirection is based on an order of precedence in which Access Manager looks for redirection based on the authentication method and whether the authentication has been successful or has failed. This order is detailed in the URL redirection portions of the following authentication methods sections.
In the Authentication Configuration service, you can assign URL redirection for successful or unsuccessful authentication. The URLs, themselves, are defined in the Login Success URL and Login Failure URL attributes in this service. In order to enable URL redirection, you must add the Authentication Configuration service to your realm to make it available to configure for a role, realm, or user. Make sure that you add an authentication module, such as LDAP - REQUIRED, when adding the Authentication Configuration service.
This method of authentication allows a user to authenticate to a realm or sub-realm. It is the default method of authentication for Access Manager. The authentication method for a realm is set by registering the Core Authentication module to the realm and defining the realm Authentication Configuration attribute.
The realm for authentication can be specified in the User Interface Login URL by defining the realm Parameter or the domain Parameter. The realm of a request for authentication is determined from the following, in order of precedence:
The domain parameter.
The realm parameter.
The value of the DNS Alias Names attribute in the Administration Service.
After calling the correct realm, the authentication module(s) to which the user will authenticate are retrieved from the realm Authentication Configuration attribute in the Core Authentication Service. The login URLs used to specify and initiate realm-based authentication are:
http://server_name.domain_name:port/amserver/UI/Login
http://server_name.domain_name:port/amserver/UI/Login?domain=domain_name
http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name
If there is no defined parameter, the realm will be determined from the server host and domain specified in the login URL.
Upon a successful or failed realm-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.
The redirection URL for successful realm-based authentication is determined by checking the following places in order of precedence:
A URL set by the authentication module.
A URL set by a goto Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile ( amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.
A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the iplanet-am-auth-login-success-url attribute as a global default.
The redirection URL for failed realm-based authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a gotoOnFail Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry ( amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.
A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).
A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.
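The two precedence lists above, as an added example that is not Access Manager code: a resolver that checks the module-set URL, the goto/gotoOnFail parameter, then the clientType custom files and finally the plain attributes, scope by scope. The scope order is a parameter so the role-, service- and user-based lists later in this chapter (which insert an extra role or service scope) can be expressed the same way; the entries, clientType names and URLs are constructed sample data.

```python
"""Resolve the post-authentication redirect URL in the order the
Access Manager 7 guide lists for realm-based authentication.
All configuration below is constructed sample data, not a real deployment."""

from dataclasses import dataclass, field

# Attribute consulted at each scope. The user's own profile (amUser.xml)
# uses a different attribute name from the role, realm and global entries.
ATTRS = {
    True:  {"user": "iplanet-am-user-success-url", "other": "iplanet-am-auth-login-success-url"},
    False: {"user": "iplanet-am-user-failure-url", "other": "iplanet-am-auth-login-failure-url"},
}

# Scopes in the order they are consulted for realm-based authentication.
# Role-based authentication would use ("user", "role", "other_role", "realm", "global"),
# service-based ("user", "service", "role", "realm", "global").
REALM_SCOPES = ("user", "role", "realm", "global")


@dataclass
class Entry:
    """One profile or entry: plain attribute values plus clientType custom-file overrides."""
    attrs: dict = field(default_factory=dict)         # attribute name -> URL
    client_attrs: dict = field(default_factory=dict)  # clientType -> {attribute name -> URL}

    def custom(self, client_type, name):
        """URL from the clientType custom files for this entry, if any."""
        return self.client_attrs.get(client_type, {}).get(name)


def resolve_redirect(success, module_url, param_url, entries, client_type, scopes=REALM_SCOPES):
    """Return (url, source). success selects the success or failure attribute set;
    param_url is the goto (success) or gotoOnFail (failure) Login URL parameter."""
    names = ATTRS[success]
    if module_url:                       # 1. URL set by the authentication module
        return module_url, "module"
    if param_url:                        # 2. URL set by the Login URL parameter
        return param_url, "goto" if success else "gotoOnFail"
    # 3. clientType custom files for every scope, then 4. plain attributes for every scope
    for pass_name in ("clientType", "attribute"):
        for scope in scopes:
            entry = entries.get(scope)
            if entry is None:
                continue
            name = names["user"] if scope == "user" else names["other"]
            url = entry.custom(client_type, name) if pass_name == "clientType" else entry.attrs.get(name)
            if url:
                return url, f"{pass_name}:{scope}"
    return None, "none"


# Constructed sample configuration: the user only has a clientType failure URL,
# the role only a plain success URL, the realm both kinds, and the global defaults.
SAMPLE = {
    "user": Entry(client_attrs={"genericHTML": {"iplanet-am-user-failure-url": "/user-failed-html"}}),
    "role": Entry(attrs={"iplanet-am-auth-login-success-url": "/role-success"}),
    "realm": Entry(
        attrs={"iplanet-am-auth-login-success-url": "/realm-success",
               "iplanet-am-auth-login-failure-url": "/realm-failure"},
        client_attrs={"genericHTML": {"iplanet-am-auth-login-success-url": "/realm-success-html"}},
    ),
    "global": Entry(attrs={"iplanet-am-auth-login-success-url": "/global-success",
                           "iplanet-am-auth-login-failure-url": "/global-failure"}),
}

if __name__ == "__main__":
    for success, client in ((True, "genericHTML"), (True, "wml"), (False, "genericHTML"), (False, "wml")):
        print(success, client, resolve_redirect(success, None, None, SAMPLE, client))
    print(resolve_redirect(True, None, "/app", SAMPLE, "genericHTML"))
```

Note that a clientType custom file at a lower scope (the realm) wins over a plain attribute at a higher scope (the role): the custom-file pass runs over all scopes before any plain attribute is read.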
Authentication modules are set for realms by first adding the Core Authentication service to the realm.
To Configure The Realm’s Authentication Attributes
Navigate to the realm for which you wish to add the Authentication Chain.
Click the Authentication tab.
Select the Default Authentication Chain from the pull down menu.
Select the Administrator Authentication Chain from the pull down menu. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The default authentication module is LDAP.
Once you have defined the authentication chains, click Save.
This authentication type only applies to Access Manager deployments that have been installed in Legacy mode.
This method of authentication allows a user to authenticate to an organization or sub-organization. It is the default method of authentication for Access Manager. The authentication method for an organization is set by registering the Core Authentication module to the organization and defining the Organization Authentication Configuration attribute.
The organization for authentication can be specified in the User Interface Login URL by defining the org Parameter or the domain Parameter. The organization of a request for authentication is determined from the following, in order of precedence:
The domain parameter.
The org parameter.
The value of the DNS Alias Names (Organization alias names) attribute in the Administration Service.
After calling the correct organization, the authentication module(s) to which the user will authenticate are retrieved from the Organization Authentication Configuration attribute in the Core Authentication Service. The login URLs used to specify and initiate organization-based authentication are:
http://server_name.domain_name:port/amserver/UI/Login
http://server_name.domain_name:port/amserver/UI/Login?domain=domain_name
http://server_name.domain_name:port/amserver/UI/Login?org=org_name
If there is no defined parameter, the organization will be determined from the server host and domain specified in the login URL.
Upon a successful or failed organization-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.
The redirection URL for successful organization-based authentication is determined by checking the following places in order of precedence:
A URL set by the authentication module.
A URL set by a goto Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile ( amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s organization entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.
A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s organization entry.
A URL set in the iplanet-am-auth-login-success-url attribute as a global default.
The redirection URL for failed organization-based authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a gotoOnFail Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry ( amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s organization entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.
A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).
A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s organization entry.
A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.
Authentication modules are set for an organization by first adding the Core Authentication service to the organization.
To Configure The Organization’s Authentication Attributes
Navigate to the organization for which you wish to add the Authentication Chain.
Click the Authentication tab.
Select the Default Authentication Chain from the pull down menu.
Select the Administrator Authentication Chain from the pull down menu. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The default authentication module is LDAP.
Once you have defined the authentication chains, click Save.
This method of authentication allows a user to authenticate to a role (either static or filtered) within a realm or sub-realm.
The Authentication Configuration Service must first be registered to the realm before it can be registered as an instance to the role.
For authentication to be successful, the user must belong to the role and they must authenticate to each module defined in the Authentication Configuration Service instance configured for that role. For each instance of role-based authentication, the following attributes can be specified:
Conflict Resolution Level. This sets a priority level for the Authentication Configuration Service instance defined for different roles that both may contain the same user. For example, if User1 is assigned to both Role1 and Role2, a higher conflict resolution level can be set for Role1 so when the user attempts authentication, Role1 will have the higher priority for success or failure redirects and post-authentication processes.
Authentication Configuration. This defines the authentication modules configured for the role’s authentication process.
Login Success URL. This defines the URL to which a user is redirected on successful authentication.
Login Failed URL. This defines the URL to which a user is redirected on failed authentication.
Authentication Post Processing Classes. This defines the post-authentication interface.
Role-based authentication can be specified in The User Interface Login URL by defining a role Parameter. After calling the correct role, the authentication module(s) to which the user will authenticate are retrieved from the Authentication Configuration Service instance defined for the role.
The login URLs used to specify and initiate this role-based authentication are:
http://server_name.domain_name:port/amserver/UI/Login?role=role_name
http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&role=role_name
If the realm Parameter is not configured, the realm to which the role belongs is determined from the server host and domain specified in the login URL itself.
Upon a successful or failed role-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.
The redirection URL for successful role-based authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a goto Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile ( amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the role to which the user has authenticated.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of another role entry of the authenticated user. (This option is a fallback if the previous redirection URL fails.)
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.
A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).
A URL set in the iplanet-am-auth-login-success-url attribute of the role to which the user has authenticated.
A URL set in the iplanet-am-auth-login-success-url attribute of another role entry of the authenticated user. (This option is a fallback if the previous redirection URL fails.)
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the iplanet-am-auth-login-success-url attribute as a global default.
The redirection URL for failed role-based authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a goto Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s profile ( amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the role to which the user has authenticated.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of another role entry of the authenticated user. (This option is a fallback if the previous redirection URL fails.)
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.
A URL set in the iplanet-am-user-failure-url attribute of the user’s profile (amUser.xml).
A URL set in the iplanet-am-auth-login-failure-url attribute of the role to which the user has authenticated.
A URL set in the iplanet-am-auth-login-failure-url attribute of another role entry of the authenticated user. (This option is a fallback if the previous redirection URL fails.)
A URL set in the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set in the iplanet-am-auth-login-failure-url attribute as a global default.
To Configure Role-Based Authentication
Navigate to the realm (or organization) to which you will add the authentication configuration service.
Click the Subjects tab.
Click Filtered Roles or Roles.
Select the role for which to set the authentication configuration.
If the Authentication Configuration service has not been added to the role, click Add, select Authentication Service and click Next.
Select the Default Authentication Chain that you wish to enable from the pull down menu.
Click Save.
If you are creating a new role, the Authentication Configuration service is not automatically assigned to it. Make sure that you select the Authentication Configuration service option at the top of the role profile page before you create it.
When role-based authentication is enabled, the LDAP authentication module can be left as the default, as there is no need to configure Membership.
This method of authentication allows a user to authenticate to a specific service or application registered to a realm or sub-realm. The service is configured as a Service Instance within the Authentication Configuration Service and is associated with an Instance Name. For authentication to be successful, the user must authenticate to each module defined in the Authentication Configuration service instance configured for the service. For each instance of service-based authentication, the following attributes can be specified:
Authentication Configuration. This defines the authentication modules configured for the service’s authentication process.
Login Success URL. This defines the URL to which a user is redirected on successful authentication.
Login Failed URL. This defines the URL to which a user is redirected on failed authentication.
Authentication Post Processing Classes. This defines the post-authentication interface.
Service-based authentication can be specified in the User Interface Login URL by defining a service Parameter. After calling the service, the authentication module(s) to which the user will authenticate are retrieved from the Authentication Configuration service instance defined for the service.
The login URLs used to specify and initiate this service-based authentication are:
http://server_name.domain_name:port/amserver/UI/Login?service=auth-chain-name
and
http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&service=auth-chain-name
If there is no configured realm parameter, the realm will be determined from the server host and domain specified in the login URL itself.
Upon a successful or failed service-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.
The redirection URL for successful service-based authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a goto Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile ( amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the service to which the user has authenticated.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.
A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).
A URL set in the iplanet-am-auth-login-success-url attribute of the service to which the user has authenticated.
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the iplanet-am-auth-login-success-url attribute as a global default.
The redirection URL for failed service-based authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a goto Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s profile ( amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the service to which the user has authenticated.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.
A URL set in the iplanet-am-user-failure-url attribute of the user’s profile (amUser.xml).
A URL set in the iplanet-am-auth-login-failure-url attribute of the service to which the user has authenticated.
A URL set in the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set in the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set in the iplanet-am-auth-login-failure-url attribute as a global default.
To Configure Service-Based Authentication
Authentication modules are set for services after adding the Authentication Configuration service. To do so:
Choose the realm for which you wish to configure service-based authentication.
Click the Authentication tab.
Create the authentication module instances.
Create the authentication chains.
Click Save.
To access service-based authentication for the realm, enter the following address:
http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&service=auth-chain-name
This method of authentication allows a user to authenticate to an authentication process configured specifically for the user. The process is configured as a value of the User Authentication Configuration attribute in the user’s profile. For authentication to be successful, the user must authenticate to each module defined.
User-based authentication can be specified in the User Interface Login URL by defining a user Parameter. After calling the correct user, the authentication module(s) to which the user will authenticate are retrieved from the User Authentication Configuration instance defined for the user.
The login URLs used to specify and initiate this user-based authentication are:
http://server_name.domain_name:port/amserver/UI/Login?user=user_name
http://server_name.domain_name:port/amserver/UI/Login?org=org_name&user=user_name
If there is no configured realm Parameter, the realm to which the user belongs will be determined from the server host and domain specified in the login URL itself.
On receiving a request for user-based authentication, the Authentication service first verifies that the user is a valid user and then retrieves the Authentication Configuration data for them. In the case where there is more than one valid user profile associated with the value of the user Login URL parameter, all profiles must map to the specified user. The User Alias Attribute (iplanet-am-user-alias-list) in the User profile is where other profiles belonging to the user can be defined. If mapping fails, the user is denied a valid session. The exception would be if one of the users is a top-level admin, in which case the user mapping validation is not done and the user is given top-level Admin rights.
Upon a successful or failed user-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.
The redirection URL for successful user-based authentication is determined by checking the following places in order of precedence:
A URL set by the authentication module.
A URL set by a goto Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile ( amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.
A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the iplanet-am-auth-login-success-url attribute as a global default.
The redirection URL for failed user-based authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a gotoOnFail Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry ( amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.
A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).
A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.
To Configure User-Based Authentication
Navigate to the realm in which you wish to configure authentication for the user.
Click the Subjects tab and click Users.
Click the name of the user you wish to modify.
The User Profile is displayed.
If you are creating a new user, the Authentication Configuration service is not automatically assigned to the user. Make sure that you select the Authentication Configuration service option in the Service profile before you create the user. If this option is not selected, the user will not inherit the authentication configuration defined for the role.
In the User Authentication Configuration attribute, select the authentication chain you wish to apply.
Click Save.
Each authentication module can be associated with an integer value for its authentication level. Authentication levels can be assigned by clicking the authentication module’s Properties arrow in Service Configuration, and changing the corresponding value for the module’s Authentication Level attribute. Higher authentication levels define a higher level of trust for the user once that user has authenticated to one or more authentication modules.
The authentication level will be set on a user’s SSO token after the user has successfully authenticated to the module. If the user is required to authenticate to multiple authentication modules, and does so successfully, the highest authentication level value will be set in the user’s SSO token.
If a user attempts to access a service, the service can determine if the user is allowed access by checking the authentication level in the user’s SSO token. It then redirects the user to go through the authentication modules with a set authentication level.
Users can also access authentication modules with a specific authentication level. For example, a user performs a login with the following syntax:
http://hostname:port/deploy_URI/UI/Login?authlevel=auth_level_value
All modules whose authentication level is greater than or equal to auth_level_value will be displayed as an authentication menu for the user to choose from. If only one matching module is found, then the login page for that authentication module will be directly displayed.
This method of authentication allows an administrator to specify the security level of the modules to which identities can authenticate. Each authentication module has a separate Authentication Level attribute and the value of this attribute can be defined as any valid integer. With Authentication Level-based authentication, the Authentication Service displays a module login page with a menu containing the authentication modules that have authentication levels equal to or greater than the value specified in the Login URL parameter. Users can select a module from the presented list. Once the user selects a module, the remaining process is based on Module-based Authentication.
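The authentication-level behaviour described above, as an added example that is not Access Manager code: selecting the module menu for a given authlevel Login URL parameter, deriving the authLevel and AuthType session properties after a chain completes, and a service's check against the token. The module names and their Authentication Level values are constructed sample data; the handling of a non-integer authlevel value is this example's choice.

```python
"""Authentication level handling as described in the Access Manager 7 guide.
Module levels below are constructed sample data, not a real configuration."""

from urllib.parse import parse_qs, urlsplit

# Constructed: module instance name -> value of its Authentication Level attribute.
MODULE_LEVELS = {"LDAP": 0, "Membership": 0, "Cert": 10, "SafeWord": 20}


def requested_authlevel(login_url):
    """Integer value of the authlevel Login URL parameter, or None if it is
    absent or not a valid integer (the guide only defines integer values)."""
    values = parse_qs(urlsplit(login_url).query).get("authlevel")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None


def modules_for_level(requested, levels=MODULE_LEVELS):
    """Modules whose Authentication Level is greater than or equal to the requested value."""
    return sorted(name for name, level in levels.items() if level >= requested)


def login_page_for(login_url, levels=MODULE_LEVELS):
    """What the Authentication Service shows for a Login?authlevel=... request:
    ('menu', [modules]) when several modules qualify, ('module', name) when
    exactly one does (its login page is shown directly), ('none', []) when
    none does, ('invalid', []) when the parameter is missing or not an integer."""
    requested = requested_authlevel(login_url)
    if requested is None:
        return ("invalid", [])
    matches = modules_for_level(requested, levels)
    if len(matches) == 1:
        return ("module", matches[0])
    if matches:
        return ("menu", matches)
    return ("none", [])


def session_properties(authenticated_modules, levels=MODULE_LEVELS):
    """authLevel (highest level among the modules authenticated to) and AuthType
    (pipe separated module list) as they are written to the SSO token."""
    if not authenticated_modules:
        raise ValueError("no module authenticated")
    return {
        "authLevel": max(levels[m] for m in authenticated_modules),
        "AuthType": "|".join(authenticated_modules),
    }


def service_allows(session, required_level):
    """A service's check: allow if the token's authLevel meets the requirement,
    otherwise return the login URL that raises the user to the required level."""
    if int(session["authLevel"]) >= required_level:
        return (True, None)
    return (False, f"/amserver/UI/Login?authlevel={required_level}")


if __name__ == "__main__":
    base = "http://sso.example.com:8080/amserver/UI/Login?authlevel="
    for value in ("0", "10", "15", "30", "abc"):
        print(value, login_page_for(base + value))
    token = session_properties(["LDAP", "Cert"])
    print(token, service_allows(token, 20))
```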
Authentication level-based authentication can be specified in the User Interface Login URL by defining the authlevel Parameter. After calling the login screen with the relevant list of modules, the user must choose one with which to authenticate. The login URLs used to specify and initiate authentication level-based authentication are:
http://server_name.domain_name:port/amserver/UI/Login?authlevel=authentication_level
and
http://server_name.domain_name:port/amserver/UI/Login?realm=realm_name&authlevel=authentication_level
If there is no configured realm parameter, the realm to which the user belongs will be determined from the server host and domain specified in the login URL itself.
Upon a successful or failed authentication level-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.
The redirection URL for successful authentication level-based authentication is determined by checking the following places in order of precedence:
A URL set by the authentication module.
A URL set by a goto Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.
A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the iplanet-am-auth-login-success-url attribute as a global default.
The redirection URL for failed authentication level-based authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a gotoOnFail Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry (amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.
A URL set for the iplanet-am-user-failure-url attribute in the user’s entry (amUser.xml).
A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.
Users can access a specific authentication module using the following syntax:
http://hostname:port/deploy_URI/UI/Login?module=module_name
Before the authentication module can be accessed, the Core authentication service attribute realm Authentication Modules must be modified to include the authentication module name. If the authentication module name is not included in this attribute, the “authentication module denied” page will be displayed when the user attempts to authenticate.
This method of authentication allows a user to specify the module to which they will authenticate. The specified module must be registered to the realm or sub-realm that the user is accessing. This is configured in the realm Authentication Modules attribute of the realm’s Core Authentication Service. On receiving a request for module-based authentication, the Authentication Service verifies that the module is configured as noted; if the module is not defined, the user is denied access.
Module-based authentication can be specified in the User Interface Login URL by defining the module parameter. The login URLs used to specify and initiate module-based authentication are:
http://server_name.domain_name:port/amserver/UI/Login?module=authentication_module_name
and
http://server_name.domain_name:port/amserver/UI/Login?org=org_name&module=authentication_module_name
If there is no configured org parameter, the realm to which the user belongs will be determined from the server host and domain specified in the login URL itself.
Upon a successful or failed module-based authentication, Access Manager looks for information on where to redirect the user. Following is the order of precedence in which the application will look for this information.
The redirection URL for successful module-based authentication is determined by checking the following places in order of precedence:
A URL set by the authentication module.
A URL set by a goto Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-success-url attribute as a global default.
A URL set in the iplanet-am-user-success-url attribute of the user’s profile (amUser.xml).
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s role entry.
A URL set in the iplanet-am-auth-login-success-url attribute of the user’s realm entry.
A URL set in the iplanet-am-auth-login-success-url attribute as a global default.
The redirection URL for failed module-based authentication is determined by checking the following places in the following order:
A URL set by the authentication module.
A URL set by a gotoOnFail Login URL parameter.
A URL set in the clientType custom files for the iplanet-am-user-failure-url attribute of the user’s entry (amUser.xml).
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set in the clientType custom files for the iplanet-am-auth-login-failure-url attribute as a global default.
A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s role entry.
A URL set for the iplanet-am-auth-login-failure-url attribute of the user’s realm entry.
A URL set for the iplanet-am-auth-login-failure-url attribute as the global default.
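The following is an added example, not Access Manager code, that walks the redirect precedence lists given above for both authentication level-based and module-based authentication: module-set URL, then the goto or gotoOnFail Login URL parameter, then the clientType custom files for the user, role, realm and global attributes, then the same attributes without clientType customization. The source keys and sample URLs are constructed; only the attribute and parameter names come from the lists above.

```python
# Added example (not Access Manager code): redirect URL resolution by precedence.
from typing import Dict, List, Optional


def redirect_precedence(outcome: str) -> List[str]:
    """Lookup keys, highest precedence first, for outcome 'success' or 'failure'.
    Key forms (constructed for this example):
      'module'                 URL set by the authentication module
      'param:<name>'           goto / gotoOnFail Login URL parameter
      'clientType:<attr>@<scope>'  attribute in the clientType custom files
      '<attr>@<scope>'         attribute itself, scope in user/role/realm/global"""
    if outcome == "success":
        param = "goto"
        user_attr, auth_attr = "iplanet-am-user-success-url", "iplanet-am-auth-login-success-url"
    elif outcome == "failure":
        param = "gotoOnFail"
        user_attr, auth_attr = "iplanet-am-user-failure-url", "iplanet-am-auth-login-failure-url"
    else:
        raise ValueError(f"unknown outcome: {outcome}")
    # The user-level attribute lives in amUser.xml; role, realm and global use the
    # auth-login attribute. clientType custom files take precedence over plain values.
    scoped = [f"{user_attr}@user", f"{auth_attr}@role",
              f"{auth_attr}@realm", f"{auth_attr}@global"]
    return ["module", f"param:{param}"] + [f"clientType:{s}" for s in scoped] + scoped


def resolve_redirect(outcome: str, sources: Dict[str, str]) -> Optional[str]:
    """Return the first non-empty URL found in precedence order, or None if no
    source sets one (the caller then falls back to whatever default it has)."""
    for key in redirect_precedence(outcome):
        url = sources.get(key)
        if url:
            return url
    return None


# Constructed deployment: the module sets nothing, this request carried a goto
# parameter, the realm has a failure URL in its clientType custom files, and
# global defaults exist for both outcomes.
SAMPLE_SOURCES: Dict[str, str] = {
    "param:goto": "https://portal.example.com/home",
    "clientType:iplanet-am-auth-login-failure-url@realm": "https://sso.example.com/realm-failed",
    "iplanet-am-auth-login-success-url@global": "https://sso.example.com/default-success",
    "iplanet-am-auth-login-failure-url@global": "https://sso.example.com/default-failed",
}
```

Because a goto parameter outranks every stored attribute, a deployment that accepts arbitrary goto values should validate them against an allow-list before relying on this order.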