Sun OpenSSO Enterprise 8.0 Administration Guide

Authenticating Based on Resource

In a typical authentication scenario, if a user attempts access to a web resource without authentication credentials, the policy agent redirects the user to the default OpenSSO Enterprise authentication module login page even if the resource is protected by a different authentication module. Thus, the user must authenticate to both modules. The Gateway servlet provides resource authentication which allows the user to bypass the default authentication module and authenticate against the module protecting the resource only.

The Gateway servlet has the following limitations:

To use resource authentication, you must ensure certain configurations on the web container installed on the resource server machine, and you must also configure OpenSSO Enterprise and the policy agent.

Procedure: To Configure Resource Authentication

Once both OpenSSO Enterprise and a policy agent have been installed and a profile has been created for the policy agent, resource-based authentication can be configured. To do this, it is necessary to point OpenSSO Enterprise to the Gateway servlet.

Before You Begin

Ensure the following configurations on the web container installed on the resource's server machine. Check your container's documentation for more information.

  1. Log in to the OpenSSO Enterprise console as administrator; by default, amadmin.

  2. Under the Configuration tab, click Authentication.

  3. Click the Certificate Service Name.

  4. Enable Match Certificate in LDAP by checking the box.

  5. Select Subject UID as the value for Certificate Field Used to Access User Profile.

  6. Enter 54430 as a value for SSL Port Number.

    This port number must match the port number used for the web container's SSL client authentication listener port.

  7. Type 2 as the value for the Authentication Level attribute.

    The value used must be greater than the level defined for LDAP authentication.

  8. Click Save.

  9. Click Back to Service Configuration.

  10. Under the Access Control tab, click the name of the realm to which the policy agent belongs.

  11. Click the Policies tab and add policies as follows.

    • Policy 1 has a condition of LDAP authentication only for http://agent-machine.domain/banner.html.

    • Policy 2 has a condition of Certificate authentication only for http://agent-machine.domain/banner2.html.

    • Policy 3 has a condition of LDAP authentication and a level of Certificate authentication for http://agent-machine.domain/banner3.html.

  12. Click the Agents tab.

  13. Click on the Web or J2EE tab depending on the agent being used.

  14. Click on the Agent Profile name of the policy agent.

  15. Under OpenSSO Services, enter the following URL as the value of the OpenSSO Login URL attribute:

    http://OpenSSO Enterprise_host.domain:port/opensso/gateway

  16. Add the following line to the file:

    com.sun.am.policy.am.loginURL = http://OpenSSO Enterprise_host.domain:port/opensso/gateway


    Note –

    The gateway servlet is developed using the Policy Evaluation APIs and can be used to write a custom mechanism to accomplish resource-based authentication. See the Sun OpenSSO Enterprise 8.0 Developer’s Guide.
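As an added illustration that is not part of the guide or of the OpenSSO product, the following Python models the three policies from step 11 and the authentication levels from step 7, and shows which module(s) the gateway servlet must obtain for each resource and whether a given session satisfies the policy. The LDAP level of 1, the deny-by-default for resources without a policy, and the "session level is the highest module level used" rule are assumptions, not taken from the guide.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Authentication levels: the procedure sets the Certificate module to 2,
# which must exceed the LDAP module's level (assumed here to be 1).
AUTH_LEVELS = {"LDAP": 1, "Cert": 2}


@dataclass
class Policy:
    """One policy: protected resource, required auth scheme, minimum auth level."""
    resource: str
    scheme: str          # module the user must have authenticated with
    min_level: int = 0   # 0 means the policy carries no auth-level condition


# The three policies from step 11 (agent-machine.domain is the guide's placeholder).
POLICIES = [
    Policy("http://agent-machine.domain/banner.html", "LDAP"),
    Policy("http://agent-machine.domain/banner2.html", "Cert"),
    Policy("http://agent-machine.domain/banner3.html", "LDAP", AUTH_LEVELS["Cert"]),
]


@dataclass
class Session:
    """Modules the user has authenticated with in the current SSO session."""
    schemes: Set[str]

    @property
    def level(self) -> int:
        # Assumption: the session's level is the highest level among the modules used.
        return max((AUTH_LEVELS[s] for s in self.schemes), default=0)


def find_policy(resource: str) -> Optional[Policy]:
    return next((p for p in POLICIES if p.resource == resource), None)


def required_modules(resource: str) -> Set[str]:
    """Modules the gateway must collect so the agent will later grant access."""
    p = find_policy(resource)
    if p is None:
        return set()
    needed = {p.scheme}
    if p.min_level > AUTH_LEVELS[p.scheme]:
        # The required scheme alone cannot reach the level; add the weakest module that can.
        strong = [m for m, lvl in AUTH_LEVELS.items() if lvl >= p.min_level]
        if not strong:
            raise ValueError(f"no module reaches auth level {p.min_level} for {resource}")
        needed.add(min(strong, key=AUTH_LEVELS.__getitem__))
    return needed


def is_allowed(resource: str, session: Session) -> bool:
    """Policy evaluation for an already-authenticated session (deny if no policy)."""
    p = find_policy(resource)
    return p is not None and p.scheme in session.schemes and session.level >= p.min_level
```

A user who only authenticated to the default LDAP module is denied banner3.html, which is exactly the double-authentication case the gateway servlet avoids by sending the user to the Certificate module up front.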