The following use case scenarios explore the custom authentication flow:
Table 21 details the EPM System user directory configuration and search order used in this scenario. This scenario assumes that the custom authentication module uses an RSA infrastructure to authenticate users.
Table 21. Setup for Scenario 1
User Directory Type and Name | Search Order | Custom Authentication | Sample User Names | Password[1] |
---|---|---|---|---|
Native Directory | 1 | Disabled | test_user_1 test_user_2 test_user_3 | password |
LDAP-Enabled SunONE_West | 2 | Disabled | test_ldap1 test_ldap_2 test_user_3 test_ldap_4 | ldappassword |
LDAP-Enabled SunONE_East | 3 | Enabled | test_ldap1 test_ldap_2 test_user_3 | ldappassword on SunONE and RSA PIN in custom module |
To initiate the authentication process, a user enters a user name and password on the logon screen of an EPM System product.
In this scenario, the custom authentication module performs the following actions:
Accepts a user name and RSA PIN as the user credentials
Returns a user name in username@providername format, for example, test_ldap_2@SunONE_East, to EPM System security.
Table 22. User interaction and results
User Name and Password | Authentication Result | Login User Directory |
---|---|---|
test_user_1/password | Success | Native Directory |
test_user_3/password | Success | Native Directory |
test_user_3/ldappassword | Success | SunONE_West (search order 2)[1] |
test_user_3/RSA PIN | Success | SunONE_East (search order 3)[2] |
test_ldap_2/ldappassword | Success | SunONE_West (search order 2) |
test_ldap_4/RSA PIN | Failure. EPM System displays an authentication error.[3] | |
1 The custom authentication module cannot authenticate this user because the user entered EPM System credentials. EPM System can identify this user only in a user directory that is not enabled for custom authentication. The user is not authenticated in Native Directory (search order number 1) but is identified in SunONE West (search order number 2).
2 EPM System does not find this user in Native Directory (search order number 1) or SunONE West (search order number 2). The custom authentication module validates the user against the RSA Server and returns test_user_3@SunONE_East to EPM System. EPM System locates the user in SunONE East (search order number 3), which is a custom authentication–enabled user directory.
3 Oracle recommends that all users authenticated by the custom module be present in a custom authentication–enabled user directory included in the search order. Login fails if the user name that is returned by the custom authentication module is not present in a custom authentication–enabled user directory included in the search order.
Table 23 details the EPM System user directory configuration and search order used in this scenario. This scenario assumes that the custom authentication module uses an RSA infrastructure to authenticate users.
In this scenario, the custom authentication module performs the following actions:
Accepts a user name and RSA PIN as the user credentials
Returns a user name, for example, test_ldap_2, to EPM System security
Table 23. A sample search order
User Directory | Search Order | Custom Authentication | Sample User Names | Password[1] |
---|---|---|---|---|
Native Directory | 1 | Disabled | test_user_1 test_user_2 test_user_3 | password |
LDAP-Enabled, for example, SunONE | 2 | Enabled | test_ldap1 test_ldap2 test_user_3 | ldappassword on SunONE and RSA PIN in custom module |
To initiate the authentication process, a user enters a user name and password on the login screen of an EPM System product.
Table 24. User interaction and results
User Name and Password | Login Result | Login User Directory |
---|---|---|
test_user_1/password | Success | Native Directory |
test_user_3/password | Success | Native Directory |
test_user_3/ldappassword | Failure | SunONE[1] |
test_user_3/RSA PIN | Success | SunONE[2] |
1 Authentication of the user against Native Directory fails because of a password mismatch. Authentication of the user through the custom authentication module fails because the password used is not a valid RSA PIN. EPM System does not try to authenticate this user in SunONE (search order 2), because custom authentication settings override EPM System authentication in this directory.
Table 25 details the EPM System user directory configuration and search order used in this scenario. This scenario assumes that the custom authentication module uses an RSA infrastructure to authenticate users.
For clarity in such scenarios, Oracle recommends that your custom authentication module return the user name in username@providername format; for example, test_ldap_4@SunONE.
Table 25. A sample search order
User Directory | Search Order | Custom Authentication | Sample User Names | Password[1] |
---|---|---|---|---|
Native Directory | 1 | Enabled | test_user_1 test_user_2 test_user_3 | RSA_PIN |
LDAP-Enabled, for example, MSAD | 2 | Disabled | test_ldap1 test_ldap_4 test_user_3 | ldappassword |
LDAP-Enabled, for example, SunONE | 3 | Enabled | test_ldap1 test_ldap_4 test_user_3 | ldappassword on SunONE and RSA PIN in custom module |
To initiate the authentication process, a user enters a user name and password on the logon screen of an EPM System product.
Table 26. User interaction and results
User Name and Password | Authentication Result | Login User Directory |
---|---|---|
test_user_1/password | Success | Native Directory |
test_user_3/RSA_PIN | Success | Native Directory |
test_user_3/ldappassword | Success | MSAD (search order 2) |
test_ldap_4/ldappassword | Success | MSAD (search order 2) |
test_ldap_4/RSA PIN | Success | SunONE (search order 3) |
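The three scenarios apply one resolution flow to different search orders. The following Python model is an added example, not Oracle's code: it encodes the flow as Tables 21 through 26 and their footnotes describe it, reproduces the rows of Tables 22, 24 and 26, and shows why the username@providername form matters when the same user exists in more than one custom authentication–enabled directory. The step ordering (Native Directory's own password first, then the custom module, then the remaining directories that are not enabled for custom authentication), the `RsaPinModule` stand-in with its per-user PIN placeholders, the Native Directory passwords in Scenario 3, and the enrolment of test_ldap_4 in the RSA store are assumptions inferred from the table rows, not statements from the page.

```python
"""Model of the EPM System custom-authentication resolution flow.

Added example, not Oracle's code: it encodes the behaviour that Tables 21-26
and their footnotes describe; the step ordering is an assumption chosen so
that every table row is reproduced.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Directory:
    name: str
    search_order: int
    custom_auth: bool   # the "Custom Authentication" column
    users: dict         # user name -> password held by the directory itself


@dataclass
class RsaPinModule:
    """Stand-in for a custom module backed by an RSA server (constructed).

    `pins` maps enrolled users to a placeholder PIN standing in for a real
    one-time passcode; `provider`, when set, yields the username@providername form.
    """
    pins: dict
    provider: Optional[str] = None

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """Return the user name EPM System should look up, or None on rejection."""
        if self.pins.get(user) != password:
            return None
        return f"{user}@{self.provider}" if self.provider else user


def resolve_login(user, password, dirs, module):
    """Return ("Success", directory name) or ("Failure", None) for one login.

    Modelled order (an assumption derived from the footnotes):
      1. Native Directory is checked with its own password.
      2. The custom module is invoked. A returned name is looked up only in
         custom-auth-enabled directories (the named one if "@provider" is
         present, otherwise the first in search order). A module success that
         matches no enabled directory fails outright (Table 22, footnote 3).
      3. Otherwise the remaining directories with custom auth disabled are
         tried in search order; enabled directories are never checked with
         their own password (Table 24, footnote 1).
    """
    ordered = sorted(dirs, key=lambda d: d.search_order)
    native = next((d for d in ordered if d.name == "Native Directory"), None)
    if native is not None and native.users.get(user) == password:
        return ("Success", native.name)

    returned = module.authenticate(user, password)
    if returned is not None:
        name, _, provider = returned.partition("@")
        for d in ordered:
            if not d.custom_auth or name not in d.users:
                continue
            if provider and d.name != provider:
                continue
            return ("Success", d.name)
        return ("Failure", None)

    for d in ordered:
        if d.custom_auth or d is native:
            continue
        if d.users.get(user) == password:
            return ("Success", d.name)
    return ("Failure", None)


PIN = "RSA PIN"   # constructed placeholder for the "RSA PIN" password value in the tables


def _pw(users, password):
    return {u: password for u in users}


# Scenario 1 (Tables 21 and 22). test_ldap_4 being enrolled in the RSA store is
# assumed: footnote 3 implies the module returned a name no enabled directory holds.
SCENARIO_1 = [
    Directory("Native Directory", 1, False, _pw(("test_user_1", "test_user_2", "test_user_3"), "password")),
    Directory("SunONE_West", 2, False, _pw(("test_ldap1", "test_ldap_2", "test_user_3", "test_ldap_4"), "ldappassword")),
    Directory("SunONE_East", 3, True, _pw(("test_ldap1", "test_ldap_2", "test_user_3"), "ldappassword")),
]
MODULE_1 = RsaPinModule(_pw(("test_ldap1", "test_ldap_2", "test_user_3", "test_ldap_4"), PIN), provider="SunONE_East")

# Scenario 2 (Tables 23 and 24); the module returns a bare user name.
SCENARIO_2 = [
    Directory("Native Directory", 1, False, _pw(("test_user_1", "test_user_2", "test_user_3"), "password")),
    Directory("SunONE", 2, True, _pw(("test_ldap1", "test_ldap2", "test_user_3"), "ldappassword")),
]
MODULE_2 = RsaPinModule(_pw(("test_ldap1", "test_ldap2", "test_user_3"), PIN))

# Scenario 3 (Tables 25 and 26). Native Directory holding "password" for its
# users is assumed from Table 26 row 1; Table 25 lists only the RSA PIN.
SCENARIO_3 = [
    Directory("Native Directory", 1, True, _pw(("test_user_1", "test_user_2", "test_user_3"), "password")),
    Directory("MSAD", 2, False, _pw(("test_ldap1", "test_ldap_4", "test_user_3"), "ldappassword")),
    Directory("SunONE", 3, True, _pw(("test_ldap1", "test_ldap_4", "test_user_3"), "ldappassword")),
]
MODULE_3 = RsaPinModule(_pw(("test_user_1", "test_user_2", "test_user_3", "test_ldap1", "test_ldap_4"), PIN))
MODULE_3_QUALIFIED = RsaPinModule(MODULE_3.pins, provider="SunONE")  # the recommended name@provider form


if __name__ == "__main__":
    rows = [("test_user_1", "password"), ("test_user_3", PIN), ("test_user_3", "ldappassword"),
            ("test_ldap_4", "ldappassword"), ("test_ldap_4", PIN)]
    for label, module in (("bare name", MODULE_3), ("name@provider", MODULE_3_QUALIFIED)):
        print(f"Scenario 3, module returns {label}:")
        for user, pw in rows:
            result, directory = resolve_login(user, pw, SCENARIO_3, module)
            print(f"  {user}/{pw:<12} -> {result:<7} {directory}")
```

Two behaviours in the model are the ones worth verifying in a real deployment: a module success whose returned name exists in no custom authentication–enabled directory fails closed rather than falling back to directory passwords, and a bare user name resolves to the first enabled directory in the search order, so in Scenario 3 test_user_3 lands in Native Directory while test_user_3@SunONE lands in SunONE. That ambiguity is what the username@providername recommendation removes.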