
The authentication service can be used directly by applications to enable authentication, or it can be used in conjunction with the Reverse Proxy found in the Access Manager. Regardless of how it is called, it provides the ability to carry out authentication based on Passwords and Security Tokens. The service may be extended to allow for use with other forms of authentication. This is done through the use of Login modules.

Password Authentication may also be used in conjunction with various repositories such as LDAP, Active Directory or a Relational database. The sections below describe how to configure the service for LDAP based authentication.

Password Authentication

During password authentication, the following steps are taken:

  • The service validates the login id
  • Determines which login module to use. The login module determines which backend to use for authentication
  • Checks the credentials against the repository
  • If successful, the system returns a response object containing a security token
  • If not successful, the system determines the cause of the failure and returns a response object containing the error code.

SSO Token Based Authentication

An SSO token or security token is an encrypted token that is generated during the authentication process and is refreshed on each request. This is not an OTP. Since the security token is equivalent to the userId, it is important that the token's integrity be maintained. This is carried out by the reverse proxy using the steps below:

  • The service validates the Security Token
    • Validates the signature used to sign the assertion
    • Validates that the token has not expired
    • Validates the token structure against the token stored in the OpenIAM repository for that user
  • If successful, the system returns a response object containing a refreshed security token
  • If not successful, the system determines the cause of the failure and returns a response object containing the error code.

The factors used to construct the token and the encryption algorithm are described in the Interface Design document.
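The token validation steps above, as an added example that is not OpenIAM's code: it assumes an HMAC-SHA256 signature over a JSON body and an in-memory dict standing in for the repository copy of each user's token, since the real token format and algorithm are in the Interface Design document. The checks run in the order listed (signature, expiry, comparison with the stored token), and a replayed older token is rejected because the repository copy has already been refreshed.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a server-side signing key (constructed for this example, not a real secret)
SECRET = b"constructed-demo-signing-key"
TOKEN_TTL = 300  # seconds a token stays valid after issue/refresh (assumed value)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(user_id: str, now: int, ttl: int = TOKEN_TTL) -> str:
    """Build '<base64 body>.<hmac hex>'; the body carries the user id and expiry."""
    body = json.dumps({"uid": user_id, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return f"{_b64(body)}.{sig}"


def validate_and_refresh(token: str, store: dict, now: int) -> dict:
    """store maps user_id -> the token last issued to that user (the repository copy).
    Returns {"status": "OK", "token": <refreshed>} or {"status": "FAIL", "error": <code>}."""
    try:
        body_b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(body_b64 + "=" * (-len(body_b64) % 4))
    except ValueError:
        return {"status": "FAIL", "error": "MALFORMED_TOKEN"}
    # Step 1: check the signature (constant-time) before trusting any claim in the body
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return {"status": "FAIL", "error": "INVALID_SIGNATURE"}
    claims = json.loads(body)
    # Step 2: expiry check
    if claims["exp"] <= now:
        return {"status": "FAIL", "error": "TOKEN_EXPIRED"}
    # Step 3: compare with the token stored for that user; a well-formed but
    # superseded token (e.g. one refreshed away on an earlier request) is rejected
    if not hmac.compare_digest(store.get(claims["uid"], ""), token):
        return {"status": "FAIL", "error": "TOKEN_MISMATCH"}
    # Success: refresh the token, persist the new copy, and return it to the caller
    new_token = issue_token(claims["uid"], now)
    store[claims["uid"]] = new_token
    return {"status": "OK", "token": new_token}
```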