Give Him OpenSSO Resource-based Authentication
Policy agents deployed to web containers and web proxy servers protect content from unauthorized intrusions. Access to this content (services, for example) is controlled through policies configured with OpenSSO. Here is a description of the interactions that occur when a policy agent interacts with OpenSSO.
- A policy agent intercepts the user's request and validates any authentication credentials contained within it. If the existing authentication level is insufficient, the OpenSSO Authentication Service will present a login page for an authentication upgrade. The login page prompts the user for the credentials appropriate to the configured module.
- The Authentication Service verifies that the user credentials are valid. For example, the LDAP authentication module verifies that the user name and password are the same as those stored in the LDAP identity data store. If other authentication modules are presented to the user (such as RADIUS or Certificate), the credentials are verified against the appropriately configured identity data store.
- Assuming the user's credentials are properly authenticated, the policy agent examines the policies assigned to the user.
- Based on the aggregate of the user's configured policies, the individual is either allowed or denied access to the resource.
NOTE: In this scenario, if the user attempts access to a web resource without authentication credentials, the agent redirects the user to the login page of the default authentication module. (Even if the resource is protected by a different authentication module, the user must first authenticate using the default authentication module.)
Because some customers require a scenario in which the user authenticates against a particular module based on the resource being accessed, the Gateway servlet provides resource-based authentication; there is no need for the user to authenticate to the default authentication module to access the protected web resource. When using the Gateway servlet:
- A web resource cannot be defined in more than one policy. For example, if abc.html is defined in a policy definition as requiring LDAP authentication, abc.html cannot be defined in a second policy definition as requiring Certificate authentication.
- Only the authentication level and authentication scheme conditions can be used when defining policies that the servlet will examine.
- Check that the following certificates are installed:
  - A certificate for the server (Server-Cert).
  - A certificate for the trusted Certificate Authority.
- Add a listen socket for simple Secure Sockets Layer (SSL) and one for SSL client authentication.
- Ensure that the listener port configuration requires SSL for client authentication.
- Log in to the OpenSSO console as the administrator.
- Click the Configuration tab and the Authentication tab under it.
- Click the Certificate Service Name link.
- Enable Match Certificate in LDAP by checking the box.
- Select Subject UID as the value for Certificate Field Used to Access User Profile.
- Enter 54430 as the value for SSL Port Number. This port number must match the port number used for the web container's SSL client authentication listener port in the previous procedure.
- Type 2 as the value for the Authentication Level attribute. The value used must be greater than the level defined for LDAP authentication.
- Click Save.
- Click Back to Service Configuration.
- Under the appropriate realm, add policies for three URL resources:
  - policy1 has a condition of LDAP authentication only for http://agent-machine.domain/banner.html.
  - policy2 has a condition of Cert authentication only for http://agent-machine.domain/banner2.html.
  - policy3 has a condition of LDAP authentication and a level of Certificate authentication for http://agent-machine.domain/banner3.html.
- Go to the installation directory for the agent protecting the resource on the web container host machine. For example, on Application Server, change to AppSvr-Directory/agents/j2ee_agents/appserver_v9_agent/Agent_001/config/.
- Change the value for com.sun.am.policy.am.loginURL from http://machine-name.domain:port/opensso/UI/Login to http://machine-name.domain:port/opensso/gateway in OpenSSOAgentBootstrap.properties. It is the only change to the policy agent configuration.
- Access to resource A is permitted only after successful LDAP authentication.
- Access to resource B is permitted only after successful Certificate-based authentication.
- Access to resource C is permitted only after both successful LDAP and Certificate-based authentication.
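As an added illustration, not OpenSSO code and not part of the original post, here is a small Python model of the two Gateway servlet rules and of the three policies above: it rejects a resource that appears in more than one policy, and for a request it reports which module the user must still authenticate with before access is granted. The module names and the LDAP level of 1 (below the Certificate level of 2 set above) are assumptions.

```python
from dataclasses import dataclass, field

# Assumed levels: the post sets Certificate to 2 and requires LDAP to be lower.
AUTH_LEVELS = {"LDAP": 1, "Cert": 2}


@dataclass(frozen=True)
class Policy:
    name: str
    resource: str
    schemes: frozenset = frozenset()  # authentication scheme conditions
    level: int = 0                    # authentication level condition


@dataclass
class Session:
    schemes: set = field(default_factory=set)  # modules already passed

    def level(self):
        return max((AUTH_LEVELS[s] for s in self.schemes), default=0)


def validate_policies(policies):
    """Gateway rule: a resource may be defined in only one policy."""
    owner = {}
    for p in policies:
        if p.resource in owner:
            raise ValueError(f"{p.resource} is in both {owner[p.resource]} and {p.name}")
        owner[p.resource] = p.name
    return owner


def decide(policies, resource, session):
    """Return ('allow', []) or ('deny', [modules still required])."""
    matching = [p for p in policies if p.resource == resource]
    if not matching:
        return "deny", []  # no policy grants access to this resource
    p = matching[0]
    missing = [s for s in sorted(p.schemes) if s not in session.schemes]
    if session.level() < p.level:
        # the level condition needs a module at or above that level (Cert for 2)
        missing += sorted(s for s, lvl in AUTH_LEVELS.items()
                          if lvl >= p.level and s not in session.schemes and s not in missing)
    return ("allow", []) if not missing else ("deny", missing)


# Constructed policies mirroring policy1..policy3 from the post.
BASE = "http://agent-machine.domain/"
POLICIES = [
    Policy("policy1", BASE + "banner.html", frozenset({"LDAP"})),
    Policy("policy2", BASE + "banner2.html", frozenset({"Cert"})),
    Policy("policy3", BASE + "banner3.html", frozenset({"LDAP"}), level=2),
]
```

Calling `decide(POLICIES, BASE + "banner3.html", Session({"LDAP"}))` returns `('deny', ['Cert'])`, the upgrade the gateway would have to perform for resource C.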
Posted at 08:53AM Jan 12, 2009 by Michael Teger in Sun | Comments[4]

Hi Mike,
Good post. I would suggest you add that this feature is supported only with certain policy conditions, or a pointer to docs.sun.com, which lists this limitation.
thanks
Bina
Posted by bina keshava on January 22, 2009 at 03:00 AM PST #
Thanks for pointing it out, Bina. Here is a link to the OpenSSO doc that lists the policy limitations:
http://docs.sun.com/app/docs/doc/820-3885/adsfx?a=view
Posted by Michael Teger on January 23, 2009 at 02:41 PM PST #
Thanks. The post looks complete now.
Posted by Bina Keshava on February 01, 2009 at 11:30 PM PST #
Hi,
* Can desktop SSO be used as one of the authentication modules?
e.g.
policy 1 - http://www.abc.com -> desktop SSO
policy 2 - http://www.abc.com/secured -> LDAP
policy 3 - http://www.abc.com/very_secure -> SecurID
------------
* Can module-based authentication be used to accomplish something similar?
regards
- Paras
Posted by Paras Jethwani on July 27, 2009 at 02:37 AM PDT #