A module-based authentication can be invoked using the module parameter along with the authentication URL. The value for the module could be any valid authentication instance name that has already been created in the server. A URL of this form http://opensso.packt-services.net:8080/opensso/UI/Login?module=packt-radius invokes the RADIUS authentication service to authenticate the user. packt-radius is the instance created from the RADIUS generic service provided by the OpenSSO. On successful authentication the session properties AuthType with value packt-radius (representing the instance name of the module) and IndexType with a value module_instance (identifying the session is created with module-based authentication) will be set. There are other properties in the session along with these two properties. Please refer to the section titled 'Session Properties found later in this chapter.

While creating the authentication module instances there is a configuration property that takes a numeric value as the authentication level. This can be considered as the authentication strength for each module and can be set to a higher value for strong authentication modules such as RSA SecurID. Classified data can be protected with higher authentication levels. For example, an employee and a financial manager can have access to the corporate documents with a minimum-strength authentication level. When the financial manager wants to access the company's confidential financial data, he will be forced to authenticate to a higher authentication level. In such scenarios, level-based authentication would be appropriate. It uses the parameter authlevel to invoke the level-based authentication using the URL of the form: http://opensso.packt-services.net:8080/opensso/UI/Login?authelevel=22. When the current session is already on the higher strength then any attempt to authenticate to a lower strength will not be honored using the same session. When there are multiple modules configured with the same strength, then the client will be presented with the list of options to choose from.

A service-based authentication relies on the authentication chain configuration. An authentication chain can be created with one or more authentication module instances. Authenticating using the authentication chain requires all the module instances in the chain to be satisfied unless the OPTIONAL keyword is specified. If any one of them fails, then the whole authentication process will be halted. A service-based authentication can be performed by appending the service parameter along with the login URL and a valid authentication chain name. A URL of http://opensso.packt-services.net:8080/opensso/UI/Login?service=mychain form will invoke the service-based authentication using the authentication chain named mychain. In this type of authentication, the session property IndexType will be set to service to denote the type of authentication.

It is yet another flexibility provided by the authentication service to fine tune the authentication types to the user identity level. A realm administrator can configure specific module instances for each of the users by leveraging the user-based authentication feature of the server. A user-based authentication can be invoked by supplying the user parameter along with a valid OpenSSO user identity's name. Assuming the user jsmith configured to access the LDAP authentication module instance, this user will invoke the http://opensso.packt-services.net:8080/opensso/UI/Login?user=jsmith to get in to the system. In this type of authentication the session property IndexType will be set to user to denote the type of authentication. This property can be leveraged by the remote applications to determine what kind of authentication mechanism is used by the client to obtain the session.

A role based authentication is pretty much the same as of the user-based authentication except that instead of user parameter, role will be used in the URL. In lieu of a username, a role identity name will be used at the time of invoking the authentication service. This type of authentication is supported only in the legacy mode of the OpenSSO server, that is you should configure the Access Manager Repository to perform a role based authentication. If you have configured a proper authentication chain for the role manager, a role-based authentication for the manager role can be performed using http://opensso.packt-services.net:8080/opensso/UI/Login?role=manager. In this type of authentication the session property IndexType will be set to role to denote the type of authentication.

If you have noticed in the URLs that we have used so far, it does not mention in which realm the users need to be authenticated. However, the server knows what needs to be done if no realm parameter is present in the URL. It will assume the root realm on seeing no realm in the URL or it will use realm aliases. The realm parameter is used to tell the server the realm that the client is trying to authenticate to. An invocation of http://opensso.packt-services.net:8080/opensso/UI/Login?realm=/sales&module=sales_ldap will present the LDAP authentication page for the user to authenticate into the sub realm sales, provided a valid sales_ldap instance exists. The domain and org parameters are meant to be used in the legacy Access Manager Repository's co-existence mode in the same manner as the realm parameter.

All the authentication types that we have discussed in the preceding sections are predetermined, in the sense that the invoking client knows what kind of credentials are required for the page being requested. Every time the same kind of authentication modules will be presented. In certain deployments, customers might want to dynamically (at the runtime) choose a particular authentication type based on the clients' environment properties. For example, a banking institution may enforce a strong authentication when the client is accessing the application from a different geographic location than its usual place. To address the dynamic selection of authentication module resource-based authentication can be leveraged. A resource-based authentication works in concurrence with the OpenSSO policy service. It is a policy services that advises the authentication service what kind of authentication module to invoke after evaluating the clients environment parameters.

Resource authentication is based on the client environment variables defined in the HTTP request parameters and/or HTTP request header. After receiving a request for access, the authentication service passes the resource name and appropriate environment parameters to the policy service to determine the authentication type to be used. The policy service returns an advice message to indicate the appropriate authentication type to call. The client is then prompted for the appropriate credentials for the authentication type. The key here is that the policy that protects the resource (typically a URL) should contain the logic to determine what type of authentication is to be used based on the clients' environment parameters such as IP address. [http://developers.sun.com/identity/reference/techart/ipresenvauthopensso2.html#uc2]

A resource-based authentication can be invoked either via supplying resourceURL=<resourceName> or resource=true&goto=<resourceName> parameters. For example, if the resource http://www.google.com is configured with appropriate resource conditions, then any one of the following URLs initiate a resource-based authentication http://opensso.packt-services.net:8080/opensso/UI/Login?resource=true&goto=http://www.google.com or http://opensso.packt-services.net:8080/opensso/UI/Login?resourceURL=http://www.google.com. Without a goto parameter, resource=true alone will not initiate the resource based authentication.

The IDToken parameter is used to map the credentials from the authentication page from the field values that user's enter through the browser. This parameter enables a user or application (an agent identity) to pass authentication credentials using the login URL, allowing authentication without accessing the authentication service user interface. As described above, the zero-page login leverages this parameter to obtain a session. This is very useful to quickly validate whether the agent identity can authenticate to the server using http://opensso.packt-services.net:8080/opensso/UI/Login?module=Application&IDToken1=myagent&IDToken2=myagent. Note that the IDToken0 is used for the username as opposed to IDToken1. This is applicable only for the agent identity authentication (module=Application). For security reasons you should always consider using the HTTP/POST for submitting user credentials over the wire. OpenSSO 8.0 Update 2 release made some security fixes that disabled the GET method for submitting the credentials.

In an enterprise deployment, OpenSSO can be used as a trusted authentication authority to issue the Single Sign-On tokens. Users can use this token to access the other applications such as calendar, e-mail, and so on from a corporate portal. On successful authentication users needs to be sent back to a secure portal, and this can be accomplished by using the goto parameter along with the authentication URL. The OpenSSO policy agents extensively use goto to redirect the client back to the protected resource after authentication.

Akin to the successful login, it is also possible to use goto after a successful logout from the system. Some financial institutions recommend closing the browser after logout and this can be achieved by using the goto parameter to send the user's browser to the post logout page where the message about closing the browser can be displayed.

Unlike the goto parameter, the gotoOnFail parameter can be used to send the client to a page after an authentication attempt has failed. For instance clients can be redirected to a password reset page or a self-registration page in case of authentication failure.

In general these authentication success and failure URLs can be configured at different levels for a user identity. The order of precedence would be the goto to the URL, user, role, realm, and Global. First it will look for the success (or failure) URL in the url goto (gotoOnFailure) parameter, if not available it will check in the authenticated identity's profile for the attribute iplanet-am-auth-login-success-url (iplanet-am-auth-login-failure-url), which if not available will be checked in the service role and so on, and so forth.

OpenSSO has the capability of displaying screens that are translated into languages other than English. These localized screens can be configured for the authentication process as well as for the console itself. The locale=language-locale parameter allows the specified locale to take precedence over any other defined locales for the authentication process.

The login locale will be determined in this order:

The locale derived from this logic is stored in the user's session and the server uses it for loading the localized authentication module only. After successful authentication, the locale defined in the preferredlocale attribute of the user's profile is used.

Clients can use this parameter to force the browser to kill any existing sessions for the server and create a new session based on the credentials submitted. This will be useful if you are already logged into a realm but wanting to authenticate to a different realm. Without the arg parameter you will be prompted with a page for confirmation to kill the existing session.

This parameter is used to instruct the server to create a persistent cookie, provided the persistent cookie is enabled (Persistent Cookie Mode) in the core authentication properties. If the persistence cookie is not enabled at the server side, then sending this parameter does not make any difference. A persistent cookie is one that continues to exist even after the browser window is closed. If the user is successfully authenticated and the browser is closed, the user can login with a new browser session and will be directed to the console without having to authenticate again. By default this cookie is valid for 25 days, but it can be configured for a lesser value too. This stays valid until it expires or the user explicitly logs out from the server by clicking on the logout link. Just closing the browser does not remove this persistent cookie. To view the cookie you have to look into your browser cookie database with name, DProPCookie. Note that it is different from the session (SSO token) cookie, iPlanetDirectoryPro. A persistent cookie will create a session cookie every time the browser is reopened with the login URL with iPSPCookie=yes as a parameter.

The ForceAuth=true query parameter forces the user to authenticate even if the user currently has a valid session. This parameter is useful in the following case.

When the user is performing the session upgrade with this parameter then the existing session ID and the session property values such as the max user session are retained with the existing session's value. Only the moduleAuthTime and AuthType properties are updated. This is useful if the admin wants to control the max session time of a user by allowing to upgrade the session without extending the current session. Without the ForceAuth=true parameter, whenever a user does a session upgrade after a successful upgrade, the user's max session time (for that matter all the session-related properties) will be reset to the original value configured in the session service of the realm to which the user authenticated.

In an authenticated session, the cookie is lost if the browser is restarted. There have been OpenSSO deployment requests to make it persistent so that the cookie would be saved on disk and survive browser restart. This is different from the persistent cookie DProPCookie. With persistent cookie a new session is created because of DProPCookie, not the original one that we lost due to browser restart.

The PeristentAMCookie parameter is about retrieving the same session instead of creating a new one. It is just a handle to the current and active session. The expiry time for this persistent cookie would be much shorter and should be set less than idle session time that is configured for the current session.

The PersistAMCookie parameter will save the OpenSSO Enterprise session cookie to the memory disk, thereby allowing an application (other than the browser) on the same machine to read it and create an SSO token. You need to set a valid numeric value (N) in minutes for the com.iplanet.am.cookie.timeToLive property in the OpenSSO server to enable the cookie to be stored in the disk for N minutes.