Administration Guide › Set Up Authentication › How User Authentication Is Conveyed between DSAs
How User Authentication Is Conveyed between DSAs
In a networked system of DSAs, a user can bind to a DSA, and then request information that is held on another DSA. You can use the Trust conveyed originator option to permit the first DSA to convey the user's authentication to the second DSA.
The following steps provide a high-level overview of how user authentication is conveyed between DSAs:
- A user binds to a DSA. The bind request includes the user's DN, and the user's credentials.
- The DSA authenticates the user.
- The user makes another request that the current DSA cannot fulfill.
- The DSA passes the request to another DSA that can fulfill the request. The request includes the user's DN and authentication.
- The receiving DSA must decide whether to trust the user's authentication. To do this, it looks at the configuration of the first DSA for the Trust conveyed originator option.
- If the receiving DSA finds the Trust conveyed originator option, it accepts the request. Even though the user was authenticated on the first DSA, it is treated as if it had been authenticated on the second.
- The receiving DSA uses the DN of the originating user to determine what access controls to apply to the request.
Example: Convey User Authentication
In this example, a client is connecting to one DSA and requesting information from a second DSA. Rather than repeat user authentication, the UNSPSC DSA can be configured to trust all user authentication being passed by the Democorp DSA.
To do this, the UNSPSC DSA's configuration includes the Trust conveyed originator option.