
Delegated Authentication Using the Open Format Cookie

Delegated authentication lets a third-party access management system authenticate a user and then hand the authenticated user's identity to Federation Manager deployed at the asserting party. The identity is shared either in a cookie or in a query string.

Note: This guide discusses delegated authentication using the cookie and the Java SDK. See the CA Federation Manager Guide for information about delegated authentication using a query string.

If the third-party access management system and the asserting party intend to use a cookie to communicate the authenticated user ID, the access management application follows these steps:

  1. Implement the Federation Manager Java SDK.
  2. Construct an implementation class for the IFederationOpenIdentity interface.
  3. Call the createCookie method.

To construct the implementation class, the third-party access management system must know the cookie zone and the password configured in Federation Manager. These values are communicated out-of-band. Because Federation Manager accepts the cookie as proof that the user was authenticated, the password is a shared secret: anyone who holds it can produce a valid cookie for any login ID, so keep it out of source code and deployment descriptors. The third-party access management system must also be in the same cookie domain as the asserting party, otherwise the browser never presents the cookie to Federation Manager.

The static factory method in the IdentityFactory.java class to use when creating a cookie for delegated authentication is listed following.

   /** 
    * Gets an implementation of the IFederationOpenIdentity interface.
    *
    * @param cryptoInstance A cryptographic string; supported values are
    *  listed in IdentityCrypto.java.
    * @param bUseHmac A Boolean value that indicates whether to add an HMAC
    *  to the cookie value so that modifications are detected.
    */
     public static IFederationOpenIdentity getInstance(String cryptoInstance, boolean bUseHmac)

The access management system can encrypt the cookie itself using password-based encryption, or it can use one of the FIPS-compliant cryptographic strings. If you choose a FIPS-compliant string, use the encryption provided by the Java SDK.

Here is a code snippet example of the cookie creation. The snippet runs inside a servlet or filter at the third-party access management system, after that system has authenticated the user; response is the HttpServletResponse for the current request, and the Federation Manager SDK classes must be imported from the SDK jar.

import javax.servlet.http.HttpServletResponse;

// Get an IFederationOpenIdentity that encrypts the cookie with AES-128.
// The second argument is bUseHmac; false means no HMAC is added.
IFederationOpenIdentity openID = IdentityFactory.getInstance(IdentityCrypto.AES128, false);

// Cookie parameters. The zone and password must match the values
// configured in Federation Manager at the asserting party; the empty
// password here is only a placeholder.
String domain = ".moon.com";
String zone = "FED";
String name = "CryptoID";
String password = "";

openID.initCookieInfo(domain, zone, name, password);

// The login ID is the authenticated user ID that the asserting party will trust.
openID.setLoginID("TomJones");

// Build the encrypted cookie value and add the cookie to the servlet response.
openID.createCookie(response);

The createCookie method uses the login ID to create an encrypted cookie value and adds the cookie to the HttpServletResponse object. When the application then redirects the user to the asserting party, the browser sends the cookie with that request because it was set for the shared cookie domain, and Federation Manager reads the login ID from it.
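The three steps above, carried through as one servlet at the third-party access management system. This is an added example, not code from the guide or from CA Federation Manager: the servlet class, its init parameters, the use of the container principal as the source of the authenticated user ID, and the redirect target are all assumptions. Only IdentityFactory.getInstance, IdentityCrypto.AES128, initCookieInfo, setLoginID and createCookie come from the page.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, mapped at the third-party access manager behind its
// own authentication, that mints the Federation Manager open format cookie
// and sends the browser on to the asserting party.
public class DelegatedAuthServlet extends HttpServlet {

    // Values agreed out of band with the Federation Manager administrator.
    private String cookieDomain;
    private String cookieZone;
    private String cookieName;
    private String cookiePassword;
    private String assertingPartyUrl;

    @Override
    public void init() throws ServletException {
        // Assumed init-parameter names. The domain, zone and name may sit in
        // web.xml; the password is a shared secret and is read from a
        // property the deployer injects (for example from a secrets store).
        cookieDomain = required("cookieDomain");          // e.g. ".moon.com"
        cookieZone = required("cookieZone");              // e.g. "FED"
        cookieName = required("cookieName");              // e.g. "CryptoID"
        assertingPartyUrl = required("assertingPartyUrl"); // e.g. "https://fed.moon.com/..."
        cookiePassword = System.getProperty("fed.cookie.password");
        if (cookiePassword == null || cookiePassword.isEmpty()) {
            throw new ServletException("fed.cookie.password is not set");
        }
    }

    private String required(String key) throws ServletException {
        String value = getInitParameter(key);
        if (value == null || value.isEmpty()) {
            throw new ServletException("missing init parameter: " + key);
        }
        return value;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // Step 0: the access manager must already have authenticated the user.
        // Here the container principal is assumed to carry that result; never
        // take the login ID from a request parameter the user controls.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String loginId = request.getUserPrincipal().getName();

        // Steps 1 and 2: obtain the IFederationOpenIdentity implementation.
        // bUseHmac=true adds an integrity check to the cookie value; the
        // Federation Manager configuration at the asserting party is assumed
        // to accept HMAC-protected cookies.
        IFederationOpenIdentity openID =
                IdentityFactory.getInstance(IdentityCrypto.AES128, true);
        openID.initCookieInfo(cookieDomain, cookieZone, cookieName, cookiePassword);
        openID.setLoginID(loginId);

        // Step 3: create the encrypted cookie and add it to the response.
        openID.createCookie(response);

        // Redirect to a fixed, configured asserting-party URL rather than to
        // a caller-supplied target, so the servlet cannot be used as an open
        // redirector. The browser attaches the cookie because the asserting
        // party lives in the same cookie domain.
        response.sendRedirect(assertingPartyUrl);
    }
}
```

The servlet refuses to run without a password because an empty password would let anyone who learns the zone and cookie name forge a login cookie for any user.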