Delegated Authentication Using the Legacy Cookie

Delegated authentication lets a third-party access management system authenticate a user and then pass the authenticated user's identity to Federation Manager deployed at the asserting party. The identity is shared either through a cookie or in a query string. The cookie is generated with the Federation Manager Java SDK, using a zone name and password agreed with the asserting party, so that Federation Manager can decrypt it.

Note: This guide discusses delegated authentication using the cookie and the Java SDK. See the CA Federation Manager Guide for information about delegated authentication using a query string.

If the third-party access manager intends to use a cookie to communicate the authenticated user ID, the access control application must follow these steps:

  1. Include the Federation Manager Java SDK in the application.
  2. Construct an implementation class of the FederationIdentity interface.
  3. Call the createProfileCookie method.

To construct the implementation class, the access control manager must know the Cookie Zone and Password; these are shared with the asserting party through an out-of-band channel, and the password is a secret that protects the cookie, so it must be stored and handled like any other credential. The third-party access management system must be in the same cookie domain as the asserting party, because the browser only presents the cookie to hosts within that domain.

The constructor to use when creating a cookie for delegated authentication is as follows:

   /** 
    * This constructor loads customized parameters for the cookie.
    *
    * @param zoneName Cookie zone name (the default is FED)
    * @param password String used for cookie encryption
    * @param domain string used to indicate the cookie domain
    * @param obj the object of FedSdkLogger class
    */
   public FederationIdentityImpl(String zoneName, String password, String domain,
                                   FedSdkLogger obj) throws JavaSDKException

Note: The last parameter is a FedSdkLogger object. If the third-party access management system implements its own logger, the reference is passed here. Otherwise, null is passed, and the SDK uses the default logging implementation.

To call the createProfileCookie method, the third-party access control application must know the ID of the Remote Entity Service Provider configured in the Asserting Party to Relying Party partnership.

The createProfileCookie method signature is as follows:

    /**
     * Creates a <ZONE>PROFILE cookie and populates it with the passed in values.
     * The zone to use was configured when this object was constructed.
     * @param providerID - the provider for whom to create the cookie
     * @param loginID - the user ID
     * @param response - the response object to which the cookie is added
     * @throws JavaSDKException
     */
    public void createProfileCookie(String providerID,
            String loginID,
            HttpServletResponse response) throws JavaSDKException;

Here is a code snippet example of the cookie creation. The zone name, cookie domain and password come from the access manager's own configuration (the values shown are illustrative); the password is a shared secret and must never be read from the incoming request:

    String zone = "FED";          // cookie zone name agreed with the asserting party
    String domain = ".ca.com";    // cookie domain shared with the asserting party
    String password = fedConfig.getCookiePassword(); // hypothetical helper: secret from protected configuration
    FederationIdentity fedIdentity =
                    new FederationIdentityImpl(zone, password, domain, null); // null selects the default SDK logger
    fedIdentity.createProfileCookie("ServiceProviderID", "JaneDoe", httpServletResponse);

The createProfileCookie method uses the provider ID and user ID to create an encrypted cookie value and adds the cookie to the HttpServletResponse object. When the application then redirects the browser to the asserting party, the servlet container sends the Set-Cookie header with the response, and the browser presents the cookie to Federation Manager on the redirected request because both hosts share the cookie domain.
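The following servlet shows the whole procedure (SDK integration, constructing FederationIdentityImpl, calling createProfileCookie, then redirecting to the asserting party) in one place. It is an added example written for this page, not code from CA or from the Java SDK. The class and method names FederationIdentity, FederationIdentityImpl, createProfileCookie, FedSdkLogger and JavaSDKException are those documented above; the package they live in, the servlet init-parameter names, the environment variable holding the cookie password, the request attribute carrying the authenticated user ID and the redirect URL are all assumptions for illustration.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Package name assumed; verify it against the Java SDK jar you deploy.
import com.ca.federation.sdk.FederationIdentity;
import com.ca.federation.sdk.FederationIdentityImpl;
import com.ca.federation.sdk.JavaSDKException;

/**
 * Called by the third-party access manager after it has authenticated the
 * user. Creates the <ZONE>PROFILE cookie and redirects the browser to the
 * asserting party inside the shared cookie domain.
 */
public class DelegatedAuthCookieServlet extends HttpServlet {

    // Federation endpoint on the asserting party (hypothetical URL).
    private static final String FEDERATION_ENDPOINT =
        "https://fed.example.com/affwebservices/public/saml2sso";

    private String zone;
    private String domain;
    private String password;
    private String providerId;

    @Override
    public void init() throws ServletException {
        // Zone, cookie domain and Remote Entity Service Provider ID are
        // deployment configuration; the init-parameter names are this example's.
        zone = getServletConfig().getInitParameter("fedCookieZone");       // e.g. "FED"
        domain = getServletConfig().getInitParameter("fedCookieDomain");   // e.g. ".ca.com"
        providerId = getServletConfig().getInitParameter("fedProviderId");
        // The cookie password is a shared secret exchanged out of band: load it
        // from a protected source (an environment variable here), never from the request.
        password = System.getenv("FED_COOKIE_PASSWORD");
        if (zone == null || domain == null || providerId == null || password == null) {
            throw new ServletException("delegated authentication is not fully configured");
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only an identity established by the access manager itself may be
        // asserted; this example assumes it is exposed as a request attribute,
        // which a remote client cannot set (unlike a request parameter).
        Object principal = req.getAttribute("authenticatedUserId");
        if (!(principal instanceof String) || ((String) principal).isEmpty()) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String loginId = (String) principal;

        try {
            // null for the last argument selects the SDK's default logger.
            FederationIdentity fedIdentity =
                new FederationIdentityImpl(zone, password, domain, null);
            // Encrypts providerId + loginId and adds the cookie to the response.
            fedIdentity.createProfileCookie(providerId, loginId, resp);
        } catch (JavaSDKException e) {
            log("profile cookie creation failed for user " + loginId, e);
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        // Set-Cookie is already on the response; the redirect target must be
        // inside the cookie domain or the browser will not send the cookie.
        resp.sendRedirect(FEDERATION_ENDPOINT);
    }
}
```

Map the servlet to a path that is reachable only after the access manager's own authentication filter has run, so that the request attribute is always populated by trusted code. Keep FED_COOKIE_PASSWORD out of version control and web.xml; if it leaks, anyone in the cookie domain can mint a valid profile cookie for any user ID.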