When you configure single sign-on for a federation partnership, one of your configuration decisions is determining how users are authenticated.
Federation Manager offers two authentication choices:
Federation Manager can perform local authentication; however, Basic and HTML forms are the only available authentication schemes.
Delegated authentication lets Federation Manager use a third-party web access management (WAM) system to perform the authentication of any user who requests a protected federated resource. The third-party WAM system performs the authentication and then forwards the federated user identity to Federation Manager. After Federation Manager receives the user identity information, it locates the user in its own user directory and starts the federation process with the relying party.
A delegated authentication request takes place at the asserting party, and it can be initiated at the third-party WAM system or at Federation Manager. An authentication request can also be initiated at the relying party; however, this is not considered delegated authentication.
Authentication can be initiated as follows:
Federation Manager can initiate an authentication request at the asserting party. When a request for a protected federated resource is made to Federation Manager, it is recognized as a delegated authentication request, and Federation Manager redirects the user to the third-party WAM system.
When a user logs in to a WAM system at the asserting party, an authentication request is initiated. After the WAM system successfully authenticates the user, the identity information is then forwarded to Federation Manager.
The relying party can initiate an authentication request, but this scenario is not considered delegated authentication. Delegated authentication occurs only at the asserting party.
A request for a federated resource is made directly to the relying party, who then sends an AuthnRequest to Federation Manager at the asserting party. Federation Manager recognizes it as a delegated authentication request and redirects the user to the third-party WAM system at the asserting party. The user logs in to the WAM system, which initiates an authentication request. After the WAM system successfully authenticates the user, the identity information is then forwarded to Federation Manager.
After the third-party WAM system receives the authentication request, it passes the user identity to Federation Manager. The method the WAM system uses to pass the user identity depends on whether the delegated authentication method is cookie-based or query string-based.
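The relying-party-initiated sequence described above, together with the cookie-based and query-string-based identity handoff, modelled as an added example. This is illustrative code written for this page, not Federation Manager's or any WAM vendor's implementation. The user store, credentials, URLs and the cookie name WAMIDENTITY are constructed, and the HMAC over the handoff is an assumption: the documentation does not specify how the WAM-to-Federation-Manager identity handoff is protected, but a defender would want Federation Manager to verify that the identity it receives really came from the trusted WAM and that the user exists in its own directory before starting federation.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs

# Constructed sample data (not from the product documentation).
WAM_CREDENTIALS = {"alice": "correct horse battery staple", "bob": "bobs-password"}
# Federation Manager's own user directory: "bob" is deliberately absent so the
# example shows a user the WAM authenticates but Federation Manager cannot locate.
FM_USER_DIRECTORY = {"alice": {"mail": "alice@example.com", "dept": "eng"}}
WAM_LOGIN_URL = "https://wam.asserting.example.test/login"      # constructed
FM_RETURN_URL = "https://fm.asserting.example.test/delegated"   # constructed
# Assumption: the WAM and Federation Manager share a secret so the handoff can be
# integrity-checked. The page does not describe this; it is an illustrative choice.
HANDOFF_SECRET = b"constructed-shared-secret"


def _sign(user: str) -> str:
    """HMAC over the asserted username (assumed protection, not the product's)."""
    return hmac.new(HANDOFF_SECRET, user.encode(), hashlib.sha256).hexdigest()


class Wam:
    """Third-party WAM system at the asserting party."""

    def authenticate(self, user, password, method):
        """Return the identity handoff for Federation Manager, or None on failure."""
        if WAM_CREDENTIALS.get(user) != password:
            return None
        sig = _sign(user)
        if method == "cookie":
            # Cookie-based handoff: identity carried in a cookie (name is constructed).
            return {"cookie": {"WAMIDENTITY": f"{user}|{sig}"}}
        # Query-string-based handoff: identity carried on the return URL.
        return {"query": urlencode({"user": user, "sig": sig})}


class FederationManager:
    """Federation Manager acting as the asserting party."""

    def handle_authn_request(self, authn_request):
        # An AuthnRequest from the relying party is treated as a delegated
        # authentication request: redirect the user to the WAM login.
        return {"redirect": WAM_LOGIN_URL, "return_to": FM_RETURN_URL,
                "rp": authn_request["issuer"]}

    def receive_identity(self, handoff):
        """Accept the WAM handoff; return the federation subject or None if rejected."""
        if "cookie" in handoff:
            raw = handoff["cookie"].get("WAMIDENTITY", "")
            user, _, sig = raw.partition("|")
        else:
            qs = parse_qs(handoff.get("query", ""))
            user = qs.get("user", [""])[0]
            sig = qs.get("sig", [""])[0]
        # Reject an unsigned or tampered identity before touching the directory.
        if not user or not hmac.compare_digest(sig, _sign(user)):
            return None
        attrs = FM_USER_DIRECTORY.get(user)
        if attrs is None:
            return None  # authenticated at the WAM but unknown to Federation Manager
        return {"subject": user, "attributes": attrs}


def delegated_flow(method, user, password, rp="https://rp.example.test"):
    """Run RP -> FM -> WAM -> FM; return (trace of steps, assertion or None)."""
    trace = []
    fm, wam = FederationManager(), Wam()
    trace.append("RP -> FM: AuthnRequest")
    step = fm.handle_authn_request({"issuer": rp})
    trace.append(f"FM -> browser: redirect to WAM ({step['redirect']})")
    handoff = wam.authenticate(user, password, method)
    if handoff is None:
        trace.append("WAM: authentication failed")
        return trace, None
    trace.append(f"WAM -> FM: identity via {method}")
    assertion = fm.receive_identity(handoff)
    trace.append("FM: user located, federation starts" if assertion
                 else "FM: handoff rejected")
    return trace, assertion


if __name__ == "__main__":
    for line in delegated_flow("cookie", "alice", "correct horse battery staple")[0]:
        print(line)
```

The two handoff methods differ only in transport; both feed the same verification and directory lookup in `receive_identity`, which is where a tampered or unknown identity is stopped.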
Copyright © 2010 CA. All rights reserved.