Policies must contain rules. Rules can include authentication and authorization events. Based on how rules are configured, one of four authentication events can occur when the Policy Server attempts to identify a user based on credentials.
The authentication is successful.
The authentication fails because the user is not found in any directory in the policy domain's search order.
The user is found in a directory, but the authentication fails because the credentials supplied by the user are incorrect. If this occurs, the Policy Server looks in the next directory in the policy domain's directory search order. If the user's credentials cannot be verified in any of the directories in the search order, the Policy Server processes OnAuthReject events.
The user must be found in a directory for an OnAuthReject rule to fire. If the user is not found in any directory, an OnAuthReject rule will not fire.
The authentication server has a valid session ticket, yet it cannot find the user directory. This situation should only occur in a single sign-on environment that uses multiple directories, though it may also take place if a user was idle long enough to be removed from the Agent's cache and was removed from the directory in the meantime. When this event occurs, the Policy Server evaluates the user's existence in the directory rather than relying on the session ticket.
The Policy Server attempts to authenticate users based on the longest matching realm. For example, if a user attempts to access /home/employees/managers/manager.html, the Policy Server uses the /managers realm to determine the required credentials. In the example in the previous figure, the user must complete a browser-based form required by the HTML Forms authentication scheme associated with the realm.
Note: The longest matching realm also determines the timeouts for the user's session. If a timeout is associated with the realm in which the user successfully authenticated, that timeout is used. You can use responses to override a realm timeout for a specific resource or group of resources.
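The following is an added example, not CA's code: a small model of the two decisions this page describes, longest-matching-realm selection and the ordered directory search that ends in success, OnAuthReject, or user-not-found. The realm paths, directory names, user records and the timeout unit are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Realm:
    resource: str   # protected path prefix, e.g. "/home/employees/managers/"
    scheme: str     # authentication scheme bound to the realm
    timeout: int    # session timeout for this realm (minutes; assumed unit)

@dataclass
class Directory:
    name: str
    users: dict = field(default_factory=dict)  # username -> password (constructed)

def match_realm(path, realms):
    """Return the realm whose resource prefix is the longest match for `path`."""
    candidates = [r for r in realms if path.startswith(r.resource)]
    if not candidates:
        return None  # unprotected resource: no realm covers it
    return max(candidates, key=lambda r: len(r.resource))

def authenticate(username, password, search_order):
    """Walk the policy domain's directory search order in sequence.

    Returns one of the outcomes described on this page:
      "Success"       - credentials verified in some directory
      "OnAuthReject"  - user found in at least one directory, never verified
      "UserNotFound"  - user in no directory, so OnAuthReject rules do not fire
    """
    found = False
    for directory in search_order:
        if username not in directory.users:
            continue  # not in this directory: keep searching
        found = True
        if directory.users[username] == password:
            return "Success", directory.name
        # wrong credentials here: fall through to the next directory in order
    return ("OnAuthReject" if found else "UserNotFound"), None

# Constructed sample data: a nested realm and two directories in search order.
REALMS = [
    Realm("/home/employees/", "Basic", 60),
    Realm("/home/employees/managers/", "HTML Forms", 15),
]
DIRECTORIES = [
    Directory("Corp LDAP", {"alice": "s3cret"}),
    Directory("Partner LDAP", {"alice": "other", "bob": "pw"}),
]
```

Because the longest realm wins, a manager page picks up the HTML Forms scheme and its 15-minute timeout even though the shorter /home/employees/ realm also matches.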
Copyright © 2010 CA. All rights reserved.