The Role of the MessageConsumerPlugin
The following steps describe the role of the MessageConsumerPlugin in the user authentication process:

1. The Federation Web Services (FWS) application forwards a request for user authentication to the Policy Server.
2. The Policy Server invokes the authentication scheme to disambiguate the user.
3. The authentication scheme disambiguates the user as follows:
   - The authentication scheme metadata is obtained from the Policy store.
   - The authentication scheme attempts to obtain the LoginID. If the LoginID is not found, the authentication scheme invokes the MessageConsumerPlugin as described in Step 4.
   - If the LoginID is obtained successfully, the authentication scheme searches the current user directory with a predefined SearchSpec. If the user is not found, the postDisambiguateUser() method is called as described in Step 4. If the user is found, the Policy Server proceeds with credential validation, as described in Step 6 and following.
   - When the authentication scheme does not provide the user store SearchSpec, the Policy Server core searches for the user with the search string defined in the User Directory object. In this case the MessageConsumerPlugin is not called.
4. The postDisambiguateUser() method searches a user directory to determine whether a particular LoginID exists. The result is returned to the authentication scheme. The method might be called several times if more than one user directory is configured. This method can also be used to add data for new federation users from the assertion to a user store.
5. When the user has been successfully disambiguated by the Policy Server, the authentication scheme, or the plug-in, the user DN is returned to the Policy Server, which proceeds to credential validation (Step 8 and following).
6. If the user has not been successfully disambiguated for this user directory by the Policy Server, the authentication scheme, or the MessageConsumerPlugin, the FWS application checks the next user directory and repeats Steps 2 - 6 before proceeding with credential validation.
7. When a user has been disambiguated, the Policy Server again calls the authentication scheme to determine whether the user has the proper credentials for the authentication request. The authentication scheme determines whether the response message is acceptable.
8. After the authentication scheme has attempted to authenticate the disambiguated user with the response message, the Policy Server calls the postAuthenticateUser() method of the MessageConsumerPlugin. The Policy Server always calls this method when a user is disambiguated, even when the Policy Server core performed the user disambiguation.
9. You can use postAuthenticateUser() to add any other procedures for federation credential validation required by your implementation.
10. The final result is passed back to the Policy Server by the authentication scheme.
11. If necessary, the FWS application can process any failure and redirect the user to an appropriate URL.
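The following added example (not code from the SDK or this guide) models the call sequence above: a hypothetical plugin with the two hooks, a constructed in-memory user store in place of real User Directory objects, and an orchestration function that walks the directories, falls back to postDisambiguateUser() only when a LoginID or user is missing under a scheme-supplied SearchSpec, skips the plugin when the core performs the search, and always calls postAuthenticateUser() once a user is disambiguated. Signatures and data shapes are assumptions for illustration, not the Policy Server API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class UserDirectory:
    name: str
    users: Dict[str, str]        # LoginID -> user DN (constructed sample store)
    search_spec: Optional[str]   # None: scheme gave no SearchSpec, core searches

class SamplePlugin:
    """Hypothetical MessageConsumerPlugin with the two hooks the guide names."""
    def __init__(self):
        self.calls: List[tuple] = []   # records hook invocations for inspection

    def post_disambiguate_user(self, directory, assertion):
        self.calls.append(("postDisambiguateUser", directory.name))
        # Provision a new federation user from the assertion, but only into
        # the directory designated for federated identities.
        email = assertion.get("email")
        if email and directory.name == "federation-users":
            directory.users[email] = "uid=%s,ou=fed,dc=example,dc=com" % email
            return directory.users[email]
        return None                    # not resolved here; try the next directory

    def post_authenticate_user(self, dn, assertion):
        self.calls.append(("postAuthenticateUser", dn))
        # Extra validation rule applied after the scheme: reject expired assertions.
        return not assertion.get("expired", False)

def authenticate(assertion, directories, plugin):
    """Disambiguate across the configured directories, then validate credentials."""
    dn = None
    login_id = assertion.get("login_id")
    for d in directories:
        if d.search_spec is None:
            dn = d.users.get(login_id)   # core search; the plugin is NOT called
        elif login_id is None or login_id not in d.users:
            dn = plugin.post_disambiguate_user(d, assertion)
        else:
            dn = d.users[login_id]       # found with the scheme's SearchSpec
        if dn:
            break
    if dn is None:
        return {"ok": False, "dn": None, "reason": "user not disambiguated"}
    scheme_ok = assertion.get("valid", False)                  # scheme accepts response
    plugin_ok = plugin.post_authenticate_user(dn, assertion)   # always called
    ok = scheme_ok and plugin_ok
    return {"ok": ok, "dn": dn, "reason": None if ok else "credential validation failed"}
```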