Scripting and Programming Guides › Developer's Guide for Java › Authentication and Authorization APIs › Create a Custom Authentication Scheme › User Disambiguation and Authentication › User Disambiguation

User Disambiguation

SiteMinder first calls authenticate() at the beginning of the user disambiguation phase.

Either SiteMinder or the custom authentication scheme can disambiguate the user. The authentication scheme indicates whether it has performed the disambiguation through a combination of the following:

• One of the status codes listed below
• Whether a value is passed to SiteMinder in the setUserText() method of SmAuthenticationContext

The status codes are set in the SmAuthStatus object. This object is passed in the status parameter of the SmAuthenticationResult constructor. SmAuthenticationResult is returned from authenticate():

• SMAUTH_NO_USER_CONTEXT

  The authentication scheme asks SiteMinder to disambiguate the user.

  When returning this status code, the authentication scheme should also return an empty string through the setUserText() method. SiteMinder gets the login ID from the Agent, constructs the DN or search expression based on the login ID and the information defined in the SiteMinder User Directory Properties dialog box, and disambiguates the user by looking up the user in the user store.

• SMAUTH_SUCCESS

  The authentication scheme asks SiteMinder to disambiguate the user.

  The authentication scheme passes the login ID to SiteMinder through setUserText(). SiteMinder uses that value to construct the DN or search expression and disambiguate the user in the user store. This approach gives the authentication scheme the opportunity to modify the login ID before SiteMinder disambiguates the user.

  Note: If the authentication scheme passes an empty string in setUserText(), SiteMinder uses the login ID provided by the Agent (the same behavior as with return code SMAUTH_NO_USER_CONTEXT).

• SMAUTH_SUCCESS_USER_DN

  The authentication scheme disambiguates the user by constructing the complete DN or search expression and looking up the user in the user store. The authentication scheme passes the user’s complete DN or ODBC database ID to SiteMinder in setUserText(). Only one DN or database ID can be passed in setUserText().

• SMAUTH_ATTEMPT.

  The user cannot be found in the directory.

• SMAUTH_FAILURE

  This is returned if an error condition exists. Error text is returned to SiteMinder through the setUserText() method.