User Disambiguation and Authentication

The authentication process includes two phases—user disambiguation and user authentication.

Before a user can be authenticated, the user’s profile information must be retrieved from the user store so that the user’s stored credentials can be compared with the credentials supplied at login. Looking up the user in a user store (such as an LDAP user directory or an ODBC database) is called user disambiguation. Either SiteMinder or the authentication scheme can disambiguate the user.

SiteMinder calls SmAuthScheme.authenticate() at least once during the disambiguation phase and at least once during the authentication phase.

The basic steps are as follows:

  1. User login. The user supplies a login ID (such as jsmith) for authentication purposes.
  2. Disambiguation phase. Before the user lookup in the data store can begin, a complete DN or a search expression must be constructed based upon the supplied login ID. For example, if the login ID is jsmith, the DN used to search the user store might be constructed as follows:

     uid=jsmith,ou=marketing,o=myorg.org

     An LDAP search expression can also be used to search an LDAP user directory, and a SQL query is used to search an ODBC database—for example:

     (&(objectclass=inetOrgPerson)(uid=jsmith))

     select Name from SmUser where Name = 'jsmith'

     Multiple results are possible, given that the LDAP DN or the ID stored in the ODBC database might apply to different users who have different passwords.

  3. Authentication phase. The custom authentication scheme compares the known credentials of each disambiguated user with the credentials supplied during login—for example, by comparing the hash of the supplied password against the hash in the user store.
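The two phases above, modelled in Python against a constructed in-memory user store. This is an added example, not code from the SiteMinder documentation or SDK: disambiguate() and authenticate() stand in for the two calls SiteMinder makes to SmAuthScheme.authenticate(), and the store layout, the RFC 4515 filter escaping and the PBKDF2 parameters are assumptions. It also shows the multiple-result case from step 2 and rejects a login that still matches more than one user after the password check.

```python
import hashlib
import hmac
import os
from typing import List, Optional


def password_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 digest; stands in for the hash kept in the user store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _entry(uid: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"objectclass": "inetOrgPerson", "uid": uid,
            "salt": salt, "pwhash": password_hash(password, salt)}


# Constructed in-memory stand-in for the LDAP user store (assumption, not real data).
# Two entries share uid=jsmith to model the multiple-result case described in step 2.
USER_STORE = {
    "uid=jsmith,ou=marketing,o=myorg.org": _entry("jsmith", "marketing-pw"),
    "uid=jsmith,ou=sales,o=myorg.org": _entry("jsmith", "sales-pw"),
    "uid=adoe,ou=sales,o=myorg.org": _entry("adoe", "adoe-pw"),
}

# RFC 4515 escaping: the login ID is untrusted input, so it must never be able
# to change the structure of the search expression built from it.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(login_id: str) -> str:
    """The search expression the disambiguation phase would send to the directory."""
    return f"(&(objectclass=inetOrgPerson)(uid={escape_filter_value(login_id)}))"


def disambiguate(login_id: str) -> List[str]:
    """Disambiguation phase: every DN whose uid equals the login ID.
    The in-memory store applies the same equality test the filter encodes."""
    return [dn for dn, attrs in USER_STORE.items()
            if attrs["objectclass"] == "inetOrgPerson" and attrs["uid"] == login_id]


def authenticate(login_id: str, password: str) -> Optional[str]:
    """Authentication phase: compare the supplied password's hash with each candidate.
    Returns the single matching DN, or None when none or more than one matches."""
    matched = []
    for dn in disambiguate(login_id):
        entry = USER_STORE[dn]
        if hmac.compare_digest(password_hash(password, entry["salt"]), entry["pwhash"]):
            matched.append(dn)
    return matched[0] if len(matched) == 1 else None
```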