Authorization

The authorization component in OpenASelect is the first part of the WebSSO sequence. Its role is to alter the authentication session's parameters based on information known before user authentication (known as pre-authorization) or after authentication (post-authentication). Its position in the authentication chain is shown in the picture below.

Authorization chain diagram

Pre-authorization is directed by the WebSSO manager through a dedicated sub-manager, the pre-authorization manager. This component manages the different components that make up the pre-authorization functionality. These components can be grouped into three parts: the pre-authorization profiles, the methods and the actions.

Profiles

Pre-authorization profiles consist of one or more methods and can be assigned to a requestorpool, or can be set as the global profile. On entering the pre-authorization stage, the manager determines which profiles apply to the current situation and executes them sequentially. The global profile is executed first, followed by the requestorpool-specific profile. Both the global profile and the profile for a requestorpool are optional, so pre-authorization can be left out of the authentication process entirely by defining no profiles at all.

Between the execution of the methods, the user session is verified. Since actions can alter the session, it is possible that an action has invalidated a session. In that case the authentication process stops and the user is presented an error.

Methods

The methods act as the deciding entity in the pre-authorization process. A method's input is the request the user placed at the Profile. The parameters of the request are compared to the configured criteria, and the method returns a decision on whether or not the request meets the set criteria. If the method indicates a match, the pre-authorization manager performs the action attached to it.

Actions

Actions are allowed to alter the authentication session of the user. When called, they perform a specific task on one or more parameters of the user's session. For example, the session can be made invalid so that the user cannot continue to the authentication phase. No other methods are executed after the session is invalidated.

Flow

Profile, method and action conceptual relations are displayed in the following figure:

Example

Pre-authorization enables the OpenASelect server to block certain ranges of IP addresses from authenticating, regardless of which requestor initialized the authentication session. The associated components need to be configured as follows:

  • The profile is set as the global pre-authorization profile and consists of the deny action attached to the IP method;
  • The method is configured as an IP method, which is configured to return a match when the request's IP address falls in the range set;
  • The action is configured as the deny action, which invalidates the session upon calling.

OpenASelect built-in methods and actions

The OpenASelect package includes the following methods and actions:

Methods

  • IP method - Decides based on the IP address of the user's request;

Actions

  • Deny action - Denies access to the rest of the authentication process by invalidating the user authentication session;
  • Force profile action - Forces an authentication profile into the authentication session, thereby overruling the authentication profile set for the requestorpool.
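The flow described in the Flow section, the IP-blocking example above and the built-in methods and actions listed here, modelled end to end as an added example. This is illustrative code written for this page, not OpenASelect's own implementation or API: the class names (Session, IPMethod, DenyAction, ForceProfileAction, Profile, PreAuthorizationManager), the CIDR ranges, the pool name "partners" and the profile id "strong-auth" are all constructed for the example. It shows the global profile running before the requestorpool profile, the action being applied only on a method match, the session being verified after every method, and execution stopping once a session has been invalidated.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of OpenASelect's pre-authorization stage (example only).


@dataclass
class Session:
    """The user's authentication session as seen by pre-authorization."""
    requestor_pool: str
    client_ip: str
    auth_profile: Optional[str] = None   # set by the force profile action
    valid: bool = True                   # cleared by the deny action


class IPMethod:
    """Matches when the request's source IP falls inside a configured range."""

    def __init__(self, cidr: str) -> None:
        self.network = ipaddress.ip_network(cidr, strict=False)

    def matches(self, session: Session) -> bool:
        return ipaddress.ip_address(session.client_ip) in self.network


class DenyAction:
    """Invalidates the session; nothing after this method is executed."""

    def apply(self, session: Session) -> None:
        session.valid = False


class ForceProfileAction:
    """Overrules the requestorpool's authentication profile with a fixed one."""

    def __init__(self, profile_id: str) -> None:
        self.profile_id = profile_id

    def apply(self, session: Session) -> None:
        session.auth_profile = self.profile_id


@dataclass
class Profile:
    """A pre-authorization profile: ordered (method, action) pairs."""
    entries: List[Tuple[object, object]]


class PreAuthorizationManager:
    def __init__(self, global_profile: Optional[Profile] = None,
                 pool_profiles: Optional[Dict[str, Profile]] = None) -> None:
        self.global_profile = global_profile
        self.pool_profiles = pool_profiles or {}

    def run(self, session: Session) -> bool:
        """Run applicable profiles in order; return whether the session survived."""
        # Global profile first, then the requestorpool-specific one; both optional.
        profiles = (self.global_profile,
                    self.pool_profiles.get(session.requestor_pool))
        for profile in profiles:
            if profile is None:
                continue
            for method, action in profile.entries:
                if method.matches(session):
                    action.apply(session)
                # The session is verified between methods: an invalidated
                # session stops the whole authentication process.
                if not session.valid:
                    return False
        return True


def build_example_manager() -> PreAuthorizationManager:
    """Global profile: deny a blocked range. Pool 'partners': force a profile."""
    global_profile = Profile([(IPMethod("10.0.0.0/8"), DenyAction())])
    partner_profile = Profile([(IPMethod("198.51.100.0/24"),
                                ForceProfileAction("strong-auth"))])
    return PreAuthorizationManager(global_profile, {"partners": partner_profile})


def preauthorize(manager: PreAuthorizationManager, pool: str, ip: str) -> Session:
    """Create a session for the request and run pre-authorization over it."""
    session = Session(requestor_pool=pool, client_ip=ip)
    manager.run(session)
    return session


if __name__ == "__main__":
    mgr = build_example_manager()
    for pool, ip in [("partners", "10.1.2.3"), ("partners", "198.51.100.7"),
                     ("public", "203.0.113.9")]:
        s = preauthorize(mgr, pool, ip)
        print(f"{pool:8} {ip:15} valid={s.valid} profile={s.auth_profile}")
```

The deny action has no knowledge of which requestor started the session; because its profile is the global one, the blocked range is rejected before any requestorpool profile is consulted, which is exactly the behaviour the example above asks for.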
