Authentication methods

This document explains how to develop an authentication method for OpenASelect. See Authentication methods for more information about authentication within OpenASelect.

Design

Authentication methods implement the following interface:

com.alfaariss.oa.sso.authentication.web.IWebAuthenticationMethod

The main method specified by this interface is the authenticate method, which should perform the actual authentication. The following figure shows a basic authentication method:

Authentication class diagram

How it works

The default type of authentication method, described in this document, is the web method. Web authentication methods are called during the authentication process and perform the actual authentication. The possible authentication results are defined in the com.alfaariss.oa.UserEvent enumeration.

The following results can be used:

Result                        Description
AUTHN_METHOD_SUCCESSFUL       Authentication method successfully finished: user authenticated.
AUTHN_METHOD_FAILED           Authentication method failed: user not authenticated.
AUTHN_METHOD_IN_PROGRESS      The authentication method has performed user interaction and the request is finished.
AUTHN_METHOD_NOT_REGISTERED   Authentication method not registered for user.
AUTHN_METHOD_NOT_SUPPORTED    Authentication method not supported for user.
USER_UNKNOWN                  Authenticated user not found.
USER_DISABLED                 Authenticated user disabled.
USER_CANCELLED                Authentication cancelled by user.


If an authentication method requires user interaction and a page or other response is sent to the user, the method should return AUTHN_METHOD_IN_PROGRESS. AUTHN_METHOD_NOT_SUPPORTED is a specific state whose meaning differs between kinds of authentication methods. See How to create an authentication method for more details.

The concept of executing an authentication method is shown in the following figure:

Authentication method flow diagram

Event logging

The authentication method is an Authority and should therefore log all state changes to the OpenASelect event logging. The IAuthority interface specifies one method which should return the unique authority name of the authentication method:

public String getAuthority();

How to create an authentication method

There are multiple types of authentication methods:

  • Non-identifying authentication methods.
  • Identifying authentication methods.
  • Federated authentication methods.

Identifying methods must embed functionality to identify the user. Non-identifying methods can only be used after an identifying method has run, by means of a chained authentication profile. Federated methods delegate the actual authentication to a trusted external IDP. See Federated authentication for details on federated authentication.

Non-identifying authentication methods

The concept of executing a non-identifying authentication method is shown in the following figure:

Non-identifying flow diagram

In the case of a forced user, the following additional checks must be performed before authentication:

  • Check if user exists
  • Check if user is enabled
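The following Java class is an added example, not code from OpenASelect or from this page: a minimal non-identifying PIN method that performs the forced-user checks above, returns the result values from the table, and logs every state change under its authority name. The authenticate signature and the SessionView, UserStore and EventLog helpers are assumptions standing in for the real session, user store and event-logging APIs.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.alfaariss.oa.UserEvent;  // result values from the table above

// Hypothetical stand-ins for the OpenASelect session, user store and event log.
interface SessionView { String forcedUserId(); String sessionUserId(); }
interface UserStore {
    boolean exists(String id); boolean isEnabled(String id);
    boolean hasPin(String id);  boolean pinMatches(String id, String pin);
}
interface EventLog { void log(String authority, UserEvent event, String userId); }

// Non-identifying second-step PIN check: the user was identified by an earlier method.
public class PinMethod {
    private static final String AUTHORITY = "PinMethod"; // unique name for the event log
    private final UserStore users; private final EventLog events;
    public PinMethod(UserStore users, EventLog events) { this.users = users; this.events = events; }

    // IAuthority: identifies this method in the OpenASelect event log
    public String getAuthority() { return AUTHORITY; }

    // Assumed signature of IWebAuthenticationMethod.authenticate (not shown on this page).
    public UserEvent authenticate(HttpServletRequest req, HttpServletResponse resp,
                                  SessionView session) throws IOException {
        String forced = session.forcedUserId();
        if (forced != null) {                          // forced user: extra checks first
            if (!users.exists(forced))    return done(UserEvent.USER_UNKNOWN, forced);
            if (!users.isEnabled(forced)) return done(UserEvent.USER_DISABLED, forced);
        }
        String userId = session.sessionUserId();       // set by the identifying method
        if (userId == null)                            // no identified user: this example fails closed
            return done(UserEvent.AUTHN_METHOD_FAILED, null);
        if (!users.hasPin(userId)) return done(UserEvent.AUTHN_METHOD_NOT_REGISTERED, userId);
        if (req.getParameter("cancel") != null) return done(UserEvent.USER_CANCELLED, userId);
        String pin = req.getParameter("pin");
        if (pin == null) {                             // first visit: send the form, request ends here
            resp.setContentType("text/html");
            resp.getWriter().write("<form method='post'><input type='password' name='pin'>"
                + "<button>OK</button><button name='cancel'>Cancel</button></form>");
            return done(UserEvent.AUTHN_METHOD_IN_PROGRESS, userId);
        }
        return done(users.pinMatches(userId, pin) ? UserEvent.AUTHN_METHOD_SUCCESSFUL
                                                  : UserEvent.AUTHN_METHOD_FAILED, userId);
    }

    // Every state change is written to the event log before the result is returned.
    private UserEvent done(UserEvent event, String userId) {
        events.log(AUTHORITY, event, userId);
        return event;
    }
}
```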

Identifying authentication methods

The concept of executing an identifying authentication method is shown in the following figure:

Identifying authentication flow diagram

The best way to start developing an identifying authentication method is to take a look at the Identifying method, which contains all the principles of identifying authentication methods.

Federated authentication methods

The concept of executing a federated authentication method is shown in the following figure:

Federated authentication flow diagram

Some remote protocols may not support forcing a username. In that case a forced user should result in an AUTHN_METHOD_NOT_SUPPORTED failure. If a session user is present, that username must be maintained as the identifying username. If no user is available in the session, the authentication method must identify the user by its remote username.

The best way to start developing a federated authentication method is to extend the AbstractRemoteMethod and take a look at the remote A-Select method.
