IBM Tivoli Access Manager for e-business: WebSEAL Administration ...
4. After successful login, the MAS builds a credential for the user, stores it in the cache, and redirects the browser back to the originally requested URL on WebSEAL 1 with an encrypted "vouch for" token. In addition, a domain A-specific e-community cookie is placed on the browser to identify the "vouch for" server for this domain (in this case, the MAS).

   If the login attempt is unsuccessful, the MAS returns a "vouch for" token that indicates a failure status. This token is constructed to be indistinguishable from a success status "vouch for" token. The requesting server reacts to a failure status token as if the user had failed local authentication.

5. WebSEAL 1 decrypts the token and builds its own credential for the user.

   Note: Identity mapping should not be required within the same domain. If identity mapping is required, WebSEAL 1 must use the Cross-domain Mapping Framework (CDMF).

6. The authorization service permits or denies the request.
(2) FIRST e-Community Remote (Domain B) Access: WebSEAL 3

1. User requests a resource protected by WebSEAL 3 (remote domain B). The browser contains no e-community cookie for this domain. WebSEAL 3 has no cached credentials for the user.

2. WebSEAL 3 configuration has e-community authentication enabled and specifies the location of the MAS. WebSEAL 3 redirects the browser to a special "vouch for" URL on the MAS.

3. The MAS receives the "vouch for" request and, failing to find credentials for that user, prompts the user to log in.

4. After successful login, the MAS builds a credential for the user, stores it in the cache, and redirects the browser back to the originally requested URL on WebSEAL 3 with an encrypted "vouch for" token. In addition, a domain A-specific e-community cookie is placed on the browser to identify the "vouch for" server for this domain (in this case, the MAS).

   If the login attempt is unsuccessful, the MAS returns a "vouch for" token that indicates a failure status. This token is constructed to be indistinguishable from a success status "vouch for" token. If the user fails authentication at the MAS, then the user is prompted for a local authentication at WebSEAL 3. If the user's account exists on this server, authentication then succeeds.

5. WebSEAL 3 decrypts the token and builds its own credential for the user.

6. WebSEAL 3 creates and sets a second e-community cookie (valid for domain B) on the browser, identifying WebSEAL 3 as the "vouch for" server for domain B.

7. The authorization service permits or denies the request.
(3) NEXT e-Community Local (Domain A) Access: WebSEAL 2

1. User requests a resource protected by WebSEAL 2 (within the same domain as the MAS). The browser contains a domain A e-community cookie identifying the MAS as the "vouch for" server. WebSEAL 2 receives this cookie. WebSEAL 2 has no cached credentials for the user.

2. WebSEAL 2 configuration has e-community authentication enabled and specifies the location of the MAS. The presence of the domain A e-community cookie overrides the WebSEAL 2 configuration for the MAS location. The cookie provides WebSEAL 2 with the identity of the "vouch for" server. (If scenario 2 occurred first, there would also be a domain B cookie maintained on the browser that would not be sent to a domain A server.)
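As an added illustration (not from the guide, and not WebSEAL's actual token format, cookie name or key handling), the following Python models the three scenarios above: a MAS that returns fixed-size sealed "vouch for" tokens, so a failure token cannot be told from a success token until the receiving WebSEAL decrypts it; a domain B WebSEAL that sets its own e-community cookie after a successful vouch; and a browser cookie jar scoped by domain, so the domain B cookie is never presented to a domain A server. The host names, shared key and user store are constructed.

```python
"""Toy model of the e-community SSO flow described above. Constructed example:
the token format, cookie name, hosts and key are assumptions, not WebSEAL's own."""
import hashlib, hmac, json, os

ECSSO_KEY = b"constructed-key-shared-by-MAS-and-WebSEALs"   # one key for the e-community
MAS_ACCOUNTS = {"alice": "pw-alice"}                        # constructed MAS user store
MAS_DOMAIN, MAS_HOST = "a.example", "mas.a.example"          # MAS lives in domain A
TOKEN_BYTES = 64     # fixed payload size: a failure token is the same shape as a success token

def _keystream(nonce, n):
    blocks = (hashlib.sha256(ECSSO_KEY + nonce + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(status, user):
    """Toy 'encrypted vouch-for token': space-padded JSON XOR keystream, then a MAC tag."""
    body = json.dumps({"status": status, "user": user}).encode().ljust(TOKEN_BYTES)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(body, _keystream(nonce, TOKEN_BYTES)))
    return nonce + ct + hmac.new(ECSSO_KEY, nonce + ct, hashlib.sha256).digest()

def unseal(token):
    nonce, ct, tag = token[:16], token[16:16 + TOKEN_BYTES], token[16 + TOKEN_BYTES:]
    if not hmac.compare_digest(tag, hmac.new(ECSSO_KEY, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("vouch-for token failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(nonce, TOKEN_BYTES))))

class Browser:
    def __init__(self):
        self.cookies = {}                      # (domain, name) -> value, i.e. scoped per domain
    def for_domain(self, domain):              # only this domain's cookies are sent to its servers
        return {n: v for (d, n), v in self.cookies.items() if d == domain}

def mas_vouch_for(browser, user, password):
    """MAS handling a vouch-for request: on success, set the domain A cookie naming itself."""
    ok = MAS_ACCOUNTS.get(user) == password
    if ok:
        browser.cookies[(MAS_DOMAIN, "e-community")] = MAS_HOST
    return seal("success" if ok else "failure", user if ok else "")   # same size either way

def webseal_first_access(browser, domain, host, user, password):
    """A WebSEAL in `domain` with e-community enabled and no cached credential for the user."""
    vouch_server = browser.for_domain(domain).get("e-community", MAS_HOST)  # cookie overrides config
    claim = unseal(mas_vouch_for(browser, user, password))   # redirect out and back, modelled inline
    if claim["status"] != "success":
        return {"vouch_for": vouch_server, "authenticated": False, "next": "local login"}
    if domain != MAS_DOMAIN:      # remote domain: this WebSEAL becomes the vouch-for server there
        browser.cookies[(domain, "e-community")] = host
    return {"vouch_for": vouch_server, "authenticated": True, "credential": claim["user"]}
```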
260   IBM Tivoli Access Manager for e-business: WebSEAL Administration Guide