Friday, August 12, 2016

OAM - Failover URL, Primary/Secondary, Chained Authentication

In this post, I will talk about the different strategies to configure the failover URL for authentication in case the primary mode of authentication fails.
This also allows you to configure a kind of chained authentication.

1) Failure URL: Via the Application Domain through the authentication policies
The standard way to redirect to a particular URL on authentication or authorization failure is to set the Failure URL value in the Application Domain Protected Resource Policy for authentication (or authorization).


2) Custom Plugin: Via the Authentication Module -> Steps -> Orchestration -> Authentication Plugin -> Java Code.

In the authentication policy that uses LDAPScheme, configure the Failure URL to point to a static JSP/HTML page/URL.
Make sure this is the absolute, full address, e.g. http://server/index.htm.
That static HTML page/URL should itself be protected by another authentication policy, one configured for BasicScheme authentication.

When you attempt to access the protected page (protected by the authentication policy with LDAPScheme), you get a login page. Provide an incorrect username/password and you are redirected to the Failure URL. Because this Failure URL is protected with BasicScheme, you get a dialog box asking for credentials. Once you provide correct credentials, a valid ObSSOCookie is set and you can access the resource.

A custom plugin is needed instead when:
i) a single Failure Redirect URL applies to all resources protected by the authentication scheme, but the requirement is to redirect only in specific cases;
ii) the redirect URL has to be dynamic.

------------------------------Custom Code--------------------------------
// Package names follow the OAM 11g plug-in SDK (oracle.security.am.plugin);
// verify them against the SDK jar shipped with your OAM release.
import oracle.security.am.plugin.ExecutionStatus;
import oracle.security.am.plugin.impl.RedirectionAction;
import oracle.security.am.plugin.impl.RedirectionActionContext;
import oracle.security.am.plugin.impl.RedirectionContextData;
import oracle.security.am.plugin.impl.RedirectionMetaData;

// Inside the plug-in's process() step, once the primary check has failed.
// PAUSE (not FAILURE) tells the OAM server to carry out the attached action.
ExecutionStatus pluginStatus = ExecutionStatus.PAUSE;

// Absolute URL of the fallback resource, e.g. the BasicScheme-protected page.
String redirectURL = "http://server/authfail.htm";
final RedirectionContextData redirectionData = new RedirectionContextData(
        redirectURL, RedirectionMetaData.URL);

// Optional query string carried along with the redirect.
String queryString = "queryParam1=test1;queryParam2=test2";
final RedirectionContextData queryStringData = new RedirectionContextData(
        queryString, RedirectionMetaData.QUERY_STRING);

// Bundle URL and query string into a redirection action and attach it to the status.
RedirectionActionContext redirectionContext = new RedirectionActionContext();
redirectionContext.getContextData().add(redirectionData);
redirectionContext.getContextData().add(queryStringData);
RedirectionAction action = new RedirectionAction(redirectionContext);
pluginStatus.setAction(action);

return pluginStatus;
------------------------------------------------------------------------------

Redirection is triggered from within the custom authentication plug-in code using a RedirectionActionContext (API) object.

Note that the plugin ExecutionStatus must be set appropriately. If ExecutionStatus.FAILURE is set, the redirection will not occur, because this status indicates that the authentication attempt has failed. As a result the OAM Server takes over and attempts to re-authenticate the user, i.e. the user is presented with the login page again.

--------------------------------------------------------------------------------------------------------------------

Example configuration for chained (primary/secondary) authentication:

Authentication Scheme: scheme1 with auth level 2 : primary authentication
Authentication Scheme: scheme2 with auth level 5 : secondary authentication

Application Domain: AppDom1 : protects http://server/index.htm : Auth Scheme : scheme1 : Failure URL : http://server/authfail.htm
Application Domain: AppDom2 : protects http://server/authfail.htm : Auth Scheme : scheme2 : Failure URL : http://server/authfail_2.htm (not needed)
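The following is an added model of the chained flow above (not OAM code and not from the original post): it walks a request through the two Application Domains using the rule that a session authenticated at a given level satisfies any scheme with a lower or equal level, and adds a check that the secondary scheme's level is not below the primary's. The URLs, scheme names, levels and the `authenticate` callback are constructed from the configuration on this page.

```python
from collections import namedtuple
Scheme = namedtuple("Scheme", "name level")           # level: OAM authentication level
Policy = namedtuple("Policy", "scheme failure_url")   # one protected resource's settings
class Session:
    """What the ObSSOCookie carries in this model; level 0 means unauthenticated."""
    def __init__(self):
        self.user, self.level = None, 0

# Constructed from the two Application Domains described on this page.
SCHEME1 = Scheme("scheme1", 2)   # primary
SCHEME2 = Scheme("scheme2", 5)   # secondary
POLICIES = {
    "http://server/index.htm":    Policy(SCHEME1, "http://server/authfail.htm"),
    "http://server/authfail.htm": Policy(SCHEME2, None),   # no Failure URL needed here
}

def request(url, session, authenticate, policies=POLICIES, max_hops=5):
    """Follow one access attempt. authenticate(scheme) stands in for the user's
    credential attempt against that scheme and returns a username or None.
    Returns (granted, url_finally_reached, urls_visited)."""
    visited = [url]
    while len(visited) <= max_hops:          # guard against a Failure URL loop
        policy = policies.get(url)
        if policy is None:                   # unprotected resource: no challenge
            return True, url, visited
        # A session whose level >= the scheme's level is not challenged again.
        if session.level >= policy.scheme.level:
            return True, url, visited
        user = authenticate(policy.scheme)
        if user is not None:
            session.user, session.level = user, policy.scheme.level
            return True, url, visited
        if policy.failure_url is None:       # no secondary step: OAM re-prompts
            return False, url, visited
        url = policy.failure_url             # chain to the secondary scheme
        visited.append(url)
    return False, url, visited

def chain_problems(policies=POLICIES):
    """Secondary page must be protected and its level must not be below the primary's."""
    problems = []
    for res, pol in policies.items():
        nxt = pol.failure_url
        if nxt is None:
            continue
        if nxt not in policies:
            problems.append(f"{res}: Failure URL {nxt} is not protected")
        elif policies[nxt].scheme.level < pol.scheme.level:
            problems.append(f"{res}: secondary level {policies[nxt].scheme.level} below primary level {pol.scheme.level}")
    return problems
```

Because scheme2 carries the higher level, the session created at authfail.htm also satisfies scheme1, so the next request to index.htm is served without another challenge; swap the two levels and chain_problems() reports why the chain would leave the user stuck.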