Using Single Login screen for a chain that has multiple authn modules

This topic contains 5 replies, has 3 voices, and was last updated by  Andy Cory 1 month, 4 weeks ago.

  • #25783
     Kabi Patt 
    Participant

    My authentication chain :-

    (1) Radius Module (Requisite) –> Radius-UserId / Radius-Password
    (2) Ldap Module (Sufficient) –> Ldap-UserId/ Ldap-Password.

    No usability issue for Radius authentication: the user enters Radius-Uid/Radius-Pwd on the Radius-Login screen and gets authenticated.

    But for Ldap authentication, the user goes through two login screens:
    (i) User enters LDAP-Uid/Ldap-Pwd on the Radius-Login screen; this module fails to the next module.
    (ii) Now, the user sees the second LDAP-Login screen and enters Ldap-uid/pwd again to get authenticated.

    I am looking for a solution where the user enters the uid/credential (Radius or LDAP) once in the login screen and the authentication chain takes care of the authentication transparently without invoking a module-specific login screen. How can this be implemented?

    Thanks,
    Kabi

    #25784
     Andy Cory 
    Participant

    You don’t say which OpenAM version. From v6 onwards, you can probably do this with authentication trees. Prior to that, it would probably require a custom module, or at least a custom UI.

    #25785
     Kabi Patt 
    Participant

    Hi Andy,
    The AM version is 6.0.0.4.

    This chain is used for Radius authentication and attached to a Radius client. FR does not support authentication for Radius yet.

    Thanks,
    Kabi

    #25789
     bradley.tarisznyas 
    Participant

    Hi Kabi,

    You can do this via the sharedState to reuse the credentials entered from the 1st module in the 2nd module. Refer to the documentation here:

    https://backstage.forgerock.com/docs/am/6/authentication-guide/#create-authn-chain

    Look at:
    iplanet-am-auth-store-shared-state-enabled
    iplanet-am-auth-shared-state-enabled
    iplanet-am-auth-shared-state-behavior-pattern

    So in your case the RADIUS module would have “iplanet-am-auth-store-shared-state-enabled=true”, and the LDAP module would have “iplanet-am-auth-shared-state-enabled=true” and “iplanet-am-auth-shared-state-behavior-pattern=useFirstPass”.

    Kind Regards
    Brad Tarisznyas

    #25795
     Kabi Patt 
    Participant

    Thank you Brad,
    The solution worked!

    Kabi

    #25827
     Andy Cory 
    Participant

    Good call, Brad – I’d forgotten entirely about shared state!

©2019 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.