User Authentication and Authorization
Authentication definitions configure multifactor authentication using SSL client certificates, SSH keys, user IDs and passwords, client IP addresses, and RSA SecurID as factors. They also enable application outputs to allow you to map attributes, such as login credentials that are returned to a query, to outputs you specify.
The following diagram illustrates interaction between a client application, Sterling External Authentication Server components, and directories accessed through LDAP servers, followed by an explanation of the steps. End users connect securely to the application that acts as a client to Sterling External Authentication Server.
Step | Description |
---|---|
1 | A client application sends a user ID and password to Sterling External Authentication Server, from a user logging in to an application or accessing a destination service. The client authenticates itself to Sterling External Authentication Server and specifies the definitions. If the connection is made, mutual authentication and encryption secure messages through the connection. |
2 | Sterling External Authentication Server references the authentication definition specified by the client application. It includes the LDAP connection definitions, attribute query definitions, attribute assertion definitions, and/or application output definitions required to authenticate and/or authorize the connection. |
3 | Sterling External Authentication Server connects to the LDAP server specified in the authentication definition. The user ID and password from the request is validated and tasks, such as LDAP attribute queries and assertions, are performed to respond to the request. For example, attribute query definitions can include information to locate a user ID entry, validate group membership, and look up login credentials. |
4 | Sterling External Authentication Server uses results to determine if the user should be authenticated to an application or authorized for access to a destination service. When Sterling External Authentication Server authenticates a user as a continuation of certificate validation, information established during certificate validation are available for authentication. |
5 | An authentication definition can include application output definitions to specify how return attributes from a query map to outputs that are passed to the client application. When an application output definition is included, the mapping of return attributes is performed. |
6 | Sterling External Authentication Server sends a response with the results of user authentication. If authentication is successful, the response can include credentials. For example, Sterling External Authentication Server can provide the user ID and password returned from a query in an application output definition as part of the response message. |
7 | If the client application is a proxy for the destination service, it logs in to the destination service with the credentials retrieved by Sterling External Authentication Server. |