Third-party Authentication Token Finder Plug-in
DirX Access supports a third-party authentication token finder for authentication and allows deploying the authentication token finders through a plug-in interface. This plug-in allows assignment of the third-party authentication token to the subject during a successful authentication.
About the Authentication Token Finder for Authentication
Upon successful user authentication, DirX Access can populate the internal representation of a subject with, among other things, arbitrary third-party authentication tokens. This ability is independent of the authentication method used. The token itself remains opaque to DirX Access. If the authentication succeeds, the response to the client contains the retrieved third-party tokens in the form of cookies.
A typical use case for an authentication token finder is the use of LTPA cookies.
The configuration allows mounting a single authentication token finder plug-in for authentication.
This mechanism does not limit the number of tokens that can be supplied to the subject.
It is the responsibility of the authentication token finder plug-in to provide all the wanted tokens, at its own discretion, in the form of a List<ThirdPartyAuthnToken>.
Developing an Authentication Token Finder
This section describes the tasks necessary for developing a custom authentication token finder.
Externalizing Authentication Token Finding from the DirX Access Server
The DirX Access Server allows externalizing authentication token finding during authentication through a plug-in interface.
This method requires creating an authentication token finder that implements the AuthnTokenFinderCallout interface (net.atos.dirx.access.authn.api.callout.AuthnTokenFinderCallout).
The implementing class has to be contained within an exported package of an OSGi bundle.
Employing the Authentication Token Finder
The steps needed to employ the custom callout handler are outlined in the section Employing External Plug-in Modules.
Using the Authentication Token Finder
The following tasks need to be performed to use an authentication token finder. Before starting to configure the DirX Access Server, make sure to run through all the steps in the section Employing External Plug-in Modules.
Prerequisites
To successfully employ the custom authentication token finder, all the steps covered by the section Employing External Plug-in Modules must have been performed. In particular, the OSGi bundle exporting the package that contains the callout implementation has to be installed on the DirX Access Server.
Configuring the Custom Authentication Token Finder at the DirX Access Server
- In DirX Access Manager, go to Configuration | Extension modules.
- Create the callout handler <CalloutIdentifier>:
  - Go to Callout handlers and click the “add” icon to create a new callout handler.
  - Identifier: <CalloutIdentifier>.
  - Description: arbitrary.
  - Type: select AuthnTokenFinderEvents.
  - Class name: enter the fully qualified Java class name of the callout implementation.
  - Click Save.
- In DirX Access Manager, go to Servers | Cluster.
- Select a server identifier for which the custom authentication token finder handler shall be added.
- In the Authentication token finder callout handler identifier drop-down-box in the Authentication Service section, select <CalloutIdentifier>.
- Click Save.
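Once the handler is selected and saved, a successful authentication should return the plug-in's tokens to the client as cookies. The following Python check is an added example, not DirX Access code: it audits Set-Cookie headers captured from a login response for the token cookies the plug-in is expected to supply. The cookie names, the sample headers and the decision to require Secure and HttpOnly are assumptions made for illustration.

```python
# Added example: audit the third-party token cookies in a post-login response.
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie header values captured from the response to a
# successful authentication. Names and values are made up for illustration.
SAMPLE_SET_COOKIE = [
    "LtpaToken2=AAECAwQF; Path=/; Secure; HttpOnly",
    "PartnerToken=eyJhbGciOi; Path=/",
    "JSESSIONID=0000abc; Path=/; Secure; HttpOnly",
]


def audit_token_cookies(set_cookie_headers, expected_names):
    """Return {cookie name: [findings]} for each token the plug-in should supply.

    An empty findings list means the cookie is present and carries both the
    Secure and HttpOnly attributes (an assumed policy, not a product default).
    """
    seen = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # one Set-Cookie header value per call
        for name, morsel in jar.items():
            seen[name] = morsel

    report = {}
    for name in expected_names:
        morsel = seen.get(name)
        if morsel is None:
            # The token finder did not supply this token, or is not mounted.
            report[name] = ["missing from response"]
            continue
        findings = []
        if not morsel["secure"]:
            findings.append("no Secure attribute")
        if not morsel["httponly"]:
            findings.append("no HttpOnly attribute")
        report[name] = findings
    return report


if __name__ == "__main__":
    expected = ["LtpaToken2", "PartnerToken", "OtherToken"]
    for cookie, findings in audit_token_cookies(SAMPLE_SET_COOKIE, expected).items():
        print(cookie, "OK" if not findings else "; ".join(findings))
```

The function reports only on the expected token names, so session cookies such as the constructed JSESSIONID entry are ignored, and it never prints cookie values.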