Out of support: This documentation supports the 8.1 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Authentication chaining


An Authentication Chain is the object used by BMC Atrium Single Sign-On for specifying how authentication is to be performed. A chain can be a single authentication module or a combination of multiple authentication modules. Chaining allows different modules to act as a single authority.

In its simplest form, an authentication chain consists of a single authentication module. A chain can also be a complex combination of multiple authentication modules joined to validate the credentials that are used to authenticate a user. Through chaining, different modules can be merged to appear as a single authority.

For example, if two organizations merge to form a new, single organization, then the authentication system from each organization could be used as a module within a single chain.

  • The effect of combining these modules into this single chain is that the users only provide credentials to a single authority.
  • The chain can be configured to check each of the modules until the user is authenticated.
  • This chaining creates the perception of a merged authority despite the reality of multiple, disparate systems that are actually employed.

Authentication chains allow the combination of authentication modules to process authentication requests. One of the best uses for combining modules is to merge different authentication schemes to appear as a single authentication scheme.

For example, when two departments have their own LDAP servers, these two servers could be put into a single chain and users would appear to validate against a single authority.

The processing of the chain to determine the overall authentication status is controlled by the criteria specified for each of the modules in the chain. The following figure illustrates authentication chaining where authentication modules are tried in an ordered sequence.

Figure: Authentication chaining example

The overall status is successful if all of the Required and Requisite modules pass before either the end of the chain or the first successful Sufficient module. When there are no Required or Requisite modules, then at least one Sufficient or Optional module must authenticate the user. See Managing-authentication-modules.

For the example illustrated above, in which three LDAP servers are combined into a single authority, the chaining process is:

  1. Check with LDAP A
    • Pass: Stop processing and accept user
    • Fail: Proceed to next
  2. Check with LDAP B
    • Pass: Stop processing and accept user
    • Fail: Proceed to next
  3. Check with LDAP C
    • Pass: Stop processing and accept user
    • Fail: Stop processing and reject user

With this configuration, the first LDAP server is presented the user credentials for authentication. If the authentication succeeds, then processing stops with the user being authenticated. If the user is not within the first LDAP server, then the credentials are passed to the second LDAP server. Each server is checked in the sequence specified until either the user passes and is considered successfully authenticated, or the user fails to authenticate and is rejected.
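The following added example (not code from BMC or from this documentation) models the chain evaluation described above: each module carries one of the Required, Requisite, Sufficient or Optional criteria, and the evaluator applies the rule that all Required and Requisite modules must pass before the end of the chain or the first successful Sufficient module, and that otherwise at least one Sufficient or Optional module must pass. The LDAP servers are stood in for by constructed in-memory user stores; the module and chain names are assumptions.

```python
from enum import Enum

class Flag(Enum):
    """Control criteria a module can carry in an authentication chain."""
    REQUIRED = "required"      # must pass; a failure is recorded but the chain keeps going
    REQUISITE = "requisite"    # must pass; a failure stops the chain immediately
    SUFFICIENT = "sufficient"  # a pass ends the chain with success unless a Required module already failed
    OPTIONAL = "optional"      # only decides the outcome when no Required/Requisite module is present

def directory_module(name, flag, users):
    """Build a chain entry backed by a constructed in-memory user store (stands in for an LDAP server)."""
    def authenticate(username, password):
        return users.get(username) == password
    return (name, flag, authenticate)

def evaluate_chain(chain, username, password):
    """Walk the chain in order and return (authenticated, names_of_modules_tried)."""
    controlling = any(flag in (Flag.REQUIRED, Flag.REQUISITE) for _, flag, _ in chain)
    required_failed = False
    any_passed = False
    tried = []
    for name, flag, authenticate in chain:
        tried.append(name)
        if authenticate(username, password):
            any_passed = True
            if flag is Flag.SUFFICIENT and not required_failed:
                return True, tried          # "Pass: stop processing and accept user"
        elif flag is Flag.REQUISITE:
            return False, tried             # hard stop, user rejected without trying later modules
        elif flag is Flag.REQUIRED:
            required_failed = True          # keep checking, but the overall result is already a failure
    if controlling:
        return not required_failed, tried   # every Required/Requisite module must have passed
    return any_passed, tried                # otherwise at least one Sufficient/Optional must have passed

# Constructed sample stores: three LDAP servers merged into one authority, all Sufficient,
# which reproduces the "Pass: stop and accept / Fail: proceed to next" behaviour above.
LDAP_A = {"alice": "a-secret"}
LDAP_B = {"bob": "b-secret"}
LDAP_C = {"carol": "c-secret"}
MERGED_CHAIN = [
    directory_module("LDAP A", Flag.SUFFICIENT, LDAP_A),
    directory_module("LDAP B", Flag.SUFFICIENT, LDAP_B),
    directory_module("LDAP C", Flag.SUFFICIENT, LDAP_C),
]
# Second constructed chain: the corporate directory is Requisite, so an unknown user is rejected
# before the partner directory is ever consulted.
CORP_CHAIN = [
    directory_module("Corp LDAP", Flag.REQUISITE, LDAP_A),
    directory_module("Partner LDAP", Flag.OPTIONAL, LDAP_B),
]
```

Calling `evaluate_chain(MERGED_CHAIN, "bob", "b-secret")` returns `(True, ['LDAP A', 'LDAP B'])`, while an unknown user is tried against all three servers and rejected.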
