[OpenAM] Chained Authentication - single login form

Allan Foster allan.foster at forgerock.com
Tue Dec 28 20:53:14 GMT 2010


Hi Michael

So it turns out that both LDAP and Radius use the password as their key.

So if you use
Username:
Password/Token:

The value of the password will be used for password on LDAP and the
TokenID for radius

Would that work?

Allan

On 12/28/10 12:22, michaelg at virtuall.com wrote:
> Hi Allan,
>
> Thanks for the info.  One question though.  The LDAP authentication uses a
> password but the RADIUS uses a one-time passcode generated from a hard
> token.  As I read what you sent it suggests that the two authentication
> modules utilize the same value for the password.  So what I need to get to
> is a form that prompts for:
>
> user name:  (where username is both the LDAP and the RADIUS username)
> Password:   (password for the LDAP entry)
> Passcode:   (one time pass code for the RADIUS entry)
>
>
> With that will what you suggest still work?
>
> thanks
>
>
>> Hi Michael
>>
>> Yes, you can do this. When you set up the Options for the login modules,
>> in the chain, the following two attributes control passing Credentials
>> between modules:
>>
>> *iplanet-am-auth-shared-state-enabled* - This option enables the use of
>> a shared state map.
>> *iplanet-am-auth-store-shared-state-enabled* - This option enables the
>> storage of credentials to a shared state map.
>> *iplanet-am-auth-shared-state-behavior-pattern* - To prevent a user from
>> having to enter the user identifier and password twice for
>> authentication, set this option to useFirstPass for all modules in the
>> chain (except the first). The default value tryFirstPass would prompt
>> for new credentials if the shared state credentials fail.
>>
>> You will have to enableSharedState and then set the appropriate pattern
>> for your subsequent modules
>>
>> Allan
>>
>> On 12/28/10 11:45, michaelg at virtuall.com wrote:
>>> We are using chained authentication utilizing the LDAP and RADIUS
>>> modules
>>> both requisite.  Works great but we need a single login form rather than
>>> the current two login forms.  Is there a simple configuration change
>>> that
>>> would handle this or do we need to create a custom authentication module
>>> that combines the two?
>>>
>>> thanks
>>> mike
>>> _______________________________________________
>>> OpenAM mailing list
>>> OpenAM at forgerock.org
>>> https://lists.forgerock.org/mailman/listinfo/openam
>>
>> --
>> ForgeRock 	*Allan Foster* VP Technical Enablement
>> e: allan.foster at forgerock.com <mailto:allan.foster at forgerock.com>
>> t: +1.503.334.2546
>> w: www.forgerock.com <http://www.forgerock.com/>
>>
>>
>> The New home for OpenSSO -- OpenAM! It's gonna be BIG!
>>


-- 
ForgeRock 	*Allan Foster* VP Technical Enablement
e: allan.foster at forgerock.com <mailto:allan.foster at forgerock.com>
t: +1.503.334.2546
w: www.forgerock.com <http://www.forgerock.com/>


The New home for OpenSSO -- OpenAM! It's gonna be BIG!
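
Added example, not part of the original thread and not OpenAM code: a simplified Python model of the shared-state options discussed above, showing how many prompts a two-module requisite chain produces and why useFirstPass only succeeds when both back ends accept the same secret. The Module class, run_chain function and all credentials are constructed assumptions; only the option names and the useFirstPass/tryFirstPass values come from the thread.

```python
import hmac

# Simplified model of a two-module requisite chain with a shared state map.
# Not OpenAM code; module behaviour is an assumption based on the thread.
LDAP_DB = {"mike": "ldap-password"}   # constructed sample data
RADIUS_DB = {"mike": "492817"}        # constructed one-time passcode

def check(db, user, secret):
    expected = db.get(user)
    return expected is not None and hmac.compare_digest(expected, secret)

class Module:
    def __init__(self, name, db, store=False, pattern=None):
        self.name, self.db = name, db
        self.store = store      # models iplanet-am-auth-store-shared-state-enabled
        self.pattern = pattern  # models iplanet-am-auth-shared-state-behavior-pattern

    def login(self, shared, prompt):
        """Return (authenticated, prompts_shown)."""
        if self.pattern and "user" in shared:
            if check(self.db, shared["user"], shared["secret"]):
                return True, 0
            if self.pattern == "useFirstPass":
                return False, 0  # shared credentials failed, never re-prompts
            # tryFirstPass falls through and asks the user again
        user, secret = prompt(self.name)
        ok = check(self.db, user, secret)
        if ok and self.store:
            shared.update(user=user, secret=secret)
        return ok, 1

def run_chain(pattern, answers, radius_db=RADIUS_DB):
    """Run LDAP then RADIUS, both requisite; return (success, total_prompts)."""
    chain = [Module("LDAP", LDAP_DB, store=True),
             Module("RADIUS", radius_db, pattern=pattern)]
    shared, prompts = {}, 0
    for module in chain:
        ok, shown = module.login(shared, lambda name: answers[name])
        prompts += shown
        if not ok:
            return False, prompts  # requisite: first failure ends the chain
    return True, prompts

# What the user would type at each module's form (constructed).
ANSWERS = {"LDAP": ("mike", "ldap-password"), "RADIUS": ("mike", "492817")}

if __name__ == "__main__":
    for pattern in (None, "useFirstPass", "tryFirstPass"):
        print(pattern, run_chain(pattern, ANSWERS))
    same = {"mike": "ldap-password"}  # RADIUS accepting the same value as LDAP
    print("same secret", run_chain("useFirstPass", ANSWERS, same))
```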