1.4.4 Modifying Authentication Procedures
When a user requests access to a resource that is protected by a contract, the default
authentication procedure is to redirect the request to the Identity Server under the following conditions:
When a user attempts to connect to a protected resource for the first time.
When the user's session reaches a soft timeout.
When the user's session reaches a hard timeout.
The session hard timeout (Devices > Identity Servers > Edit > Session timeout) is a global setting
that applies to all users. The default value is 60 minutes. The Identity Server passes this value to the
Embedded Service Providers (Access Gateway, SSL VPN, or J2EE agent) and service providers.
When the Access Gateway receives the session hard timeout, it uses the value to calculate a separate
soft timeout that is 66% of the hard timeout (about 40 minutes for the default of 60). The Access
Gateway uses the soft timeout as a trigger to inform the Identity Server that the session is still active.
When the Access Gateway gets a request from a browser after the soft timeout expires, but
before the hard session timeout, the Access Gateway attempts to renew the session with the
Identity Server. This is done by redirecting the browser to the Identity Server. After the session
renewal request, the Identity Server redirects back to the Access Gateway and the session has
new soft and hard timeout values.
When the Access Gateway receives a request after the hard timeout has expired, the Access
Gateway allows the user to create a new session by redirecting the browser to the Identity
Server, where the user is prompted to re-authenticate. After this re-authentication, the browser
is redirected back to the Access Gateway and the session has new timeout values.
Some applications, such as AJAX and WebDAV applications, do not allow redirection for
authentication. You can use non-redirected login to change the default authentication behavior of
Access Manager so that redirection does not occur. When non-redirected login is enabled, the
Access Gateway prompts the user to supply basic authentication credentials. The SOAP back
channel between the Access Gateway and the Identity Server is then used to complete the
authentication on the user's behalf. The SOAP back channel, rather than a redirect, is also used for
the session renewals.
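The timeout and renewal behaviour described above, including the non-redirected login variant, as an added example in Python that is not part of the Access Manager product or of this guide: it models the decision the Access Gateway makes on each request (serve, renew, or re-authenticate) and replays a client that requests a protected resource at a fixed interval, which shows which intervals keep a session alive without re-authentication. The 66% ratio and the 60-minute default come from the text; the inclusive boundary comparisons, the names Session, handle_request and simulate, and the sample request intervals are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# Values from the guide: the hard timeout is a global Identity Server setting
# (default 60 minutes); the Access Gateway derives the soft timeout as 66% of it.
DEFAULT_HARD_TIMEOUT_MIN = 60.0
SOFT_FRACTION = 0.66


class Action(Enum):
    SERVE = "serve"                      # session valid, no Identity Server contact
    RENEW_REDIRECT = "renew-redirect"    # past soft timeout: redirect browser to Identity Server
    RENEW_SOAP = "renew-soap"            # past soft timeout, non-redirected login: SOAP back channel
    REAUTH_REDIRECT = "reauth-redirect"  # past hard timeout: redirect to Identity Server login
    REAUTH_BASIC = "reauth-basic"        # past hard timeout, non-redirected login: basic-auth prompt


@dataclass(frozen=True)
class Session:
    """An Access Gateway view of one user session; all times are minutes."""
    created: float                               # when the session was (re)established
    hard_timeout: float = DEFAULT_HARD_TIMEOUT_MIN

    @property
    def soft_timeout(self) -> float:
        return self.hard_timeout * SOFT_FRACTION   # 39.6 min for the 60 min default

    def soft_expired(self, now: float) -> bool:
        # Assumption: a request exactly on the boundary counts as expired
        # (the guide does not state how the boundary is handled).
        return now >= self.created + self.soft_timeout

    def hard_expired(self, now: float) -> bool:
        return now >= self.created + self.hard_timeout


def handle_request(session: Session, now: float, non_redirected: bool = False):
    """Decide what the Access Gateway does with a request arriving at `now`.

    Returns (action, session_after). Both renewal and re-authentication yield a
    session with fresh soft and hard timeout values, as the guide describes.
    """
    if session.hard_expired(now):
        action = Action.REAUTH_BASIC if non_redirected else Action.REAUTH_REDIRECT
        return action, Session(created=now, hard_timeout=session.hard_timeout)
    if session.soft_expired(now):
        action = Action.RENEW_SOAP if non_redirected else Action.RENEW_REDIRECT
        return action, Session(created=now, hard_timeout=session.hard_timeout)
    return Action.SERVE, session


def simulate(interval: float, horizon: float, non_redirected: bool = False,
             hard_timeout: float = DEFAULT_HARD_TIMEOUT_MIN):
    """Replay a client that authenticates at t=0 and then sends one request
    every `interval` minutes; return the action taken for each request."""
    session = Session(created=0.0, hard_timeout=hard_timeout)
    actions = []
    t = interval
    while t <= horizon:
        action, session = handle_request(session, t, non_redirected)
        actions.append(action.value)
        t += interval
    return actions


if __name__ == "__main__":
    # A client polling every 31 minutes never arrives inside the renewal window
    # (39.6 to 60 min), so its second request hits the hard timeout and must
    # re-authenticate even though it was never idle for a full hour.
    print("every 31 min:", simulate(31, 120))
    # A client polling every 20 minutes lands in the window on every other
    # request and is renewed silently for as long as it keeps polling.
    print("every 20 min:", simulate(20, 120))
    # With non-redirected login the same renewals go over the SOAP back channel.
    print("every 20 min, non-redirected:", simulate(20, 120, non_redirected=True))
```

The point the replay makes is that a request is only a renewal trigger if it arrives after the soft timeout; requests before it are served without contacting the Identity Server and do not extend the session, so an application that polls less often than the renewal window is wide will be sent back to the login page.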
Non-redirected login has the following restrictions:
Password Expiration Services: When you modify the authentication procedures to use
non-redirected login, you cannot also use a password expiration service. Even when the Password
expiration servlet and Allow user interaction options are configured, users are not redirected
when their passwords are expiring and they are not prompted to change their passwords.
Locked Shared Secrets: When non-redirected login is enabled, users are not prompted for
their passphrase for locked shared secrets.
Session Limits: Non-redirected login can cause the user to create more than one session with
the Identity Server because the SOAP back channel uses a different process than authentication
requests that are directed to the Identity Server. Therefore, do not limit your users to one
session. Session limits are set by clicking Devices > Identity Servers > Edit.
To modify the authentication procedures:
1 Click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] >
Protected Resources > [Name of Protected Resource].
Novell Access Manager 3.1 SP1 Access Gateway Guide