184 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
b. WebSEAL intercepts the request and returns a redirect to a customized
login.html response page. The login.html page is customized to contain a
submit link to the external authentication application. Alternatively,
WebSEAL can be configured to redirect all requests for pages (including
the login page) directly to a page generator which is part of the EAI
application.
Note that the EAI application is accessed over a junction and must be
available to unauthenticated users. An appropriate Access Manager
security policy (for example, an ACL attached to the junction) needs to be
configured to allow unauthenticated users to access this page.
c. The user provides login information (user name and password) on the
form and clicks the submit link to send the data to the external
authentication application.
2. Authentication request.
The process of authentication might require a number of exchanges between
the external authentication application and the client. Exchanges are
streamed through (not intercepted) by WebSEAL.
The final authenticating request to the external authentication application
must be directed to a distinct URL. This POST URL is configured in WebSEAL as
an EAI trigger URL because the EAI might return an authenticated identity in
response to this POST.
In this case, the EAI application does not return an EAI message. Instead it
has decided that this user must also provide some secondary authentication,
so it returns another form to the client. WebSEAL sees that this is not an EAI
message so it is forwarded to the client.
3. Authentication response.
The client completes the additional challenge and again POSTs it to the EAI
application (via WebSEAL). WebSEAL again matches a trigger URL. This time
authentication is complete and so the EAI application responds with an EAI
message that contains the authenticated identity.
4. WebSEAL uses the authentication data to build a credential for the user.
WebSEAL spots the EAI message and processes the identity information it
contains to build an authenticated session. The user is now authenticated and
can be directed to the resource they originally requested.
5. WebSEAL sends a response to the user following the algorithm illustrated in
Figure 5-3.
a. If automatic redirection is enabled, the user is redirected to the location
specified in the WebSEAL configuration file.
b. If the initial request was cached, the request is reprocessed for the user.
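The whole exchange above, modelled end to end in plain Python as an added example (this is not IBM code and not part of the study guide). Both sides are present: a junctioned EAI application that needs two POSTs before it issues an EAI message, and a minimal WebSEAL stand-in that redirects unauthenticated users, streams the junction's responses through untouched, inspects only responses to a trigger URL, and builds a session from the asserted identity. Assumptions not stated on the page are labelled in the code: the trigger URL is modelled as a `[eai-trigger-urls]` wildcard entry, the identity header name is `am-eai-user-id` (the documented WebSEAL default), and the users, passwords, one-time code and URL paths are all constructed for the example.

```python
"""Two-step EAI exchange modelled in plain Python (added example, not IBM code).

Assumed, not stated on the page: trigger URLs are configured in webseald.conf
under [eai-trigger-urls] as `trigger = /eai/login` (modelled as a wildcard
match), and the identity header is `am-eai-user-id`, WebSEAL's documented
default.  Users, passwords, the second-factor code and paths are constructed.
"""
import hmac
import re
import secrets
from fnmatch import fnmatch

EAI_JUNCTION = "/eai/"                 # constructed junction point of the EAI app
LOGIN_URL = "/eai/login"               # constructed final POST URL of the EAI app
TRIGGER_URLS = ["/eai/login"]          # constructed [eai-trigger-urls] entry
EAI_USER_ID_HEADER = "am-eai-user-id"  # assumed default identity header name

# Constructed user store: user -> (password, expected second-factor code).
USERS = {"alice": ("s3cret", "424242")}


class EaiApp:
    """The junctioned external authentication application (steps 2 and 3)."""

    def __init__(self):
        self.pending = {}  # challenge token -> user whose password already passed

    def handle(self, method, path, form):
        """Return (status, headers, body) for a request WebSEAL streamed through."""
        if method != "POST" or path != LOGIN_URL:
            return 404, {}, "not found"
        if "challenge" in form:
            # Step 3: the secondary challenge comes back; consume the token (single use).
            user = self.pending.pop(form["challenge"], None)
            if user is None or not hmac.compare_digest(form.get("code", ""), USERS[user][1]):
                return 401, {}, "challenge failed"
            # Authentication complete: the EAI message is carried in this response header.
            return 200, {EAI_USER_ID_HEADER: user}, ""
        # Step 2: the first POST carries user name and password.
        user, pw = form.get("username"), form.get("password", "")
        if user not in USERS or not hmac.compare_digest(pw, USERS[user][0]):
            return 200, {}, "<p>bad credentials</p>"  # ordinary page, no EAI headers
        token = secrets.token_hex(16)
        self.pending[token] = user
        # Password OK but a second factor is required: another form, again no EAI headers.
        return 200, {}, (f'<form method="POST" action="{LOGIN_URL}">'
                         f'<input type="hidden" name="challenge" value="{token}">'
                         f'<input name="code"></form>')


def challenge_token(body):
    """Pull the hidden challenge token out of the second-factor form."""
    m = re.search(r'name="challenge" value="([0-9a-f]+)"', body)
    return m.group(1) if m else None


def is_trigger_url(path):
    """WebSEAL inspects responses for EAI headers only on these URLs."""
    return any(fnmatch(path, pattern) for pattern in TRIGGER_URLS)


class WebSeal:
    """WebSEAL stand-in: redirect, stream, watch trigger URLs, build the session."""

    def __init__(self, app):
        self.app = app
        self.sessions = {}        # session id -> authenticated user
        self.cached_request = {}  # session id -> URL requested before login

    def request(self, session_id, method, path, form=None):
        form = form or {}
        if path.startswith(EAI_JUNCTION):
            # The ACL on the EAI junction permits unauthenticated access.
            return self._forward(session_id, method, path, form)
        if session_id not in self.sessions:
            # Step 1: cache the original request and send the client to the login form.
            self.cached_request[session_id] = path
            return 302, {"Location": LOGIN_URL}, ""
        return 200, {}, f"protected {path} for {self.sessions[session_id]}"

    def _forward(self, session_id, method, path, form):
        status, headers, body = self.app.handle(method, path, form)
        if not (is_trigger_url(path) and EAI_USER_ID_HEADER in headers):
            return status, headers, body  # not an EAI message: streamed to the client unchanged
        # Step 4: EAI message on a trigger URL -> build the session from the asserted identity.
        self.sessions[session_id] = headers[EAI_USER_ID_HEADER]
        client_headers = {k: v for k, v in headers.items() if not k.startswith("am-eai-")}
        # Step 5: replay the cached request if there is one, otherwise send the user to the root.
        client_headers["Location"] = self.cached_request.pop(session_id, "/")
        return 302, client_headers, ""
```

Two points the model makes visible. Only a response to a trigger URL can create a session, so the trigger list limits which junctioned URLs are allowed to assert an identity; a page behind the same junction that is not a trigger URL has its headers streamed through but never turned into a credential. Conversely, anything able to answer on a trigger URL is trusted to name any user, so the EAI junction must carry the same protection as the WebSEAL instance itself, and the challenge token is consumed on first use so a captured second-factor POST cannot be replayed.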