IM Developer Guide – Authentication Filter

About this guide

This document gives an overview of the installation of PhenixID Identity Manager. Additional information can be found on the PhenixID website or through PhenixID support.

Summary

This document explains the Authentication Filter in PhenixID Identity Manager. It is assumed that the reader is familiar with both Identity Manager and Identity Manager Configurator. The document is part of a collection of documents explaining how to extend and customize Identity Manager. In addition, Javadoc and sample code are available.

Where an abstract base class is mentioned, it is assumed that it is used when developing custom code.
First-time readers are recommended to read the overview document, IM Developer Overview.

Definition

An Authentication Filter is linked to the actual authentication in IM.

Overriding the standard authentication mechanism requires developing an Authentication Filter.

Developing Authentication Filter

An Authentication Filter is a Java class. The required source level is version 8. An Authentication Filter must implement se.nordicedge.interfaces.CustomAuthenticate.

A base class is provided through:

se.nordicedge.auth.CustomAuthenticateBase

Flow of Execution

  • IM first calls authenticate. Custom logic for authenticating the user is placed here.
  • Then IM calls isAuthenticated.
    • If the user is not authenticated, getRedirect is called. Execution ends.
    • If the user is authenticated, getUserFullDN is called.
      • If getUserFullDN is empty, getUserName is called.
      • If getUserName is also empty, getRedirect is called.
      • If getUserName is not empty, IM tries to find the user's full DN based on policies set in DSEditor.properties.
        • If no user is found, getRedirect is called.
      • If getUserFullDN is not empty and the object DN exists, the administrator is logged in.
  • The logout method is called when the administrator clicks logout on the screen or the session times out.
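
The flow above, modelled as a small stand-alone program so that each outcome can be checked before writing a real filter. This is an added example, not PhenixID code: FilterModel, DIRECTORY, the redirect target and the sample users are hypothetical, the method signatures are assumed (only the method names come from this guide), and a non-empty DN that does not exist is treated as a redirect, which the guide does not state.

```java
import java.util.Collections;
import java.util.Map;

public class AuthFilterFlowDemo {
    // Hypothetical stand-in. Method names are from this guide; the signatures are
    // assumed. The real interface is se.nordicedge.interfaces.CustomAuthenticate.
    interface FilterModel {
        void authenticate(); boolean isAuthenticated();
        String getUserFullDN(); String getUserName(); String getRedirect();
    }

    // Constructed sample directory (user name -> full DN), standing in for the DSEditor.properties search.
    static final Map<String, String> DIRECTORY =
            Collections.singletonMap("alice", "cn=alice,ou=admins,o=example");
    static boolean empty(String s) { return s == null || s.trim().isEmpty(); }

    // Returns "LOGIN <dn>" or "REDIRECT <target>", calling the filter in the documented order.
    static String run(FilterModel f) {
        f.authenticate();
        if (!f.isAuthenticated()) return "REDIRECT " + f.getRedirect();
        String dn = f.getUserFullDN();
        if (empty(dn)) {
            String name = f.getUserName();
            if (empty(name)) return "REDIRECT " + f.getRedirect();
            dn = DIRECTORY.get(name);            // IM resolves the full DN from the user name
            if (dn == null) return "REDIRECT " + f.getRedirect();
        } else if (!DIRECTORY.containsValue(dn)) {
            // Assumption: the guide does not say what happens here; the model fails closed.
            return "REDIRECT " + f.getRedirect();
        }
        return "LOGIN " + dn;
    }

    // Builds a filter model that reports fixed values (constructed test input).
    static FilterModel fixed(final boolean ok, final String dn, final String name) {
        return new FilterModel() {
            public void authenticate() { /* the custom credential check would run here */ }
            public boolean isAuthenticated() { return ok; }
            public String getUserFullDN() { return dn; }
            public String getUserName() { return name; }
            public String getRedirect() { return "/login-failed"; }
        };
    }

    public static void main(String[] args) {
        String dn = DIRECTORY.get("alice");
        FilterModel[] cases = { fixed(false, dn, "alice"), fixed(true, "", ""),
                fixed(true, "", "bob"), fixed(true, "", "alice"), fixed(true, dn, "") };
        for (FilterModel f : cases) System.out.println(run(f));
    }
}
```

Only the last two cases log in. Whatever isAuthenticated, getUserFullDN and getUserName return is what IM acts on, so the custom check in authenticate is the only place credentials are verified.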

Configuration

Configuration is done by setting the policy SERVLET_AUTHENTICATION_FILTER in DSEditor.properties.

SERVLET_AUTHENTICATION_FILTER=mypackage.MyCustomAuth

There can only be one Authentication Filter configured for every IM instance.