A typical Access Manager Appliance configuration includes an Identity Server with LDAP directories and an Access Gateway with a protected web server. Figure 2-3 illustrates the process flow that allows an authorized user to access the protected resource on the web server.
Figure 2-3 Accessing a Web Resource
The user requests access to a resource protected by Access Gateway.
Access Gateway redirects the user to Identity Server, which prompts the user for a username and password.
Identity Server verifies the username and password against an LDAP directory (eDirectory, Active Directory, or Sun ONE).
Identity Server returns an authentication success to the browser and the browser forwards the resource request to Access Gateway.
Access Gateway verifies that the user is authenticated and retrieves the user’s credentials from Identity Server.
Access Gateway uses an Identity Injection policy to insert the basic authentication credentials in the HTTP header of the request and sends it to the web server.
The web server grants access and sends the requested page to the user.
When you are setting up Access Gateway to protect web resources, you create and configure reverse proxies, proxy services, and protected resources. The following figure illustrates the hierarchy of these modules and the major configuration tasks you perform on each module.
Figure 2-4 Access Gateway Modules and Their Configuration Options
This hierarchy allows you to have precise control over what is required to access a particular resource, and also allows you to provide a single sign-on solution for all the resources protected by Access Gateway. The authentication contract, authentication procedure, Authorization policy, Identity Injection policy, and Form Fill policy are configured at the resource level so that you can enable exactly what the resource requires. This allows you to decide where access decisions are made:
You can configure Access Gateway to control access to the resource.
You can configure the web server for access control and configure Access Gateway to supply the required information.
You can use the first method for some resources and the second method for other resources or use both methods on the same resource.