User-password authentication overview
When CyberArk Identity authenticates a user to a user-password web application, CyberArk Identity creates an HTML response for the user session that satisfies the requirements of the web application and presents necessary information about the current user. The following figure shows user-password authentication steps. Step descriptions follow.
- The user clicks the web application in the user portal .
- The user portal notifies CyberArk Identity that the user wants a session with the web application.
Applicationobject that contains the properties of the web application as they’re defined in the web application profile. Those properties are defined using the generic user-password application template and include the application name, the URL, the icon, and others that appear in the template in the Identity Administration portal. The
Applicationobject is a read-only object. A script reads its properties through the object’s
LoginUserobject that contains information about the user identity used to log onto the service provider: the web application log-on user name (which is not necessarily the User Portal login user name) and so on. This is a read-write object that may be altered before it’s used later in the custom user-password script to set the user name and password in the HTML response.
responseobject that defines the elements of the HTML response that CyberArk Identity builds to send to the web application. The
responseobject is a read/write object that the custom user-password script sets using the object’s
CyberArk Identity determines the web application log-on user name and password as specified in the generic user-password application template.The template specifies any one of these four methods:
CyberArk Identity checks the user’s Active Directory user record through the connector and retrieves the specified attribute as the application user name. It prompts the user for the password. CyberArk Identity then assigns the user name to the
LoginUser.Usernameproperty and the password to the
CyberArk Identity caches the returned user-name attribute so that it doesn’t have to retrieve it again from Active Directory for later identical queries. CyberArk Identity also stores the password locally so the user need not enter it again for future user sessions with this application.
- CyberArk Identity reads the shared single user name and password specified in the template and assigns them to
CyberArk Identity prompts the user for the web application log-on user name and password and assigns them to
CyberArk Identity stores the user name and password locally so the user need not enter them again for future sessions with this application.
CyberArk Identity executes the user map script set in the template, which creates a user name and assigns it to
LoginUser.Username. The script may also create an optional password and assign it to
CyberArk Identity prompts the user for a password in any case. If the script doesn’t create its own password, CyberArk Identity writes the entered password to
LoginUser.Passwordand also stores the password locally so that the user need not enter it again for future sessions with this application. If the script creates its own password, CyberArk Identity ignores the user’s entered password.
CyberArk Identity executes the custom user-password script to specify an HTML response for the user session.
The script must include all the HTML response fields required by the web application and must provide appropriate values for those fields. Most applications require only a user field and a password field, but a few may require additional fields. The script uses
response.AddFormField()to define the elements in the private assertion object.
- CyberArk Identity creates an HTML response based on the properties of the
CyberArk Identity sends the HTML response to the user portal (or the browser running it). The HTML response includes a redirection that instructs the user portal to send the response to the web application at the URL specified in the web application’s profile.
The profile must contain a standard URL (set in the URL field of the generic user-password application template) and may also contain a mobile URL (set in the Mobile URL field). If the request for connection comes from a mobile device, CyberArk Identity redirects the HTML response to the mobile URL if one exists, otherwise CyberArk Identity redirects the response to the standard URL. If the request for connection is not from a mobile device, CyberArk Identity redirects the response to the standard URL.
- The user portal sends the HTML response to the specified URL.
- The web application reads the HTML response and then (if the response checks out) logs the user onto the web application.