Identity Only Authentication

Identity-only verification means that the Cúram authentication mechanism checks only that the user name of the user who is logging in exists in the Cúram Users database table. Full authentication, including any password verification, must be completed by an alternative mechanism that is configured in the application server.

Authentication can be configured to perform identity-only verification, in place of the default verifications listed in Default Verification Process.

An example of an alternative mechanism is a Lightweight Directory Access Protocol (LDAP) directory server, which is supported as an authentication mechanism by WebSphere® Application Server, WebLogic Server, and WebSphere Liberty. Other alternatives are a Single Sign-On (SSO) solution or a custom login module. For custom application server solutions, consult the IBM or Oracle documentation.

With identity-only authentication (as for default authentication), entries are added to the AuthenticationLog database table at the end of the authentication process.

For a successful login the following status is used:

  • AUTHONLY

For a failure scenario, the following status is used:

  • BADUSER

    This is the only possible failure scenario: the user name does not exist in the Cúram Users database table.

The loginFailures and lastLogin fields of the AuthenticationLog are not set. This is true even if customized verifications are implemented, so any reporting or controls that depend on those fields must be provided by the alternative mechanism rather than by Cúram.

When password expiry information is set for a user (on the Cúram Users database table), a warning is displayed when the password is about to expire. With identity-only authentication this warning is misleading, because Cúram does not verify the password. Do not use fields that relate to the authentication verifications, such as password expiry or account enabled, when identity-only authentication is enabled.

When identity-only authentication is enabled, Cúram security is not used for authentication but is still used for authorization. As a result, every user who requires access to the application must still exist in both the Cúram Users database table and the alternative authentication mechanism, for example, Lightweight Directory Access Protocol (LDAP).

Note: Two users must exist in both locations, that is, the SYSTEM user and the DBTOJMS user. For more information, see Security for Alternative Clients.
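The following example, added here and not part of the Cúram product or its documentation, models the behaviour described in the two preceding paragraphs: the Cúram-side check is only a user-name lookup, the AuthenticationLog receives AUTHONLY or BADUSER with loginFailures and lastLogin left unset, and both identity stores must hold the same users, including SYSTEM and DBTOJMS. The Users and AuthenticationLog schemas, the column names, and the user lists are simplified assumptions constructed for the example, not the real Cúram schema; the LDAP directory is represented by a plain set.

```python
"""
Constructed model of identity-only authentication and the Users/LDAP
reconciliation check it requires. Example code added for this page, not
Cúram's own implementation; table and column names are simplified
assumptions, not the real Cúram schema.
"""
import sqlite3
from datetime import datetime, timezone

# Both stores must hold these two accounts (see the Note above).
MANDATORY_USERS = ("SYSTEM", "DBTOJMS")

# Constructed contents of the alternative mechanism (e.g. an LDAP directory).
# DBTOJMS is deliberately absent so the mandatory-user check has something to report.
LDAP_USERS = {"SYSTEM", "caseworker1", "supervisor1", "contractor9"}

# Constructed contents of the Cúram Users table. legacyuser has no LDAP entry.
CURAM_USERS = ["SYSTEM", "DBTOJMS", "caseworker1", "supervisor1", "legacyuser"]


def build_db():
    """Create an in-memory database with assumed (simplified) Users and
    AuthenticationLog tables and load the constructed Cúram users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users (userName TEXT PRIMARY KEY);
        CREATE TABLE AuthenticationLog (
            id            INTEGER PRIMARY KEY AUTOINCREMENT,
            userName      TEXT NOT NULL,
            status        TEXT NOT NULL,      -- AUTHONLY or BADUSER
            timeEntered   TEXT NOT NULL,
            loginFailures INTEGER,            -- never set under identity-only
            lastLogin     TEXT                -- never set under identity-only
        );
    """)
    conn.executemany("INSERT INTO Users (userName) VALUES (?)",
                     [(u,) for u in CURAM_USERS])
    conn.commit()
    return conn


def identity_only_authenticate(conn, username):
    """The only Cúram-side verification: does the user name exist in Users?
    Writes the AuthenticationLog entry and returns its status. No password is
    checked here; that is the application server's (LDAP/SSO) job. loginFailures
    and lastLogin are deliberately left NULL, as the page states."""
    exists = conn.execute(
        "SELECT 1 FROM Users WHERE userName = ?", (username,)).fetchone()
    status = "AUTHONLY" if exists else "BADUSER"
    conn.execute(
        "INSERT INTO AuthenticationLog (userName, status, timeEntered) VALUES (?, ?, ?)",
        (username, status, datetime.now(timezone.utc).isoformat()))
    conn.commit()
    return status


def reconcile(conn, ldap_users):
    """Compare the two identity stores. A user missing from either side cannot
    log in: missing in LDAP means the application server rejects them; missing
    in Cúram means they pass LDAP but get BADUSER and have no authorization data."""
    curam = {row[0] for row in conn.execute("SELECT userName FROM Users")}
    return {
        "missing_in_ldap": sorted(curam - ldap_users),
        "missing_in_curam": sorted(ldap_users - curam),
        "mandatory_missing": sorted(
            u for u in MANDATORY_USERS if u not in curam or u not in ldap_users),
    }


def bad_user_counts(conn):
    """Because loginFailures is not maintained under identity-only, the only
    Cúram-side signal of repeated failures is the count of BADUSER log rows."""
    rows = conn.execute(
        "SELECT userName, COUNT(*) FROM AuthenticationLog "
        "WHERE status = 'BADUSER' GROUP BY userName")
    return {name: n for name, n in rows}


def unmaintained_fields_untouched(conn):
    """True if no AuthenticationLog row has loginFailures or lastLogin set."""
    row = conn.execute(
        "SELECT COUNT(*) FROM AuthenticationLog "
        "WHERE loginFailures IS NOT NULL OR lastLogin IS NOT NULL").fetchone()
    return row[0] == 0


if __name__ == "__main__":
    conn = build_db()
    for name in ("caseworker1", "contractor9", "contractor9"):
        print(name, "->", identity_only_authenticate(conn, name))
    print(reconcile(conn, LDAP_USERS))
    print(bad_user_counts(conn))
```

Running the script shows contractor9 receiving BADUSER on every attempt without loginFailures changing, and the reconciliation report listing DBTOJMS as missing from the directory, which is exactly the misconfiguration the Note above warns against.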

For more information on how to configure identity-only authentication for an application server, see Configuring Identity Only Authentication.

Figure 1. Identity Only Authentication (processing flow diagram)