Stacking Login Modules to Allow for DCN in Packages Using SSO Login Modules

All DCN operations require the "SUP DCN User" logical role in the named security configuration (role mapping applies).

An additional login module with authorization that can assign a physical role is required. Module stacking authenticates DCN users and grants them the DCN role. The ordering of modules and the control flag settings in the security configuration can vary. For example:

  1. HttpAuthenticationLoginModule – the CertificateAuthenticationLoginModule is first in the list with the controlFlag set to "sufficient". If authentication succeeds, no other login modules are called unless their controlFlags are set to "required".
  2. If CertificateAuthenticationLoginModule is used to authenticate mobile users, stack another login module for the DCN user because the DCN user does not have a "certblob" credential with the X.509 certificate.
    1. Set the CertificateAuthenticationLoginModule's controlFlag to "sufficient", and order it first in the stack. This sequence allows normal device users to authenticate quickly.
    2. Choose any other username/password-based login module to stack with its controlFlag set to "optional" (or "sufficient"). If this login module does not include an authorizer that can retrieve roles, use the csi-userrole provider.
      For example, if a DCN includes one DCN technical user, it requires only one role mapping, from "SUP DCN User" to user:dcnTechnicalUser.
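
The stack described above can be traced with a small model. This is an added example, not SAP code: it simplifies control-flag evaluation to the behavior stated in item 1, the password module name and the credentials are constructed, and the `user:` role returned on password login stands in for the csi-userrole provider.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

DCN_ROLE = "SUP DCN User"
# Role mapping from the page: logical role -> physical role.
ROLE_MAPPING = {DCN_ROLE: {"user:dcnTechnicalUser"}}
# Constructed credential store for the username/password module.
PASSWORDS = {"dcnTechnicalUser": "constructed-secret"}

@dataclass
class Module:
    name: str
    control_flag: str                        # "sufficient", "optional" or "required"
    login: Callable[[dict], Optional[set]]   # physical roles, or None on failure

def cert_login(creds):
    # Succeeds only when the caller presents a "certblob" credential.
    return set() if "certblob" in creds else None

def password_login(creds):
    user, pw = creds.get("username", ""), creds.get("password", "")
    if user in PASSWORDS and hmac.compare_digest(PASSWORDS[user], pw):
        return {"user:" + user}   # models the csi-userrole provider (assumption)
    return None

STACK = [
    Module("CertificateAuthenticationLoginModule", "sufficient", cert_login),
    Module("HypotheticalPasswordLoginModule", "optional", password_login),
]

def authenticate(stack, creds):
    """Return (authenticated, physical_roles, modules_called)."""
    called, roles = [], set()
    ok = short_circuit = required_failed = False
    for m in stack:
        if short_circuit and m.control_flag != "required":
            continue   # after a "sufficient" success only "required" modules run
        called.append(m.name)
        granted = m.login(creds)
        if granted is None:
            required_failed |= m.control_flag == "required"
            continue
        roles |= granted
        ok = True
        short_circuit |= m.control_flag == "sufficient"
    return ok and not required_failed, roles, called

def has_logical_role(physical_roles, logical_role):
    return bool(ROLE_MAPPING.get(logical_role, set()) & physical_roles)
```

A device user with a certblob is authenticated by the first module alone and never receives the DCN role; the DCN technical user fails the certificate module, authenticates through the stacked password module, and passes the "SUP DCN User" check through the single role mapping.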