How User Authentication Is Conveyed between DSAs

In a networked system of DSAs, a user can bind to a DSA, and then request information that is held on another DSA. You can use the Trust conveyed originator option to permit the first DSA to convey the user's authentication to the second DSA.
The following steps provide a high-level overview of how user authentication is conveyed between DSAs:
  1. A user binds to a DSA. The bind request includes the user's DN, and the user's credentials.
  2. The DSA authenticates the user.
  3. The user makes another request that the current DSA cannot fulfill.
  4. The DSA passes the request to another DSA that can fulfill the request. The request includes the user's DN and authentication.
  5. The receiving DSA must decide whether to trust the user's authentication. To do this, it checks its own configuration entry for the first DSA for the Trust conveyed originator option.
  6. If the receiving DSA finds the Trust conveyed originator option, it accepts the request. Even though the user was authenticated on the first DSA, the user is treated as if it had been authenticated on the second.
  7. The receiving DSA uses the DN of the originating user to determine what access controls to apply to the request.
Example: Convey User Authentication
In this example, a client is connecting to one DSA and requesting information from a second DSA. Rather than repeat user authentication, the UNSPSC DSA can be configured to trust all user authentication being passed by the Democorp DSA. To do this, the UNSPSC DSA's configuration includes the Trust conveyed originator option.
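The following is an added model of the decision in steps 5 to 7 above; it is example code, not CA Directory code. The flag string "trust-conveyed-originator", the DNs, and the fallback of handling an untrusted conveyed originator as anonymous are assumptions of the model.

```python
# Added model of the conveyed-originator decision between two DSAs. Not CA
# Directory code: the flag name "trust-conveyed-originator" and the fallback
# (untrusted conveyed originator handled as anonymous) are assumptions.
from dataclasses import dataclass, field


@dataclass
class Request:
    originator_dn: str     # DN from the user's bind (step 1)
    authenticated_by: str  # name of the DSA that actually checked the credentials
    target: str            # DN of the entry the user wants to read


@dataclass
class DSA:
    name: str
    entries: dict                                  # entry DN -> DN allowed to read it
    knowledge: dict = field(default_factory=dict)  # peer DSA name -> set of trust flags
    peers: list = field(default_factory=list)      # DSA objects this DSA can chain to

    def effective_dn(self, req):
        # Steps 5-6: a conveyed identity counts only if THIS DSA's own knowledge
        # entry for the sending DSA carries the trust flag; the sender's opinion
        # of itself is never consulted.
        if req.authenticated_by == self.name:
            return req.originator_dn
        if "trust-conveyed-originator" in self.knowledge.get(req.authenticated_by, set()):
            return req.originator_dn
        return None  # treated as anonymous (assumption, see header comment)

    def read(self, req):
        if req.target not in self.entries:
            # Steps 3-4: chain the request onward, DN and authentication included.
            for peer in self.peers:
                if req.target in peer.entries:
                    return peer.read(req)
            return "noSuchObject"
        # Step 7: access control is evaluated on the effective DN.
        allowed = self.effective_dn(req) == self.entries[req.target]
        return "ok" if allowed else "insufficientAccessRights"


def run_scenario(unspsc_trusts_democorp):
    user = "cn=Alice,o=Democorp,c=AU"  # constructed DN, already authenticated by Democorp (steps 1-2)
    democorp = DSA("Democorp", {})
    unspsc = DSA("UNSPSC", {"cn=Codes,o=UNSPSC,c=AU": user})
    if unspsc_trusts_democorp:
        unspsc.knowledge["Democorp"] = {"trust-conveyed-originator"}
    democorp.peers.append(unspsc)
    return democorp.read(Request(user, "Democorp", "cn=Codes,o=UNSPSC,c=AU"))
```

Running `run_scenario(True)` returns "ok", while `run_scenario(False)` returns "insufficientAccessRights", because UNSPSC then evaluates access control for an anonymous originator rather than for Alice.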