18.5.1. How Authentication and Authorization plugins work

If a Connection Policy has an Authentication and Authorization plugin (AA plugin) configured, then PSM executes the plugin as the last step of the connection authorization phase. PSM can request the client to perform other types of authentication before executing the plugin. Using an AA plugin in a Connection Policy is treated as gateway authentication if:

  • the plugin authenticates the user

  • authentication is successful

  • the plugin returns the gateway_user and gateway_groups elements, identifying the user it has authenticated

Any other type of gateway authentication takes place before the AA plugin runs, so the information it established (for example, the username and user groups of that authentication) is already available and can be used by the plugin. If the Authentication and Authorization plugin performs gateway authentication, you can use a Credential Store as well.

In the SSH and Telnet protocols, the plugin can interactively request additional information from the client.

Optionally, the plugin can return the gateway_user and gateway_groups elements. PSM will only update the gateway username and gateway groups fields in the connection database if the plugin returns the gateway_user and gateway_groups elements. The returned gateway username and gateway groups override any such attributes already available on PSM about the connection, so make sure that the plugin uses the original values appropriately.

If the plugin returns the gateway_user and gateway_groups elements, you may have to configure an appropriate Usermapping Policy in the Connection Policy. If the plugin returns a gateway_user that is different from the remote user, the connection will fail without a Usermapping Policy. For details on Usermapping Policies, see Procedure 18.1, Configuring usermapping policies.
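The sequence described in this section, as an added example that is not PSM's own plugin API or code: a hypothetical AA plugin receives the gateway_user and gateway_groups from the earlier gateway authentication, returns both elements only when it authenticated the user itself, the merge step keeps the stored values otherwise, and the usermapping check fails a gateway user that differs from the remote user. The Connection model, the constructed one-time-password check and the "verdict" key are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Connection:
    """Constructed model of what PSM knows about a session when the AA plugin runs."""
    remote_user: str                                  # username requested on the server side
    gateway_user: Optional[str] = None                # from an earlier gateway authentication
    gateway_groups: list = field(default_factory=list)
    usermapping: dict = field(default_factory=dict)   # gateway_user -> remote users it may use


def plugin_authenticate(gateway_user, gateway_groups, key_value_pairs):
    """Hypothetical AA plugin. The earlier gateway authentication result is passed in because
    it runs before the plugin. The plugin returns both gateway elements (and so counts as
    gateway authentication) only when it verified the user itself; otherwise just a verdict."""
    # Constructed check standing in for a real second factor or directory lookup.
    verified = key_value_pairs.get("otp") == "123456"
    if not verified:
        return {"verdict": "DENY"}          # 'verdict' is an assumed key, not from the page
    if gateway_user is None:
        return {"verdict": "ACCEPT"}        # plugin did not perform gateway authentication
    # Use the original values appropriately: keep the groups established earlier and add
    # the one this plugin vouches for, instead of silently replacing them.
    return {
        "verdict": "ACCEPT",
        "gateway_user": gateway_user,
        "gateway_groups": list(gateway_groups) + ["plugin-verified"],
    }


def apply_plugin_result(conn: Connection, result: dict) -> Connection:
    """Merge the plugin result the way the section describes: the gateway username and
    groups in the connection database change only if the plugin returned both elements,
    and then they override whatever an earlier gateway authentication had set."""
    if "gateway_user" in result and "gateway_groups" in result:
        conn.gateway_user = result["gateway_user"]
        conn.gateway_groups = list(result["gateway_groups"])
    return conn


def usermapping_allows(conn: Connection) -> bool:
    """A gateway user that differs from the remote user needs a Usermapping Policy entry;
    without one the connection fails."""
    if conn.gateway_user is None or conn.gateway_user == conn.remote_user:
        return True
    return conn.remote_user in conn.usermapping.get(conn.gateway_user, ())
```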