Provides a high-level workflow of the login process.
Login Sequence Diagram
The various steps in the login process are:
- The user navigates to the Array AG login page URL and enters their user name and submits it.
- Array forwards the proxied HTTPS request to the GridGuard server.
- GridGuard performs a check to determine if the user is already registered. This check will come back positive for registered users.
- GridGuard looks up the user in Active Directory to determine if the user is a member of the groups authorized to use GridGuard (if such a group has been specified).
- Active Directory responds to indicate if the user is a member of the group. For valid users, this returns a successful return code.
- GridGuard displays the login page with the grid.
- Array forwards the HTTP response to the user's browser.
- User enters their network password and GridPIN and submits page.
- Array proxies the HTTPS request.
- GridGuard loads user credential information.
- GridGuard verifies the GridPIN. If the user is not authorized or not found, the login will be presented but will never succeed.
- GridGuard creates a nonce.
- GridGuard logs the login attempt to the audit database.
- GridGuard sends back an HTML page to the browser that is configured to automatically submit to Array AG once the page is loaded.
- The auto-submitted form is proxied by the Array AG.
- The auto-submit form submits the username, password, and nonce id to the Array AG.
- The Array AG performs an LDAP bind against Active Directory to verify password.
- Active Directory responds back to indicate if the bind was successful. A successful bind indicates that the password was correct.
- Array AG performs an LDAP bind against GridGuard to verify the nonce.
- The LDAP server decrypts the nonce, replaces the nonce id in the password with the raw PIN, and deletes the nonce.
- GridGuard's LDAP server validates the bind using the user DN and raw PIN.
- GridGuard's LDAP server completes the bind request with the correct PIN and user DN.
- GridGuard responds to indicate that the bind was successful.
- User is now considered authenticated and Array AG provides the user access to the configured resources.
If either the password or the GridPIN authentication fails in this process, the user is automatically directed to the password incorrect page and denied access to the system.
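The nonce steps above (create the nonce, swap the nonce id for the raw PIN during the LDAP bind, delete the nonce) can be modelled as follows. This is an added example, not GridGuard's code, showing why deleting the nonce on first use makes a replayed auto-submit form fail. Assumptions not stated on the page: the class and function names, the 60-second lifetime, the check that the nonce belongs to the binding user DN, the password field holding only the nonce id, and in-memory storage without the encryption step.

```python
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 60  # assumption: the page does not state a nonce lifetime


class NonceStore:
    """In-memory model of single-use nonces (hypothetical, not GridGuard code)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._nonces = {}  # nonce_id -> (user_dn, raw_pin, expires_at)

    def create(self, user_dn, raw_pin):
        """Called once the GridPIN is verified; returns the id for the auto-submit form."""
        nonce_id = secrets.token_urlsafe(32)  # unguessable identifier
        expires_at = self._clock() + NONCE_TTL_SECONDS
        self._nonces[nonce_id] = (user_dn, raw_pin, expires_at)
        return nonce_id

    def redeem(self, user_dn, nonce_id):
        """Swap a nonce id for the raw PIN exactly once; None on any failure."""
        # pop() deletes before any other check, so a replay finds nothing,
        # and a failed attempt also burns the nonce.
        record = self._nonces.pop(nonce_id, None)
        if record is None:
            return None
        owner_dn, raw_pin, expires_at = record
        if self._clock() > expires_at:
            return None
        # Added defensive check (assumption): nonce must belong to the binding DN.
        if not hmac.compare_digest(owner_dn.encode(), user_dn.encode()):
            return None
        return raw_pin


def ldap_bind(store, pins_by_dn, user_dn, password_field):
    """Model of the bind: the password field carries the nonce id."""
    raw_pin = store.redeem(user_dn, password_field)
    expected = pins_by_dn.get(user_dn)  # constructed sample credential table
    if raw_pin is None or expected is None:
        return False
    return hmac.compare_digest(raw_pin.encode(), expected.encode())
```
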