3.3.5.1 Processing Sign-in Request Messages

The authentication server MUST determine, based on the sign-in parameter in the message, if it is the correct authentication server to handle this Sign-in Request message based on its configuration (as specified in section 1.5). If the authentication server is not the correct one to handle the Sign-in Request message for the user's domain, it MUST respond with an Authentication Server Redirect message attached to an HTTP 302 error response to the request that carried the Sign-in Request message. The HTTP response MUST include a Location header whose value is the URL of the correct authentication server.

If the authentication server is the correct one to handle the received Sign-in Request message, and the parameters relayed from the partner server are valid, according to the predetermined criteria (as specified in section 1.5), but the authentication server's validation of the given credentials (as specified in section 1.5) determines them to be invalid, the authentication server MUST respond with an Authentication Server Challenge message with da-status="failed". The authentication server MAY use the elapsed-time parameter to enforce a validity period for cached credentials.

If the authentication server is the correct one to handle the received Sign-in Request message, but the parameters relayed from the partner server are invalid, according to the predetermined criteria (as specified in section 1.5), the authentication server MUST respond with an Authentication Server Challenge message with da-status="failed-noretry".

In the two preceding cases, the values of srealm, cburl, and cbtxt MUST be taken from the authentication server's preconfigured realm name, co-branding URL, and co-branding text, respectively (as specified in section 1.5).

If the authentication server is the correct one to handle the received Sign-in Request message, the credentials are valid, and the parameters relayed from the partner server are valid, according to the predetermined criteria (as specified in section 1.5), the authentication server MUST respond with a Token Response message. The value of from-PP MUST be a valid token for the user, according to the criteria previously agreed to between the authentication server and partner server (as specified in section 1.5). Likewise, the value of ru MUST be the URL to which the client MUST send its HTTP request to access the partner server on successful authentication, as previously agreed between the authentication server and partner server (as specified in section 1.5).

As part of the HTTP response that includes the Token Response message, the authentication server MUST set the values of one or more HTTP cookies on the client (as specified in [RFC2109]), which, taken together, form a valid authentication token for the client. One or more corresponding tname parameter values MAY be included in the Token Response message. If included, they MUST contain the names of the HTTP cookies set on the client.<11>

An Authentication Server-Instructed Update message containing the current configuration version, as configured on the authentication server (as specified in section 1.5), MAY be sent to the client along with the Token Response message.<12>
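The decision procedure above (redirect, the two challenge outcomes, and the Token Response) as an added worked example; it is not code from the specification, and the `AuthServerConfig` field names, the `example-auth` cookie name, and the returned dict layout are assumptions made here, while the wire serialization of each message is outside this section.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set

# Constructed per-server configuration standing in for the section 1.5 values
# (field names are assumptions made for this example, not protocol parameters).
@dataclass
class AuthServerConfig:
    served_domains: Set[str]            # user domains this server handles
    correct_server_url: str             # Location value for the redirect case
    srealm: str                         # preconfigured realm name
    cburl: str                          # co-branding URL
    cbtxt: str                          # co-branding text
    ru: str                             # return URL agreed with the partner server
    config_version: str                 # for the optional Server-Instructed Update
    max_elapsed: int                    # validity period for cached credentials (s)
    params_valid: Callable[[Dict[str, str]], bool]   # partner-parameter criteria
    credentials_valid: Callable[[str, str], bool]    # credential validation
    issue_token: Callable[[str], str]                # builds the from-PP value

def process_sign_in(cfg: AuthServerConfig, req: Dict[str, str]) -> Dict[str, object]:
    """Return the message the authentication server sends for one Sign-in Request.

    req holds the parsed parameters (sign-in, pwd, elapsed-time and the partner
    parameters); the returned dict names the message and carries its parameters.
    """
    user = req["sign-in"]
    domain = user.rsplit("@", 1)[-1].lower()
    # 1. Wrong server for this user's domain: HTTP 302 with a Location header.
    if domain not in cfg.served_domains:
        return {"message": "Authentication Server Redirect", "http_status": 302,
                "Location": cfg.correct_server_url}
    challenge = {"srealm": cfg.srealm, "cburl": cfg.cburl, "cbtxt": cfg.cbtxt}
    # 2. Partner-relayed parameters fail the agreed criteria: no retry.
    if not cfg.params_valid(req):
        return {"message": "Authentication Server Challenge",
                "da-status": "failed-noretry", **challenge}
    # 3. Credentials invalid, or cached credentials older than the validity
    #    period enforced through elapsed-time (a MAY in the spec): retry allowed.
    elapsed = int(req.get("elapsed-time", "0"))
    if elapsed > cfg.max_elapsed or not cfg.credentials_valid(user, req["pwd"]):
        return {"message": "Authentication Server Challenge",
                "da-status": "failed", **challenge}
    # 4. Success: Token Response with from-PP and ru, the cookies that form the
    #    token, tname listing those cookie names, and the optional config version.
    token = cfg.issue_token(user)
    cookies = {"example-auth": token}          # constructed cookie name
    return {"message": "Token Response", "from-PP": token, "ru": cfg.ru,
            "Set-Cookie": cookies, "tname": list(cookies),
            "config-version": cfg.config_version}
```

Note that the partner-parameter check runs before the credential check, so a request with bad partner parameters gets `failed-noretry` even when the password would have been accepted.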