3.3.5.7 Federated Authentication Ready State

This state is used to process the federated authentication token that is obtained from the client. The TDS server processes the packet that is received according to the following rules:

  • If the packet that is received is a structurally valid Federated Authentication Token message, the TDS server MUST delegate processing of the security token embedded in the packet to the federated authentication layer, using the library that is indicated by the state variable that maintains the value of the bFedAuthLibrary field of the login packet’s FEDAUTH FeatureExt. The federated authentication layer responds with one of two results, and the TDS server continues processing according to the response as follows:

    • SUCCESS: The TDS server MUST send the Federated Authentication Token to the upper layer (typically, an application that provides database management functions) for authorization. If the upper layer approves the token, the TDS server MUST send a LoginACK message that includes a FEATUREEXTACK token that contains FEDAUTH FeatureId and immediately enter the "Logged In" state or enter the "Routing Completed" state if the server decides to route. If the upper layer rejects the token, then a "Login Failed" ERROR token MUST be sent back to the client, and the TDS server MUST close the connection and enter the "Final State" state.

    • ERROR: The server MUST close the underlying transport connection, indicate an error to the upper layer, and enter the "Final State" state.

  • If the packet that is received is not a structurally valid Federated Authentication Token message, the TDS server SHOULD send no response to the client. The TDS server MUST close the underlying transport connection, indicate an error to the upper layer, and enter the "Final State" state.
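
The rules above can be modeled as a single transition function, shown here as an added example that is not part of the specification or of any TDS implementation. The four callables, the `Outcome` record, the message strings, and the sample packet and library value are hypothetical stand-ins for the message parser, the federated authentication layer, the upper layer, and the routing decision.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List

class State(Enum):
    LOGGED_IN = "Logged In"
    ROUTING_COMPLETED = "Routing Completed"
    FINAL = "Final State"

@dataclass
class Outcome:
    next_state: State
    sent: List[str] = field(default_factory=list)  # messages written to the client
    transport_closed: bool = False
    upper_layer_error: bool = False  # error indicated to the upper layer

def handle_fedauth_ready(packet: bytes, fed_auth_library: int, *,
                         is_valid_message: Callable[[bytes], bool],
                         validate_token: Callable[[int, bytes], bool],
                         authorize: Callable[[bytes], bool],
                         wants_routing: Callable[[], bool]) -> Outcome:
    """Model of the Federated Authentication Ready state (all hooks are hypothetical)."""
    # Malformed message: send nothing, close the transport, report the error.
    if not is_valid_message(packet):
        return Outcome(State.FINAL, transport_closed=True, upper_layer_error=True)
    # Delegate to the federated authentication layer, selected by the
    # bFedAuthLibrary value remembered from the login packet's FEDAUTH FeatureExt.
    try:
        token_ok = validate_token(fed_auth_library, packet)
    except Exception:
        token_ok = False  # assumption: a failing library is treated as ERROR (fail closed)
    if not token_ok:
        return Outcome(State.FINAL, transport_closed=True, upper_layer_error=True)
    # SUCCESS: the upper layer decides authorization.
    if not authorize(packet):
        return Outcome(State.FINAL, sent=['ERROR "Login Failed"'], transport_closed=True)
    ack = ["LoginACK + FEATUREEXTACK(FEDAUTH)"]
    return Outcome(State.ROUTING_COMPLETED if wants_routing() else State.LOGGED_IN, sent=ack)

def demo(valid=True, token_ok=True, approved=True, routing=False) -> Outcome:
    """Drive the handler with constructed inputs; packet and library value are placeholders."""
    return handle_fedauth_ready(b"constructed-packet", 1,
                                is_valid_message=lambda p: valid,
                                validate_token=lambda lib, p: token_ok,
                                authorize=lambda p: approved,
                                wants_routing=lambda: routing)
```

Only the upper-layer rejection path writes anything to the client before closing; the malformed-message and ERROR paths close the transport silently, which is the property a conformance test for this state should assert.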