User Authentication (Sun Identity Manager 8.1 Business Administrator's Guide)

Sun Identity Manager 8.1 Business Administrator's Guide

User Authentication

If a user forgets his password or his password is reset, the user can answer one or more account authentication questions to gain access to Identity Manager. You establish these questions, and the rules that govern them, as part of an Identity Manager account policy. Unlike password policies, Identity Manager account policies are assigned to the user directly or through the organization assigned to the user (on the Create and Edit User pages).

To Set Up Authentication in an Account Policy

Click Security in the main menu, and then click Policies.

Select “Default Identity Manager Account Policy” from the list of policies.

Authentication selections are offered in the Secondary Authentication Policy Options area of the page.

Important! When first set up, the user should log in to the User interface and provide initial answers to his authentication questions. If these answers are not set, the user cannot successfully log in without his password.

The authentication question policy determines what happens when a user clicks on the Forgot Your Password? button on the login page or when accessing the Change My Answers page. User Authentication describes each option.

Option	Description
All	Requires the user to answer all policy-defined and personalized questions.
Any	Identity Manager displays all policy-defined and personalized questions. You must specify how many questions the user must answer.
Next	Requires the user to answer all possible policy-defined questions the first time that user logs in. If the user clicks the Forgot Your Password? button during login, Identity Manager displays the first question. If the user answers incorrectly, Identity Manager displays the next question, and so on until the user answers an authentication question correctly and logs in, or is locked out based on the specified failure attempts limit. User-generated questions are not supported for this policy.
Random	Allows the administrator to specify how many questions the user must answer. Identity Manager randomly selects and displays the specified number of questions from the list of questions defined in the policy as well as those the user has defined. The user must answer all questions displayed.
Round robin	Identity Manager selects the next question from the list of configured questions and assigns this question to the user. The first user is assigned the first question in the list of authentication questions, and the second user is assigned the second question. This pattern continues until the number of questions is exceeded. At that point, questions are assigned to users in sequential order. For example, if there are 10 questions, the 11th and 21st users are assigned the first question. The selected question is the only one that is displayed. If you want the user to answer a different question every time, use the Random policy and set the number of questions to 1. Users cannot define their own authentication questions. See Personalized Authentication Questions for more information about this feature.

You can verify your authentication choices by logging in to the Identity Manager User interface, clicking the Forgot Your Password? button, and answering the presented question or questions.

Figure 3–8 shows an example of the User Account Authentication screen.

Figure 3–8 User Account Authentication

Figure showing an example User Account Authentication
screen.

Personalized Authentication Questions

In the Identity Manager account policy, you can select an option to allow users to supply their own authentication questions in the User and Administrator interfaces. You can additionally set the minimum number of questions that the user must provide and answer to be able to log in successfully by using personalized authentication questions.

Users then can add and change questions from the Change Answers to Authentication Questions page. An example of this page is shown in Figure 3–9.

Figure 3–9 Change Answers: Personalized Authentication Questions

Figure showing an example Change Answers to Authentication
Questions page

Bypassing the Change Password Challenge after Authentication

When a user successfully authenticates by answering one or more questions, by default he is challenged by the system to provide a new password. You can configure Identity Manager to bypass the change password challenge, however, by setting the bypassChangePassword system configuration property for one or more Identity Manager applications.

For instructions on editing the system configuration object, see Editing Identity Manager Configuration Objects.

To bypass the change password challenge for all applications following successful authentication, set the bypassChangePassword property as follows in the system configuration object.

Example 3–2 Setting the Attribute to Bypass the Change Password Challenge

<Attribute name="ui" 
 <Object>
   <Attribute name="web">
     <Object> 
       <Attribute name=’questionLogin’>
         <Object>
           <Attribute name=’bypassChangePassword’>
             <Boolean>true</Boolean>
           </Attribute>
         </Object>
       </Attribute>
   ...
 </Object>
...

To disable this password challenge for a specific application, set it as follows.

Example 3–3 Setting the attribute to Disable the Change Password Challenge

<Attribute name="ui">
  <Object>
    <Attribute name="web">
      <Object>
        <Attribute name=’user’>
          <Object>
            <Attribute name=’questionLogin’>
              <Object>
                <Attribute name=’bypassChangePassword’>
                  <Boolean>true</Boolean>
                </Attribute>
              </Object>
            </Attribute>
         </Object>
       </Attribute>
     ... 
  </Object> 
...