Editing Login Modules

Enter details or make selections for login modules as follows. (Not all options are available for each login module.)

• Login success requirement. Select a requirement that applies to this module. Selections are:

  • Required. The login module is required to succeed. Irrespective of whether it succeeds or fails, authentication proceeds to the next login module in the list. If it is the only login module, the administrator is successfully logged in.

  • Requisite. The login module is required to succeed. If it succeeds, authentication proceeds to the next login module in the list. If it fails, authentication does not proceed.

  • Sufficient. The login module is not required to succeed. If it does succeed, authentication does not proceed to the next login module, and the administrator is successfully logged in. If it fails, authentication continues to the next login module in the list.

  • Optional. The login module is not required to succeed. Irrespective of whether it succeeds or fails, authentication continues to the next login module in the list.

• Login search attributes. (LDAP only.) Specify an ordered list of LDAP user attribute names to be used when attempting to bind (log in) to the associated LDAP server. Each of the LDAP user attributes specified, along with the user’s specified login name, is used (in order) to search for a matching LDAP user. This allows a user to log in to Identity Manager by using an LDAP cn or email address (when Identity Manager is configured for pass-through to LDAP).

  For example, if you specify the following and the user attempts to log in as gwilson, then the LDAP resource will first attempt to find an LDAP user where cn=gwilson.

  cn

  mail

  If that succeeds, then the bind is attempted with the password specified by the user. If it does not succeed, then the LDAP resource will search for an LDAP user where mail=gwilson. If that also fails, then login fails.

  If you do not specify a value, then the default LDAP search attributes are:

  uid

  cn

• Login correlation rule. Select a login correlation rule to be used to map the login information provided by the user to an Identity Manager user. This rule is used to search for an Identity Manager user by using the logic specified in the rule. The rule must return a list of one or more AttributeConditions that will be used to search for an Identity Manager user that matches. The rule you select must have the LoginCorrelationRule authType. For a description of the steps Identity Manager takes to map an authenticated user ID to an Identity Manager user, see Example 12–2.

• New user name rule. Select a new user name rule to be used when automatically creating new Identity Manager users as part of login.

Click Save to save a login module. Once it is saved, you can position the module relative to all other modules in the login module group.

If Identity Manager login is configured to authenticate to more than one system, an account’s user ID and password should be the same across all systems that are targets of Identity Manager authentication.

If the user ID and password combinations differ, login will fail on each system whose user ID and password do not match the user ID and password entered on the Identity Manager User Login form.

Some of these systems may have a lockout policy enforcing the number of failed login attempts before an account is locked. For these systems, user accounts are eventually locked, even though the user’s login through Identity Manager continues to succeed.

Example 12–2 contains pseudocode that describes the steps Identity Manager takes to map authenticated user IDs to Identity Manager users.

Example 12–2 Login Module Processing Logic

if an existing IDM user’s ID is the same as the specified user ID 

   if that IDM user has a linked resource whose resource name matches the 
   resource that was authenticated and whose accountId matches the resource 
   accountId returned by successful authentication (e.g. dn), then we have 
   found the right IDM user 

   otherwise if there is a LoginCorrelationRule associated with the 
   configured login module 

      evaluate it to see if it maps the login credentials to a single IDM 
      user 

      otherwise login fails 

   otherwise login fails 

if the specified userID does not match an existing IDM user’s ID 

   try to find an IDM user that has a linked resource whose resource 
   name matches the resource accountID returned by successful authentication 

     if found, then we have found the right IDM user 

     otherwise if there is a LoginCorrelationRule associated with the 
     configured login module 

         evaluate it to see if it maps the login credentials to a single 
         IDM user 

         otherwise login fails 

     otherwise login fails

In Example 12–2, the system will try to find a matching Identity Manager user using the user’s linked resources (resource information). If the resource information approach fails, however, and a loginCorrelationRule is configured, the system will try to find a matching user using the loginCorrelationRule.