Oracle Waveset 8.1.1 Deployment Guide

Considerations for Standard Resource Adapters

The following considerations are specific to account attributes in standard resource adapters:

User Identity Template


Note –

To view or edit the Waveset schema for Users or Roles you must be a member of the IDM Schema Configuration AdminGroup and you must have the IDM Schema Configuration capability.


The user identity template establishes the account name to use when creating the account on the resource. This template translates Waveset user account information to account information on the external resource.

You can use any schema map attribute (an attribute listed on the left side of the schema map) in the identity template.

You can overwrite the user identity template from the User form, which is commonly done to substitute organization names.

Creating an Identity Template Out of Multiple User Attributes

You can create an identity template out of a portion of multiple user attributes. For example, a template might consist of the first letter of the first name plus seven characters of the last name. In this case, you can customize the user form to perform the desired logic and then override the identity template that is defined on the resource.
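As an added example (not code from the Waveset product or this guide), the following Python sketch shows the two pieces described above working together: a small expander for an identity template, and the form-level logic that composes an account name from the first letter of the first name plus up to seven characters of the last name. It assumes a `$attribute$` placeholder syntax and a hypothetical `cn=...` template; the user record is constructed for the example.

```python
import re

# Assumed placeholder syntax for this example: "$attribute$" expands to the
# named schema-map attribute of the user. This is an assumption, not a
# statement of the product's exact template grammar.
PLACEHOLDER = re.compile(r"\$([A-Za-z0-9_.]+)\$")


def expand_identity_template(template, user_attrs):
    """Expand an identity template against a user's schema-map attributes.

    Raises KeyError if the template references an attribute that is unset, so a
    half-built account name is never handed to the resource.
    """
    def substitute(match):
        key = match.group(1)
        value = user_attrs.get(key)
        if value in (None, ""):
            raise KeyError("identity template needs unset attribute %r" % key)
        return str(value)
    return PLACEHOLDER.sub(substitute, template)


def derive_account_id(first_name, last_name, last_name_chars=7):
    """Compose an account name from the first letter of the first name plus up
    to seven characters of the last name (the form-level logic the text
    describes). Characters outside [a-z0-9] are dropped first so the result is
    usable as a resource account name."""
    first = re.sub(r"[^a-z0-9]", "", first_name.lower())
    last = re.sub(r"[^a-z0-9]", "", last_name.lower())
    if not first or not last:
        raise ValueError("first and last name must each contain a letter or digit")
    return first[0] + last[:last_name_chars]


def build_resource_account_name(user_attrs, template):
    """What a customized User form would do: compute accountId from several
    attributes, then expand the template that overrides the resource default."""
    attrs = dict(user_attrs)
    attrs["accountId"] = derive_account_id(attrs["firstname"], attrs["lastname"])
    return expand_identity_template(template, attrs)


if __name__ == "__main__":
    # Constructed sample user and a hypothetical LDAP-style template.
    user = {"firstname": "Jane", "lastname": "Montgomery", "org": "Engineering"}
    print(build_resource_account_name(user, "cn=$accountId$,ou=$org$,dc=example,dc=com"))
```

Failing loudly on a missing attribute is the design choice worth copying: a template that silently expands to `cn=,ou=Engineering,...` would create an account under an empty or colliding name on the resource.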

Login Configuration and Pass-Through Authentication

The <LoginConfigEntry> element specifies the name and type of login module as well as the set of authentication properties required by this resource type to complete successful user authentication.

The <LoginConfig> and <SupportedApplications> sections of the adapter file specify whether the resource will be included in the options list on the Login Module configuration pages. Do not change this section of the file if you want the resource to appear in the options list.

Each <AuthnProperty> element contains the following attributes.

Table 10–11 <AuthnProperty> Element Attributes

Attribute       Description

dataSource      Specifies the source for the value of this property. Data sources for this property value include:

                  • user (Default): Value provided by the user at login time.

                  • http attribute: Value provided by the specified http session attribute.

                  • http header: Value provided by the specified http header.

                  • http remote user: Value provided by the http request's remote user property.

                  • http request: Value provided by the specified http request parameter.

                  • resource attribute (Active Directory only): Value allows you to specify an extra authentication attribute for the specific adapter. This attribute is only valid for the resource on which it is defined, and it cannot be manipulated by the user.

                  • x509 certificate: Value is the X509 client certificate (only valid for requests made using https).

displayName     Specifies the value to use when this property is added as an HTML item to the Login form.

doNotMap        Specifies whether to map to a LoginConfigEntry.

formFieldType   Specifies the data type, which can be either text or password. This type controls whether data entered in the HTML field associated with this property is visible (text) or hidden (password).

isId            Specifies whether this property value should be mapped to the Waveset accountID. For example, a property should not be mapped if the property value is an X509 certificate.

name            Identifies the internal authentication property name.

User management across forests is only possible when multiple gateways, one for each forest, are deployed. In this case, you can configure the adapters to use a predefined domain for authentication per adapter without requiring the user to specify a domain as follows:

Procedure: To Manage Users Across Forests

  1. Add the following authentication property to the <AuthnProperties> element in the resource object's XML:

     <AuthnProperty name='w2k_domain' dataSource='resource attribute' value='MyDomainName'/>

  2. Replace MyDomainName with the domain that authenticates users.


    Note –

    For more information about this property, see the Active Directory resource adapter documentation in Resource Reference.


Most resource login modules support both the Waveset Administrative interface and User interface. The following example shows how SkeletonResourceAdapter.java implements the <LoginConfigEntry> element:


    "<LoginConfigEntry name='"+Constants.WS_RESOURCE_LOGIN_MODULE+"' type='"+RESOURCE_NAME+"' displayName='"+RESOURCE_LOGIN_MODULE+"'>\n"+
    "  <AuthnProperties>\n"+
    "     <AuthnProperty name='"+LOGIN_USER+"' displayName='"+DISPLAY_USER+"' formFieldType='text' isId='true'/>\n"+
    "     <AuthnProperty name='"+LOGIN_PASSWORD+"' displayName='"+DISPLAY_PASSWORD+"' formFieldType='password'/>\n"+
    "  </AuthnProperties>\n"+
    "  <SupportedApplications>\n"+
    "     <SupportedApplication name='"+Constants.ADMINCONSOLE+"'/>\n"+
    "     <SupportedApplication name='"+Constants.SELFPROVISION+"'/>\n"+
    "  </SupportedApplications>\n"+
    "</LoginConfigEntry>\n"+

The following example defines the supported LoginModule DATA_SOURCE options. In this example, a LoginConfig entry is taken from the LDAP resource adapter supplied by Waveset. The entry defines two authentication properties that specify no dataSource value, so their values are supplied by the user.


    public static final String USER_DATA_SOURCE = "user";
    public static final String HTTP_REMOTE_USER_DATA_SOURCE = "http remote user";
    public static final String HTTP_ATTRIBUTE_DATA_SOURCE = "http attribute";
    public static final String HTTP_REQUEST_DATA_SOURCE = "http request";
    public static final String HTTP_HEADER_DATA_SOURCE = "http header";
    public static final String HTTPS_X509_CERTIFICATE_DATA_SOURCE = "x509 certificate";

    "<LoginConfigEntry name='"+WS_RESOURCE_LOGIN_MODULE+"' type='"+LDAP_RESOURCE_TYPE+"' displayName='"+Messages.RES_LOGIN_MOD_LDAP+"'>\n"+
    "  <AuthnProperties>\n"+
    "     <AuthnProperty name='"+LDAP_UID+"' displayName='"+Messages.UI_USERID_LABEL+"' formFieldType='text' isId='true'/>\n"+
    "     <AuthnProperty name='"+LDAP_PASSWORD+"' displayName='"+Messages.UI_PWD_LABEL+"' formFieldType='password'/>\n"+
    "  </AuthnProperties>\n"+
    "</LoginConfigEntry>\n"+

The next example shows a Login Config entry where the authentication property's dataSource value is not supplied by the user. In this case, the value is derived from the HTTP request header.


    "<LoginConfigEntry name='"+Constants.WS_RESOURCE_LOGIN_MODULE+"' type='"+RESOURCE_NAME+"' displayName='"+RESOURCE_LOGIN_MODULE+"'>\n"+
    "  <AuthnProperties>\n"+
    "     <AuthnProperty name='"+LOGIN_USER+"' displayName='"+DISPLAY_USER+"' formFieldType='text' isId='true' dataSource='http header'/>\n"+
    "  </AuthnProperties>\n"+
    "</LoginConfigEntry>\n"+
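The Table 10–11 attributes and the <LoginConfigEntry> fragments above are what an adapter emits; what a deployer usually wants is a quick way to check a generated entry before it goes into the login module list. The following Python is an added example, not code from Waveset or this guide: it parses a LoginConfigEntry, applies the table's default of dataSource='user', and flags the mistakes the table itself warns about (an isId property whose value is an X509 certificate, a user-typed secret rendered as text, a 'resource attribute' without a value, a misspelt dataSource). The XML samples are constructed with placeholder names and values, and the rule names are this example's own.

```python
import xml.etree.ElementTree as ET

# The dataSource values listed in Table 10-11. Anything else is a typo that
# would not select the source you intended.
VALID_DATA_SOURCES = {
    "user", "http attribute", "http header", "http remote user",
    "http request", "resource attribute", "x509 certificate",
}

# Constructed sample modelled on the fragments in the text; names and the
# domain value are placeholders, not values from a real adapter.
GOOD_ENTRY = """
<LoginConfigEntry name='RESOURCE_LOGIN_MODULE' type='ExampleResource' displayName='Example Login'>
  <AuthnProperties>
    <AuthnProperty name='userId' displayName='User ID' formFieldType='text' isId='true'/>
    <AuthnProperty name='password' displayName='Password' formFieldType='password'/>
    <AuthnProperty name='w2k_domain' dataSource='resource attribute' value='EXAMPLE-DOMAIN'/>
  </AuthnProperties>
  <SupportedApplications>
    <SupportedApplication name='ADMINCONSOLE'/>
    <SupportedApplication name='SELFPROVISION'/>
  </SupportedApplications>
</LoginConfigEntry>
"""

# Same shape, constructed to contain the mistakes the table warns about.
BAD_ENTRY = """
<LoginConfigEntry name='RESOURCE_LOGIN_MODULE' type='ExampleResource' displayName='Example Login'>
  <AuthnProperties>
    <AuthnProperty name='clientCert' dataSource='x509 certificate' isId='true'/>
    <AuthnProperty name='password' displayName='Password' formFieldType='text'/>
    <AuthnProperty name='w2k_domain' dataSource='resource attribute'/>
    <AuthnProperty name='token' dataSource='http cookie'/>
  </AuthnProperties>
</LoginConfigEntry>
"""


def parse_authn_properties(xml_text):
    """Return one dict per <AuthnProperty>, applying the table's default of
    dataSource='user' when the attribute is absent."""
    root = ET.fromstring(xml_text)
    props = []
    for el in root.iter("AuthnProperty"):
        props.append({
            "name": el.get("name"),
            "displayName": el.get("displayName"),
            "dataSource": el.get("dataSource", "user"),
            "formFieldType": el.get("formFieldType"),
            "isId": el.get("isId", "false").lower() == "true",
            "value": el.get("value"),
        })
    return props


def check_login_config(xml_text):
    """Lint a LoginConfigEntry. Returns (rule, property name) tuples; empty when clean."""
    props = parse_authn_properties(xml_text)
    findings = []
    if len([p for p in props if p["isId"]]) != 1:
        # Exactly one property should map to the Waveset accountID.
        findings.append(("exactly-one-isId", None))
    for p in props:
        ds = p["dataSource"]
        if ds not in VALID_DATA_SOURCES:
            findings.append(("unknown-dataSource", p["name"]))
        if p["isId"] and ds == "x509 certificate":
            # Table 10-11: a certificate value should not map to the accountID.
            findings.append(("isId-on-x509-certificate", p["name"]))
        if ds == "resource attribute" and not p["value"]:
            # The adapter-defined attribute carries its value in the entry itself.
            findings.append(("resource-attribute-without-value", p["name"]))
        if ds == "user" and "password" in (p["name"] or "").lower() \
                and p["formFieldType"] != "password":
            # A user-typed secret with formFieldType='text' is echoed on the login form.
            findings.append(("secret-field-visible", p["name"]))
    return findings


if __name__ == "__main__":
    for label, entry in (("good", GOOD_ENTRY), ("bad", BAD_ENTRY)):
        print(label, check_login_config(entry))
```

Run it against the XML your adapter actually produces (the Java fragments above build exactly this string) rather than against the source; the concatenation is where a stray quote or a misspelt dataSource creeps in.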