Sun OpenSSO Enterprise 8.0 Administration Reference

Core

This module is the general configuration base for the OpenSSO Enterprise authentication services. It must be registered and configured before any of the specific authentication module instances can be used. It enables the administrator to define default values that are picked up for any values not specifically set in the OpenSSO Enterprise default authentication modules. The Core attributes are defined at both the global and the realm level. The attributes are:

Pluggable Authentication Module Classes

Specifies the Java classes of the available authentication modules. Takes a text string specifying the full class name (including package) of each authentication module. After writing a custom authentication module (by implementing the OpenSSO Enterprise AMLoginModule or the Java Authentication and Authorization Service [JAAS] LoginModule service provider interfaces), the new class value must be added to this property.

Supported Authentication Module for Clients

Specifies a list of authentication modules supported for a specific client. Formatted as:

clientType | module1,module2,module3

This attribute is read by the Client Detection Service when it is enabled.

LDAP Connection Pool Size

Specifies the minimum and maximum connection pool to be used on a specific LDAP server and port. Formatted as:

host:port:min:max

This attribute is for LDAP and Membership authentication services only.

Note –

This connection pool is different from the SDK connection pool configured in serverconfig.xml.

Default LDAP Connection Pool Size

Sets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. Formatted as:

min:max

This value is superseded by a value defined for a specific host and port in the LDAP Connection Pool Size property.
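The two pool-size formats and the precedence rule between them, as an added Python example (not OpenSSO Enterprise's own code); the host names and sizes are constructed sample values.

```python
from typing import Dict, Iterable, Tuple

PoolSize = Tuple[int, int]  # (min, max) connections


def _parse_min_max(min_s: str, max_s: str, entry: str) -> PoolSize:
    lo, hi = int(min_s), int(max_s)
    if lo < 0 or hi < lo:
        raise ValueError(f"invalid pool size in {entry!r}: need 0 <= min <= max")
    return lo, hi


def parse_default_pool(value: str) -> PoolSize:
    """Default LDAP Connection Pool Size, formatted as min:max."""
    parts = value.strip().split(":")
    if len(parts) != 2:
        raise ValueError(f"expected min:max, got {value!r}")
    return _parse_min_max(parts[0], parts[1], value)


def parse_host_pools(values: Iterable[str]) -> Dict[Tuple[str, int], PoolSize]:
    """LDAP Connection Pool Size entries, each formatted as host:port:min:max."""
    pools: Dict[Tuple[str, int], PoolSize] = {}
    for entry in values:
        parts = entry.strip().split(":")
        if len(parts) != 4:
            raise ValueError(f"expected host:port:min:max, got {entry!r}")
        host, port = parts[0].lower(), int(parts[1])  # host names compare case-insensitively
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port in {entry!r}")
        pools[(host, port)] = _parse_min_max(parts[2], parts[3], entry)
    return pools


def effective_pool(host: str, port: int, default: PoolSize,
                   host_pools: Dict[Tuple[str, int], PoolSize]) -> PoolSize:
    """A host:port specific entry supersedes the default min:max value."""
    return host_pools.get((host.lower(), port), default)
```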

User Profile

This option determines the profile status of a successfully authenticated user.

Dynamic

Specifies that on successful authentication the Authentication Service will create a user profile if one does not already exist. The SSOToken will then be issued. The user profile is created in the realm's configured user data store.

Dynamic With User Alias

Specifies that on successful authentication the Authentication Service will create a user profile that contains the User Alias List attribute, which defines one or more aliases used to map a user's multiple profiles.

Ignore

Specifies that a user profile is not required for the Authentication Service to issue an SSOToken after a successful authentication.

Required

Specifies that on successful authentication the user must have a user profile in the realm's configured user data store in order for the Authentication Service to issue an SSOToken.

Remote Auth Security

Requires that OpenSSO Enterprise validate the identity of the calling application; thus all remote authentication requests require the calling application's SSOToken. This allows the Authentication Service to obtain the username and password associated with the application.

Administrator Authentication Configuration

Defines the authentication chain used by administrators when the process needs to be different from the authentication chain defined for end users. The authentication chain must first be created before it is displayed as an option in this attribute's drop down list.

User Profile Dynamic Creation Default Roles

Specifies the Distinguished Name (DN) of a role to be assigned to a new user whose profile is created when either of the Dynamic options is selected under the User Profile attribute. There are no default values. The role specified must be within the realm for which the authentication process is configured.

Tip –

This role can be either an OpenSSO Enterprise or LDAP role, but it cannot be a filtered role. If you wish to automatically assign specific services to the user, you have to configure the Required Services attribute in the User Profile.

Persistent Cookie Mode

Determines whether users can return to their authenticated session after restarting the browser. When enabled, a user session will not expire until its persistent cookie expires (as specified by the value of the Persistent Cookie Maximum Time attribute), or the user explicitly logs out. By default, the Authentication Service uses only memory cookies (expires when the browser is closed).

Tip –

A persistent cookie must be explicitly requested by the client by appending the iPSPCookie=yes parameter to the login URL.

Persistent Cookie Maximum Time

Specifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The maximum value is 2147483647 (time in seconds). The field will accept any integer value less than the maximum.

Alias Search Attribute Name

After a user is successfully authenticated, the user's profile is retrieved. This field specifies a second LDAP attribute to use in a search for the profile if a search using the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field takes any valid LDAP attribute.

Default Authentication Locale

Specifies the default language subtype to be used by the Authentication Service. The default value is en_US. To use a different locale, authentication templates for that locale must first be created, and a new directory must then be created for these templates. See Supported Language Locales for a listing of valid language subtypes.

Organization Authentication Configuration

Defines the default authentication chain used by the realm's users. The authentication chain must first be created before it is displayed as an option in this attribute's drop down list.

Login Failure Lockout Mode

Selecting this attribute enables a physical lockout. Physical lockout will inactivate an LDAP attribute (defined in the Lockout Attribute Name property) in the user's profile. This attribute works in conjunction with several other lockout and notification attributes.

Login Failure Lockout Count

Defines the number of attempts that a user has to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out.

Login Failure Lockout Interval

Defines (in minutes) the interval during which failed login attempts are counted. If a first failed login attempt is followed by a second failed attempt within this interval, the lockout count begins, and the user is locked out if the number of attempts reaches the number defined in Login Failure Lockout Count. If an attempt within the interval succeeds before that number is reached, the lockout count is reset.

Email Address to Send Lockout Notification

Specifies one or more email addresses to which notification will be sent if a user lockout occurs. If sending:

Warn User After N Failures

Specifies the number of authentication failures that can occur before OpenSSO Enterprise displays a warning message that the user will be locked out.

Login Failure Lockout Duration

Defines (in minutes) how long a user must wait after a lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. With memory lockout, the user's account is locked in memory for the number of minutes specified and is unlocked after that period has passed.

Lockout Duration Multiplier

Defines a value by which the Login Failure Lockout Duration is multiplied for each successive lockout. For example, if Login Failure Lockout Duration is set to 3 minutes and Lockout Duration Multiplier is set to 2, the user is locked out of the account for 6 minutes. Once those 6 minutes have elapsed, if the user again provides the wrong credentials, the lockout duration becomes 12 minutes. With the Lockout Duration Multiplier, the lockout duration grows with the number of times the user has been locked out.
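How the lockout count, interval, duration, multiplier and warning threshold described above interact, as an added Python model (not OpenSSO Enterprise's own code). It models memory lockout only (Login Failure Lockout Duration greater than 0), times are expressed in minutes, and the policy values are constructed samples.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    # Constructed sample values for the Core lockout attributes described above.
    lockout_count: int = 3        # Login Failure Lockout Count
    lockout_interval: int = 5     # Login Failure Lockout Interval (minutes)
    lockout_duration: int = 3     # Login Failure Lockout Duration (minutes, > 0 = memory lockout)
    duration_multiplier: int = 2  # Lockout Duration Multiplier
    warn_after: int = 2           # Warn User After N Failures

@dataclass
class UserState:
    failures: int = 0
    window_start: Optional[float] = None  # minute of the first failure in the current interval
    locked_until: Optional[float] = None  # memory lockout expiry (minutes)
    lockouts: int = 0                     # successive lockouts; drives the multiplier

class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy, self.users = policy, {}
    def state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())
    def is_locked(self, user: str, now: float) -> bool:
        s = self.state(user)
        if s.locked_until is not None and now < s.locked_until:
            return True
        s.locked_until = None  # memory lockout expired; the account unlocks itself
        return False
    def record_failure(self, user: str, now: float) -> str:
        """Outcome of a failed login at minute `now`: 'locked', 'warn' or 'ok'."""
        s, p = self.state(user), self.policy
        if self.is_locked(user, now):
            return "locked"
        if s.window_start is None or now - s.window_start > p.lockout_interval:
            s.window_start, s.failures = now, 0  # failures count only inside the interval
        s.failures += 1
        if s.failures >= p.lockout_count:
            s.failures, s.window_start, s.lockouts = 0, None, s.lockouts + 1
            # Page example: duration 3, multiplier 2 give 6 min, then 12 min; multiplier 0 treated as 1 (assumption)
            s.locked_until = now + p.lockout_duration * max(p.duration_multiplier, 1) ** s.lockouts
            return "locked"
        return "warn" if s.failures >= p.warn_after else "ok"
    def record_success(self, user: str, now: float) -> bool:
        if self.is_locked(user, now):
            return False
        s = self.state(user)
        s.failures, s.window_start = 0, None  # a success inside the interval resets the count
        return True
```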

Lockout Attribute Name

Defines the LDAP attribute used for physical lockout. The default value is inetuserstatus (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Value field must also contain an appropriate value.

Lockout Attribute Value

Specifies the action to take on the attribute defined in Lockout Attribute Name. The default value is inactive (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Name field must also contain an appropriate value.

Default Success Login URL

Accepts a list of values that specifies where users are directed after successful authentication. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the client type HTML. The default value is /opensso/console. Values that do not begin with http or https are appended to the deployment URI.

Default Failure Login URL

Accepts a list of values that specifies where users are directed after an attempted authentication has failed. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the client type HTML. Values that do not begin with http or https are appended to the deployment URI.

Authentication Post Processing Class

Specifies one or more Java classes used to customize post-authentication processing for successful or unsuccessful logins. The Java class must implement the com.sun.identity.authentication.spi.AMPostAuthProcessInterface OpenSSO Enterprise interface. Additionally, add a JAR containing the post-processing class to the classpath of the web container instance on which OpenSSO Enterprise is configured. If the web container on which OpenSSO Enterprise is configured explodes the WAR, follow this procedure.

  1. Stop the web container instance.

  2. Change to the WEB-INF/lib directory in the exploded OpenSSO Enterprise WAR directory.

    For example, if using Sun Application Server, AS=Deploy=BaseAS=Domain-Dir/AS-Domain/applications/j2ee-modules/opensso/WEB-INF/lib.

  3. Copy the JAR that contains the post processing class to the lib directory.

  4. Restart the web container instance.

Generate UserID Mode

When enabled, the Membership module will generate a list of alternate user identifiers if the one entered by a user during the self-registration process is not valid or already exists. The user identifiers are generated by the class specified in the Pluggable User Name Generator Class property.

Pluggable User Name Generator Class

Specifies the name of the class used to generate alternate user identifiers when Generate UserID Mode is enabled. The default value is com.sun.identity.authentication.spi.DefaultUserIDGenerator.

Identity Types

Lists the type or types of identities for which OpenSSO Enterprise will search. Options include:

Pluggable User Status Event Classes

Specifies one or more Java classes used to provide a callback mechanism for user status changes during the authentication process. The Java class must implement the com.sun.identity.authentication.spi.AMAuthCallBack OpenSSO Enterprise interface. Account lockout and password change events are supported; password change callbacks are available only through the LDAP authentication module, because that feature exists only for that module.

Store Invalid Attempts in Data Store

Enables the storage of information regarding failed authentication attempts as the value of the sunAMAuthInvalidAttemptsData attribute in the user data store. In order to store data in this attribute, the OpenSSO Enterprise schema has to be loaded. Information stored includes number of invalid attempts, time of last failed attempt, lockout time and lockout duration. Storing this information in the identity repository allows it to be shared among multiple instances of OpenSSO Enterprise.

Module-based Authentication

Enables users to authenticate using module-based authentication. When disabled, all attempts to authenticate using the module=module-instance-name login parameter result in failure.

User Attribute Mapping to Session Attribute

Enables the authenticating user's identity attributes (stored in the identity repository) to be set as session properties in the user's SSOToken. The value takes the format User-Profile-Attribute|Session-Attribute-Name. If Session-Attribute-Name is not specified, the value of User-Profile-Attribute is used. All session attributes contain the am.protected prefix to ensure that they cannot be edited by the Client SDK.

For example, if you define the user profile attribute as mail and the user's email address (available in the user session) as user.mail, the entry for this attribute would be mail|user.mail. After a successful authentication, the SSOToken.getProperty(String) method is used to retrieve the user profile attribute set in the session. The user's email address is retrieved from the user's session using the SSOToken.getProperty("am.protected.user.mail") method call.

Properties that are set in the user session using User Attribute Mapping to Session Attribute cannot be modified (for example, with SSOToken.setProperty(String, String)); attempting to do so results in an SSOException. Multi-valued attributes, such as memberOf, are listed as a single session variable with the values separated by the pipe symbol, for example Value1|Value2|Value3.
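The mapping format, the am.protected prefix, the multi-value join and the rejected setProperty call described above, as an added Python example; SessionToken is a constructed stand-in for the SSOToken property API, not the OpenSSO Enterprise class, and the profile values are constructed samples.

```python
AM_PROTECTED = "am.protected."


def parse_mapping(entries):
    """Parse 'User-Profile-Attribute|Session-Attribute-Name' entries into
    {profile attribute: prefixed session property name}."""
    mapping = {}
    for entry in entries:
        profile_attr, _, session_name = entry.partition("|")
        profile_attr = profile_attr.strip()
        if not profile_attr:
            raise ValueError(f"missing profile attribute in {entry!r}")
        # No session attribute name given: the profile attribute name is reused.
        session_name = session_name.strip() or profile_attr
        mapping[profile_attr] = AM_PROTECTED + session_name
    return mapping


class SessionToken:
    """Constructed stand-in for the SSOToken property API; not the OpenSSO class."""
    def __init__(self):
        self._props = {}
    def get_property(self, name):
        return self._props.get(name)
    def set_property(self, name, value):
        # Mirrors the SSOException raised for am.protected.* properties.
        if name.startswith(AM_PROTECTED):
            raise PermissionError(f"{name} is protected and cannot be modified")
        self._props[name] = value
    def _set_protected(self, name, value):  # only the Authentication Service sets these
        self._props[name] = value


def populate_session(token, profile, mapping):
    """Copy mapped profile attributes into the token as am.protected.* properties."""
    for attr, prop in mapping.items():
        values = profile.get(attr)
        if values is None:
            continue  # attribute absent from the profile: no session property is set
        if isinstance(values, (list, tuple)):
            values = "|".join(values)  # multi-valued attribute: one pipe-separated string
        token._set_protected(prop, values)
    return token
```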

Default Authentication Level

The authentication level value indicates how much to trust an authentication. Once a user has authenticated, this value is stored in the user's SSOToken. When the SSOToken is presented to an application, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level does not meet the minimum value required by the application, it can prompt the user to authenticate again in order to attain a higher authentication level. The authentication level should be set within a realm's specific authentication template. The Default Authentication Level value described here applies only when no authentication level has been specified in the Authentication Level field for a specific realm's authentication template. The Default Authentication Level default value is 0. The value of this attribute is not used by OpenSSO Enterprise itself but by any external application that chooses to use it.