
Sun Java System Identity Server 2004Q2 Administration Guide 

Chapter 20  
Core Authentication Attributes

The Core Authentication service is the basic service for all of the default authentication services as well as any custom authentication module attributes. Core Authentication must be configured as a service for each organization that wishes to use any form of authentication.

The Core Authentication attributes consist of global and organization attributes. The values applied to the global attributes apply across the Sun Java System Identity Server configuration and are inherited by every configured organization. (They cannot be applied directly to roles or organizations, as the purpose of global attributes is to customize the Identity Server application itself.) The values applied to the organization attributes under Service Configuration become the default values for the Core Authentication template. The service template must be created after adding the service to the organization; the organization’s administrator can then change the default values. Organization attributes are not inherited by entries in the organization. The Core Authentication attributes are separated into:

  • Global Attributes
  • Organization Attributes

Global Attributes

The global attributes in the Core Authentication service are:

Pluggable Authentication Module Classes

This field specifies the Java classes of the authentication modules available to any organization configured within the Identity Server platform. By default, this includes LDAP, SafeWord, SecurID, Application, Anonymous, HTTP Basic, Membership, Unix, Certificate, NT, RADIUS and Windows Desktop SSO. You can write custom authentication modules by implementing the AMLoginModule SPI or the JAAS LoginModule SPI; see the Identity Server Developer’s Guide for details. To register a new module, add to this field a text string giving the fully qualified class name (including the package name) of each new authentication module.

Supported Authentication Modules for Clients

This attribute specifies a list of supported authentication modules for a specific client. The format is as follows:

clientType | module1,module2,module3

This attribute is in effect when Client Detection is enabled.

LDAP Connection Pool Size

This attribute specifies the minimum and maximum connection pool size to be used for a specific LDAP server and port. This attribute applies to the LDAP and Membership authentication services only. The format is as follows:

host:port:min:max


Note

This connection pool is different than the SDK connection pool configured in serverconfig.xml.


Default LDAP Connection Pool Size

This attribute sets the default minimum and maximum connection pool size to be used with all LDAP authentication module configurations. If an entry for the host and port exists in the LDAP Connection Pool Size attribute, that entry takes precedence and the minimum and maximum settings from Default LDAP Connection Pool Size are not used for that server.
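The precedence rule between the two pool-size attributes is easy to get wrong when several directory servers are configured, so here is an added example (not part of the original guide or of Identity Server) that parses the host:port:min:max entries, validates them, and resolves the pool size for a given server with the documented fallback. The sample entries and the assumption that the default attribute is written as min:max are this example’s own; the guide does not spell out the default’s format.

```python
import re
from typing import Dict, Iterable, Tuple

PoolKey = Tuple[str, int]    # (host, port)
PoolSize = Tuple[int, int]   # (min, max)

# One value of "LDAP Connection Pool Size": host:port:min:max
_ENTRY_RE = re.compile(r"^([^:\s]+):(\d{1,5}):(\d+):(\d+)$")

# Constructed sample values for this example.
SAMPLE_ENTRIES = ["ldap1.example.com:389:5:20", "ldap2.example.com:636:2:10"]
SAMPLE_DEFAULT = "1:10"   # assumed "min:max" form of Default LDAP Connection Pool Size


def parse_pool_entry(entry: str) -> Tuple[str, int, int, int]:
    """Parse one host:port:min:max value; reject malformed or inconsistent entries."""
    m = _ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"malformed LDAP Connection Pool Size entry: {entry!r}")
    host, port = m.group(1).lower(), int(m.group(2))
    lo, hi = int(m.group(3)), int(m.group(4))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {entry!r}")
    if lo < 1 or hi < lo:
        raise ValueError(f"min must be >= 1 and <= max: {entry!r}")
    return host, port, lo, hi


def parse_default_pool(value: str) -> PoolSize:
    """Parse the assumed min:max form of the default pool size."""
    parts = value.strip().split(":")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed default pool size: {value!r}")
    lo, hi = int(parts[0]), int(parts[1])
    if lo < 1 or hi < lo:
        raise ValueError(f"min must be >= 1 and <= max: {value!r}")
    return lo, hi


def build_pool_table(entries: Iterable[str]) -> Dict[PoolKey, PoolSize]:
    """Index the multi-valued attribute by (host, port); duplicates are a config error."""
    table: Dict[PoolKey, PoolSize] = {}
    for entry in entries:
        host, port, lo, hi = parse_pool_entry(entry)
        if (host, port) in table:
            raise ValueError(f"duplicate pool entry for {host}:{port}")
        table[(host, port)] = (lo, hi)
    return table


def resolve_pool_size(host: str, port: int, table: Dict[PoolKey, PoolSize],
                      default: PoolSize) -> PoolSize:
    """A per-server entry wins; the default applies only when no host:port entry exists.
    The key is host AND port, so a second port on the same host falls back to the default."""
    return table.get((host.lower(), port), default)


def demo() -> Dict[str, PoolSize]:
    table = build_pool_table(SAMPLE_ENTRIES)
    default = parse_default_pool(SAMPLE_DEFAULT)
    return {
        "ldap1": resolve_pool_size("LDAP1.example.com", 389, table, default),
        "ldap1_other_port": resolve_pool_size("ldap1.example.com", 636, table, default),
        "unknown": resolve_pool_size("ldap3.example.com", 389, table, default),
    }
```

Run demo() to see that ldap1.example.com:389 gets its own 5:20 pool while the same host on port 636, and any host without an entry, falls back to the default.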


Organization Attributes

The organization attributes in the Core Authentication service are:

Organization Authentication Modules

This list specifies the authentication modules available to the organization. Each administrator can choose the type of authentication for each specific organization. Multiple authentication modules provide flexibility, but users must make sure that the credentials they present are appropriate for the selected authentication module. The default authentication module is LDAP. The modules included with Identity Server are those listed under Pluggable Authentication Module Classes in the global attributes.

User Profile

This option specifies how the user’s profile is handled after authentication, for example whether a profile is created dynamically for a user who has none (see User Profile Dynamic Creation Default Roles).

Administrator Authentication Configuration

Clicking the edit link will allow you to define the authentication service for administrators only. An administrator is a user who needs access to the Identity Server console. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The modules configured in this attribute are picked up when the Identity Server console is accessed. For example:

http://servername:port/console_deploy_uri

User Profile Dynamic Creation Default Roles

This field specifies the roles assigned to a new user whose profiles are created if Dynamic Creation is selected through the feature User Profile. There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user.


Note

The role specified must be under the organization for which authentication is being configured. This role can be either an Identity Server or LDAP role, but it cannot be a filtered role.


Enable Persistent Cookie Mode

This option determines whether users can close and restart the browser and still return to their authenticated session. When Persistent Cookie Mode is enabled, a user session does not expire until its persistent cookie expires or the user explicitly logs out; the expiration time is specified in Persistent Cookie Maximum Time. By default, Persistent Cookie Mode is not enabled and the authentication service uses only memory cookies, which are discarded when the browser exits. Because a persistent cookie is stored on disk and keeps the session valid across browser restarts, a copied or stolen cookie remains usable for the full maximum time unless the user logs out, so keep Persistent Cookie Maximum Time as short as the deployment allows.


Note

A persistent cookie must be explicitly requested by the client using the iPSPCookie=yes parameter in the login URL.


Persistent Cookie Maximum Time

This field specifies the interval after which a persistent cookie expires. (Enable Persistent Cookie Mode must be enabled by selecting its checkbox.) The interval begins when the user’s session has been successfully authenticated. The default value is 2147483 (time in seconds, roughly 24.8 days). The field will take any integer value between 0 and 2147483.

People Container For All Users

After successful authentication by a user, the user’s profile is retrieved. The value in this field specifies where to search for the profile. Generally, this is the DN of the default People Container. All user entries added to an organization are automatically added to the organization’s default People Container. The default value is ou=People; the full DN is completed with the organization DN and the root suffix. The field accepts a valid DN for any organizational unit.


Note

Authentication searches for a user profile by:

  • Searching under the default People Container, then
  • Searching under the default organization, then
  • Searching for the user in the default organization using the Alias Search Attribute Name attribute.

The final search is for SSO cases where the user name used to authenticate may not be the naming attribute in the profile. For example, a user may authenticate using the SafeWord ID jn10191, but the profile is uid=jamie.


Alias Search Attribute Name

After successful authentication by a user, the user’s profile is retrieved. This field specifies a second LDAP attribute to search on if a search on the first attribute, specified in User Naming Attribute, fails to locate a matching user profile. It is used primarily when the user identifier returned by an authentication module is not the same as the value of User Naming Attribute. For example, a RADIUS server might return abc1234 while the user name is abc. There is no default value for this attribute. The field accepts any valid LDAP attribute name (for example, cn). Choose an attribute whose values are unique within the organization; if several entries share the alias value, the profile lookup is ambiguous.

User Naming Attribute

After successful authentication by a user, the user’s profile is retrieved. The value of this attribute specifies the LDAP attribute to use for the search. By default, Identity Server assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.
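The three-step profile lookup described in the note above, together with Alias Search Attribute Name and User Naming Attribute, determines which directory entry a freshly authenticated identifier is mapped to. The following is an added example, not code from the guide or from Identity Server, that builds the search plan in that order against a small constructed in-memory directory. The organization DN, People Container DN, entries and the employeenumber alias attribute are this example’s own choices. It also shows why the user name must be escaped per RFC 4515 before it is placed in the filter: an unescaped value such as * turns the lookup into a search that matches every entry.

```python
import re
from typing import Dict, List, Optional, Tuple

# RFC 4515 escaping for a value placed inside an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def profile_search_plan(user_name: str, org_dn: str, people_container_dn: str,
                        naming_attr: str = "uid",
                        alias_attr: Optional[str] = None) -> List[Tuple[str, str]]:
    """(base DN, filter) pairs in the order the guide describes: the People Container,
    then the organization, then the organization again on the alias attribute."""
    v = escape_filter_value(user_name)
    plan = [(people_container_dn, f"({naming_attr}={v})"), (org_dn, f"({naming_attr}={v})")]
    if alias_attr:
        plan.append((org_dn, f"({alias_attr}={v})"))
    return plan


# Constructed in-memory directory: (DN, attributes with lower-case names).
ORG_DN = "o=example.com,dc=example,dc=com"
PEOPLE_DN = "ou=People," + ORG_DN
SAMPLE_DIRECTORY: List[Tuple[str, Dict[str, List[str]]]] = [
    ("uid=jamie," + PEOPLE_DN, {"uid": ["jamie"], "employeenumber": ["jn10191"]}),
    ("uid=kim,ou=Contractors," + ORG_DN, {"uid": ["kim"], "employeenumber": ["kn20202"]}),
]


def _assertion_regex(raw: str) -> "re.Pattern[str]":
    """Interpret an assertion value the way an LDAP server does: an unescaped '*' is a
    wildcard, a backslash-hex escape is the literal character."""
    out = []
    for token in re.split(r"(\\[0-9a-fA-F]{2}|\*)", raw):
        if token == "*":
            out.append(".*")
        elif len(token) == 3 and token.startswith("\\"):
            out.append(re.escape(chr(int(token[1:], 16))))
        elif token:
            out.append(re.escape(token))
    return re.compile("".join(out), re.IGNORECASE)


def search(base_dn: str, filt: str, directory=SAMPLE_DIRECTORY) -> List[str]:
    """Subtree search of the toy directory for one equality filter '(attr=value)'."""
    attr, _, raw = filt[1:-1].partition("=")
    rx = _assertion_regex(raw)
    return [dn for dn, attrs in directory
            if dn.lower().endswith("," + base_dn.lower())
            and any(rx.fullmatch(v) for v in attrs.get(attr.lower(), []))]


def find_profile(user_name: str, org_dn: str = ORG_DN, people_container_dn: str = PEOPLE_DN,
                 naming_attr: str = "uid", alias_attr: Optional[str] = None,
                 directory=SAMPLE_DIRECTORY) -> Optional[str]:
    """Walk the plan and return the profile DN, or None. More than one hit on a step is
    an error rather than silently picking the first entry."""
    for base_dn, filt in profile_search_plan(user_name, org_dn, people_container_dn,
                                             naming_attr, alias_attr):
        hits = search(base_dn, filt, directory)
        if len(hits) > 1:
            raise LookupError(f"ambiguous profile for {user_name!r}: {hits}")
        if hits:
            return hits[0]
    return None
```

find_profile("jamie") is resolved on the first step, "kim" only on the second because that entry is outside the People Container, and the SafeWord-style identifier "jn10191" only on the third step and only when alias_attr is set. Calling search(ORG_DN, "(uid=*)") directly shows what an unescaped wildcard would do, while find_profile("*") returns None because the value is escaped.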

Default Authentication Locale

This field specifies the default language subtype to be used by the authentication service. The default value is en_US. A listing of valid language subtypes can be found in Table 20-1.

In order to use a different locale, all authentication templates for that locale must first be created, and a new directory must be created to hold them. See “Chapter 3: Authentication Service” in the Identity Server Developer’s Guide for more information.


Table 20-1  Supported Language Locales

Language Tag    Language
af              Afrikaans
be              Belarusian
bg              Bulgarian
ca              Catalan
cs              Czech
da              Danish
de              German
el              Greek
en              English
es              Spanish
eu              Basque
fi              Finnish
fo              Faroese
fr              French
ga              Irish
gl              Galician
hr              Croatian
hu              Hungarian
id              Indonesian
is              Icelandic
it              Italian
ja              Japanese
ko              Korean
nl              Dutch
no              Norwegian
pl              Polish
pt              Portuguese
ro              Romanian
ru              Russian
sk              Slovak
sl              Slovenian
sq              Albanian
sr              Serbian
sv              Swedish
tr              Turkish
uk              Ukrainian
zh              Chinese

Organization Authentication Configuration

This attribute sets the authentication module for the organization. The default authentication module is LDAP. One or more authentication modules can be selected by clicking the Edit link. If more than one module is selected, then the user will have to pass through the chain of all selected modules.

The modules configured in this attribute are used for authentication when users access the authentication service through a URL of the form /server_deploy_uri/UI/Login. See the Identity Server Developer’s Guide for more information.

Enable Login Failure Lockout Mode

This attribute enables the login failure lockout mechanism. When it is selected, a user who reaches the number of failed attempts set in Login Failure Lockout Count within the time window set in Login Failure Lockout Interval is locked out. By default, the lockout feature is not enabled. This attribute works in conjunction with the other lockout-related and notification attributes described below.

Login Failure Lockout Count

This attribute defines the number of attempts that a user may try to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out.

Login Failure Lockout Interval

This attribute defines (in minutes) the maximum time between two failed login attempts for them to count together. If a login fails and is followed by another failed login within the lockout interval, the lockout count is incremented; otherwise the lockout count is reset and the new failure counts as the first.

Email Address to Send Lockout Notification

This attribute specifies an email address that will receive notification if a user lockout occurs. To send email notification to multiple addresses, separate each email address with a space.

Warn User After N Failure

This attribute specifies the number of authentication failures that can occur before Identity Server sends a warning message that the user will be locked out.

Login Failure Lockout Duration

This attribute selects between physical and memory locking. By default (value 0), the lockout mechanism performs a physical lock: after the lockout count is reached, the user profile attribute named in Lockout Attribute Name is set to the value in Lockout Attribute Value, and the change persists in the directory until it is reset. If the value of Login Failure Lockout Duration is greater than 0, memory locking is used instead: the user account is locked in memory for the specified number of minutes and the user profile is not modified.

Lockout Attribute Name

This attribute designates the LDAP attribute that is set on the user profile when a physical lockout occurs (Login Failure Lockout Duration set to 0). The value written is taken from Lockout Attribute Value, so both attributes must be set together. By default, Lockout Attribute Name is empty in the Identity Server Console; the default implementation then uses inetuserstatus as the attribute and inactive as the value written when the user is locked out.

Lockout Attribute Value

This attribute specifies whether lockout is enabled or disabled for the attribute defined in Lockout Attribute Name. By default, the value is set to inactive for inetuserstatus.
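The lockout attributes above interact: the interval decides whether a failure extends the count or restarts it, the count decides when the lock happens, the duration decides whether the lock is a persistent change to the profile or an in-memory timer, and the notification address list is consulted at lock time. The following is an added example, not code from the guide or from Identity Server, that models these semantics in one place so the policy can be reasoned about before it is deployed. Policy values, user names, addresses and timestamps are constructed for the example; it assumes the lock is applied when the failure count reaches Login Failure Lockout Count.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LockoutPolicy:
    """The Core Authentication lockout attributes, with constructed sample values."""
    enabled: bool = True             # Enable Login Failure Lockout Mode
    count: int = 3                   # Login Failure Lockout Count
    interval_min: int = 5            # Login Failure Lockout Interval (minutes)
    duration_min: int = 0            # Login Failure Lockout Duration (minutes); 0 = physical
    warn_after: int = 2              # Warn User After N Failure
    attr_name: str = "inetuserstatus"   # Lockout Attribute Name (default implementation)
    attr_value: str = "inactive"        # Lockout Attribute Value (default implementation)
    notify: str = "secops@example.com iam-admin@example.com"  # space-separated addresses


@dataclass
class UserState:
    failures: int = 0
    last_failure: float = 0.0          # epoch seconds of the most recent failure
    memory_locked_until: float = 0.0   # epoch seconds; used only when duration_min > 0
    profile: Dict[str, str] = field(default_factory=dict)  # stand-in for the LDAP entry


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserState] = {}
        self.notifications: List[Tuple[List[str], str]] = []  # (recipients, user)

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str, now: float) -> bool:
        st, p = self._state(user), self.policy
        if st.profile.get(p.attr_name) == p.attr_value:   # physical lock persists until reset
            return True
        return now < st.memory_locked_until                 # memory lock expires by itself

    def record_failure(self, user: str, now: float) -> str:
        """Apply one failed login. Returns 'failed', 'warn' or 'locked'."""
        p, st = self.policy, self._state(user)
        if not p.enabled:
            return "failed"
        # A failure within the interval of the previous one increments the count;
        # a failure outside the interval restarts the count at 1.
        if st.failures and now - st.last_failure <= p.interval_min * 60:
            st.failures += 1
        else:
            st.failures = 1
        st.last_failure = now
        if st.failures >= p.count:
            self._lock(user, st, now)
            return "locked"
        return "warn" if st.failures >= p.warn_after else "failed"

    def _lock(self, user: str, st: UserState, now: float) -> None:
        p = self.policy
        if p.duration_min > 0:
            st.memory_locked_until = now + p.duration_min * 60
        else:
            st.profile[p.attr_name] = p.attr_value   # e.g. inetuserstatus=inactive
        self.notifications.append((p.notify.split(), user))

    def record_success(self, user: str, now: float) -> bool:
        """A correct password does not help a locked account; otherwise the count resets."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures = 0
        return True


def demo() -> Dict[str, object]:
    """Run three scenarios (physical lock, memory lock, failures spaced past the interval)."""
    t0 = 1_700_000_000.0
    physical = LockoutTracker(LockoutPolicy())
    seq = [physical.record_failure("jamie", t0 + 60 * i) for i in range(3)]
    memory = LockoutTracker(LockoutPolicy(duration_min=15))
    for i in range(3):
        memory.record_failure("kim", t0 + 60 * i)          # lock applied at t0 + 120
    slow = LockoutTracker(LockoutPolicy())
    slow.record_failure("pat", t0)
    spaced = slow.record_failure("pat", t0 + 10 * 60)      # 10 min later, outside a 5 min interval
    return {
        "sequence": seq,
        "physical_profile": dict(physical.users["jamie"].profile),
        "recipients": physical.notifications[0][0],
        "memory_locked_at_14min": memory.is_locked("kim", t0 + 120 + 14 * 60),
        "memory_locked_at_16min": memory.is_locked("kim", t0 + 120 + 16 * 60),
        "spaced_result": spaced,
        "spaced_failures": slow.users["pat"].failures,
    }
```

With the sample policy, three failures a minute apart produce failed, warn, locked; the physical variant leaves inetuserstatus=inactive on the profile indefinitely, while the 15-minute memory variant is locked at 14 minutes and open again at 16. Two failures ten minutes apart never reach the count because the second restarts it.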

Default Success Login URL

This field accepts multiple values that specify the URL to which users are redirected after successful authentication. The format of each value is clientType|URL; if only a URL is given, the client type defaults to HTML. The Success Login URL is carried in the LoginStatus element of remote-auth.dtd. See the Identity Server Developer’s Guide for more information.

Default Failure Login URL

This field accepts multiple values that specify the URL to which users are redirected after an unsuccessful authentication. The format of each value is clientType|URL; if only a URL is given, the client type defaults to HTML. The Failure Login URL is carried in the LoginStatus element of remote-auth.dtd. See the Identity Server Developer’s Guide for more information.

Authentication PostProcessing Class

This field specifies the name of the Java class used to customize post authentication processes for successful or unsuccessful logins. Example:

com.abc.authentication.PostProcessClass

The Java class must implement the following Java interface:

com.sun.identity.authentication.spi.AMPostAuthProcessInterface

Additionally, you must add the path to where the class is located to the Web Server's Java Classpath attribute.

Enable Generate UserID Mode

This attribute is used by the Membership authentication module. When it is enabled, the Membership module generates alternative user IDs during the Self Registration process if the user ID requested by the user already exists. The user IDs are generated by the Java class specified in Pluggable User Name Generator Class.

Pluggable User Name Generator Class

The field specifies the name of the Java class that will be used to generate user IDs when Enable Generate UserID Mode is enabled.

Default Authentication Level

The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level.

The authentication level should be set within the organization’s specific authentication template. The Default Auth Level value described here applies only when no authentication level has been specified in the Authentication Level field for a specific organization’s authentication template. The Default Auth Level default value is 0. (The value in this attribute is not used by Identity Server itself but by any external application that may choose to use it.) For the 2004Q2 release, this feature does not function properly. In previous releases, however, it does.





Copyright 2004 Sun Microsystems, Inc. All rights reserved.