
Sun Java System Identity Server 2004Q2 Administration Guide 

Chapter 29  
Windows Desktop SSO Authentication Attributes

The Windows Desktop SSO Authentication attributes are organization attributes. The values applied to them under Service Configuration become the default values for the Windows Desktop SSO Authentication template. The service template needs to be created after registering the service for the organization. The default values can be changed after registration by the organization’s administrator. Organization attributes are not inherited by entries in the subtrees of the organization.

This authentication module requires the Kerberos authentication service provided by a Windows 2000 server running as a domain controller.

The Windows Desktop SSO Authentication attributes are:

Service Principal

This attribute specifies the Kerberos principal that is used for authentication. Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname represent the hostname and domain name of the Identity Server instance. dc_domain_name is the Kerberos domain in which the Windows 2000 Kerberos server (domain controller) resides; it may differ from the domain name of the Identity Server.

Keytab Filename

This attribute specifies the Kerberos keytab file that is used for authentication. The following naming format is recommended but not required:

hostname.HTTP.keytab

hostname is the hostname of the Identity Server instance.

Kerberos Realm

This attribute specifies the domain name of the Kerberos Key Distribution Center (KDC), that is, the domain controller. Depending on your configuration, the domain name of the domain controller may be different from the Identity Server domain name.

Kerberos Server Name

This attribute specifies the hostname of the Kerberos Key Distribution Center (KDC), that is, the domain controller. You must enter the fully qualified domain name (FQDN) of the domain controller.
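The four attributes above must agree with one another: the realm in the Service Principal must be the configured Kerberos Realm, the principal's host and the Kerberos Server Name must both be fully qualified, and the keytab should follow the recommended name. The following sanity check is an added example, not code from the guide or from Identity Server; the WdssoConfig field names and the sample hostnames and realm are assumptions.

```python
import re
from dataclasses import dataclass

# RFC 1123 host label; an FQDN must have at least two labels joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# The guide's Service Principal format: HTTP/hostname.domainname@dc_domain_name
_SPN = re.compile(r"^HTTP/(?P<host>[^@/]+)@(?P<realm>[^@/]+)$")


@dataclass
class WdssoConfig:
    """The four module attributes that must agree with one another (field names are assumed)."""
    service_principal: str
    keytab_filename: str
    kerberos_realm: str
    kerberos_server_name: str


def check_wdsso(cfg: WdssoConfig) -> list[str]:
    """Return findings for an inconsistent configuration; an empty list means it is consistent."""
    findings: list[str] = []
    m = _SPN.match(cfg.service_principal)
    if not m:
        # Nothing else can be cross-checked without a parseable principal.
        return ["Service Principal must have the form HTTP/<hostname.domainname>@<dc_domain_name>"]
    host, realm = m.group("host"), m.group("realm")
    if not _FQDN.match(host):
        findings.append(f"Service Principal host '{host}' is not a fully qualified hostname")
    if realm != cfg.kerberos_realm:
        # The KDC cannot locate the service key if the SPN realm and the configured realm disagree.
        findings.append(f"Service Principal realm '{realm}' does not match Kerberos Realm '{cfg.kerberos_realm}'")
    if realm != realm.upper():
        findings.append(f"realm '{realm}' is not upper-case; Windows Kerberos realms are upper-case by convention")
    if not _FQDN.match(cfg.kerberos_server_name):
        findings.append(f"Kerberos Server Name '{cfg.kerberos_server_name}' must be the domain controller's FQDN")
    short_host = host.split(".")[0]
    if not (cfg.keytab_filename.startswith(short_host) and cfg.keytab_filename.endswith(".HTTP.keytab")):
        # The guide only recommends this naming, so it is reported as advisory rather than an error.
        findings.append(f"advisory: keytab '{cfg.keytab_filename}' deviates from the <hostname>.HTTP.keytab convention")
    return findings


if __name__ == "__main__":
    # Constructed sample values; they are not taken from any real deployment.
    good = WdssoConfig("HTTP/idsvr.example.com@EXAMPLE.COM", "idsvr.HTTP.keytab", "EXAMPLE.COM", "dc1.example.com")
    bad = WdssoConfig("HTTP/idsvr@example.com", "idsvr.keytab", "EXAMPLE.COM", "dc1")
    print(check_wdsso(good))  # []
    for finding in check_wdsso(bad):
        print("-", finding)
```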

Return Principal With Domain Name

If enabled, this attribute allows Identity Server to automatically return the Kerberos principal together with the domain controller’s domain name during authentication.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Auth Level. See “Default Authentication Level” on page 258 for details. For the 2004Q2 release, this feature does not function properly. In previous releases, however, it does.






Copyright 2004 Sun Microsystems, Inc. All rights reserved.