Sun Java System Access Manager 7.1 Administration Reference


This module is the general configuration base for the Access Manager authentication services. It must be registered and configured to use any of the specific authentication module instances. It enables the administrator to define default values that will be picked up for the values that are not specifically set in the Access Manager default authentication modules. The Core attributes are global and realm. The attributes are:

Pluggable Authentication Module Classes

Specifies the Java classes of the authentication modules available to any realm configured within the Access Manager platform. You can write custom authentication modules by implementing the AMLoginModule SPI or the JAAS LoginModule SPI. For more information, see the Access Manager Developer's Guide. To define new services, this field must take a text string specifying the full class name (including package name) of each new authentication service.

Supported Authentication Module for Clients

Specifies a list of supported authentication modules for a specific client. The format is as follows:

clientType | module1,module2,module3

This attribute is in effect when Client Detection is enabled.

LDAP Connection Pool Size

Specifies the minimum and maximum connection pool to be used on a specific LDAP server and port. This attribute is for LDAP and Membership authentication services only. The format is as follows:


Note –

This connection pool is different than the SDK connection pool configured in serverconfig.xml.

Default LDAP Connection Pool Size

Sets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. If an entry for the host and port exists in the LDAP Connection Pool Size attribute, the minimum and maximum settings will not be used from LDAP Connection Default Pool Size.

User Profile

This option enables you to specify options for a user profile. The options are:


This specifies that on successful authentication, the user needs to have a profile in the local Directory Server installed with Access Manager for the authentication service to issue an SSOToken.


This specifies that on successful authentication, the authentication service will create the user profile if one does not already exist. The SSOToken will then be issued. The user profile is created in the local Directory Server installed with Access Manager.

Dynamic With User Alias

This specifies that on successful authentication, the authentication services will create the user profile with the User Alias List attribute.


This specifies that the user profile is not required by the authentication service to issue the SSOToken for a successful authentication.

Administrator Authentication Configuration

Defines the authentication service for administrators only. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The modules configured in this attribute are picked up when the Access Manager console is accessed. For example:


User Profile Dynamic Creation Default Roles

This field specifies the roles assigned to a new user whose profiles are created if Dynamic Creation is selected through the User Profile. There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user.

Note –

The role specified must be under the realm for which authentication is being configured. This role can be either an Access Manager or LDAP role, but it cannot be a filtered role.

If you wish to automatically assign specific services to the user, you have to configure the Required Services attribute in the User Profile.

Persistent Cookie Mode

This option determines whether users can restart the browser and still return to their authenticated session. User sessions can be retained by enabling Enable Persistent Cookie Mode. When Enable Persistent Cookie Mode is enabled, a user session does not expire until its persistent cookie expires, or the user explicitly logs out. The expiration time is specified in Persistent Cookie Maximum Time. The default value is that Persistent Cookie Mode is not enabled and the authentication service uses only memory cookies.

Note –

A persistent cookie must be explicitly requested by the client using the iPSPCookie=yes parameter in the login URL.

Persistent Cookie Maximum Time

Specifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The maximum value is 2147483647 (time in seconds). The field will accept any integer value less than the maximum.

Alias Search Attribute Name

After successful authentication by a user, the user's profile is retrieved. This field specifies a second LDAP attribute to search from if a search on the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute.

The field will take any valid LDAP attribute (for example, cn).

Default Authentication Locale

Specifies the default language subtype to be used by the authentication service. The default value is en_US. See Supported Language Locales for a listing of valid language subtypes.

In order to use a different locale, all authentication templates for that locale must first be created. A new directory must then be created for these templates. See "Login URL Parameters" in the Administration Guide for more information.

Organization Authentication Configuration

Sets the authentication module for the organization. The default authentication module is LDAP.

Login Failure Lockout Mode

Specifies whether a user can attempt a second authentication if the first attempt failed. Selecting this attribute enables a lockout and the user will have only one chance at authentication. By default, the lockout feature is not enabled. This attribute works in conjunction with Lockout-related and notification attributes.

Login Failure Lockout Count

Defines the number of attempts that a user may try to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out.

Login Failure Lockout Interval

Defines (in minutes) the time between two failed login attempts. If a login fails and is followed by another failed login that occurs within the lockout interval, then the lockout count is incremented. Otherwise, the lockout count is reset.

Email Address to Send Lockout Notification

Specifies an email address that will receive notification if a user lockout occurs. To send email notification to multiple addresses, separate each email address with a space. For non-English locales, the format is:


Warn User After N Failures

Specifies the number of authentication failures that can occur before Access Manager sends a warning message that the user will be locked out.

Login Failure Lockout Duration

Enables memory locking. By default, the lockout mechanism will inactivate the User Profile (after a login failure) defined in Lockout Attribute Name. If the value of Login Failure Lockout Duration is greater than 0, then its memory locking and the user account will be locked for the number of minutes specified.

Lockout Attribute Name

Designates any LDAP attribute that is to be set for lockout. The value in Lockout Attribute Value must also be changed to enable lockout for this attribute name. By default, Lockout Attribute Name is empty in the Access Manager Console. The default implementation values are inetuserstatus (LDAP attribute) and inactive when the user is locked out and Login Failure Lockout Duration is set to 0.

Lockout Attribute Value

This attribute specifies whether lockout is enabled or disabled for the attribute defined in Lockout Attribute Name. By default, the value is set to inactive for inetuserstatus.

Default Success Login URL

This field accepts a list of multiple values that specify the URL to which users are redirected after successful authentication. The format of this attribute is clientType|URL, although you can specify only the value of the URL which assumes a default type of HTML. The default value is /amserver/console .

Default Failure Login URL

This field accepts a list of multiple values that specify the URL to which users are redirected after an unsuccessful authentication. The format of this attribute is clientType|URL, although you can specify only the value of the URL which assumes a default type of HTML.

Authentication Post Processing Class

Specifies the name of the Java class used to customize post authentication processes for successful or unsuccessful logins. Example:

The Java class must implement the following Java interface:


Additionally, you must add the path to where the class is located to the Web Server's Java Classpath attribute.

Generate UserID Mode

This attribute is used by the Membership authentication module. If this attribute field is enabled, the Membership module is able to generate user IDs, during the Self Registration process, for a specific user if the user ID already exists. The user IDs are generated from the Java class specified in Pluggable User Name Generator Class.

Pluggable User Name Generator Class

Specifies the name of the Java class is used to generate User IDs when Enable Generate UserID Mode is used.

Identity Types

Lists the type or types of identities for which Access Manager will search.

Pluggable User Status Event Classes

Extends the authentication SPIs to provide a callback mechanism for user status changes during the authentication process. The following status changes are supported:

account lockout

The account lockout event is available for any authentication module. The features is configurable through the Login Failure Lockout Mode attribute.

password change

Only available through the LDAP authentication module type, as the password change feature is only available for that module.

Store Invalid Attempts in Data Store

If enabled, this attribute allows the sharing of login failure attempts in a identity repository that is shared by multiple Access Manager instances. For example, if the identity repository that is used for a specific deployment is Directory Server, the invalid attempts are stored in the sunAMAuthInvalidAttemptsData (which belongs to sunAMAuthAccountLockoutobjectclass). The format of the data is stored as:


This information is maintained in the Directory Server for each user. As the invalid attempts occur, <InvalidCount> is increased.

Module-based Authentication

If enabled, this attribute allows users to authenticate through module-based authentication. If this attribute is not enabled, module-based login is not allowed. All login attempts with module=< module_instance_name> will result in login failure.

Default Authentication Level

The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level.

The authentication level should be set within the realm's specific authentication template. The Default Authentication Level value described here will apply only when no authentication level has been specified in the Authentication Level field for a specific realm's authentication template. The Default Authentication Level default value is 0. (The value in this attribute is not used by Access Manager but by any external application that may chose to use it.)