Sun Java System Access Manager 7.1 Administration Reference


The Mobile Station Integrated Services Digital Network (MSISDN) authentication module enables authentication using a mobile subscriber ISDN associated with a device such as a cellular telephone. It is a non-interactive module. The module retrieves the subscriber ISDN and validates it against the Directory Server to find a user that matches the number. The MSISDN Authentication attributes are realm attributes. The MSISDN Authentication attributes are:

Trusted Gateway IP Address

Specifies a list of IP addresses of trusted clients that can access MSIDSN modules. You can set the IP addresses of all clients allows to access the MSISDN module by entering the address (for example, 123.456.123.111) in the entry field and clicking Add. By default, the list is empty. If the attribute is left empty, then all clients are allowed. If you specify none, no clients are allowed.

MSISDN Number Argument

Specifies a list of parameter names that identify which parameters to search in the request header or cookie header for the MSISDN number. For example, if you define x-Cookie-Param, AM_NUMBER, and COOKIE-ID, the MSISDN authentication services will search those parameters for the MSISDN number.

LDAP Server and Port

Specifies the host name and port number of the Directory Server in which the search will occur for the users with MSISDN numbers. The format ishostname:port. If there is no port number, assume 389.

If you have Access Manager deployed with multiple domains, you can specify the communication link between specific instances of Access Manager and Directory Server in the following format (multiple entries must be prefixed by the local server name):

local_servername|server:port local_servername2|server2:port2 ...

For example, if you have two Access Manager instances deployed in different locations (L1-machine1-IS and L2- machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look the following:||

LDAP Start Search DN

Specifies the DN of the node where the search for the user's MSISDN number should start. There is no default value. The field will recognize any valid DN. Multiple entries must be prefixed by the local server name. The format is servername|search dn.

For multiple entries:

servername1|search dn servername2|search dn servername3|search dn...

If multiple entries exist under the root organization with the same user ID, then this parameter should be set so that the only one entry can be searched for or found in order to be authenticated. For example, in the case where the agent ID and user ID is same under root org, this parameter should be ou=Agents for the root organization to authenticate using Agent ID and ou=People, for the root organization to authenticate using User ID.

Attribute To Use To Search LDAP

Specifies the name of the attribute in the user's profile that contains the MSISDN number to search for a particular user. The default value is sunIdentityMSISDNNumber. This value should not be changed, unless you are certain that another attribute in the user's profile contains the same MSISDN number.

LDAP Server Principal User

Specifies the LDAP bind DN to allow MSISDN searches in the Directory Server. The default bind DN is cn=amldapuser,ou=DSAME Users,dc=sun,dc=com .

LDAP Server Principal Password

Specifies the LDAP bind password for the bind DN, as defined in LDAP Server Principal User.

LDAP Server Principal Password (confirm)

Confirm the password.

Enable SSL for LDAP Access

Enables SSL access to the Directory Server specified in the LDAP Server and Port attribute. By default, this is not enabled and the SSL protocol will not be used to access the Directory Server. However, if this attribute is enabled, you can bind to a non-SSL server.

LDAP Attribute Used to Retrieve User Profile

Specifies the headers to use for searching the request for the MSISDN number. The supported values are as follows:

Cookie Header

Performs the search in the cookie.


Performs the search in the request header.


Performs the search in the request parameter. By default, all options are selected.

Return User DN on Authentication

When the Access Manager directory is the same as the directory configured for MSDISN, this option may be enabled. If enabled, this option allows the authentication module to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module returns only the User ID, and the authentication service searches for the user in the local Access Manager. If an external directory is used, this option is typically not enabled.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.

Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.