Sun OpenSSO Enterprise 8.0 Administration Guide

Procedure: To Modify Core Authentication Properties By Realm

Realm attributes are applied to the realm under which they are configured.

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator.

  1. Click the Access Control tab.

  2. Click the name of the realm that contains the properties to be modified.

  3. Click the Authentication tab.

    The Core authentication module's General properties for the realm are displayed.

  4. Modify the values of the realm's General properties.

    The General properties are defined in the Core authentication module and are configurable by realm. Those documented in this step are the ones most likely to be modified.

    Default Authentication Chain

    Defines the default authentication chain used by the realm's users. The authentication chain must first be created before it is displayed as an option in the drop down list. For more information see To Create an Authentication Chain.

    Administrator Authentication Chain

    Defines the authentication chain used by administrators when the process needs to be different from the authentication chain defined for end users. The authentication chain must first be created before it is displayed as an option in the drop down list. For more information see To Create an Authentication Chain.

    Default Success Login URL

    Specifies a URL that the user will be redirected to upon successful authentication to the realm.

  5. Click Advanced Properties.

    The Core authentication module's General Advanced Properties for the realm are displayed.

  6. Modify the attributes.

    The General Advanced Properties are defined in the Core authentication module and are configurable by realm. Those documented in this step are the ones less likely to be modified.

    User Profile

    This option determines the profile status of a successfully authenticated user.

    Dynamic

    Specifies that on successful authentication the Authentication Service will create a user profile if one does not already exist. The SSOToken will then be issued. The user profile is created in the realm's configured user data store.

    Dynamic With User Alias

    Specifies that on successful authentication the Authentication Service will create a user profile that contains the User Alias List attribute, which defines one or more aliases used to map a user's multiple profiles to one identity.

    Ignore

    Specifies that a user profile is not required for the Authentication Service to issue an SSOToken after a successful authentication.

    Required

    Specifies that on successful authentication the user must have a user profile in the realm's configured user data store in order for the Authentication Service to issue an SSOToken.

    Administrator Authentication Configuration

    Defines the authentication chain used by administrators when the process needs to be different from the authentication chain defined for end users. The authentication chain must first be created before it is displayed as an option in the drop down list. For more information see To Create an Authentication Chain.

    User Profile Dynamic Creation Default Roles

    Specifies the DN of a role to be assigned to a new user whose profile is created when either of the Dynamic options is selected under the User Profile attribute. There are no default values. The role specified must be within the realm for which the authentication process is configured.


    Tip –

    This role can be either an OpenSSO Enterprise or LDAP role, but it cannot be a filtered role.


    Persistent Cookie Mode

    Determines whether users can return to their authenticated session after restarting the browser. When enabled, a user session will not expire until its persistent cookie expires (as specified by the value of the Persistent Cookie Maximum Time attribute) or the user explicitly logs out. By default, the Authentication Service uses only memory cookies, which expire when the browser is closed. Because a persistent cookie keeps the session valid across browser restarts, leaving this disabled is the safer choice where users log in from shared or public machines.


    Tip –

    A persistent cookie must be explicitly requested by the client by appending the iPSPCookie=yes parameter to the login URL. For more information see iPSPCookie Parameter.


    Persistent Cookie Maximum Time

    Specifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The maximum value is 2147483647 (time in seconds). The field will accept any integer value less than the maximum.

    Alias Search Attribute Name

    After a user is successfully authenticated, the user's profile is retrieved. This field specifies a second LDAP attribute to use in a search for the profile if a search using the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field takes any valid LDAP attribute.
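
The following is an added example, not code from the Sun OpenSSO Enterprise product, that models what the Authentication Service does with a successfully authenticated user identifier under each User Profile mode described above, including the default-role assignment of User Profile Dynamic Creation Default Roles and the second search that Alias Search Attribute Name enables. The in-memory directory, the DN layout, the alias attribute name and the role attribute name (nsroledn) are constructed assumptions; a real deployment reads these from the realm's data store configuration.

```python
"""Model of what the Authentication Service does with a successfully
authenticated user ID under each User Profile mode, the User Profile
Dynamic Creation Default Roles attribute and the Alias Search Attribute
Name fallback.  Added illustration, not OpenSSO Enterprise code: the
in-memory directory, the DN layout and the role attribute name
(nsroledn) are constructed assumptions."""

from dataclasses import dataclass
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]          # LDAP-style multi-valued attributes

# Constructed stand-in for the realm's user data store, keyed by DN.
DIRECTORY: Dict[str, Entry] = {
    "uid=abc,ou=people,dc=example,dc=com": {
        "uid": ["abc"],
        # the identifier a RADIUS server might return instead of the user name
        "iplanet-am-user-alias-list": ["abc1234"],
        "nsroledn": [],
    },
}

NAMING_ATTR = "uid"                          # User Naming Attribute
ALIAS_ATTR = "iplanet-am-user-alias-list"    # Alias Search Attribute Name
DEFAULT_ROLE = "cn=employees,ou=people,dc=example,dc=com"  # assumed role DN
PEOPLE_BASE = "ou=people,dc=example,dc=com"


@dataclass
class AuthResult:
    token_issued: bool
    profile_dn: Optional[str]      # None when no profile was looked up or found
    profile: Optional[Entry]


def find_profile(user_id: str) -> Optional[str]:
    """Search the naming attribute first; if nothing matches and an alias
    attribute is configured, repeat the search on the alias attribute."""
    for attr in (NAMING_ATTR, ALIAS_ATTR):
        if not attr:
            continue
        for dn, entry in DIRECTORY.items():
            if user_id in entry.get(attr, []):
                return dn
    return None


def complete_authentication(user_id: str, mode: str) -> AuthResult:
    """Apply the realm's User Profile mode after a module reported success.
    token_issued=False means the Authentication Service refuses the login."""
    if mode == "Ignore":
        # No profile needed; the SSOToken carries only what the module supplied.
        return AuthResult(True, None, None)

    dn = find_profile(user_id)
    if dn is not None:
        return AuthResult(True, dn, DIRECTORY[dn])

    if mode == "Required":
        return AuthResult(False, None, None)

    if mode in ("Dynamic", "Dynamic With User Alias"):
        dn = f"{NAMING_ATTR}={user_id},{PEOPLE_BASE}"
        entry: Entry = {NAMING_ATTR: [user_id], "nsroledn": [DEFAULT_ROLE]}
        if mode == "Dynamic With User Alias":
            # assumption: the module's identifier is recorded as the first alias
            entry[ALIAS_ATTR] = [user_id]
        DIRECTORY[dn] = entry
        return AuthResult(True, dn, entry)

    raise ValueError(f"unknown User Profile mode: {mode!r}")
```

The Required branch is the one to keep in mind when reviewing a realm: it is the only mode in which an identifier that a module accepts but that has no profile (and no alias match) is refused, whereas Ignore issues a token with no profile and either Dynamic mode silently creates one and hands it the default role.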

    Default Authentication Locale

    Specifies the default language subtype to be used by the Authentication Service. The default value is en_US. See Supported Language Locales in Sun OpenSSO Enterprise 8.0 Administration Reference for a list of supported language subtypes. To use a different locale, authentication templates for that locale must first be created. A new directory must then be created for these templates. For more information see locale Parameter.

    Organization Authentication Configuration

    Defines the default authentication chain used by the realm's users. The authentication chain must first be created before it is displayed as an option in this attribute's drop down list. For more information see To Create an Authentication Chain.

    Account Lockout Attributes

    These attributes control account lockout, in which a user is prevented from authenticating after a defined number of login attempts have failed. For more information on the account lockout options, see Enabling Account Lockout.

    Login Failure Lockout Mode

    Selecting this attribute enables physical lockout. Physical lockout inactivates the user's profile by writing the Lockout Attribute Value to the LDAP attribute named in the Lockout Attribute Name property. This attribute works in conjunction with several other lockout and notification attributes.

    Login Failure Lockout Count

    Defines the number of failed authentication attempts a user can make, within the time interval defined in Login Failure Lockout Interval, before being locked out.

    Login Failure Lockout Interval

    Defines (in minutes) the interval within which consecutive failed login attempts are counted. If a second failed attempt follows a first within this interval, the lockout count is started, and the user is locked out when the count reaches the number defined in Login Failure Lockout Count. A successful attempt within the interval, before that number is reached, resets the count.

    Email Address to Send Lockout Notification

    Specify one (or more) email address(es) to which notification will be sent if a user lockout occurs. If sending:

    • To multiple addresses, separate each address with a space.

    • To non-English locales, format the address as email_address|locale|charset where locale is the language locale and charset is the character set.

    Warn User After N Failures

    Specifies the number of authentication failures that can occur before OpenSSO Enterprise displays a warning message that the user will be locked out.

    Login Failure Lockout Duration

    Defines (in minutes) how long a user must wait after a lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. With memory lockout the user's account is locked in the server's memory for the number of minutes specified and is unlocked automatically once that time has passed; with physical lockout (a value of 0) the profile attribute remains inactive until it is changed.

    Lockout Duration Multiplier

    Defines a value with which to multiply the value of the Login Failure Lockout Duration for each successive lockout. For example, if Login Failure Lockout Duration is set to 3 minutes, and the Lockout Duration Multiplier is set to 2, the user will be locked out of the account for 6 minutes. Once the 6 minutes has elapsed, if the user again provides the wrong credentials, the lockout duration would then be 12 minutes. With the Lockout Duration Multiplier, the lockout duration is incrementally increased based on the number of times the user has been locked out.
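
The following is an added example, not code from the Sun OpenSSO Enterprise product, that simulates how the lockout attributes above interact on a timeline of attempts: the count and interval, the warning threshold, memory lockout with the duration multiplier (following the 3 minute / multiplier 2 example above, which gives 6 and then 12 minutes), and physical lockout via the inetuserstatus/inactive attribute pair. The policies and the attempt timelines are constructed, and the treatment of a multiplier below 1 as "no multiplication" is an assumption.

```python
"""Simulation of how the Core module's lockout attributes interact:
Login Failure Lockout Count, Login Failure Lockout Interval, Warn User
After N Failures, Login Failure Lockout Duration, Lockout Duration
Multiplier and the Lockout Attribute Name/Value pair.  Added
illustration, not OpenSSO Enterprise code; policies and attempt
timelines are constructed, and times are seconds on a simulated clock."""

from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    lockout_mode: bool = True             # Login Failure Lockout Mode
    failure_count: int = 5                # Login Failure Lockout Count
    interval_min: int = 5                 # Login Failure Lockout Interval (minutes)
    warn_after: int = 3                   # Warn User After N Failures (0 = never warn)
    duration_min: int = 0                 # Login Failure Lockout Duration (0 = physical lockout)
    multiplier: int = 1                   # Lockout Duration Multiplier
    lockout_attr: str = "inetuserstatus"  # Lockout Attribute Name (console default)
    lockout_value: str = "inactive"       # Lockout Attribute Value (console default)


@dataclass
class AccountState:
    failures: int = 0                     # invalid attempts in the current interval
    last_failure_at: Optional[float] = None
    lockouts: int = 0                     # lockouts so far; drives the multiplier
    locked_until: Optional[float] = None  # memory-lockout expiry, None when not locked
    profile: Dict[str, str] = field(default_factory=dict)  # simulated LDAP attributes


def lockout_minutes(policy: LockoutPolicy, lockout_number: int) -> int:
    """Length of the n-th memory lockout (n starts at 1).  The page's example
    (3 minutes, multiplier 2) gives 6 then 12 minutes, i.e. duration * multiplier**n.
    A multiplier below 1 is treated as 1 (assumption)."""
    return policy.duration_min * max(policy.multiplier, 1) ** lockout_number


def attempt(policy: LockoutPolicy, state: AccountState, now: float, ok: bool) -> str:
    """Process one authentication attempt and return 'success', 'failure',
    'warning', 'locked' (rejected because already locked) or 'lockout'
    (this attempt triggered the lockout)."""
    if not policy.lockout_mode:
        return "success" if ok else "failure"

    # Physical lockout: the profile attribute stays inactive until an administrator resets it.
    if state.profile.get(policy.lockout_attr) == policy.lockout_value:
        return "locked"
    # Memory lockout: rejected until the computed duration has elapsed.
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"
        state.locked_until = None   # expired; only a success resets the failure count

    if ok:
        state.failures, state.last_failure_at = 0, None
        return "success"

    # Consecutive failures more than one interval apart do not accumulate.
    if state.last_failure_at is not None and now - state.last_failure_at > policy.interval_min * 60:
        state.failures = 0
    state.failures += 1
    state.last_failure_at = now

    if state.failures >= policy.failure_count:
        state.lockouts += 1
        if policy.duration_min > 0:
            state.locked_until = now + lockout_minutes(policy, state.lockouts) * 60
        else:
            state.profile[policy.lockout_attr] = policy.lockout_value
        return "lockout"
    if policy.warn_after and state.failures >= policy.warn_after:
        return "warning"
    return "failure"
```

Two behaviours worth checking against your own realm settings: a failure that arrives more than one interval after the previous one restarts the count, so an attacker pacing attempts just outside the interval never reaches the lockout count; and after a memory lockout expires the count is not cleared, so the next failure re-locks the account for the longer, multiplied duration.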

    Lockout Attribute Name

    Defines the LDAP attribute to be marked as inactive for physical lockout. The default value is inetuserstatus (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Value field must also contain an appropriate value.

    Lockout Attribute Value

    Specifies the action to take on the attribute defined in Lockout Attribute Name. The default value is inactive (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Name field must also contain an appropriate value.

    Invalid Attempts Data Attribute Name

    Defines the attribute to which information regarding failed authentication attempts will be stored when the Store Invalid Attempts in Data Store attribute is enabled. The value of this attribute is used if the OpenSSO Enterprise schema is not loaded.


    Tip –

    The specified attribute needs to be defined in the LDAP User Attributes property of the data store configuration if the data store type is either Active Directory, Generic LDAPv3 or Sun DS with OpenSSO schema.


    Default Success Login URL

    Accepts a list of values that specifies where users are directed after successful authentication. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the type HTML. The default value is /opensso/console. Values that do not begin with http:// or https:// are appended to the deployment URI.

    Default Failure Login URL

    Accepts a list of values that specifies where users are directed after an attempted authentication has failed. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the type HTML. Values that do not begin with http:// or https:// are appended to the deployment URI.

    Authentication Post Processing Classes

    Specifies one or more Java classes used to customize post-authentication processing for successful or unsuccessful logins. The Java class must implement the com.sun.identity.authentication.spi.AMPostAuthProcessInterface OpenSSO Enterprise interface. Additionally, add a JAR containing the post-processing class to the classpath of the web container instance on which OpenSSO Enterprise is configured. Because such a class runs inside the OpenSSO Enterprise server with the server's privileges, deploy only classes from a source you trust. If the web container on which OpenSSO Enterprise is configured explodes the WAR, follow this procedure.

    1. Stop the web container instance.

    2. Change to the WEB-INF/lib directory in the exploded OpenSSO Enterprise WAR directory.

      For example, if using Sun Application Server, AS-Deploy-Base/AS-Domain-Dir/AS-Domain/applications/j2ee-modules/opensso/WEB-INF/lib.

    3. Copy the JAR that contains the post processing class to the lib directory.

    4. Restart the web container instance.

    Generate UserID Mode

    When enabled, the Membership module will generate a list of alternate user identifiers if the one entered by a user during the self-registration process is not valid or already exists. The user identifiers are generated by the class specified in the Pluggable User Name Generator Class property.

    Pluggable User Name Generator Class

    Specifies the name of the class used to generate alternate user identifiers when Generate UserID Mode is enabled. The default value is com.sun.identity.authentication.spi.DefaultUserIDGenerator.

    Identity Types

    Lists the type or types of identities for which OpenSSO Enterprise will search. Options include:

    • Agent

    • agentgroup

    • agentonly

    • Group

    • User

    Pluggable User Status Event Classes

    Specifies one or more Java classes used to provide a callback mechanism for user status changes during the authentication process. The Java class must implement the com.sun.identity.authentication.spi.AMAuthCallBack OpenSSO Enterprise interface. Account lockout and password changes are supported; password-change callbacks are available only through the LDAP authentication module, as that feature exists only for that module.

    Store Invalid Attempts in Data Store

    Enables the storage of information regarding failed authentication attempts in the user data store, allowing the information to be shared among multiple instances of OpenSSO Enterprise. If this attribute is not enabled, the information is local to the instance where the failures occurred, so in a load-balanced deployment an attacker can spread attempts across instances without any single instance reaching the lockout count. This function requires a data store enabled with the OpenSSO Enterprise schema and its sunAMAuthInvalidAttemptsData attribute. You can remove the dependency on the OpenSSO Enterprise schema by defining a different attribute in which to store the information: to store data in an attribute not defined by the OpenSSO Enterprise schema, define a value for the Invalid Attempts Data Attribute Name attribute. This is enabled by default.

    Module-based Authentication

    Enables users to authenticate using module-based authentication. Otherwise, all attempts with the module=module_instance_name login parameter will result in failure. See Module Authentication for more information.

    User Attribute Mapping to Session Attribute

    Enables the authenticating user's identity attributes (stored in the identity repository) to be set as session properties in the user's SSOToken. The value takes the format User-Profile-Attribute|Session-Attribute-Name. If Session-Attribute-Name is not specified, the value of User-Profile-Attribute is used. All session attributes contain the am.protected prefix to ensure that they cannot be edited by the Client SDK.
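
The following is an added example, not code from the Sun OpenSSO Enterprise product, that parses values in the User-Profile-Attribute|Session-Attribute-Name format described above and builds the am.protected session properties that result for a constructed user profile. The sample profile is constructed, and joining a multi-valued attribute's values with "|" is an assumption about how a list is flattened into one session property.

```python
"""Parser for the User Attribute Mapping to Session Attribute format
(User-Profile-Attribute|Session-Attribute-Name) and a builder for the
am.protected session properties that result.  Added illustration, not
OpenSSO Enterprise code; the profile is constructed and joining a
multi-valued attribute with '|' is an assumption."""

import re
from typing import Dict, List, Tuple

PROTECTED_PREFIX = "am.protected."
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")   # LDAP attribute descriptor, roughly


def parse_mapping(entry: str) -> Tuple[str, str]:
    """Split one configured value into (profile attribute, session attribute).
    When no session name is given, the profile attribute name is reused."""
    profile_attr, _, session_attr = entry.strip().partition("|")
    profile_attr, session_attr = profile_attr.strip(), session_attr.strip()
    if not _ATTR_NAME.match(profile_attr):
        raise ValueError(f"bad profile attribute in mapping {entry!r}")
    return profile_attr, session_attr or profile_attr


def session_properties(mappings: List[str], profile: Dict[str, List[str]]) -> Dict[str, str]:
    """Properties the Authentication Service would set on the user's SSOToken.
    Attributes missing from the profile are skipped rather than set to an
    empty string, and every name carries the am.protected prefix."""
    props: Dict[str, str] = {}
    for entry in mappings:
        profile_attr, session_attr = parse_mapping(entry)
        values = profile.get(profile_attr)
        if values:
            props[PROTECTED_PREFIX + session_attr] = "|".join(values)
    return props


def client_may_set(name: str) -> bool:
    """The Client SDK is refused writes to anything under am.protected."""
    return not name.startswith(PROTECTED_PREFIX)
```

The point of the prefix is that an application reading, say, am.protected.username from a session can trust that the value came from the identity repository at login time and not from a later client-side write; a property without the prefix carries no such guarantee.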

    Default Authentication Level

    The authentication level value indicates how much to trust an authentication. Once a user has authenticated, this value is stored in the user's SSOToken. When the SSOToken is presented to an application, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level does not meet the minimum value required by the application, it can prompt the user to authenticate again in order to attain a higher authentication level. The authentication level should be set within a realm's specific authentication template. The Default Authentication Level value described here applies only when no authentication level has been specified in the Authentication Level field for a specific realm's authentication template. The Default Authentication Level default value is 0. The value of this attribute is not used by OpenSSO Enterprise itself but by any external application that may choose to use it. See Authentication Level-based Authentication for more information.

  7. Click Save.

  8. Click Back to Service Configuration.

  9. Log out of the OpenSSO Enterprise console.