This section of the OpenSSO Enterprise 8.0 Administration Reference lists and describes the configurable attributes for entities and services in the OpenSSO Enterprise console. In previous releases, many of these attributes were only configurable through the AMConfig.properties file. This file has been deprecated, and all of its properties are now defined in the OpenSSO Enterprise console and stored in the configuration directory datastore.
The Centralized Agent Configuration provides an agent administrator with a means to manage multiple agent configurations from one central place. The agent configurations are stored in OpenSSO Enterprise's data repository and managed by an administrator via the OpenSSO Enterprise Console.
Once you have created an agent, you can customize each agent's behavior. To do so, first click the name of the agent you wish to configure, and then modify the agent's attributes. See the following sections for definitions for each agent type:
A web agent instance can be configured using this interface. The properties described here apply only if centralized configuration was chosen during agent creation. If local configuration was selected, the properties related to this agent must be edited in the OpenSSOAgentConfiguration.properties file in the agent installation directory.
For definitions of the Web Policy Agent attributes, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents, or the online help.
A J2EE agent instance can be configured using this interface. The properties described here apply only if centralized configuration was chosen during agent creation. If local configuration was selected, the properties related to this agent must be edited in the OpenSSOAgentConfiguration.properties file in the agent installation directory.
For definitions of the J2EE Policy Agent attributes, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents, or the online help.
The Web Service Provider agent profile describes the configuration that is used for validating web service requests from web service clients and securing web service responses from a web service provider. The name of the web service provider must be unique across all agents.
The following General attributes define basic web service provider properties:
The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.
Defines the password for the web service provider agent
Confirm the password.
Defines whether the web service provider agent will be Active or Inactive in the system. By default, it is set to Active, meaning that the agent will participate in validating web service requests from web service clients and securing service responses from a web service provider.
Lists the basic LDAP properties that uniquely define the web service provider agent.
The following attributes define web service provider security attributes:
Defines the type of security credential that is used to validate the web service request. The security mechanism is part of the web service request from a web service client and is accepted by the web service provider. Choose from the following types:
Anonymous — The anonymous security mechanism contains no security credentials.
KerberosToken — Uses Kerberos security tokens.
LibertyBearerToken — Uses the Liberty-defined bearer token.
LibertySAMLToken — Uses the Liberty-defined SAML token.
LibertyX509Token — Uses the Liberty-defined X509 certificate.
SAML-HolderOfKey — Uses the SAML 1.1 assertion type Holder-Of-Key.
SAML-SenderVouches — Uses the SAML 1.1 assertion type Sender Vouches.
SAML2-HolderOfKey — Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2-SenderVouches — Uses the SAML 2.0 assertion token type Sender Vouches.
UserNameToken — Uses a user name token.
UserNameToken-Plain — Uses a user name token with a clear text password.
X509Token — Uses the X509 certificate.
Defines the authentication chain or service name that can be used to authenticate to the OpenSSO Enterprise authentication service using the credentials from an incoming web service request's security token to generate OpenSSO Enterprise's authenticated SSOToken.
Defines the type of token that will be converted when a web service provider requests a token conversion from the Security Token service. The token is converted to the specified SAML or SSOToken (session token) with the same identity, but with attribute definitions specific to the token type. This new token can be used by the web service provider making a web service call to another web service provider. The token types you can define are:
SAML 1.1 token
SAML2 token
SSOToken
To use this attribute, a SAML token type must be selected in the Security Mechanism attribute and an authentication chain must be defined for the web service provider.
When enabled, this attribute defines that the SOAP security headers are preserved by the web service provider for further processing.
Defines the key type used by the web service provider during the web service request signature verification process. The default value is PublicKey.
The URN (Uniform Resource Name) describes a Liberty service type that the web service provider will use for service lookups.
This attribute holds the username/password shared secrets that the web service provider uses to validate a username security token: the credentials in the username security token of an incoming web service request are compared against these shared secrets.
The following attributes configure the Security Assertion Markup Language (SAML) for the web service provider:
This configuration represents a SAML attribute that needs to be generated as an Attribute Statement during SAML assertion creation by the Security Token Service for a web service provider. The format is SAML_attr_name=Real_attr_name.
SAML_attr_name is the SAML attribute name from a SAML assertion from an incoming web service request. Real_attr_name is the attribute name that is fetched from either the authenticated SSOToken or the identity repository.
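The SAML_attr_name=Real_attr_name entries above are a small configuration format whose failure modes (a malformed entry, the same SAML attribute mapped twice, an attribute that exists in neither source) are worth handling explicitly. The following is an added example, not code from OpenSSO Enterprise: it parses a list of such entries and resolves each Real_attr_name from a constructed SSOToken attribute map or identity-repository attribute map. The precedence between the two sources (token first, then repository) and the sample attribute names are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# One mapping entry in the documented form SAML_attr_name=Real_attr_name.
# Both names must be non-empty and free of whitespace and '='.
_ENTRY_RE = re.compile(r"^(?P<saml>[^\s=]+)=(?P<real>[^\s=]+)$")


def parse_attribute_mapping(entries: List[str]) -> Dict[str, str]:
    """Parse console entries of the form SAML_attr_name=Real_attr_name.

    Returns {SAML_attr_name: Real_attr_name}. A malformed entry or a SAML
    attribute name listed twice raises ValueError rather than being dropped,
    so a typo cannot quietly remove an attribute from every issued assertion.
    """
    mapping: Dict[str, str] = {}
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue  # blank line in the console list
        match = _ENTRY_RE.match(entry)
        if match is None:
            raise ValueError(f"malformed attribute mapping entry: {raw!r}")
        saml_name, real_name = match.group("saml"), match.group("real")
        if saml_name in mapping:
            raise ValueError(f"SAML attribute mapped twice: {saml_name}")
        mapping[saml_name] = real_name
    return mapping


def build_attribute_statement(
    mapping: Dict[str, str],
    sso_token_attrs: Dict[str, List[str]],
    repo_attrs: Dict[str, List[str]],
) -> List[Tuple[str, List[str]]]:
    """Resolve each Real_attr_name and return (SAML_attr_name, values) pairs.

    The page says Real_attr_name is fetched from either the authenticated
    SSOToken or the identity repository; the order tried here (token first,
    then repository) is an assumption of this example, not the product's
    documented precedence. Attributes with no value in either source are
    left out of the statement instead of being emitted empty.
    """
    statement: List[Tuple[str, List[str]]] = []
    for saml_name, real_name in mapping.items():
        values = sso_token_attrs.get(real_name) or repo_attrs.get(real_name)
        if values:
            statement.append((saml_name, list(values)))
    return statement


if __name__ == "__main__":
    # Constructed sample configuration and principal data, not from a real deployment.
    cfg = ["EmailAddress=mail", "Role=memberOf", "UID=uid"]
    token = {"uid": ["alice"], "mail": ["alice@example.com"]}
    repo = {"memberOf": ["cn=staff,ou=groups,dc=example,dc=com"]}
    for name, vals in build_attribute_statement(parse_attribute_mapping(cfg), token, repo):
        print(f"{name} -> {vals}")
```

Rejecting bad entries at parse time rather than skipping them is the defensive choice here: an attribute that silently disappears from assertions is usually noticed only when a downstream authorization decision starts failing open or closed.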
Defines the NameID mapper plug-in class that is used for SAML account mapping.
Defines the name space used for generating SAML attributes.
If enabled, this attribute defines that the principal's membership must be included as a SAML attribute.
The following attributes define signing and encryption configuration for web provider security:
When enabled, the web service provider signs the response using its X509 certificate.
When enabled, the web service response will be encrypted.
When enabled, the web service request signature is verified.
When enabled, the web service client request's security header will be decrypted.
When enabled, the web service client request will be decrypted.
Defines the reference types used when the Security Token service signs the WSP response. The possible reference types are DirectReference, KeyIdentifier, and X509.
Defines the encryption algorithm used to encrypt the web service response.
Sets the encryption strength used by the Security Token service to encrypt the web service response. Select a greater value for greater encryption strength.
The following attributes configure the keystore to be used for certificate storage and retrieval:
This attribute defines the public certificate key alias that is used to encrypt the web service response or verify the signature of the web service request.
This attribute defines the private certificate key alias that is used to sign the web service response or decrypt the web service request.
This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:
Location of Key Store
Password of Key Store
Password of Key
The following attributes define web service endpoints:
This attribute defines a web service end point to which the web service client is making a request. The end point is optional unless it is configured to use a web security proxy.
This attribute defines a web service end point to which the web service client is making a request.
Kerberos is a security profile supported by web services security to secure web service communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and invokes a web service through the web service client. The client requires a Kerberos ticket to secure the request to the web service provider, identifying the user's principal with a Kerberos token. Kerberos-based web services security is typically used within a single Kerberos domain (realm), as opposed to across domain boundaries as SAML-based web services security is. However, Kerberos is one of the strongest authentication mechanisms, especially in a Windows Domain Controller environment.
This attribute specifies the hostname of the Kerberos Key Distribution Center (KDC), that is, the domain controller. You must enter the fully qualified domain name (FQDN) of the domain controller.
This attribute specifies the domain name of the Kerberos Key Distribution Center (the domain controller). Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.
Specifies the Kerberos principal as the owner of the generated Security token.
Use the following format:
HTTP/hostname.domainname@dc_domain_name
hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. This Kerberos domain may differ from the domain name of the OpenSSO Enterprise instance.
This attribute specifies the Kerberos keytab file that is used for issuing the token. The following naming format is suggested but not required:
hostname.HTTP.keytab
hostname is the hostname of the OpenSSO Enterprise instance.
If enabled, this attribute specifies that the Kerberos token is signed.
The Web Service Client agent profile describes the configuration that is used for securing outbound web service requests from a web service client. The name of the web service client must be unique across all agents.
The following General attributes define basic web service client properties:
The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.
Defines the password for the web service client agent.
Confirm the password.
Defines whether the web service client agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.
Lists the basic LDAP properties that uniquely define the web service client agent.
The following attributes define web service client security attributes:
Defines the type of security credential that is used to secure the web service client request. You can choose one of the following security credential types:
Anonymous — The anonymous security mechanism contains no security credentials.
KerberosToken — Uses Kerberos security tokens.
LibertyDiscoverySecurity — Uses Liberty-based security tokens.
SAML-HolderOfKey — Uses the SAML 1.1 assertion type Holder-Of-Key.
SAML-SenderVouches — Uses the SAML 1.1 assertion type Sender Vouches.
SAML2–HolderOfKey — Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2–SenderVouches — Uses the SAML 2.0 assertion token type Sender Vouches.
STSSecurity — Uses the security token generated from the Security Token service for a given web service provider.
UserNameToken — Uses User Name Token with digest password.
UserNameToken-Plain — Uses a user name token with a clear text password for securing web service requests.
X509Token — Uses the X509 certificate.
This attribute is enabled when the web service client uses the Security Token Service (STS) as the Security Mechanism. This configuration lists the STS agent profiles that are used to communicate with the STS service and secure the web service requests sent to it.
This attribute is enabled when the web service client is enabled for Discovery Service security. This configuration describes a list of Discovery Agent profiles that are used to secure requests made to the Discovery service.
When enabled, this attribute defines that the web service client's protected page requires a user to be authenticated in order to gain access.
When enabled, this attribute defines that the SOAP security headers are preserved by the web service client for further processing.
When enabled, this attribute indicates that the web service client will pass through the received Security token from the Subject. It will not try to create the token locally or from STS communication.
The URN (Uniform Resource Name) describes a Liberty service type that the web service client will use for service lookups.
This attribute holds the username/password shared secrets that are used by the web service client to generate a Username security token.
The following attributes define signing and encryption configuration for web service security:
When enabled, the web services client signs the request using a given token type.
When enabled, the web services client security header will be encrypted.
When enabled, the web services client request will be encrypted.
When enabled, the web services response signature is verified.
When enabled, the web services response will be decrypted.
Defines the reference types used when the Security Token service signs the WSC response. The possible reference types are DirectReference, KeyIdentifier, and X509.
Defines the encryption algorithm used to encrypt the web service response.
Sets the encryption strength used by the Security Token service to encrypt the web service response. Select a greater value for greater encryption strength.
The following attributes configure the keystore to be used for certificate storage and retrieval:
This attribute defines the public certificate key alias that is used to encrypt the web service request or verify the signature of the web service response.
This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.
This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:
Location of Key Store
Password of Key Store
Password of Key
The following attributes define web service endpoints:
This attribute defines a web service end point to which the web service client is making a request. This end point is optional unless it is configured as a web security proxy.
This attribute defines a web service end point to which the web service client is making a request.
Kerberos is a security profile supported by web services security to secure web service communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and invokes a web service through the web service client. The client requires a Kerberos ticket to secure the request to the web service provider, identifying the user's principal with a Kerberos token. Kerberos-based web services security is typically used within a single Kerberos domain (realm), as opposed to across domain boundaries as SAML-based web services security is. However, Kerberos is one of the strongest authentication mechanisms, especially in a Windows Domain Controller environment.
This attribute specifies the hostname of the Kerberos Key Distribution Center (KDC), that is, the domain controller. You must enter the fully qualified domain name (FQDN) of the domain controller.
This attribute specifies the Kerberos Key Distribution Center (KDC) domain name. Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.
Specifies the web service principal registered with the KDC.
Use the following format:
HTTP/hostname.domainname@dc_domain_name
hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. This Kerberos domain may differ from the domain name of the OpenSSO Enterprise instance.
Specifies the Kerberos TGT (Ticket Granting Ticket) cache directory. When the user authenticates to the desktop or initializes using kinit (the command used to obtain the TGT from KDC), the TGT is stored in the local cache, as defined in this attribute.
The Security Token Service (STS) Client interface allows you to create and configure a client that communicates with OpenSSO Enterprise's Security Token service in order to obtain a Security Token. OpenSSO Enterprise provides the mechanism to create the following types of STS client agents:
Allows you to configure a Discovery Agent Client that communicates with the Liberty Discovery Service to obtain a Liberty-based security token. This configuration defines the attributes for securing Liberty requests from the Discovery client to the Liberty Discovery end point.
Allows you to configure a Security Token Service agent that communicates with OpenSSO Enterprise's Security Token Service to obtain web service-based security tokens. This configuration defines the attributes for securing web service Trust requests from the STS client to the STS end point.
The Discovery Agent profile holds a trust authority configuration that is used by the web services' client/profile to communicate with the Liberty Discovery service for web service lookups, registration, and for obtaining security credentials.
The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.
Defines the password for the Discovery Agent.
Confirm the password.
Defines whether the agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.
This attribute defines the agent location of the configuration repository for the Discovery Agent.
This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.
This attribute defines the Discovery service end point where the trust authority client establishes communications for service registrations and lookups.
This attribute defines the authentication service end point that the web service client uses to authenticate with the end user's SSOToken in order to receive the Discovery service resource offering (also referred to as the bootstrap resource offering).
A Security Token Service is a Web service that provides issuance and management of security tokens. That is, it makes security statements or claims, often (though not necessarily) in encrypted sets. These statements are based on the receipt of evidence that it can directly verify: security tokens from authorities that it trusts. To assert trust, a service might prove its right to assert a set of claims by providing a security token or set of security tokens issued by an STS, or it could issue a security token with its own trust statement (note that for some security token formats this can just be a re-issuance or co-signature). This forms the basis of trust brokering.
The following General attributes define basic Security Token service properties:
The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.
Defines the password for the Security Token service agent.
Confirm the password.
Defines whether the agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.
Specifies the version of WS-Trust to use, either 1.0 or 1.3.
Lists the basic LDAP properties that uniquely define the Security Token service agent.
The following attributes define Security Token service security attributes:
Defines the type of security credential that is used to secure the STS request. You can choose one of the following security credential types:
Anonymous — The anonymous security mechanism contains no security credentials.
KerberosToken — Uses Kerberos security tokens.
LibertyDiscoverySecurity — Uses Liberty-based security tokens.
SAML-HolderOfKey — Uses the SAML 1.1 assertion type Holder-Of-Key.
SAML-SenderVouches — Uses the SAML 1.1 assertion type Sender Vouches.
SAML2–HolderOfKey — Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2–SenderVouches — Uses the SAML 2.0 assertion token type Sender Vouches.
STSSecurity — Uses the security token generated from the Security Token service for a given web service provider.
UserNameToken — Uses User Name Token with digest password.
UserNameToken-Plain — Uses a user name token with a clear text password for securing web service requests.
X509Token — Uses the X509 certificate.
This attribute is enabled when the Security Token service agent uses the Security Token Service (STS) as the Security Mechanism. This configuration lists the STS agent profiles that are used to communicate with the STS service and secure the requests sent to it.
When enabled, this attribute defines that the SOAP security headers are preserved by the Security Token service agent for further processing.
This attribute holds the username/password shared secrets that are used by the Security Token service agent to generate a Username security token.
The following attributes define signing and encryption configuration for the Security Token service:
When enabled, the Security Token service agent signs the request using a given token type.
When enabled, the Security Token service agent security header will be encrypted.
When enabled, the Security Token service request will be encrypted.
When enabled, the Security Token service response signature is verified.
When enabled, the Security Token service response will be decrypted.
Defines the reference types used when the Security Token service signs the WSC response. The possible reference types are DirectReference, KeyIdentifier, and X509.
Defines the encryption algorithm used to encrypt the response.
Sets the encryption strength to encrypt the response. Select a greater value for greater encryption strength.
The following attributes configure the keystore to be used for certificate storage and retrieval:
This attribute defines the public certificate key alias that is used to encrypt the web service request or verify the signature of the web service response.
This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.
This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:
Location of Key Store
Password of Key Store
Password of Key
The following attributes define web service endpoints:
This field takes a value equal to:
%protocol://%host:%port%uri/sts
This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port%uri/sts/mex
This syntax allows for dynamic substitution of the Security Token Service MEX Endpoint URL based on the specific session parameters.
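The two endpoint templates above rely on placeholder substitution, and the practical risks are a placeholder that is never filled in or a template edited to contain a placeholder the product does not know. The following is an added example, not OpenSSO Enterprise code: it expands the documented %protocol, %host, %port and %uri placeholders from a constructed session-parameter map, rejects any other placeholder, and refuses to return anything that is not an absolute http(s) URL. The session-parameter dictionary shape is an assumption of this example.

```python
import re
from typing import Dict
from urllib.parse import urlsplit

# Placeholders the page documents for the STS endpoint fields.
_PLACEHOLDER_RE = re.compile(r"%(protocol|host|port|uri)")
_ALLOWED_SCHEMES = {"http", "https"}


def expand_endpoint(template: str, session: Dict[str, str]) -> str:
    """Substitute %protocol, %host, %port and %uri from session parameters.

    A placeholder that is not one of the four documented ones raises
    ValueError, a documented placeholder with no session value raises
    KeyError, and the expanded value must parse as an absolute http(s) URL
    with a host, so a half-filled template is never handed out as an endpoint.
    """
    if "%" in _PLACEHOLDER_RE.sub("", template):
        raise ValueError(f"template contains an unrecognised placeholder: {template}")

    def _fill(match: "re.Match[str]") -> str:
        key = match.group(1)
        if key not in session:
            raise KeyError(f"no session value for %{key}")
        return str(session[key])

    url = _PLACEHOLDER_RE.sub(_fill, template)
    parts = urlsplit(url)
    if parts.scheme not in _ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError(f"expanded endpoint is not an absolute http(s) URL: {url}")
    return url


def sts_endpoints(session: Dict[str, str]) -> Dict[str, str]:
    """Expand both endpoint templates documented on the page for one session."""
    return {
        "sts": expand_endpoint("%protocol://%host:%port%uri/sts", session),
        "mex": expand_endpoint("%protocol://%host:%port%uri/sts/mex", session),
    }


if __name__ == "__main__":
    # Constructed session parameters for an instance deployed under /opensso.
    sample = {"protocol": "https", "host": "sso.example.com", "port": "443", "uri": "/opensso"}
    for name, url in sts_endpoints(sample).items():
        print(f"{name}: {url}")
```

Because %port and %uri are adjacent in the template, the substitution uses a single regular expression pass rather than sequential string replacements; that also makes it impossible for a substituted value to be re-scanned as a placeholder.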
Kerberos is a security profile supported by web services security to secure web service communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and invokes a web service through the web service client. The client requires a Kerberos ticket to secure the request to the web service provider, identifying the user's principal with a Kerberos token. Kerberos-based web services security is typically used within a single Kerberos domain (realm), as opposed to across domain boundaries as SAML-based web services security is. However, Kerberos is one of the strongest authentication mechanisms, especially in a Windows Domain Controller environment.
This attribute specifies the hostname of the Kerberos Key Distribution Center (KDC), that is, the domain controller. You must enter the fully qualified domain name (FQDN) of the domain controller.
This attribute specifies the Kerberos Key Distribution Center (KDC) domain name. Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.
Specifies the Security Token Service principal registered with the KDC.
Use the following format:
HTTP/hostname.domainname@dc_domain_name
hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. This Kerberos domain may differ from the domain name of the OpenSSO Enterprise instance.
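The HTTP/hostname.domainname@dc_domain_name principal format is used identically by the web service provider, web service client and Security Token Service agent profiles above, and the provider profile also suggests a hostname.HTTP.keytab keytab name. The following is an added example, not OpenSSO Enterprise code, that validates a principal string against that format, splits it into its parts, derives the suggested keytab filename, and flags when the Kerberos domain differs from the instance's DNS domain so an administrator can confirm the difference is intended. Requiring the HTTP service class and the exact character classes in the pattern are assumptions of this example; the sample hostnames are constructed.

```python
import re
from dataclasses import dataclass

# Documented format: HTTP/hostname.domainname@dc_domain_name
_PRINCIPAL_RE = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9_-]*)/"
    r"(?P<hostname>[A-Za-z0-9-]+)\.(?P<domainname>[A-Za-z0-9.-]+)"
    r"@(?P<realm>[A-Za-z0-9.-]+)$"
)


@dataclass(frozen=True)
class KerberosPrincipal:
    service: str          # service class, HTTP for the web service principals on the page
    hostname: str         # short hostname of the OpenSSO Enterprise instance
    domainname: str       # DNS domain of the instance
    dc_domain_name: str   # Kerberos domain (realm) in which the domain controller resides

    def spn(self) -> str:
        return f"{self.service}/{self.hostname}.{self.domainname}@{self.dc_domain_name}"

    def keytab_filename(self) -> str:
        # The provider profile suggests, but does not require, hostname.HTTP.keytab.
        return f"{self.hostname}.{self.service}.keytab"

    def realm_differs_from_dns_domain(self) -> bool:
        # The page notes the Kerberos domain may differ from the instance's DNS domain.
        return self.dc_domain_name.lower() != self.domainname.lower()


def parse_principal(value: str) -> KerberosPrincipal:
    """Validate and split a principal string; raises ValueError on any deviation."""
    match = _PRINCIPAL_RE.match(value.strip())
    if match is None:
        raise ValueError(
            f"principal {value!r} does not match HTTP/hostname.domainname@dc_domain_name")
    if match.group("service") != "HTTP":
        raise ValueError(f"expected the HTTP service class, got {match.group('service')!r}")
    return KerberosPrincipal(match.group("service"), match.group("hostname"),
                             match.group("domainname"), match.group("realm"))


def build_principal(hostname: str, domainname: str, dc_domain_name: str) -> KerberosPrincipal:
    """Assemble a principal from its parts and round-trip it through the parser."""
    candidate = KerberosPrincipal("HTTP", hostname, domainname, dc_domain_name)
    return parse_principal(candidate.spn())


if __name__ == "__main__":
    # Constructed values: instance sso1.example.com, domain controller in realm CORP.EXAMPLE.COM.
    p = build_principal("sso1", "example.com", "CORP.EXAMPLE.COM")
    print(p.spn(), p.keytab_filename(), "realm differs:", p.realm_differs_from_dns_domain())
```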
Specifies the Kerberos TGT (Ticket Granting Ticket) cache directory. When the user authenticates to the desktop or initializes using kinit (the command used to obtain the TGT from KDC), the TGT is stored in the local cache, as defined in this attribute.
OpenSSO Enterprise is backward compatible with Policy Agent 2.2. Policy Agent 2.2 must be configured locally from the deployment container on which it is installed. Therefore, from the OpenSSO Enterprise Console, a very limited number of Policy Agent 2.2 options can be configured.
The password was set when you created the agent profile. However, you can change the password at any time in the future.
The confirmation of the password was performed when you created the agent profile. If you change the password, you must confirm the change.
The Active option is selected when the agent is created. Choose Inactive only if you want to remove the protection the agent provides.
A description of the agent, which you can add if desired.
A required setting when enabling CDSSO and when configuring the deployment to prevent cookie hijacking.
This attribute serves as a key in a pairing of a key and a value. This attribute is used by OpenSSO Enterprise to receive agent requests for credential assertions about users. Only one attribute is valid in this key-value pairing. All other attributes are ignored. Use the following format:
agentRootURL=protocol://hostname:port/
The entry must be precise. For example, the string representing the key, agentRootURL, is case sensitive.
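Because the agentRootURL key is case sensitive and every other key in the pairing is ignored, a miscased key is silently dropped and the agent ends up with no root URL. The following is an added example, not OpenSSO Enterprise code: it parses a constructed list of key=value entries, accepts only the exact agentRootURL key, validates its value against the documented protocol://hostname:port/ form, and reports any ignored key that looks like a miscased agentRootURL so the mistake is visible before the profile is saved. Requiring an explicit port and exactly the root path is a strict reading of the documented format and an assumption of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

AGENT_ROOT_URL_KEY = "agentRootURL"  # case sensitive, as the page states


@dataclass
class AgentKeyValueResult:
    root_url: str
    ignored_keys: List[str] = field(default_factory=list)
    suspicious_keys: List[str] = field(default_factory=list)  # ignored keys that differ only in case


def parse_agent_root_url(value: str) -> str:
    """Validate a value against the documented protocol://hostname:port/ form."""
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"agentRootURL must use http or https: {value!r}")
    if not parts.hostname or parts.port is None:   # parts.port raises ValueError on a bad port
        raise ValueError(f"agentRootURL must carry a hostname and an explicit port: {value!r}")
    if parts.path != "/" or parts.query or parts.fragment or parts.username:
        raise ValueError(f"agentRootURL must end at '/' with no path, query, fragment or credentials: {value!r}")
    return value


def parse_agent_key_values(entries: List[str]) -> AgentKeyValueResult:
    """Find the single valid agentRootURL entry and record what was ignored."""
    root: Optional[str] = None
    ignored: List[str] = []
    suspicious: List[str] = []
    for raw in entries:
        if "=" not in raw:
            raise ValueError(f"entry is not key=value: {raw!r}")
        key, value = raw.split("=", 1)
        key = key.strip()
        if key == AGENT_ROOT_URL_KEY:
            if root is not None:
                raise ValueError("agentRootURL given more than once")
            root = parse_agent_root_url(value.strip())
        else:
            ignored.append(key)
            if key.lower() == AGENT_ROOT_URL_KEY.lower():
                suspicious.append(key)  # would be ignored by the product because of its case
    if root is None:
        raise ValueError("no agentRootURL entry found (check the key's case)")
    return AgentKeyValueResult(root, ignored, suspicious)


if __name__ == "__main__":
    # Constructed entries: one correct key and one miscased copy.
    result = parse_agent_key_values(["agentrooturl=https://app.example.com:8443/",
                                     "agentRootURL=https://app.example.com:8443/"])
    print(result)
```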
An agent authenticator is a type of agent that, once it is authenticated, can obtain the read-only data of agent profiles that are selected for the agent authenticator to read. The agent profiles can be of any type (J2EE, WSP, Discovery, and so forth), but must exist in the same realm. Users that have the agent authenticator's credentials (username and password) can read the agent profile data, but do not have the create, update, or delete permissions of the Agent Admin.
The agent Authenticator contains the following attributes:
The password was set when you created the agent authenticator profile. However, you can change the password at any time in the future.
The confirmation of the password was performed when you created the agent authenticator profile. If you change the password, you must confirm the change.
The Active option is selected when the agent authenticator is created. Choose Inactive only if you want to remove the protection the agent provides.
This attribute defines a list of OpenSSO Enterprise agents whose profile data is read by the agent authenticator. The agents can be of any type (J2EE, WSP, Discovery, and so forth), but must exist in the same realm. To add an agent to the list, select the agent name and click Add.
This section lists and describes the attributes available in the OpenSSO Enterprise console for entity provider customization. For instructions for creating the entity providers and entity provider roles, see Creating an Entity in the Sun OpenSSO Enterprise 8.0 Administration Guide.
The SAMLv2 entity provider type is based on the OASIS Security Assertion Markup Language (SAML) version 2 specification. This entity supports various profiles (single sign-on, single logout, and so forth) when interacting with remote SAMLv2 entities. The SAMLv2 provider entity allows you to assign and configure the following roles:
SAMLv2 service providers contain the following attribute groups:
Select any checkbox to enable signing for the following SAMLv2 service provider requests or responses:
Authentication Requests Signed | All authentication requests received by this service provider must be signed.
Assertions Signed | All assertions received by this service provider must be signed.
POST Response Signed | The identity provider must sign the single sign-on Response element when the POST binding is used.
Artifact Response | The identity provider must sign the ArtifactResponse element.
Logout Request | The identity provider must sign the LogoutRequest element.
Logout Response | The identity provider must sign the LogoutResponse element.
Manage Name ID Request | The identity provider must sign the ManageNameIDRequest element.
Manage Name ID Response | The identity provider must sign the ManageNameIDResponse element.
Select any checkbox to enable encryption for the following elements:
Attribute | The identity provider must encrypt all AttributeStatement elements.
Assertion | The identity provider must encrypt all Assertion elements.
NameID | The identity provider must encrypt all NameID elements.
This attribute defines the certificate alias elements for the service provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.
Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
The Name ID format list is ordered: the first Name ID format has the highest priority in determining which format to use. If the user does not specify a Name ID format when initiating single sign-on, the first format in this list that is supported by the remote identity provider is chosen.
A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store.
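The selection rule above (an explicitly requested format wins, otherwise the first entry in the service provider's ordered list that the remote identity provider supports) is easy to get subtly wrong, for example by picking the identity provider's first format instead of the service provider's. The following is an added example, not OpenSSO Enterprise code, that implements that rule over the NameID format URNs listed on the page and also records which of the two common formats writes to the user's data store. The identity provider's supported-format set is constructed input; the reading that a requested format must appear in both lists is an assumption of this example.

```python
from typing import Iterable, List, Optional

# NameID format URNs from the page.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"


def select_nameid_format(sp_formats: List[str], idp_formats: Iterable[str],
                         requested: Optional[str] = None) -> str:
    """Pick the NameID format for a single sign-on request.

    sp_formats is the service provider's ordered list (highest priority first);
    idp_formats is what the remote identity provider supports. A requested
    format is used only if both sides list it; otherwise the first entry of
    sp_formats the identity provider supports wins. No common format is an
    error rather than a silent fallback to unspecified.
    """
    if len(set(sp_formats)) != len(sp_formats):
        raise ValueError("service provider Name ID format list contains duplicates")
    idp_supported = set(idp_formats)
    if requested is not None:
        if requested not in sp_formats:
            raise ValueError(f"requested format not in the service provider list: {requested}")
        if requested not in idp_supported:
            raise ValueError(f"requested format not supported by the identity provider: {requested}")
        return requested
    for fmt in sp_formats:
        if fmt in idp_supported:
            return fmt
    raise ValueError("no Name ID format is common to the service provider and identity provider")


def writes_to_user_store(nameid_format: str) -> Optional[bool]:
    """True for persistent, False for transient, None where the page makes no statement."""
    if nameid_format == PERSISTENT:
        return True
    if nameid_format == TRANSIENT:
        return False
    return None


if __name__ == "__main__":
    # Constructed lists: the SP prefers persistent, the IdP only offers transient and email.
    chosen = select_nameid_format([PERSISTENT, TRANSIENT, EMAIL], [TRANSIENT, EMAIL])
    print(chosen, "writes to user store:", writes_to_user_store(chosen))
```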
This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session for the service provider.
Specifies the implementation of the SPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper.
Select the check box next to the authentication context class if the identity provider supports it.
The SAMLv2-defined authentication context classes are:
InternetProtocol
InternetProtocolPassword
Kerberos
MobileOneFactorUnregistered
MobileTwoFactorUnregistered
MobileOneFactorContract
MobileTwoFactorContract
Password
Password-ProtectedTransport
Previous-Session
X509
PGP
SPKI
XMLDSig
Smartcard
Smartcard-PKI
Software-PKI
Telephony
NomadTelephony
PersonalTelephony
AuthenticatedTelephony
SecureRemotePassword
TLSClient
Time-Sync-Token
Unspecified
Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.
In this framework, each service provider is configured with a default authentication context (preferred method of authentication). However, the provider might like to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3 so it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.
Specifies what the resulting authentication context must be when compared to the value of this property. Accepted values include:
exact: the authentication context statement in the assertion must exactly match at least one of the specified authentication contexts.
minimum: the authentication context statement in the assertion must be at least as strong (as deemed by the identity provider) as one of the specified authentication contexts.
maximum: the authentication context statement in the assertion must be no stronger than any of the specified authentication contexts.
better: the authentication context statement in the assertion must be stronger than any of the specified authentication contexts.
The default value is exact.
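As an added illustration (not OpenSSO Enterprise code) of the four comparison types and of the Authentication Level attribute above, the following Python maps a few of the SAMLv2 context classes listed on this page to constructed authentication levels and decides whether an asserted context satisfies a requested list. The level values, and the reading of minimum/maximum/better as comparisons against the lowest or highest requested level, are assumptions made for this example.

```python
"""Added example, not OpenSSO Enterprise code: evaluate the SAMLv2
AuthnContext comparison types (exact, minimum, maximum, better) against
a constructed mapping of context classes to authentication levels."""
from typing import Dict, Iterable, List

# Constructed levels for a few of the SAMLv2-defined context classes
# listed on this page (higher level = more trusted). In OpenSSO the
# levels come from the provider's authentication context mapping.
CONTEXT_LEVELS: Dict[str, int] = {
    "Unspecified": 0,
    "Password": 1,
    "Password-ProtectedTransport": 2,
    "Kerberos": 3,
    "X509": 4,
    "Smartcard-PKI": 5,
}


def level_of(context_class: str) -> int:
    """Look up the authentication level; an unmapped class is rejected
    rather than silently treated as weak or strong."""
    try:
        return CONTEXT_LEVELS[context_class]
    except KeyError:
        raise ValueError(f"unmapped authentication context class: {context_class}") from None


def satisfies(asserted: str, requested: Iterable[str], comparison: str = "exact") -> bool:
    """Return True if the context class asserted by the identity provider
    satisfies the requested classes under the given comparison type.

    Assumed reading of the page's definitions:
      exact   - asserted class is one of the requested classes
      minimum - asserted level >= the lowest requested level
      maximum - asserted level <= the highest requested level
      better  - asserted level >  the highest requested level
    """
    requested = list(requested)
    if not requested:
        raise ValueError("at least one requested context class is required")
    if comparison == "exact":
        return asserted in requested
    asserted_level = level_of(asserted)
    requested_levels = [level_of(c) for c in requested]
    if comparison == "minimum":
        return asserted_level >= min(requested_levels)
    if comparison == "maximum":
        return asserted_level <= max(requested_levels)
    if comparison == "better":
        return asserted_level > max(requested_levels)
    raise ValueError(f"unknown comparison type: {comparison}")


def contexts_for_level(level: int) -> List[str]:
    """Service-provider side of the Authentication Level attribute: the
    context classes a provider would request from the identity provider
    to obtain a session at the given level (the page's 'level 3' case)."""
    return [c for c, lvl in CONTEXT_LEVELS.items() if lvl == level]
```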
Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value.
Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.
Specifies the values to define the mappings used by the default attribute mapper plug-in. The default plug-in class is com.sun.identity.saml2.plugins.DefaultSPAttributeMapper.
Mappings should be configured in the format:
SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name
For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
If enabled, Auto-federation automatically federates a user's different provider accounts based on a common attribute. The Attribute field specifies the attribute used to match a user's different provider accounts when auto-federation is enabled.
Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default implementation is com.sun.identity.saml2.plugins.DefaultSPAccountMapper.
This attribute defines the message encoding format for artifacts, either URI or FORM.
This attribute specifies the identifier of the user to which all identity provider users will be mapped on the service provider side in cases of single sign-on using the transient name identifier.
The Local Authentication URL specifies the URL of the local login page.
The Intermediate URL specifies a URL to which a user can be directed after authentication and before the original request's URL. An example might be a successful account creation page after the auto-creation of a user account.
The External Application Logout URL defines the logout URL for an external application. Once the server receives a logout request from the remote partner, a request is sent to this logout URL using a back-channel HTTP POST with all cookies. Optionally, a user session property can be sent as an HTTP header and POST parameter if the query parameter appsessionproperty (set to the session property name) is included in the URL.
After a successful SAML v2 operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If a RelayState is not specified, the value of this defaultRelayState property is displayed.
When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz, it must be URL-encoded as:
http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
and then appended to the URL. For example, the service provider initiated single sign-on URL would be:
http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
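The encoding step above, as an added example that is not part of the original reference: the Python below reproduces the page's encoded RelayState and spSSOInit.jsp URL, and then shows what the receiving endpoint sees when the & is left unencoded (the RelayState is cut at the & and param2 arrives as a separate query parameter). The host, port and deploy-uri placeholders are the page's own.

```python
"""Added example, not OpenSSO Enterprise code: URL-encode a RelayState
and append it to the service provider initiated SSO URL shown on this
page, then show what goes wrong when the '&' is left unencoded."""
from urllib.parse import parse_qs, quote, urlsplit

# Values taken from the page's own example.
SP_SSO_INIT = "http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp"
RELAY_STATE = "http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz"


def encode_relay_state(relay_state: str) -> str:
    """Percent-encode every reserved character (':', '/', '?', '=', '&')
    so the whole value survives as one query parameter."""
    return quote(relay_state, safe="")


def build_sp_sso_init_url(base: str, meta_alias: str, idp_entity_id: str,
                          relay_state: str) -> str:
    """Build the spSSOInit.jsp URL with the page's parameter order.
    metaAlias and idpEntityID are passed through as the page shows them."""
    return (f"{base}?metaAlias={meta_alias}"
            f"&idpEntityID={idp_entity_id}"
            f"&RelayState={encode_relay_state(relay_state)}")


def query_params(url: str) -> dict:
    """Parse the query string the way the receiving endpoint will see it.
    parse_qs decodes percent-encoding, so a correctly encoded RelayState
    comes back as the original URL; an unencoded one is split at '&'."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```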
Defines the implementation class for the com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter interface, used to add application-specific processing during the federation process.
Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.
The names used in the metaAlias must not contain a /.
The Single Logout Service synchronizes the logout functionality across all sessions authenticated by the service provider.
Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:
HTTP Redirect
POST
SOAP
This service defines the URLs that will be used when communicating with the service provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)
Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:
HTTP Redirect
POST
SOAP
This service processes the responses that a service provider receives from an identity provider. When a service provider wants to authenticate a user, it sends an authentication request to an identity provider.
HTTP-Artifact specifies a non-browser SOAP-based protocol.
HTTP-Post specifies a browser-based HTTP POST protocol.
PAOS defines the URL location for PAOS binding.
Location specifies the URL of the provider to which the request is sent. Index specifies the URL in the standard metadata. Default is the default URL to be used for the binding.
Defines the URL endpoint on the service provider that can handle SAE (Secure Attribute Exchange) requests. If this URL is empty (not configured), SAE single sign-on is not enabled and normal SAMLv2 single sign-on responses are sent to the service provider.
Defines the URL endpoint on a Service Provider that can handle SAE global logout requests.
This attribute defines the application security configuration. Each application must have one entry. Each entry has the following format:
url=SPAppURL|type=symmetric_orAsymmetric|secret=ampassword encoded shared secret
Defines the implementation class of the IDP list finder SPI. This returns a list of preferred identity providers that are trusted by the ECP.
Specifies a URI reference that can be used to retrieve the complete identity provider list if the IDPList element is not complete.
Defines a list of identity providers for the ECP to contact. This is used by the default implementation of the IDP Finder (for example, com.sun.identity.saml2.plugins.ECPIDPFinder).
Proxy Authentication Configuration attributes define values for dynamic identity provider proxying. Select the check box to enable proxy authentication for a service provider.
Select the check box if you want introductions to be used to find the proxying identity provider.
Enter the maximum number of identity providers that can be used for proxy authentication.
Add a list of identity providers that can be used for proxy authentication. Type the URI defined as the provider's identifier in New Value and click Add.
SAMLv2 identity providers contain the following attribute groups:
Setting the following flags indicates to the identity provider how the service provider signs specific messages:
Authentication Request: All authentication requests received by this identity provider must be signed.
Artifact Resolve: The service provider must sign the ArtifactResolve element.
Logout Request: The service provider must sign the LogoutRequest element.
Logout Response: The service provider must sign the LogoutResponse element.
Manage Name ID Request: The service provider must sign the ManageNameIDRequest element.
Manage Name ID Response: The service provider must sign the ManageNameIDResponse element.
Select the checkbox to enable encryption for the following elements:
NameID: The service provider must encrypt all NameID elements.
This attribute defines the certificate alias elements for the identity provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.
Defines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:
urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
urn:oasis:names:tc:SAML:2.0:nameid-format:transient
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
The Name ID format list is an ordered list: the first Name ID format has the highest priority in determining which format to use. If the user does not specify a Name ID format when initiating single sign-on, the first format in this list that the remote identity provider also supports is chosen.
A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store.
This attribute specifies the mapping between a NameID format and a user profile attribute. If the defined NameID format is used in a protocol message, the profile attribute's value is used as the NameID value for that format in the Subject. The syntax of each entry is:
NameID Format=User profile attribute
For example:
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail
To add a new NameID format, the NameID Value Map attribute must be updated with a corresponding entry. The exceptions are persistent, transient and unspecified. For persistent and transient, the NameID value is generated randomly. For unspecified, an entry is optional: if one is specified, the NameID value is the value of the user profile attribute; if not, a random number is generated.
This attribute maps the SAMLv2-defined authentication context classes to authentication methods available from the identity provider.
Specifies the implementation of the IDPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper.
Specifies the default authentication context type used by the identity provider if the service provider does not send an authentication context request.
Select the check box next to the authentication context class if the identity provider supports it.
The SAMLv2-defined authentication context classes are:
InternetProtocol
InternetProtocolPassword
Kerberos
MobileOneFactorUnregistered
MobileTwoFactorUnregistered
MobileOneFactorContract
MobileTwoFactorContract
Password
Password-ProtectedTransport
Previous-Session
X509
PGP
SPKI
XMLDSig
Smartcard
Smartcard-PKI
Software-PKI
Telephony
NomadTelephony
PersonalTelephony
AuthenticatedTelephony
SecureRemotePassword
TLSClient
Time-Sync-Token
Unspecified
Choose the OpenSSO Enterprise authentication type to which the context is mapped.
Type the OpenSSO Enterprise authentication option.
Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.
In this framework, each identity provider is configured with a default authentication context (preferred method of authentication). However, the provider might like to change the assigned authentication context to one that is based on the defined authentication level. For example, provider B would like to generate a local session with an authentication level of 3 so it requests the identity provider to authenticate the user with an authentication context assigned that level. The value of this query parameter determines the authentication context to be used by the identity provider.
Assertions are valid for a period of time and not before or after. This attribute (the Not Before Time Skew) specifies a grace period (in seconds) for the notBefore value. The default value is 600. It has no relevance to the notAfter value.
Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.
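An added example (not OpenSSO Enterprise code) of the two timing attributes just described, and of the service provider's Assertion Time Skew above: the identity-provider side derives the validity window from the issue time and Effective Time, and the relying-party check applies the notBefore skew only, so no amount of skew extends an expired assertion. The defaults (300 s for the service provider, 600 s for the identity provider, 600 s effective time) are the page's; treating NotBefore as equal to the issue instant is an assumption of this example.

```python
"""Added example, not OpenSSO Enterprise code: the assertion validity
window on the identity provider side (Effective Time) and the
relying-party check that applies the notBefore skew but no grace
period to notOnOrAfter, using the defaults given on this page."""
from datetime import datetime, timedelta, timezone
from typing import Tuple

SP_NOT_BEFORE_SKEW = 300    # page default for the service provider
IDP_NOT_BEFORE_SKEW = 600   # page default for the identity provider
IDP_EFFECTIVE_TIME = 600    # page default assertion lifetime, in seconds


def parse_saml_instant(text: str) -> datetime:
    """Parse a SAML xs:dateTime in UTC, e.g. 2009-01-01T12:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def shift(instant: datetime, seconds: int) -> datetime:
    """Move an instant by a signed number of seconds."""
    return instant + timedelta(seconds=seconds)


def validity_window(issue_instant: datetime,
                    effective_time: int = IDP_EFFECTIVE_TIME) -> Tuple[datetime, datetime]:
    """Identity provider: NotOnOrAfter counts from the issue time (page).
    Assumption for this example: NotBefore equals the issue instant."""
    return issue_instant, shift(issue_instant, effective_time)


def within_validity(now: datetime, not_before: datetime, not_on_or_after: datetime,
                    not_before_skew: int = SP_NOT_BEFORE_SKEW) -> bool:
    """Relying-party check. The skew only relaxes notBefore (the page:
    it has no relevance to notAfter), so a late assertion is rejected
    regardless of how large the skew is configured."""
    if now < shift(not_before, -not_before_skew):
        return False   # issued too far in the future relative to our clock
    if now >= not_on_or_after:
        return False   # expired: NotOnOrAfter is exclusive
    return True
```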
Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.
If enabled, this allows the identity provider to cache assertions to be retrieved later.
Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.
Specifies the values to define the mappings used by the default attribute mapper plug-in. The default plug-in class is com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper.
Mappings should be configured in the format:
SAML-attribute=local-attribute
For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
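The mapping format used here, by the service provider's attribute mapper earlier on this page, and by the NameID Value Map above is the same left=right entry syntax. The Python below is an added example (not OpenSSO Enterprise code) that parses such entries, applies them on both the identity-provider and service-provider side, and derives the NameID value following the page's rules for persistent, transient and unspecified formats; the user profile, the uid key used to save a persistent identifier, and the in-memory dict standing in for the data store are constructed for the example.

```python
"""Added example, not OpenSSO Enterprise code: parse the 'left=right'
entries used by the attribute mapper and the NameID Value Map, apply
them to a constructed user profile, and derive the NameID value using
the rules stated for persistent, transient and unspecified formats."""
import secrets
from typing import Dict, Iterable, Optional

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def parse_mappings(entries: Iterable[str]) -> Dict[str, str]:
    """Split each entry on its first '='. Blank entries are skipped;
    an entry without '=' or with an empty side is rejected."""
    mapping: Dict[str, str] = {}
    for raw in entries:
        entry = raw.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        left, right = (s.strip() for s in entry.split("=", 1))
        if not left or not right:
            raise ValueError(f"malformed mapping entry: {entry!r}")
        mapping[left] = right
    return mapping


def random_nameid() -> str:
    """Unpredictable identifier, as needed for transient/persistent IDs."""
    return secrets.token_urlsafe(24)


def nameid_value(fmt: str, value_map: Dict[str, str], profile: Dict[str, str],
                 persistent_store: Optional[Dict[str, str]] = None) -> str:
    """Identity-provider side NameID selection per this page:
    persistent and transient are generated randomly (a persistent one is
    saved against the user, here keyed by profile['uid'] in a dict that
    stands in for the data store); unspecified uses the mapped profile
    attribute if one is configured, otherwise a random value; any other
    format must have a NameID Value Map entry."""
    if fmt == TRANSIENT:
        return random_nameid()
    if fmt == PERSISTENT:
        if persistent_store is None:
            raise ValueError("persistent NameID requires a store to save it in")
        uid = profile["uid"]
        if uid not in persistent_store:
            persistent_store[uid] = random_nameid()
        return persistent_store[uid]
    attr = value_map.get(fmt)
    if attr is None:
        if fmt == UNSPECIFIED:
            return random_nameid()
        raise KeyError(f"no NameID Value Map entry for format {fmt}")
    if attr not in profile:
        raise KeyError(f"user profile has no attribute {attr!r} for format {fmt}")
    return profile[attr]


def idp_attribute_statement(attribute_map: Dict[str, str],
                            profile: Dict[str, str]) -> Dict[str, str]:
    """IdP mapper (SAML-attribute=local-attribute): emit only attributes
    present in the profile, under their SAML names."""
    return {saml: profile[local] for saml, local in attribute_map.items()
            if local in profile}


def sp_profile_attributes(attribute_map: Dict[str, str],
                          assertion_attributes: Dict[str, str]) -> Dict[str, str]:
    """SP mapper (SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name):
    translate received assertion attributes to local profile names."""
    return {local: assertion_attributes[saml] for saml, local in attribute_map.items()
            if saml in assertion_attributes}
```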
Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default implementation is com.sun.identity.saml2.plugins.DefaultIDPAccountMapper.
These attributes contain configuration specific to the OpenSSO Enterprise instance.
Defines the Authentication URL to which the identity provider will redirect for authentication.
The External Application Logout URL defines the logout URL for an external application. Once the server receives a logout request from the remote partner, a request is sent to this logout URL using a back-channel HTTP POST with all cookies. Optionally, a user session property can be sent as an HTTP header and POST parameter if the query parameter appsessionproperty (set to the session property name) is included in the URL.
Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.
The names used in the metaAlias must not contain a /.
Defines the endpoint(s) that support the Artifact Resolution profile. Location specifies the URL of the provider to which the request is sent. Index assigns a unique integer value to the endpoint so that it can be referenced in a protocol message.
The Single Logout Service synchronizes the logout functionality across all sessions authenticated by the identity provider.
Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:
HTTP Redirect
POST
SOAP
This service defines the URLs that will be used when communicating with the service provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)
Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:
HTTP Redirect
POST
SOAP
Defines the endpoint(s) that support the profiles of the Authentication Request protocol. All identity providers must support at least one such endpoint.
Location specifies the URL of the provider to which the request is sent. The binding types are:
HTTP Redirect
POST
SOAP
Defines the URL endpoint on the identity provider that can handle SAE (Secure Attribute Exchange) requests.
Defines the application security configuration. Each application must have one entry. Each entry has the following format:
url=IDPAppURL|type=symmetric_orAsymmetric|secret=ampassword encoded shared secret OR pubkeyalias=idp app signing cert
Defines an implementation class for the session mapper SPI. The mapper finds a valid session from the HTTP servlet request on the identity provider with an ECP profile.
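The entry format above, and the service-provider form of it given earlier on this page, can be validated at configuration load time rather than at request time. The Python below is an added example (not OpenSSO Enterprise code) that parses an entry, reports what is missing (a symmetric entry without its secret, an asymmetric one without the pubkeyalias shown in the identity-provider format), indexes entries one per application URL, and resolves an application by exact URL match; the URLs and the secret placeholder are constructed, and the ampassword-encoded secret is kept opaque.

```python
"""Added example, not OpenSSO Enterprise code: parse and validate SAE
application security entries in the 'url=...|type=...|secret=...' form
shown on this page, and look an application up by exact URL."""
from typing import Dict, Iterable, List, Optional

FIELD_SEPARATOR = "|"


def parse_sae_entry(entry: str) -> Dict[str, str]:
    """Split one entry into its fields. Values are kept opaque: the
    secret is already ampassword-encoded and is never decoded here."""
    fields: Dict[str, str] = {}
    for part in entry.split(FIELD_SEPARATOR):
        if "=" not in part:
            raise ValueError(f"field without '=': {part!r}")
        key, value = part.split("=", 1)
        key, value = key.strip(), value.strip()
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    return fields


def sae_entry_problems(fields: Dict[str, str]) -> List[str]:
    """Return the configuration problems found (empty list = usable).
    Rule for asymmetric entries taken from the identity provider format
    on this page (pubkeyalias=...); symmetric entries need secret=."""
    problems: List[str] = []
    if not fields.get("url"):
        problems.append("url is required")
    typ = fields.get("type")
    if typ not in ("symmetric", "asymmetric"):
        problems.append("type must be symmetric or asymmetric")
    elif typ == "symmetric" and not fields.get("secret"):
        problems.append("symmetric entry requires secret")
    elif typ == "asymmetric" and not fields.get("pubkeyalias"):
        problems.append("asymmetric entry requires pubkeyalias")
    return problems


def index_sae_config(entries: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """One entry per application (page): reject duplicate or invalid
    entries so a misconfiguration fails at load time, not on a request."""
    index: Dict[str, Dict[str, str]] = {}
    for entry in entries:
        fields = parse_sae_entry(entry)
        problems = sae_entry_problems(fields)
        if problems:
            raise ValueError(f"{entry!r}: {'; '.join(problems)}")
        url = fields["url"]
        if url in index:
            raise ValueError(f"duplicate application url {url!r}")
        index[url] = fields
    return index


def find_application(index: Dict[str, Dict[str, str]], app_url: str) -> Optional[Dict[str, str]]:
    """Exact match on the application URL (no prefix matching), or None."""
    return index.get(app_url)
```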
XACML PDP contains the following attributes for customization:
Displays the XACML PDP release that is supported by this provider.
urn:liberty:iff:2003-08 refers to Liberty Identity Federation Framework Version 1.2.
urn:liberty:iff:2002-12 refers to Liberty Identity Federation Framework Version 1.1.
Defines the key alias that is used to sign requests and responses.
Defines the key alias used for XACML encryption.
Basic authorization can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.
When enabled, this attribute enforces that all queries be signed for the XACML authorization decision.
This attribute defines the type (binding) of the authorization request, and the URL endpoint for receiving the request. By default, the binding type is SOAP.
XACML PEP contains the following attributes for customization:
Displays the XACML PEP release that is supported by this provider.
Defines the key alias that is used to sign requests and responses.
Defines the key alias used for XACML encryption.
Basic authorization can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.
When enabled, this attribute enforces that all responses be signed for the XACML authorization decision.
When enabled, this attribute enforces that all assertions are to be encrypted.
SAMLv2 Attribute Authority contains the following attributes for customization:
The length of the keys used by the Attribute Authority entity when interacting with another entity.
The encryption algorithm used to interact with another entity.
This attribute defines the URL endpoints that will receive attribute query requests. Location specifies the URL of the provider to which the request is sent. Mapper defines the SPI that finds the attribute mapping authority to return a list of attributes that will be included in a response. The SAMLv2-defined attribute query profiles are:
Basic
X509
Defines the URLs to which the AssertionIDs are sent from a client to an identity provider in order to retrieve the corresponding assertion. Location specifies the URL of the provider to which the request is sent. Mapper defines the SPI that finds the AssertionID mapping authority to return a list of attributes that will be included in a response. The bindings are:
SOAP
URI
Defines the type of SAMLv2-defined supported attribute profile. Basic is the default type.
Defines the certificate alias elements. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.
Specifies the data store attribute name which contains the X.509 subject DN. It is used to find a user whose attribute value matches the X.509 subject DN. This field is used in the Attribute Query Profile for X.509 subject only.
SAMLv2 Attribute Query contains the following attributes for customization:
Defines the name identifier formats supported by the attribute query provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support three types of identifiers:
An X509SubjectName defines the subject name of the X509 encryption type.
A persistent identifier is saved to a particular user's data store entry as the value of two attributes.
A transient identifier is temporary and no data will be written to the user's persistent data store.
This attribute defines the certificate alias elements for the provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.
SAMLv2 Authentication Authority contains the following attributes for customization:
The length for keys used by the Attribute Authority entity when interacting with another entity.
The encryption algorithm used to interact with another entity.
This attribute defines the URL to which authentication queries are sent.
Defines the URLs to which the AssertionIDs are sent from a client to an identity provider in order to retrieve the corresponding assertion. Location specifies the URL of the provider to which the request is sent. The AssertionID request types are:
SOAP
URI
This attribute defines the certificate alias elements for the provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.
The ID-FF provider entity is based on the Liberty-defined ID-FF (Liberty Identity Federation Framework) for implementing single sign-on with federated identities. The ID-FF provider entity allows you to assign and configure the following roles:
The ID-FF identity provider attributes are grouped as follows:
The static value of this attribute is the type of provider being configured: hosted or remote.
The value of this attribute is a description of the identity provider.
Choose the Liberty ID-FF release that is supported by this provider.
urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.
urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.
Defines the security certificate alias that is used to sign requests and responses.
Defines the security certificate alias that is used for encryption. For both the Signing Key and the Encryption Key, certificates are stored in a Java keystore file, and each specific certificate is mapped to an alias that is used to fetch the certificate.
Select the check box to enable encryption of the name identifier.
Defines a URI to the identity provider's SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.
Defines a URL to which service providers can send single sign-on and federation requests.
Defines a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.
Defines a URL to which the service providers can send single logout responses.
Defines a URL to which a service provider will send federation termination requests.
Defines a URL to which the service providers can send federation termination responses.
Defines a URL to which a service provider will send requests to specify a new name identifier to be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.
Defines a URL to which the service providers can send name registration responses.
Select a profile to notify other providers of a principal’s federation termination:
HTTP Redirect
SOAP
Select a profile to notify other providers of a principal’s logout:
HTTP Redirect
HTTP Get
SOAP
Select a profile to notify other providers of a principal’s name registration:
HTTP Redirect
SOAP
Select a profile for sending authentication requests:
Browser Post (specifies a browser-based HTTP POST protocol)
Browser Artifact (specifies a non-browser SOAP-based protocol)
LECP (specifies a Liberty-enabled Client Proxy)
OpenSSO Enterprise can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.
Defines the alias name for the local identity provider.
Select the provider that should be used for authentication requests from a provider hosted locally:
Remote specifies that the provider hosted locally would contact a remote identity provider upon receiving an authentication request.
Local specifies that the provider hosted locally should contact a local identity provider upon receiving an authentication request (essentially, itself).
Defines the name of the host that issues the assertion. This value might be the load balancer's host name if OpenSSO Enterprise is behind one.
Specifies the type of statements the identity provider can generate. For example, lib:AuthenticationStatement.
Defines whether the identity provider is active or inactive. Active, the default, means the identity provider can process requests and generate responses.
Defines the URL of the home page of the identity provider.
Defines the URL to which a principal will be redirected if single sign-on has failed.
Specifies the URL which performs the federation operation.
Defines the URL to which a principal will be directed upon successful Federation registration.
Defines the URL that lists all of the circles of trust to which the provider belongs.
Defines the URL to which a principal is directed upon Federation termination.
Defines the URL to which a principal is redirected after federation termination is completed.
Defines the URL to which a principal is directed upon an error.
Defines the URL to which a principal is directed after logout.
This field defines the class used by an identity provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
Specifies a pluggable class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.
Specifies a pluggable class used to provide user operations such as finding a user, getting user attributes, and so forth. The default value is:
com.sun.identity.federation.accountmgmt.DefaultFSUserProvider
The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.
Specify values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:
SAML-attribute=local-attribute
For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.
The bootstrapping attribute is:
Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.
Select the check box to enable auto-federation.
When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the attribute element and this common attribute as its value.
This attribute defines the identity provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource.
Select the check box next to the authentication context class if the identity provider supports it.
The Liberty-defined authentication context classes are:
Mobile Contract
Mobile Digital ID
MobileUnregistered
Password
Password-ProtectedTransport
Previous-Session
Smartcard
Smartcard-PKI
Software-PKI
Time-Sync-Token
Choose the OpenSSO Enterprise authentication type to which the context is mapped.
Type the OpenSSO Enterprise authentication option.
Choose a priority level for cases where there are multiple contexts.
Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid.
Type the interval of time (in seconds) before a cleanup is performed to expired assertions.
Type the interval of time (in seconds) to specify the timeout for assertion artifacts.
Type a number to define how many assertions an identity provider can issue, or how many assertions that can be stored.
The ID-FF service provider attributes are grouped into the following sections:
The static value of this attribute is the type of provider being configured: hosted or remote.
The value of this attribute is a description of the service provider.
Choose the Liberty ID-FF release that is supported by this provider.
urn:liberty:iff:2003-08 refers to the Liberty Identity Federation Framework Version 1.2.
urn:liberty:iff:2002-12 refers to the Liberty Identity Federation Framework Version 1.1.
Defines the security certificate alias that is used to sign requests and responses. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.
Defines the security certificate alias that is used for encryption. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.
Select the check box to enable encryption of the name identifier.
If enabled, the service provider will sign all authentication requests.
Defines a URI to the service provider's SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.
Defines a URL to which identity providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.
Defines a URL to which the identity providers can send single logout responses.
Defines a URL to which an identity provider will send federation termination requests.
Defines a URL to which the identity providers can send federation termination responses.
Defines a URL that will be used when communicating with the identity provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)
Defines a URL to which the identity providers can send name registration responses. (Registration can occur only after a federation session is established.)
Defines the URL to which an Identity Provider can send SAML assertions.
If the value of the Protocol Support Enumeration common attribute is urn:liberty:iff:2003-08, type the required ID.
Select the check box to use the Assertion Consumer Service URL as the default value when no identifier is provided in the request.
Select a profile to notify other providers of a principal’s federation termination:
HTTP Redirect
SOAP
Select a profile to notify other providers of a principal’s logout:
HTTP Redirect
HTTP Get
SOAP
Select a profile to notify other providers of a principal’s name registration:
HTTP Redirect
SOAP
Select a profile for sending authentication requests:
Browser Post (specifies a browser-based HTTP POST protocol)
Browser Artifact (the browser carries a short artifact; the service provider dereferences it over a SOAP back channel to obtain the assertion)
WML (specifies the Wireless Markup Language protocol)
LECP (specifies a Liberty-enabled Client Proxy)
OpenSSO Enterprise can handle requests that come from a Liberty-enabled client proxy profile, but it requires additional configuration that is beyond the scope of this manual.
Defines an alias name for the local service provider.
Select the provider that should be used for authentication requests from a provider hosted locally:
Remote specifies that the locally hosted provider contacts a remote identity provider upon receiving an authentication request.
Local specifies that the locally hosted provider contacts a local identity provider (essentially, itself) upon receiving an authentication request.
Select the check box to indicate that the identity provider must re-authenticate (even during a live session) when an authentication request is received. This attribute is enabled by default.
Select the check box to specify that the identity provider must not visibly interact with the principal when processing the authentication request (the Liberty IsPassive option). If the principal cannot be authenticated without interaction, the request fails rather than prompting the user.
This option, if enabled, allows for a service provider to participate in name registration after it has been federated.
An enumeration permitting requester influence over name identifier policy at the identity provider.
Select the check box to enable affiliation federation.
Defines whether the service provider is active or inactive. Active, the default, means the service provider can process requests and generate responses.
Specifies the type of statements the service provider can generate, for example lib:AuthenticationStatement.
Defines the URL that lists all of the circles of trust to which the provider belongs.
Specifies the URL which performs the federation operation.
Defines the URL of the home page of the identity provider.
Defines the URL to which a principal will be redirected if single sign-on has failed.
Defines the URL to which a principal is redirected after federation termination is completed.
Defines the URL to which a principal is directed upon an error.
Defines the URL to which a principal is directed after logout.
Defines the implementation class for the com.sun.identity.federation.plugins.FSSPAdapter interface. The default value is:
com.sun.identity.federation.plugins.FSDefaultSPAdapter
Defines a list of environment properties to be used by the service provider adapter SPI implementation class.
Specifies a pluggable class used to provide user operations such as finding a user, getting user attributes, and so forth. The default value is:
com.sun.identity.federation.accountmgmt.DefaultFSUserProvider
This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.
The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.
Specify values to define the mappings used by the default attribute mapper plug-in specified above. Mappings should be configured in the format:
SAML-attribute=local-attribute
For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.
Select the check box to enable auto-federation.
Defines the common LDAP attribute name (such as telephonenumber) whose value is placed in the Auto Federation Attribute Statement. When the statement is created, it contains the attribute element with this attribute's value.
This attribute defines the service provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource. The options are the Liberty-defined authentication context classes listed below.
Select the check box next to the authentication context class if the service provider supports it.
The Liberty-defined authentication context classes are:
Mobile Contract
Mobile Digital ID
MobileUnregistered
Password
Password-ProtectedTransport
Previous-Session
Smartcard
Smartcard-PKI
Software-PKI
Time-Sync-Token
Choose a priority level for cases where there are multiple contexts.
Proxy Authentication Configuration attributes define values for dynamic provider proxying.
Select the check box to enable proxy authentication for a service provider.
Type the identifier of each identity provider that can be used for proxy authentication in New Value and click Add. The value is the URI defined as the provider's identifier.
Enter the maximum number of identity providers that can be used for proxy authentication.
Select the check box if you want introduction cookies to be used to find the proxying identity provider.
The WS-Federation entity provider type is based on the WS-Federation protocol. The implementation of this protocol allows single sign-on between OpenSSO Enterprise and the Microsoft Active Directory Federation Service. The WS-Federation provider entity allows you to assign and configure the following roles:
Identity Provider
Service Provider
The following attributes are common to both Identity and Service Provider types:
This attribute defines the name of the WS-Federation service provider. The default is the meta alias given at creation time.
This attribute defines the name of the WS-Federation identity provider. The default is the meta alias given at creation time.
Displays the realm to which the provider belongs.
Defines a unique identifier for the identity or service provider.
Specifies the URL at which the identity or service provider is providing WS-Federation services. For example:
https://demo.example.com/deploy-uri/WSFederationServlet/metaAlias/example
The following attributes apply to the WS-Federation Identity Provider role:
Defines the format of the name identifier component of the single sign-on response sent from the identity provider to the service provider. WS-Federation single sign-on supports the following identifier formats (default is UPN):
Common Name
UPN – User Principal Name. The syntax is username@domain, where domain is, for example, example.com.
Defines the attribute in the user's profile that will be used as the name ID value. The default is uid.
When using the UPN format defined in the NameID Format attribute, this specifies whether the NameID Attribute in the user's profile includes a domain. If it does, then the NameID Attribute will be used for the UPN as it is currently defined. Otherwise, it is combined with a domain to form a UPN.
When using the UPN format, if the Name Includes Domain attribute is not selected, this specifies an attribute in the user's profile to be used as the UPN domain.
When using the UPN format, if the Name Includes Domain attribute is not selected, and either no value is specified for Domain Attribute or a particular user has no value for that attribute, this attribute supplies the domain used to construct the UPN.
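The following is an added example, not code from OpenSSO Enterprise, showing how the NameID Attribute, Name Includes Domain, Domain Attribute and Default Domain settings described above combine into a UPN for the UPN NameID format. The function and parameter names are my own, and the user profiles are constructed stand-ins for LDAP entries.

```python
# Added example (not OpenSSO Enterprise code): UPN construction from the
# WS-Federation identity provider NameID settings. Attribute names in the
# sample profiles (uid, mail, upnDomain) are constructed.

def first_value(profile, attr):
    """LDAP attributes are multi-valued; the identity provider uses one value."""
    values = profile.get(attr) or []
    return values[0] if values else None


def build_upn(profile, nameid_attr="uid", name_includes_domain=False,
              domain_attr=None, default_domain=None):
    """Return the UPN (username@domain) for a profile, or None if none can be formed.

    Resolution order, as documented:
      1. Name Includes Domain selected -> the NameID Attribute value is used as-is.
      2. Domain Attribute set and present on the user -> name@<that value>.
      3. Otherwise -> name@<Default Domain>.
    """
    name = first_value(profile, nameid_attr)
    if name is None:
        return None
    if name_includes_domain:
        return name
    domain = first_value(profile, domain_attr) if domain_attr else None
    if domain is None:
        domain = default_domain
    if not domain:
        # No domain from any source: refuse rather than emit a bare user name.
        return None
    return f"{name}@{domain}"


# Constructed sample entries.
USERS = {
    "jdoe":   {"uid": ["jdoe"],   "mail": ["jdoe@example.com"],
               "upnDomain": ["corp.example.com"]},
    "asmith": {"uid": ["asmith"], "mail": ["asmith@example.com"]},
}

if __name__ == "__main__":
    for uid, profile in USERS.items():
        print(uid, build_upn(profile, domain_attr="upnDomain",
                             default_domain="example.com"))
```

Note that when Name Includes Domain is selected the attribute value is trusted to already be a full UPN; if the chosen profile attribute can hold bare user names, leave that option clear and configure a domain instead.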
This attribute specifies the provider certificate alias used to find the assertion signing certificate in the keystore.
Specifies the claim type so the WS-Federation service can recognize the type of token that is exchanged between federation partners.
The EmailAddress claim type is used to identify a specific security principal by an email address.
The UPN claim type is used to identify a specific security principal via a User Principal Name.
The CommonName claim type is used to identify a security principal via a CN value consistent with X.500 naming conventions. The value of this claim is not necessarily unique and should not be used for authorization purposes.
This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfederation.plugins.DefaultIDPAccountMapper.
This defines the class used to map attributes in the assertion to user attributes defined locally by the identity provider. The default class is com.sun.identity.wsfederation.plugins.DefaultIDPAttributeMapper.
Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:
SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name
For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
Assertions are valid for a period of time and not before or after.
Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.
The following attributes apply to the WS-Federation service provider role:
All assertions received by this service provider must be signed.
This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfederation.plugins.DefaultADFSPartnerAccountMapper.
This defines the class used to map attributes in the assertion to user attributes defined locally by the service provider. The default class is com.sun.identity.wsfederation.plugins.DefaultSPAttributeMapper.
Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:
SAML_attr=local-attribute
For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
Assertions are valid for a period of time and not before or after.
Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.
Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) applied to the notBefore value so that an assertion is not rejected merely because the service provider's clock is slightly behind the identity provider's. The default value is 300. It does not apply to the notAfter value, so an expired assertion is never accepted late.
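The following is an added example, not OpenSSO Enterprise code, that makes the validity window concrete: the identity provider's Assertion Effective Time (default 600 seconds) fixes notBefore and notOnOrAfter at issue time, and the service provider applies the notBefore grace period (default 300 seconds) described above when checking them. Function names and the issue timestamp are my own.

```python
# Added example (not OpenSSO Enterprise code): assertion validity window
# as issued by the identity provider and checked by the service provider.
from datetime import datetime, timedelta, timezone

DEFAULT_EFFECTIVE_TIME = 600   # seconds; identity provider side
DEFAULT_NOT_BEFORE_SKEW = 300  # seconds; service provider side, notBefore only

# Constructed issue instant used by the convenience function below.
ISSUE_INSTANT = datetime(2009, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def issue_conditions(issue_instant, effective_time=DEFAULT_EFFECTIVE_TIME):
    """Identity provider: the (NotBefore, NotOnOrAfter) pair written into a new assertion."""
    return issue_instant, issue_instant + timedelta(seconds=effective_time)


def check_conditions(not_before, not_on_or_after, now, skew=DEFAULT_NOT_BEFORE_SKEW):
    """Service provider: accept only inside [NotBefore - skew, NotOnOrAfter).

    The grace period is subtracted from NotBefore so a service provider whose
    clock runs slightly behind the identity provider's does not reject fresh
    assertions. It is deliberately not added to NotOnOrAfter: a late assertion
    is expired, and the skew must not widen the replay window.
    Returns (accepted, reason).
    """
    if now < not_before - timedelta(seconds=skew):
        return False, "not yet valid (earlier than notBefore minus grace period)"
    if now >= not_on_or_after:
        return False, "expired (notOnOrAfter reached; no grace on this side)"
    return True, "ok"


def evaluate_offset(offset_seconds, effective_time=DEFAULT_EFFECTIVE_TIME,
                    skew=DEFAULT_NOT_BEFORE_SKEW):
    """Judge an assertion issued at ISSUE_INSTANT when the service provider's
    clock reads ISSUE_INSTANT + offset_seconds. Returns True if accepted."""
    not_before, not_on_or_after = issue_conditions(ISSUE_INSTANT, effective_time)
    now = ISSUE_INSTANT + timedelta(seconds=offset_seconds)
    return check_conditions(not_before, not_on_or_after, now, skew)[0]


if __name__ == "__main__":
    for offset in (-301, -300, 0, 599, 600):
        print(f"SP clock at issue{offset:+d}s:", evaluate_offset(offset))
```

Raising the grace period hides clock drift instead of fixing it; keep the two machines on the same time source and leave the default unless a partner's clock is demonstrably off.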
After a successful WS-Federation operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If a RelayState is not specified, the value of this defaultRelayState property is displayed.
When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz, it must be URL-encoded as:
http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
and then appended to the URL. For example, the service provider initiated single sign-on URL would be:
http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
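The following is an added example, not OpenSSO Enterprise code, that builds the service provider initiated URL with the RelayState encoded exactly as shown above, decodes it back on the receiving side, and adds the check a deployer should apply before redirecting: a RelayState is a redirect target chosen by whoever started the request, so only targets on known hosts (or local paths) should be honoured, with defaultRelayState as the fallback. The function names and the allow-list are my own; the URLs are the ones from the example above.

```python
# Added example (not OpenSSO Enterprise code): RelayState encoding and a
# host allow-list check before redirecting the principal after SSO.
from urllib.parse import quote, urlencode, urlsplit, parse_qs


def encode_relay_state(relay_state):
    """Percent-encode every reserved character (':' '/' '?' '=' '&' included)
    so the whole RelayState survives as a single query parameter value."""
    return quote(relay_state, safe="")


def build_sp_sso_url(sp_init_url, meta_alias, idp_entity_id, relay_state):
    """Service provider initiated SSO URL with an encoded RelayState appended."""
    params = {"metaAlias": meta_alias, "idpEntityID": idp_entity_id,
              "RelayState": relay_state}
    return sp_init_url + "?" + urlencode(params, quote_via=quote, safe="")


def extract_relay_state(url):
    """Decode RelayState from a request URL (what the provider sees on arrival)."""
    values = parse_qs(urlsplit(url).query).get("RelayState", [])
    return values[0] if values else ""


def resolve_relay_state(relay_state, default_relay_state, allowed_hosts):
    """Return the URL the principal is sent to after a successful operation.

    Accepted: an absolute http(s) URL whose host is in allowed_hosts, or a
    local path ("/apps/x.jsp" but not "//host/x", which browsers treat as
    scheme-relative). Anything else, and an empty RelayState, falls back to
    defaultRelayState. This allow-list is an added check, not a documented
    attribute.
    """
    if not relay_state:
        return default_relay_state
    parts = urlsplit(relay_state)
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return relay_state
    if (not parts.scheme and not parts.netloc
            and relay_state.startswith("/") and not relay_state.startswith("//")):
        return relay_state
    return default_relay_state


# Values from the documentation's example; the SP host is constructed.
RELAY_STATE = "http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz"
SP_INIT_URL = "https://sp.example.com/deploy-uri/saml2/jsp/spSSOInit.jsp"
DEFAULT_RELAY_STATE = "https://sp.example.com/home"
ALLOWED_HOSTS = {"sp.example.com", "www.sun.com"}

if __name__ == "__main__":
    url = build_sp_sso_url(SP_INIT_URL, "/sp", "http://www.idp.com", RELAY_STATE)
    print(url)
    received = extract_relay_state(url)
    print(resolve_relay_state(received, DEFAULT_RELAY_STATE, ALLOWED_HOSTS))
    print(resolve_relay_state("https://evil.example.net/", DEFAULT_RELAY_STATE, ALLOWED_HOSTS))
```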
Specifies the service so that the service provider can identify the preferred identity provider. The service URL is specified as a contact endpoint by the service provider.
Specifies the identity provider selection mechanism and configuration. Either the cookie or HTTP Request header attribute can be used to locate the identity provider.
The Configuration page allows administrators to manage attribute values of the services that OpenSSO Enterprise offers. The attributes that comprise an OpenSSO Enterprise service are classified as one of the following types:
Global – Applied across the OpenSSO Enterprise configuration. They cannot be applied to users, roles or realms as the goal of global attributes is to customize OpenSSO Enterprise.
Realm – Realm attributes are only assigned to realms. No object classes are associated with realm attributes. For instance, attributes listed in the authentication services are defined as realm attributes because authentication is done at the realm level rather than at a subtree or user level.
Dynamic – Applies to an OpenSSO Enterprise configured role or realm. When the role is assigned to a user or a user is created in a realm, the dynamic attribute then becomes a characteristic of the user.
User – Applies directly to each user. They are not inherited from a role or a realm and, typically, are different for each user.
In previous releases, many of these attributes were only configurable through the AMConfig.properties file. This file has been deprecated, and all of its properties are now defined in the OpenSSO Enterprise console and stored in the configuration directory datastore. For information on AMConfig.properties for backwards compatibility on systems that have been upgraded to OpenSSO Enterprise 8.0, see the Sun Java System Access Manager 7.1 Administration Reference.
The Configuration attributes you can modify are:
OpenSSO is installed with a set of default authentication module types. An authentication module instance is a plug-in that collects user information such as a user ID and password, checks the information against entries in a database, and allows or denies access to the user. Multiple instances of the same type can be created and configured separately.
This section provides attribute descriptions that configure the default authentication module types.
See Chapter 3, Configuring Authentication, in Sun OpenSSO Enterprise 8.0 Administration Guide for more information on the authentication modules and configuring an authentication process.
This module type works similarly to the LDAP authentication module type, but uses the Microsoft Active Directory instead of an LDAP directory. Using this module type makes it possible to have both LDAP and Active Directory coexist under the same realm. The Active Directory authentication attributes are realm attributes. The attributes are:
Specifies the host name and port number of the primary Active Directory server specified during OpenSSO Enterprise installation. This is the first server contacted for Active Directory authentication. The format is hostname:port. If no port number is given, 389 is assumed.
If you have OpenSSO Enterprise deployed with multiple domains, you can specify the communication link between specific instances of OpenSSO Enterprise and Directory Server in the following format (multiple entries must be prefixed by the local server name):
local_servername|server:port local_servername2|server2:port2 ...
For example, if you have two OpenSSO Enterprise instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look like the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389
L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
Specifies the host name and port number of a secondary Active Directory server available to the OpenSSO Enterprise platform. If the primary Active Directory server does not respond to a request for authentication, this server would then be contacted. If the primary server is up, OpenSSO Enterprise will switch back to the primary server. The format is also hostname:port. Multiple entries must be prefixed by the local server name.
When authenticating users from a Directory Server that is remote from the OpenSSO Enterprise, it is important that both the Primary and Secondary LDAP Server Ports have values. The value for one Directory Server location can be used for both fields.
Specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists. Multiple entries must be prefixed by the local server name. The format is servername|search dn.
For multiple entries:
servername1|search dn servername2|search dn servername3|search dn...
If multiple entries exist under the root organization with the same user ID, then this parameter should be set so that only one entry can be searched for or found in order to be authenticated. For example, in the case where the agent ID and user ID are the same under the root organization, this parameter should be ou=Agents for the root organization to authenticate using the agent ID, and ou=People for the root organization to authenticate using the user ID.
Specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default is amldapuser. Any valid DN will be recognized.
Make sure that the password is correct before you log out. If it is incorrect, you will be locked out. If this should occur, you can log in with the super user DN. By default, this is the amAdmin account with which you would normally log in, although you will use the full DN. For example:
uid=amAdmin,ou=People,OpenSSO-deploy-base
Carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid Active Directory password is recognized.
Confirm the password.
Specifies the attribute used for the naming convention of user entries. By default, OpenSSO Enterprise assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.
Lists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber, and mail, the user could authenticate with any of these names.
Specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.
Indicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in DN to Start User Search. The default value is SUBTREE. One of the following choices can be selected from the list:
OBJECT – Searches only the specified node.
ONELEVEL – Searches the entries immediately below the specified node (not the node itself).
SUBTREE – Searches all entries at and below the specified node.
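The following is an added example, not OpenSSO Enterprise code, that works through the server-side preparation the attributes above describe: selecting the local_servername|value entry that applies to this instance for the primary server, the secondary server and the DN to Start User Search, defaulting the port to 389, mapping the search scope, and building the user lookup filter from the User Naming Attribute and User Search Attributes. The filter string the module itself emits is not shown on this page, so the shape used here is a reconstruction of the documented behaviour; the escaping step is what keeps a login ID from rewriting the filter. Function names and the sample server names are my own, built on the documentation's L1/L2 example.

```python
# Added example (not OpenSSO Enterprise code): resolving multi-entry
# "local_servername|value" attributes and building an injection-safe
# user search filter for the Active Directory / LDAP module.

def select_local_entry(values, local_server):
    """Pick the "server|value" entry that belongs to this OpenSSO instance.
    An entry without a "server|" prefix applies to every instance and is
    kept as the fallback. Returns None when nothing applies."""
    fallback = None
    for item in values:
        item = item.strip()
        if "|" not in item:
            fallback = item
            continue
        server, value = item.split("|", 1)
        if server.strip() == local_server:
            return value.strip()
    return fallback


def parse_host_port(value, default_port=389):
    """Split "hostname:port"; a missing port means 389, as documented.
    (Bracketed IPv6 literals are not handled here.)"""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, default_port
    return host, int(port)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP filter. Without it a
    login ID such as "*)(objectclass=*" changes the meaning of the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(login_id, naming_attr, search_attrs=(), user_search_filter=None):
    """Filter that locates the entry to authenticate: the User Naming Attribute
    and each User Search Attribute may match the login ID (OR), with an
    optional User Search Filter ANDed on top."""
    value = escape_filter_value(login_id)
    attrs = []
    for attr in (naming_attr, *search_attrs):
        if attr and attr not in attrs:
            attrs.append(attr)
    terms = "".join(f"({attr}={value})" for attr in attrs)
    filt = terms if len(attrs) == 1 else f"(|{terms})"
    if user_search_filter:
        filt = f"(&{filt}{user_search_filter})"
    return filt


SEARCH_SCOPES = {"OBJECT": 0, "ONELEVEL": 1, "SUBTREE": 2}  # LDAP scope codes


def resolve_auth_target(local_server, primary, secondary, search_dns, scope="SUBTREE"):
    """Everything the module needs before it binds: first server, failover
    server, search base and search depth, all resolved for local_server."""
    primary_entry = select_local_entry(primary, local_server)
    if primary_entry is None:
        raise ValueError(f"no primary server configured for {local_server}")
    secondary_entry = select_local_entry(secondary, local_server)
    return {
        "primary": parse_host_port(primary_entry),
        "secondary": parse_host_port(secondary_entry) if secondary_entry else None,
        "base_dn": select_local_entry(search_dns, local_server),
        "scope": SEARCH_SCOPES[scope],
    }


# Constructed two-site deployment following the documentation's L1/L2 example.
PRIMARY = ["L1-machine1-IS.example.com|L1-machine1-DS.example.com:389",
           "L2-machine2-IS.example.com|L2-machine2-DS.example.com:389"]
SECONDARY = ["L1-machine1-IS.example.com|L1-machine1-DS2.example.com"]
SEARCH_DNS = ["L1-machine1-IS.example.com|ou=People,dc=example,dc=com",
              "L2-machine2-IS.example.com|ou=People,dc=example,dc=com"]

if __name__ == "__main__":
    print(resolve_auth_target("L1-machine1-IS.example.com", PRIMARY, SECONDARY, SEARCH_DNS))
    print(build_user_filter("jdoe", "uid", ["employeenumber", "mail"]))
    print(build_user_filter("*)(objectclass=*", "uid"))
```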
Enables SSL access to the Directory Server specified in the Primary and Secondary Server and Port field. By default, the box is not checked and the SSL protocol will not be used to access the Directory Server.
If the Active Directory server is running with SSL enabled (LDAPS), you must make sure that OpenSSO Enterprise is configured with the proper trusted SSL certificates so that it can connect to the Active Directory server over LDAPS.
When the OpenSSO Enterprise directory is the same as the directory configured for Active Directory, this option may be enabled. If enabled, this option allows the Active Directory authentication module instance to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module instance returns only the User ID, and the authentication service searches for the user in the local OpenSSO Enterprise instance. If an external Active Directory is used, this option is typically not enabled.
This attribute is used for Active Directory Server failback. It defines the number of minutes in which a thread will “sleep” before verifying that the primary Active Directory server is running.
This attribute is used by the Active Directory authentication module instance when the Active Directory server is configured as an external Active Directory server. It contains a mapping of attributes between a local and an external Directory Server. This attribute has the following format:
attr1|externalattr1
attr2|externalattr2
When this attribute is populated, the values of the external attributes are read from the external Directory Server and are set for the internal Directory Server attributes. The values of the external attributes are set in the internal attributes only when the User Profile attribute (in the Core Authentication module type) is set to Dynamically Created and the user does not exist in the local Directory Server instance. The newly created user will contain the values for internal attributes, as specified in User Creation Attributes List, with the external attribute values to which they map.
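The following is an added example, not OpenSSO Enterprise code, covering both mapping formats this page describes: the SAML-attribute=local-attribute entries used by the federation attribute mappers (Liberty ID-FF and WS-Federation service provider) and the attr|externalattr entries of the User Creation Attributes List above. It parses each format, renames assertion attributes onto the local profile, and copies external directory values onto a dynamically created profile only under the documented condition. Function names and the sample assertion and directory entry are constructed; the "dynamic" mode string is my own shorthand for the Core User Profile value Dynamically Created.

```python
# Added example (not OpenSSO Enterprise code): parsing and applying the
# "remote=local" and "internal|external" mapping lists.

def parse_mappings(entries, sep):
    """Turn ["left<sep>right", ...] into {left: right}. Blank entries and
    entries missing either side are skipped; a repeated left side keeps the
    last value, so the most recently added console entry wins."""
    mapping = {}
    for entry in entries:
        entry = entry.strip()
        if not entry or sep not in entry:
            continue
        left, right = (part.strip() for part in entry.split(sep, 1))
        if left and right:
            mapping[left] = right
    return mapping


def map_assertion_attributes(assertion_attrs, mapping_entries):
    """Service provider side: rename assertion attributes to local profile
    attribute names. Attributes with no mapping are dropped, so a partner
    cannot populate arbitrary profile attributes just by asserting them."""
    mapping = parse_mappings(mapping_entries, "=")
    local = {}
    for remote_name, values in assertion_attrs.items():
        local_name = mapping.get(remote_name)
        if local_name is None:
            continue
        local.setdefault(local_name, []).extend(values)
    return local


def user_creation_attributes(external_entry, creation_entries, profile_mode, user_exists):
    """Active Directory module: values to write onto a new local profile.
    Applies only when the Core User Profile setting is Dynamically Created
    ("dynamic" here) and the user is absent locally; otherwise nothing."""
    if profile_mode != "dynamic" or user_exists:
        return {}
    mapping = parse_mappings(creation_entries, "|")  # internal|external
    return {internal: list(external_entry[external])
            for internal, external in mapping.items() if external in external_entry}


# Constructed sample data.
SAMPLE_ASSERTION = {"EmailAddress": ["jdoe@example.com"],
                    "Address": ["1 Main St"], "Role": ["admin"]}
SP_MAPPINGS = ["EmailAddress=mail", "Address=postaladdress"]
SAMPLE_AD_ENTRY = {"sAMAccountName": ["jdoe"], "mail": ["jdoe@example.com"],
                   "telephoneNumber": ["555-0100"]}
CREATION_LIST = ["uid|sAMAccountName", "mail|mail", "telephonenumber|telephoneNumber"]

if __name__ == "__main__":
    print(map_assertion_attributes(SAMPLE_ASSERTION, SP_MAPPINGS))
    print(user_creation_attributes(SAMPLE_AD_ENTRY, CREATION_LIST, "dynamic", False))
```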
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module type allows a user to log in without specifying credentials. You can create an Anonymous user so that anyone can log in as Anonymous without having to provide a password. Anonymous connections are usually customized by the OpenSSO Enterprise administrator so that Anonymous users have limited access to the server. The Anonymous authentication attributes are realm attributes. The attributes are:
Contains a list of user IDs that have permission to login without providing credentials. If a user's login name matches a user ID in this list, access is granted and the session is assigned to the specified user ID.
If this list is empty, accessing the following default module instance login URL will be authenticated as the Default Anonymous User Name:
protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name
If this list is not empty, accessing the default module instance login URL (same as above) prompts the user to enter a valid Anonymous user name. In that case the user can also log in without seeing the login page by accessing the following URL:
protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name&IDToken1=<valid Anonymous username>
Defines the user ID that a session is assigned to if Valid Anonymous User List is empty and the following default module instance login URL is accessed:
protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name
The default value is anonymous. An Anonymous user must also be created in the realm.
If Valid Anonymous User List is not empty, you can login without accessing the login page by using the user defined in Default Anonymous User Name. This can be done by accessing the following URL:
protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name&IDToken1=<Default Anonymous User Name>
If enabled, this option allows for case-sensitivity for user IDs. By default, this attribute is not enabled.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
Once an authentication module instance is defined, the instance can be configured for authentication module chaining, to supply redirect URLs, and a post-processing Java class specification based on a successful or failed authentication process. Before an authentication module instance can be configured, the Core authentication attribute Organization Authentication Configuration must be modified to include the specific authentication module instance name.
This module enables a user to log in through a personal digital certificate (PDC). The module instance can require the use of the Online Certificate Status Protocol (OCSP) to determine the state of a certificate. Use of the OCSP is optional. The user is granted or denied access to a resource based on whether or not the certificate is valid. The Certificate authentication attributes are realm attributes. The attributes are:
Specifies whether to check if the user certificate presented at login is stored in the LDAP Server. If no match is found, the user is denied access. If a match is found and no other validation is required, the user is granted access. The default is that the Certificate Authentication service does not check for the user certificate.
A certificate stored in the Directory Server is not necessarily valid; it may be on the certificate revocation list. See Match Certificate to CRL. However, the web container may check the validity of the user certificate presented at login.
Specifies the attribute of the certificate's SubjectDN value that will be used to search LDAP for certificates. This attribute must uniquely identify a user entry. The actual value will be used for the search. The default is cn.
Specifies whether to compare the user certificate against the Certificate Revocation List (CRL) in the LDAP Server. The CRL is located by one of the attribute names in the issuer's SubjectDN. If the certificate is on the CRL, the user is denied access; if not, the user is allowed to proceed. This attribute is, by default, not enabled.
Certificates should be revoked when the owner of the certificate has changed status and no longer has the right to use the certificate or when the private key of a certificate owner has been compromised.
Specifies the attribute of the received certificate's issuer subjectDN value that will be used to search LDAP for CRLs. This field is used only when the Match Certificate to CRL attribute is enabled. The actual value will be used for the search. The default is cn.
Specifies the HTTP parameters for obtaining a CRL from a servlet for a CRL update. Contact the administrator of your CA for these parameters.
Enables OCSP validation to be performed by contacting the corresponding OCSP responder. The OCSP responder is decided as follows during runtime. The attributes mentioned are located in the console at Configuration > Servers and Sites > Security:
If this value is set to true and the OCSP responder is set in the Responder URL attribute, the value of the attribute will be used as the OCSP responder.
If Online Certificate Status Protocol Check is enabled and if the value of this attribute is not set, the OCSP responder presented in your client certificate is used as the OCSP responder.
If Online Certificate Status Protocol Check is not enabled, or if it is enabled and an OCSP responder cannot be found, no OCSP validation will be performed.
Before enabling OCSP validation, make sure that the clocks of the OpenSSO Enterprise machine and the OCSP responder machine are as closely in sync as possible. Also, the time on the OpenSSO Enterprise machine must not be behind the time on the OCSP responder. For example:
OCSP responder machine - 12:00:00 pm
OpenSSO Enterprise machine - 12:00:30 pm
Specifies the name and port number of the LDAP server where the certificates are stored. The default value is the host name and port specified when OpenSSO Enterprise was installed. The host name and port of any LDAP Server where the certificates are stored can be used. The format is hostname:port.
Specifies the DN of the node where the search for the user's certificate should start. There is no default value. The field will recognize any valid DN.
Multiple entries must be prefixed by the local server name. The format is as follows:
servername|search dn
For multiple entries:
servername1|search dn servername2|search dn servername3|search dn...
If multiple entries exist under the root organization with the same user ID, then this parameter should be set so that only one entry can be searched for or found in order to be authenticated. For example, in the case where the agent ID and user ID are the same under the root organization, this parameter should be ou=Agents for the root organization to authenticate using the agent ID, and ou=People for the root organization to authenticate using the user ID.
This field accepts the DN of the principal user for the LDAP server where the certificates are stored. There is no default value; the field will recognize any valid DN. The principal user must be authorized to read and search certificate information stored in the Directory Server.
This field carries the LDAP password associated with the user specified in the LDAP Server Principal User field. There is no default value; the field accepts the valid LDAP password for the specified principal user. Note that this value is stored as readable text in the directory, so the principal should have no more than the read and search rights it needs.
Confirm the password.
Specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.
Specifies which field in the certificate's Subject DN should be used to search for a matching user profile. For example, if you choose email address, the certificate authentication service will search for the user profile that matches the attribute emailAddr in the user certificate. The user logging in then uses the matched profile. The default field is subject CN. The list contains:
email address
subject CN
subject DN
subject UID
other
If the value of the Certificate Field Used to Access User Profile attribute is set to other, then this field specifies the attribute that will be selected from the received certificate's subjectDN value. The authentication service will then search the user profile that matches the value of that attribute.
If any value type other than none is selected, this attribute takes precedence over the Certificate Field Used to Access User Profile and Other Certificate Field Used to Access User Profile attributes. The subject alternative name value types are:
none
RFC822Name
UPN
Defines the hosts that are trusted to forward client certificates to OpenSSO Enterprise on a user's behalf. OpenSSO Enterprise must verify that a forwarded certificate came from one of these hosts before using it, since otherwise any client could present an arbitrary certificate. This attribute is used for the Portal Server gateway, for a load balancer with SSL termination and for Distributed Authentication.
Disables the attribute. This is set by default.
Accepts Portal Server Gateway-style certificate authentication from any client IP address.
Lists the IP addresses from which to accept Portal Server Gateway-style certificate authentication requests (the IP address of the Gateway(s)). The attribute is configurable on a realm basis.
Specifies the port number for the secure socket layer. Currently, this attribute is only used by the Gateway servlet. Before you add or change an SSL Port Number, see the "Policy-Based Resource Management" section in the OpenSSO Enterprise Administration Guide.
This attribute is used only when the Trusted Remote Hosts attribute is set to all or has a specific host name defined. The administrator must specify the HTTP header name for the client certificate that is inserted by the load balancer or SRA.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module is the general configuration base for the OpenSSO Enterprise authentication services. It must be registered and configured to use any of the specific authentication module instances. It enables the administrator to define default values that will be picked up for the values that are not specifically set in the OpenSSO Enterprise default authentication modules. The Core attributes are global and realm attributes. The attributes are:
Specifies the Java classes of the available authentication modules. Takes a text string specifying the full class name (including package) of each authentication module. After writing a custom authentication module (by implementing the OpenSSO Enterprise AMLoginModule or the Java Authentication and Authorization Service [JAAS] LoginModule service provider interfaces), the new class value must be added to this property.
Specifies a list of authentication modules supported for a specific client. Formatted as:
clientType | module1,module2,module3
This attribute is read by the Client Detection Service when it is enabled.
Specifies the minimum and maximum connection pool to be used on a specific LDAP server and port. Formatted as:
host:port:min:max
This attribute is for LDAP and Membership authentication services only.
This connection pool is different from the SDK connection pool configured in serverconfig.xml.
Sets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. Formatted as:
min:max
This value is superseded by a value defined for a specific host and port in the LDAP Connection Pool Size property.
This option determines the profile status of a successfully authenticated user.
Specifies that on successful authentication the Authentication Service will create a user profile if one does not already exist. The SSOToken will then be issued. The user profile is created in the realm's configured user data store.
Specifies that on successful authentication the Authentication Service will create a user profile that contains the User Alias List attribute, which defines one or more aliases for mapping a user's multiple profiles.
Specifies that a user profile is not required for the Authentication Service to issue an SSOToken after a successful authentication.
Specifies that on successful authentication the user must have a user profile in the realm's configured user data store in order for the Authentication Service to issue an SSOToken.
Requires that OpenSSO Enterprise validate the identity of the calling application; thus all remote authentication requests require the calling application's SSOToken. This allows the Authentication Service to obtain the username and password associated with the application.
Defines the authentication chain used by administrators when the process needs to be different from the authentication chain defined for end users. The authentication chain must first be created before it is displayed as an option in this attribute's drop-down list.
Specifies the Distinguished Name (DN) of a role to be assigned to a new user whose profile is created when either of the Dynamic options is selected under the User Profile attribute. There are no default values. The role specified must be within the realm for which the authentication process is configured.
This role can be either an OpenSSO Enterprise or LDAP role, but it cannot be a filtered role. If you wish to automatically assign specific services to the user, you have to configure the Required Services attribute in the User Profile.
Determines whether users can return to their authenticated session after restarting the browser. When enabled, a user session will not expire until its persistent cookie expires (as specified by the value of the Persistent Cookie Maximum Time attribute), or the user explicitly logs out. By default, the Authentication Service uses only memory cookies (expires when the browser is closed).
A persistent cookie must be explicitly requested by the client by appending the iPSPCookie=yes parameter to the login URL.
Specifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The maximum value is 2147483647 (time in seconds). The field will accept any integer value less than the maximum.
After a user is successfully authenticated, the user's profile is retrieved. This field specifies a second LDAP attribute to use in a search for the profile if a search using the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field takes any valid LDAP attribute.
Specifies the default language subtype to be used by the Authentication Service. The default value is en_US. See Supported Language Locales for a listing of valid language subtypes. To use a different locale, authentication templates for that locale must first be created, and a new directory must then be created for these templates.
Defines the default authentication chain used by the realm's users. The authentication chain must first be created before it is displayed as an option in this attribute's drop-down list.
Selecting this attribute enables a physical lockout. Physical lockout will inactivate an LDAP attribute (defined in the Lockout Attribute Name property) in the user's profile. This attribute works in conjunction with several other lockout and notification attributes.
Defines the number of attempts that a user has to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out.
Defines (in minutes) the interval during which failed login attempts are counted. If one failed login attempt is followed by a second failed attempt within this interval, the lockout count begins, and the user is locked out if the number of failures reaches the number defined in Login Failure Lockout Count. If an attempt within the interval succeeds before that number is reached, the lockout count is reset.
Specify one (or more) email address(es) to which notification will be sent if a user lockout occurs. If sending:
To multiple addresses, separate each address with a space.
To non-English locales, format the address as email_address|locale|charset.
Specifies the number of authentication failures that can occur before OpenSSO Enterprise displays a warning message that the user will be locked out.
Defines (in minutes) how long a user must wait after a lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. Memory lockout means that the user's account is locked in memory for the number of minutes specified. The account is unlocked after the time period has passed.
Defines a value with which to multiply the value of the Login Failure Lockout Duration attribute for each successive lockout. For example, if Login Failure Lockout Duration is set to 3 minutes, and the Lockout Duration Multiplier is set to 2, the user will be locked out of the account for 6 minutes. Once the 6 minutes has elapsed, if the user again provides the wrong credentials, the lockout duration would then be 12 minutes. With the Lockout Duration Multiplier, the lockout duration is incrementally increased based on the number of times the user has been locked out.
Defines the LDAP attribute used for physical lockout. The default value is inetuserstatus (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Value field must also contain an appropriate value.
Specifies the action to take on the attribute defined in Lockout Attribute Name. The default value is inactive (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Name field must also contain an appropriate value.
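To see how the lockout attributes above (count, interval, duration, multiplier, warning, and the physical versus memory lockout modes) combine over a sequence of login attempts, here is an added Python model; it is not OpenSSO code, the field names are mine, and the sliding-window reading of the interval is a simplification of the wording above.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockoutPolicy:
    """The Core lockout attributes described above (field names are mine)."""
    count: int = 5                 # Login Failure Lockout Count
    interval_min: int = 5          # Login Failure Lockout Interval, in minutes
    duration_min: int = 0          # Login Failure Lockout Duration; 0 = physical lockout
    multiplier: int = 1            # Lockout Duration Multiplier; <= 1 means no escalation
    warning: int = 0               # Lockout Warning; 0 = never warn
    physical_lockout: bool = True  # Login Failure Lockout Mode enabled


@dataclass
class AccountState:
    """Per-user state that OpenSSO keeps in memory (or in the user data store)."""
    failures: List[float] = field(default_factory=list)  # minutes at which counted failures occurred
    lockouts: int = 0                      # successive lockouts; drives the multiplier
    locked_until: Optional[float] = None   # memory lockout expiry, in minutes
    status: str = "active"                 # Lockout Attribute Value written on physical lockout


def attempt(policy: LockoutPolicy, state: AccountState, now: float, success: bool) -> str:
    """Record one login attempt at time `now` (minutes) and return the outcome.

    Outcomes: "ok", "failed", "warning" (a failure that reached the warning
    threshold) or "locked".
    """
    # A physical lockout persists until an administrator resets the attribute.
    if state.status == "inactive":
        return "locked"
    # A memory lockout expires by itself once the computed duration has passed.
    if state.locked_until is not None:
        if now < state.locked_until:
            return "locked"
        state.locked_until = None
    if success:
        state.failures.clear()  # a success inside the interval resets the count
        return "ok"
    # Only failures inside the Login Failure Lockout Interval are counted
    # (sliding window relative to this attempt: my simplification of the page).
    state.failures = [t for t in state.failures if now - t < policy.interval_min]
    state.failures.append(now)
    if len(state.failures) >= policy.count:
        state.failures.clear()
        state.lockouts += 1
        if policy.duration_min > 0:
            # Memory lockout. The page's example (3 minutes, multiplier 2)
            # yields 6 minutes for the first lockout and 12 for the second.
            factor = policy.multiplier ** state.lockouts if policy.multiplier > 1 else 1
            state.locked_until = now + policy.duration_min * factor
        elif policy.physical_lockout:
            # Physical lockout, e.g. inetuserstatus set to inactive in the profile.
            state.status = "inactive"
        return "locked"
    if policy.warning and len(state.failures) >= policy.warning:
        return "warning"
    return "failed"


if __name__ == "__main__":
    # Constructed walk-through: 3 failures per 5-minute window, 3-minute base, multiplier 2.
    policy = LockoutPolicy(count=3, interval_min=5, duration_min=3, multiplier=2, warning=2)
    state = AccountState()
    for minute, ok in [(0, False), (1, False), (2, False), (5, True), (8, False),
                       (9, False), (10, False)]:
        print(f"t={minute:>2} min success={ok!s:<5} -> {attempt(policy, state, minute, ok)}")
```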
Accepts a list of values that specifies where users are directed after successful authentication. The format of this attribute is client-type|URL although the only value you can specify at this time is a URL which assumes the type HTML. The default value is /opensso/console. Values that don't specify HTTP or HTTP(s) will be appended to the deployment URI.
Accepts a list of values that specifies where users are directed after an attempted authentication has failed. The format of this attribute is client-type|URL although the only value you can specify at this time is a URL which assumes the type HTML. Values that don't specify HTTP or HTTP(s) will be appended to the deployment URI.
Specifies one or more Java classes used to customize post authentication processes for successful or unsuccessful logins. The Java class must implement the com.sun.identity.authentication.spi.AMPostAuthProcessInterface OpenSSO Enterprise interface. Additionally, add a JAR containing the post processing class to the classpath of the web container instance on which OpenSSO Enterprise is configured. If the web container on which OpenSSO Enterprise is configured explodes the WAR, follow this procedure.
Stop the web container instance.
Change to the WEB-INF/lib directory in the exploded OpenSSO Enterprise WAR directory.
For example, if using Sun Application Server, AS-Deploy-Base/AS-Domain-Dir/AS-Domain/applications/j2ee-modules/opensso/WEB-INF/lib.
Copy the JAR that contains the post processing class to the lib directory.
Restart the web container instance.
When enabled, the Membership module will generate a list of alternate user identifiers if the one entered by a user during the self-registration process is not valid or already exists. The user identifiers are generated by the class specified in the Pluggable User Name Generator Class property.
Specifies the name of the class used to generate alternate user identifiers when Generate UserID Mode is enabled. The default value is com.sun.identity.authentication.spi.DefaultUserIDGenerator.
Lists the type or types of identities for which OpenSSO Enterprise will search. Options include:
Agent
agentgroup
agentonly
Group
User
Specifies one or more Java classes used to provide a callback mechanism for user status changes during the authentication process. The Java class must implement the com.sun.identity.authentication.spi.AMAuthCallBack OpenSSO Enterprise interface. Account lockout and password changes are supported; the latter only through the LDAP authentication module, as the password change feature is available only for that module.
Enables the storage of information regarding failed authentication attempts as the value of the sunAMAuthInvalidAttemptsData attribute in the user data store. In order to store data in this attribute, the OpenSSO Enterprise schema has to be loaded. Information stored includes number of invalid attempts, time of last failed attempt, lockout time and lockout duration. Storing this information in the identity repository allows it to be shared among multiple instances of OpenSSO Enterprise.
Enables users to authenticate using module-based authentication. Otherwise, all attempts at authentication using the module=module-instance-name login parameter will result in failure.
Enables the authenticating user's identity attributes (stored in the identity repository) to be set as session properties in the user's SSOToken. The value takes the format User-Profile-Attribute|Session-Attribute-Name. If Session-Attribute-Name is not specified, the value of User-Profile-Attribute is used. All session attributes contain the am.protected prefix to ensure that they cannot be edited by the Client SDK.
For example, if you define the user profile attribute as mail and the user's email address (available in the user session) as user.mail, the entry for this attribute would be mail|user.mail. After a successful authentication, the SSOToken.getProperty(String) method is used to retrieve the user profile attribute set in the session. The user's email address is retrieved from the user's session using the SSOToken.getProperty("am.protected.user.mail") method call.
Properties that are set in the user session using User Attribute Mapping to Session Attributes cannot be modified (for example, with SSOToken.setProperty(String, String)); attempting to do so results in an SSOException. Multi-valued attributes, such as memberOf, are listed as a single session variable with the values separated by the pipe symbol, for example Value1|Value2|Value3.
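The mapping rules just described (profile attribute to session name, the implied session name, the am.protected prefix, pipe-joined multi-valued attributes, and the refusal to modify a protected property), as an added Python model that is not OpenSSO code; the Session class and SSOException stand in for the SSOToken API.

```python
from typing import Dict, Iterable, List

PROTECTED_PREFIX = "am.protected."  # added by OpenSSO to every mapped session property


class SSOException(Exception):
    """Stand-in for the SSOException the Client SDK raises (constructed for this example)."""


def map_profile_to_session(entries: Iterable[str], profile: Dict[str, List[str]]) -> Dict[str, str]:
    """Build session properties from User Attribute Mapping to Session Attributes entries.

    Each entry is "User-Profile-Attribute|Session-Attribute-Name"; when the
    session name is omitted the profile attribute name is reused. Multi-valued
    profile attributes become a single value joined with "|".
    """
    props: Dict[str, str] = {}
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        profile_attr, _, session_name = entry.partition("|")
        profile_attr = profile_attr.strip()
        session_name = session_name.strip() or profile_attr
        values = profile.get(profile_attr)
        if not values:  # attribute absent from the identity repository: nothing is set
            continue
        props[PROTECTED_PREFIX + session_name] = "|".join(values)
    return props


class Session:
    """Minimal SSOToken-like property holder that enforces the am.protected rule."""

    def __init__(self, props: Dict[str, str]) -> None:
        self._props = dict(props)

    def get_property(self, name: str):
        return self._props.get(name)

    def set_property(self, name: str, value: str) -> None:
        if name.startswith(PROTECTED_PREFIX):
            raise SSOException(f"{name} was set by the server and cannot be modified")
        self._props[name] = value


def try_set(session: Session, name: str, value: str) -> bool:
    """Return True if the property could be set, False if the session refused it."""
    try:
        session.set_property(name, value)
        return True
    except SSOException:
        return False


if __name__ == "__main__":
    # Constructed sample profile and mapping, following the page's mail|user.mail example.
    profile = {"mail": ["alice@example.com"],
               "memberOf": ["cn=admins,ou=groups,dc=example,dc=com",
                            "cn=staff,ou=groups,dc=example,dc=com"]}
    session = Session(map_profile_to_session(["mail|user.mail", "memberOf"], profile))
    print(session.get_property("am.protected.user.mail"))
    print(session.get_property("am.protected.memberOf"))
    print("modified:", try_set(session, "am.protected.user.mail", "mallory@example.com"))
```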
The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the user's SSOToken. When the SSOToken is presented to an application, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level does not meet the minimum value required by the application, it can prompt the user to authenticate again in order to attain a higher authentication level. The authentication level should be set within a realm's specific authentication template. The Default Authentication Level value described here will apply only when no authentication level has been specified in the Authentication Level field for a specific realm's authentication template. The Default Authentication Level default value is 0. The value of this attribute is not used by OpenSSO Enterprise but by any external application that may choose to use it.
The Data Store authentication module allows a login using the Identity Repository of the realm to authenticate users. Using the Data Store module removes the requirement to write an authentication plug-in module, load it, and then configure it if you need to authenticate against the same data store repository. Additionally, you do not need to write a custom authentication module where flat-file authentication is needed for the corresponding repository in that realm.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Federation authentication module is used by a service provider to create a user session after validating single sign-on protocol messages. This authentication module is used by the SAML, SAMLv2, ID-FF, and WS-Federation protocols.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The HTTP authentication module allows a login using HTTP basic authentication with no data encryption. A user name and password are requested through the use of a web browser. Credentials are validated internally using any LDAP or Data Store authentication module to verify the user's credentials.
Specifies the authentication module used to validate the credentials.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Java Database Connectivity (JDBC) authentication module allows OpenSSO Enterprise to authenticate users through any Structured Query Language (SQL) databases that provide JDBC-enabled drivers. The connection to the SQL database can be either directly through a JDBC driver or through a JNDI connection pool. The JDBC attributes are realm attributes. The attributes are:
Specifies the connection type to the SQL database, using either a JNDI (Java Naming and Directory Interface) connection pool or JDBC driver. The options are:
Connection pool is retrieved via JNDI
Non-persistent JDBC connection
The JNDI connection pool utilizes the configuration from the underlying web container.
If JNDI is selected in Connection Type, this field specifies the connection pool name. Because JDBC authentication uses the JNDI connection pool provided by the web container, the setup of the JNDI connection pool may differ from one web container to another. See the OpenSSO Enterprise Administration Guide for examples.
If JDBC is selected in Connection Type, this field specifies the JDBC driver provided by the SQL database. For example, com.mysql.jdbc.Driver. The class specified by JDBC Driver must be accessible to the web container instance on which OpenSSO has been deployed and configured. Include the .jar file that contains the JDBC driver class in the OpenSSO-deploy-base/WEB-INF/lib directory.
Specifies the database URL if JDBC is selected in Connection Type. For example, the URL for MySQL is jdbc:mysql://hostname:port/databaseName.
Specifies the user name with which the database connection is made for the JDBC connection.
Defines the password for the user specified in User to Connect to Database.
Confirm the password.
Specifies the password column name in the SQL database.
Specifies the SQL statement that retrieves the password of the user that is logging in. For example:
select Password from Employees where USERNAME = ?
Specifies the class name that transforms the password retrieved from the database to the format of the user input, for password comparison. This class must implement the JDBCPasswordSyntaxTransform interface.
By default, the value of this attribute is com.sun.identity.authentication.modules.jdbc.ClearTextTransform which expects the password to be in clear text.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The following example shows how to set up a connection pool for Web Server and MySQL 4.0:
In the Web Server console, create a JDBC connection pool with the following attributes:
samplePool
com.mysql.jdbc.jdbc2.optional.MysqlDataSource
Server name of the mySQL server.
Port number on which mySQL server is running.
User name of the database user.
The password of the user.
The name of the database.
The JAR file that contains the DataSource class and the JDBC Driver class mentioned in the following steps should be added to the application class path.
Configure the JDBC Resources. In the Web Server console, create a JDBC resource with the following attributes:
jdbc/samplePool
samplePool
on
Add the following lines to the sun-web.xml file of the application:
<resource-ref>
  <res-ref-name>jdbc/mySQL</res-ref-name>
  <jndi-name>jdbc/samplePool</jndi-name>
</resource-ref>
Add the following lines to the web.xml file of the application:
<resource-ref>
  <description>mySQL Database</description>
  <res-ref-name>jdbc/mySQL</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>
Once you have completed these settings, the value for this attribute becomes java:comp/env/jdbc/mySQL.
This module enables authentication using LDAP bind, a Directory Server operation which associates a user ID password with a particular LDAP entry. You can define multiple LDAP authentication configurations for a realm. The LDAP authentication attributes are realm attributes. The attributes are:
Specifies the host name and port number of the primary LDAP server specified during OpenSSO Enterprise installation. This is the first server contacted for authentication. The format is hostname:port. If there is no port number, assume 389.
If you have OpenSSO Enterprise deployed with multiple domains, you can specify the communication link between specific instances of OpenSSO Enterprise and Directory Server in the following format (multiple entries must be prefixed by the local server name):
local_servername|server:port local_servername2|server2:port2 ...
For example, if you have two OpenSSO Enterprise instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look like the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389
L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
Specifies the host name and port number of a secondary LDAP server available to the OpenSSO Enterprise platform. If the primary LDAP server does not respond to a request for authentication, this server would then be contacted. If the primary server is up, OpenSSO Enterprise will switch back to the primary server. The format is also hostname:port. Multiple entries must be prefixed by the local server name.
When authenticating users from a Directory Server that is remote from the OpenSSO Enterprise, it is important that both the Primary and Secondary LDAP Server Ports have values. The value for one Directory Server location can be used for both fields.
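The Primary and Secondary LDAP Server and Port formats above (a plain host:port, the 389 default, and the local_servername|server:port form for multi-domain deployments), resolved for one OpenSSO instance into its failover order, as an added Python example that is not OpenSSO code; the function names are mine.

```python
from typing import Dict, List, Optional, Tuple

DEFAULT_LDAP_PORT = 389  # "If there is no port number, assume 389"


def parse_server_list(value: str) -> Dict[Optional[str], Tuple[str, int]]:
    """Parse an LDAP Server and Port value into {local_server_name: (host, port)}.

    An unprefixed entry ("host:port") is stored under the key None and applies
    to every OpenSSO instance; multi-domain entries carry the local server
    name as a prefix ("local|host:port") and are separated by spaces.
    """
    table: Dict[Optional[str], Tuple[str, int]] = {}
    for entry in value.split():
        local, sep, server = entry.partition("|")
        if not sep:  # no prefix: the entry applies to every instance
            local, server = None, entry
        host, _, port = server.partition(":")
        if not host:
            raise ValueError(f"malformed LDAP server entry: {entry!r}")
        table[local] = (host, int(port) if port else DEFAULT_LDAP_PORT)
    return table


def resolve_servers(local_server: str, primary: str, secondary: str = "") -> List[Tuple[str, int]]:
    """Return the servers this instance contacts, primary first, secondary as fallback.

    An entry prefixed with this instance's own name wins; otherwise an
    unprefixed entry is used. A configured attribute that names no server for
    this instance is a misconfiguration and raises.
    """
    order: List[Tuple[str, int]] = []
    for attr in (primary, secondary):
        if not attr.strip():
            continue  # the secondary server is optional
        table = parse_server_list(attr)
        target = table.get(local_server, table.get(None))
        if target is None:
            raise ValueError(f"no LDAP server configured for {local_server} in {attr!r}")
        order.append(target)
    return order


if __name__ == "__main__":
    # The page's two-location example, seen from the L1 instance.
    primary = ("L1-machine1-IS.example.com|L1-machine1-DS.example.com:389 "
               "L2-machine2-IS.example.com|L2-machine2-DS.example.com:389")
    print(resolve_servers("L1-machine1-IS.example.com", primary))
```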
Specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists. Multiple entries must be prefixed by the local server name. The format is servername|search dn.
For multiple entries:
servername1|search dn servername2|search dn servername3|search dn...
If multiple entries exist under the root organization with the same user ID, then this parameter should be set so that only one entry can be searched for or found in order to be authenticated. For example, where an agent ID and a user ID are the same under the root organization, this parameter should be ou=Agents for the root organization to authenticate using the agent ID, and ou=People for the root organization to authenticate using the user ID.
Specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default is amldapuser. Any valid DN will be recognized.
Carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid LDAP password will be recognized.
Confirm the password.
Specifies the attribute used for the naming convention of user entries. By default, OpenSSO Enterprise assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.
Lists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber, and mail, the user could authenticate with any of these names. These attributes must be set separately.
Specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.
Indicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in the DN to Start User Search attribute. The default value is SUBTREE. One of the following choices can be selected from the list:
Searches only the specified node.
Searches at the level of the specified node and one level down.
Search all entries at and below the specified node.
Enables SSL access to the Directory Server specified in the Primary and Secondary LDAP Server and Port field. By default, the box is not checked and the SSL protocol will not be used to access the Directory Server.
If the LDAP server is running with SSL enabled (LDAPS), you must make sure that OpenSSO Enterprise is configured with the proper SSL trusted certificates so that it can connect to the Directory Server over the LDAPS protocol.
When the OpenSSO Enterprise directory is the same as the directory configured for LDAP, this option may be enabled. If enabled, this option allows the LDAP authentication module to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module returns only the User ID, and the authentication service searches for the user in the local OpenSSO Enterprise LDAP. If an external LDAP directory is used, this option is typically not enabled.
This attribute is used for LDAP Server failback. It defines the number of minutes in which a thread will “sleep” before verifying that the LDAP primary server is running.
This attribute is used by the LDAP authentication module when the LDAP server is configured as an external LDAP server. It contains a mapping of attributes between a local and an external Directory Server. This attribute has the following format:
attr1|externalattr1
attr2|externalattr2
When this attribute is populated, the values of the external attributes are read from the external Directory Server and are set for the internal Directory Server attributes. The values of the external attributes are set in the internal attributes only when the User Profile attribute (in the Core Authentication module) is set to Dynamically Created and the user does not exist in the local Directory Server instance. The newly created user will contain the values for the internal attributes, as specified in User Creation Attributes List, with the external attribute values to which they map.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Membership Authentication module is implemented for personalized sites that allow a user to self-register. This means the user can create an account, personalize it, and access it as a registered user without the help of an administrator. The attributes are realm attributes. The attributes are:
Specifies the minimum number of characters required for a password set during self-registration. The default value is 8.
Specifies the roles assigned to new users whose profiles are created through self-registration. There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user.
The role specified must be under the realm for which authentication is being configured. Only the roles that can be assigned to the user will be added during self-registration. All other DNs will be ignored. The role can be either an OpenSSO Enterprise role or an LDAP role, but filtered roles are not accepted.
Specifies whether services are immediately made available to a user who has self-registered. The default value is Active and services are available to the new user. By selecting Inactive, the administrator chooses to make no services available to a new user.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
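The authentication level check described above is shared by every module on this page: an application compares the level stored in the SSO token with the minimum it requires and, if the token falls short, prompts for a module whose level is high enough. The following Python block is an added illustration of that rule, not code from OpenSSO Enterprise; the token model, the module table and the choice of the lowest-level module that still satisfies the requirement are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Value of the Core Authentication "Default Authentication Level" attribute,
# assumed to be its default of 0 for this example.
DEFAULT_AUTH_LEVEL = 0


@dataclass
class SSOToken:
    """Constructed model of the session token: who authenticated, with which
    module, and the level that module recorded (None if it recorded none)."""
    user: str
    module: str
    auth_level: Optional[int]


def effective_level(token: SSOToken, default_level: int = DEFAULT_AUTH_LEVEL) -> int:
    """Level stored in the token, falling back to the Core Authentication
    default when the module set no level (the rule stated on the page)."""
    return token.auth_level if token.auth_level is not None else default_level


def access_decision(token: SSOToken, required_level: int,
                    module_levels: Dict[str, int],
                    default_level: int = DEFAULT_AUTH_LEVEL) -> Tuple[str, Optional[str]]:
    """Decide what an application should do with a presented token.

    Returns ("allow", None) when the token's level meets the requirement,
    ("step-up", module) naming the module to re-authenticate with, or
    ("deny", None) when no configured module reaches the required level.
    module_levels maps module names to their configured authentication level
    (a constructed policy table for this example)."""
    level = effective_level(token, default_level)
    if level >= required_level:
        return ("allow", None)
    # Candidate modules for step-up: any whose level satisfies the requirement.
    # Picking the lowest such level is this example's choice, not a product rule.
    candidates = [(lvl, name) for name, lvl in module_levels.items() if lvl >= required_level]
    if not candidates:
        return ("deny", None)
    return ("step-up", min(candidates)[1])


if __name__ == "__main__":
    modules = {"LDAP": 1, "RADIUS": 2, "SecurID": 3}
    token = SSOToken("alice", "LDAP", 1)
    print(access_decision(token, 1, modules))   # allowed as-is
    print(access_decision(token, 2, modules))   # step-up to RADIUS
    print(access_decision(SSOToken("bob", "Anonymous", None), 1, modules))  # default 0, step-up
```

A token whose module never set a level is treated as level 0 here, which is why an application requiring level 1 sends such a user back through a module rather than granting access.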
The Mobile Station Integrated Services Digital Network (MSISDN) authentication module enables authentication using a mobile subscriber ISDN associated with a device such as a cellular telephone. It is a non-interactive module. The module retrieves the subscriber ISDN and validates it against the Directory Server to find a user that matches the number. The MSISDN Authentication attributes are realm attributes. The MSISDN Authentication attributes are:
Specifies a list of IP addresses of trusted clients that can access the MSISDN module. You can set the IP addresses of all clients allowed to access the MSISDN module by entering each address (for example, 123.234.123.111) in the entry field and clicking Add. By default, the list is empty. If the attribute is left empty, all clients are allowed. If you specify none, no clients are allowed.
Specifies a list of parameter names that identify which parameters to search in the request header or cookie header for the MSISDN number. For example, if you define x-Cookie-Param, AM_NUMBER, and COOKIE-ID, the MSISDN authentication services will search those parameters for the MSISDN number.
Specifies the host name and port number of the Directory Server in which the search for users with MSISDN numbers will occur. The format is hostname:port. If no port number is given, 389 is assumed.
If you have OpenSSO Enterprise deployed with multiple domains, you can specify the communication link between specific instances of OpenSSO Enterprise and Directory Server in the following format (multiple entries must be prefixed by the local server name):
local_servername|server:port local_servername2|server2:port2 ...
For example, if you have two OpenSSO Enterprise instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), the value would look like the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389
L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
Specifies the DN of the node where the search for the user's MSISDN number should start. There is no default value. The field will recognize any valid DN. Multiple entries must be prefixed by the local server name. The format is servername|search dn.
For multiple entries:
servername1|search dn servername2|search dn servername3|search dn...
If multiple entries with the same user ID exist under the root organization, set this parameter so that only one entry can be found for authentication. For example, where an agent ID and a user ID are the same under the root organization, set this parameter to ou=Agents to authenticate the root organization using the agent ID, and to ou=People to authenticate using the user ID.
Specifies the name of the attribute in the user's profile that contains the MSISDN number to search for a particular user. The default value is sunIdentityMSISDNNumber. This value should not be changed, unless you are certain that another attribute in the user's profile contains the same MSISDN number.
Specifies the LDAP bind DN to allow MSISDN searches in the Directory Server. The default bind DN is cn=amldapuser,ou=DSAME Users,dc=sun,dc=com.
Specifies the LDAP bind password for the bind DN, as defined in LDAP Server Principal User.
Confirm the password.
Enables SSL access to the Directory Server specified in the LDAP Server and Port attribute. By default, this is not enabled and the SSL protocol will not be used to access the Directory Server. However, if this attribute is enabled, you can bind to a non-SSL server.
Specifies the headers to use for searching the request for the MSISDN number. The supported values are as follows:
Performs the search in the cookie.
Performs the search in the request header.
Performs the search in the request parameter. By default, all options are selected.
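How the trusted-client list and the parameter-name search described above fit together is shown by the following Python block. It is an added example, not OpenSSO Enterprise code: the Request model, the literal value none for "no clients allowed", and the cookie, header, parameter lookup order (the page states no order) are assumptions of this example, and the phone numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence

# The three search locations the module supports; all are selected by default.
ALL_LOCATIONS = ("cookie", "header", "parameter")


@dataclass
class Request:
    """Constructed minimal HTTP request model for this example."""
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)   # request header fields
    cookies: Dict[str, str] = field(default_factory=dict)   # values parsed from the Cookie header
    params: Dict[str, str] = field(default_factory=dict)    # query/form parameters


def client_allowed(client_ip: str, trusted_clients: Sequence[str]) -> bool:
    """Trusted-client semantics stated above: an empty list allows every
    client, the value none allows no client, otherwise the address must be
    listed. Treating none as a literal entry is this example's assumption."""
    if not trusted_clients:
        return True
    if any(entry.strip().lower() == "none" for entry in trusted_clients):
        return False
    return client_ip in trusted_clients


def find_msisdn(request: Request, param_names: Sequence[str],
                search_in: Sequence[str] = ALL_LOCATIONS) -> Optional[str]:
    """Return the first non-empty value found for any configured parameter
    name in the enabled locations. Header names are compared
    case-insensitively, as HTTP header field names are."""
    sources = {
        "cookie": request.cookies,
        "header": {k.lower(): v for k, v in request.headers.items()},
        "parameter": request.params,
    }
    for location in search_in:
        source = sources[location]
        for name in param_names:
            key = name.lower() if location == "header" else name
            value = source.get(key)
            if value:
                return value.strip()
    return None


def extract_msisdn(request: Request, trusted_clients: Sequence[str],
                   param_names: Sequence[str],
                   search_in: Sequence[str] = ALL_LOCATIONS) -> Optional[str]:
    """Module-style entry point: refuse untrusted clients before reading any
    number, so the number in the request is never consulted for them."""
    if not client_allowed(request.client_ip, trusted_clients):
        return None
    return find_msisdn(request, param_names, search_in)


if __name__ == "__main__":
    req = Request("123.234.123.111",
                  headers={"AM_NUMBER": "15551234567"},      # constructed value
                  params={"COOKIE-ID": "15559999999"})        # constructed value
    names = ["x-Cookie-Param", "AM_NUMBER", "COOKIE-ID"]
    print(extract_msisdn(req, ["123.234.123.111"], names))   # found in the request header
    print(extract_msisdn(req, ["none"], names))              # client refused
```

Because the module is non-interactive and trusts the number it finds, restricting the client list to the gateway that actually inserts the number is the control that matters; the search order only decides which of several copies wins.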
Specifies the LDAP attribute that is used during a search to return the user profile for MSISDN authentication service. The default is uid.
When the OpenSSO Enterprise directory is the same as the directory configured for MSISDN, this option may be enabled. If enabled, this option allows the authentication module to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module returns only the User ID, and the authentication service searches for the user in the local OpenSSO Enterprise. If an external directory is used, this option is typically not enabled.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for authentication using an external Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS Authentication attributes are realm attributes. The attributes are:
Displays the IP address or fully qualified host name of the primary RADIUS server. The default IP address is 127.0.0.1. The field will recognize any valid IP address or host name. Multiple entries must be prefixed by the local server name as in the following syntax:
local_servername|ip_address local_servername2|ip_address ...
Displays the IP address or fully qualified domain name (FQDN) of the secondary RADIUS server. It is a failover server which will be contacted if the primary server could not be contacted. The default IP address is 127.0.0.1. Multiple entries must be prefixed by the local server name as in the following syntax:
local_servername|ip_address local_servername2|ip_address ...
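The local_servername|value multi-entry format appears in several attributes above: the MSISDN Directory Server host:port (with 389 assumed when the port is absent), the MSISDN search DN, and the primary and secondary RADIUS servers. The Python block below is an added example of parsing that format and resolving the entry that applies to one OpenSSO Enterprise instance; it is not product code. Treating an entry without a prefix as applying to every instance, and the fallback order, are assumptions of this example, and the RADIUS addresses and DNs in the usage are constructed.

```python
import re
from typing import Dict, Optional, Tuple

DEFAULT_LDAP_PORT = 389  # "If no port number is given, 389 is assumed"


def parse_server_map(value: str) -> Dict[Optional[str], str]:
    """Parse  local_servername|entry local_servername2|entry2 ...

    Entries are separated by whitespace that is followed by another
    prefixed entry, so a search DN containing spaces (ou=Agents, dc=...)
    is not split apart. An entry with no prefix is stored under key None
    and applies to every instance (assumption of this example)."""
    mapping: Dict[Optional[str], str] = {}
    for entry in re.split(r"\s+(?=\S*\|)", value.strip()):
        if not entry:
            continue
        if "|" in entry:
            server, setting = entry.split("|", 1)
            mapping[server.strip()] = setting.strip()
        else:
            mapping[None] = entry.strip()
    return mapping


def resolve_for_server(mapping: Dict[Optional[str], str], local_server: str) -> Optional[str]:
    """Entry for this instance, else the unprefixed entry, else None."""
    if local_server in mapping:
        return mapping[local_server]
    return mapping.get(None)


def split_host_port(server: str, default_port: int = DEFAULT_LDAP_PORT) -> Tuple[str, int]:
    """hostname:port -> (hostname, port), defaulting the port when absent."""
    host, sep, port = server.partition(":")
    if not sep or not port:
        return host, default_port
    return host, int(port)


def directory_for(local_server: str, ldap_servers: str, search_dns: str) -> Tuple[str, int, str]:
    """Combine the LDAP server attribute and the search DN attribute into
    (host, port, base_dn) for this instance; raise if either is missing,
    so a misconfigured instance fails closed rather than searching nowhere."""
    server = resolve_for_server(parse_server_map(ldap_servers), local_server)
    base_dn = resolve_for_server(parse_server_map(search_dns), local_server)
    if server is None or base_dn is None:
        raise ValueError(f"no Directory Server or search DN configured for {local_server}")
    host, port = split_host_port(server)
    return host, port, base_dn


if __name__ == "__main__":
    ldap = ("L1-machine1-IS.example.com|L1-machine1-DS.example.com:389 "
            "L2-machine2-IS.example.com|L2-machine2-DS.example.com")
    dns = ("L1-machine1-IS.example.com|ou=People,dc=example,dc=com "
           "L2-machine2-IS.example.com|ou=Agents, dc=example,dc=com")
    print(directory_for("L2-machine2-IS.example.com", ldap, dns))
    radius = "L1-machine1-IS.example.com|10.0.0.5 L2-machine2-IS.example.com|10.0.1.5"  # constructed
    print(resolve_for_server(parse_server_map(radius), "L1-machine1-IS.example.com"))
```

The same parser serves the RADIUS primary and secondary server attributes, which use the prefix form without a port.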
Carries the shared secret for RADIUS authentication. The shared secret should have the same qualifications as a well-chosen password. There is no default value for this field.
Confirmation of the shared secret for RADIUS authentication.
Specifies the port on which the RADIUS server is listening. The default value is 1645.
Specifies the time interval in seconds to wait for the RADIUS server to respond before a timeout. The default value is 3 seconds. It will recognize any number specifying the timeout in seconds.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Secure Attribute Exchange (SAE) authentication module is used when a external entity (such as an existing application ) has already authenticated the user and wishes to securely inform a local OpenSSO Enterprise instance about the authentication to trigger the creation of a OpenSSO Enterprise session for the user. The SAE authentication module is also used by the Virtual Federation functionality where the existing entity instructs the local OpenSSO Enterprise instance to use federation protocols to transfer authentication and attribute information to a partner application. The SAE attribute is a realm attribute.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for users to authenticate using Secure Computing's SafeWord or SafeWord PremierAccess authentication servers. The SafeWord Authentication Attributes are realm attributes. The attributes are:
Specifies the SafeWord or SafeWord PremierAccess server name and port. Port 7482 is set as the default for a SafeWord server. The default port number for a SafeWord PremierAccess server is 5030.
Specifies the directory into which the SafeWord client library places its verification files. The default is as follows:
ConfigurationDirectory/uri/auth/safeword/serverVerification
If a different directory is specified in this field, the directory must exist before attempting SafeWord authentication.
Enables SafeWord logging. By default, SafeWord logging is enabled.
Specifies the SafeWord logging level. Select a level from the drop-down menu. The levels are DEBUG, ERROR, INFO, and NONE.
Specifies the directory path and log file name for SafeWord client logging. The default path is ConfigurationDirectory/uri/auth/safeword/safe.log.
If a different path or filename is specified, it must exist before attempting SafeWord authentication. If more than one realm is configured for SafeWord authentication, and different SafeWord servers are used, then different paths must be specified or only the first realm where SafeWord authentication occurs will work. Likewise, if a realm changes SafeWord servers, the swec.dat file in the specified directory must be deleted before authentications to the newly configured SafeWord server will work.
Defines the timeout period (in seconds) between the SafeWord client (OpenSSO Enterprise) and the SafeWord server. The default is 120 seconds.
Defines the Client Type that the SafeWord server uses to communicate with different clients, such as Mobile Client, VPN, Fixed Password, Challenge/Response, and so forth.
This attribute specifies the Extended Authentication and Single Sign-on Protocol (EASSP) version. This field accepts either the standard (101), SSL-encrypted premier access (200), or premier access (201) protocol versions.
Defines the minimum authenticator strength for the client/SafeWord server authentication. Each client type has a different authenticator value, and the higher the value, the higher the authenticator strength. 20 is the highest value possible. 0 is the lowest value possible.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for authentication using RSA (a division of EMC) ACE/Server software and RSA SecurID authenticators. For this release of OpenSSO Enterprise, the SecurID Authentication module is available for Solaris/SPARC, Solaris/x86, Linux, and Windows platforms supported by OpenSSO Enterprise. The SecurID authentication attributes are realm attributes. The attributes are:
Specifies the directory in which the SecurID ACE/Server sdconf.rec file is located, by default ConfigurationDirectory/uri/auth/ace/data. If you specify a different directory in this field, the directory must exist before attempting SecurID authentication.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for authentication using a user's Unix identification and password. If any of the Unix authentication attributes are modified, both OpenSSO Enterprise and the amunixd helper must be restarted. For more information on starting the amunixd helper, see Running the Unix Authentication Helper (amunixd Daemon) in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide. This authentication module is supported on Solaris and Linux. The Unix authentication attributes are:
This attribute specifies the port on which the Unix Helper listens upon startup for the configuration information contained in the Unix Helper Authentication Port, Unix Helper Timeout, and Unix Helper Threads attributes. The default is 58946.
This attribute specifies the port on which the Unix Helper listens for authentication requests after configuration. The default port is 57946.
This attribute specifies the number of minutes that users have to complete authentication. If users surpass the allotted time, authentication automatically fails. The default time is set to 3 minutes.
This attribute specifies the maximum number of permitted simultaneous Unix authentication sessions. If the maximum is reached at a given moment, subsequent authentication attempts are not allowed until a session is freed up. The default is set to 5.
This is a realm attribute. The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This is a realm attribute. It defines the PAM (Pluggable Authentication Module) configuration or stack that is shipped with your operating system and is used for Unix authentication. For Solaris, the name defaults to other; for Linux, the name is password.
For more information on PAM, please consult the documentation for your system. For Solaris, see pam.conf(4) and for Linux, see the PAM files in /etc/pam.d.
This module is specific to Windows and is also known as Kerberos authentication. The user presents a Kerberos token to OpenSSO Enterprise through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol. The Windows Desktop SSO authentication plug-in module provides a client (user) with desktop single sign-on. This means that a user who has already authenticated with a key distribution center can be authenticated with OpenSSO Enterprise without having to provide the login information again. The Windows Desktop SSO attributes are global attributes. The attributes are:
Specifies the Kerberos principal that is used for authentication. Use the following format:
HTTP/hostname.domainname@dc_domain_name
hostname and domainname represent the host name and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It is possibly different from the domain name of the OpenSSO Enterprise instance.
This attribute specifies the Kerberos keytab file that is used for authentication and takes the absolute path to the keytab file.
This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending upon your configuration, the domain name of the domain controller may be different from the OpenSSO Enterprise domain name.
This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.
If enabled, this attribute allows OpenSSO Enterprise to automatically return the Kerberos principal with the domain controller's domain name during authentication.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Windows NT Authentication module allows for authentication against a Microsoft Windows NT server. The attributes are realm attributes. The values applied to them under Service Configuration become the default values for the Windows NT Authentication template. The service template needs to be created after registering the service for the realm. The default values can be changed after registration by the realm's administrator. Realm attributes are not inherited by entries in the subtrees of the realm.
In order to activate the Windows NT Authentication module, Samba Client 2.2.2 or 3.x must be downloaded and installed to the following directory:
ConfigurationDirectory/uri/bin
The Samba Client is a file and print server for blending Windows and UNIX machines without requiring a separate Windows NT/2000 Server.
Red Hat Linux ships with a Samba client, located in the /usr/bin directory.
In order to authenticate using the Windows NT Authentication service for Linux, copy the client binary to /bin.
The Windows NT attributes are:
Defines the Domain name to which the user belongs.
Defines the Windows NT authentication hostname. The hostname should be the netBIOS name, as opposed to the fully qualified domain name (FQDN). By default, the first part of the FQDN is the netBIOS name.
If the DHCP (Dynamic Host Configuration Protocol) is used, you would put a suitable entry in the HOSTS file on the Windows 2000 machine.
Name resolution will be performed based on the netBIOS name. If you do not have any server on your subnet supplying netBIOS name resolution, the mappings should be hardcoded. For example, the hostname should be example1 not example1.company1.com.
Defines the Samba configuration filename and supports the -s option in the smbclient command. The value must be the full directory path where the Samba configuration file is located.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Console properties contain services that enable you to configure the OpenSSO Enterprise console and to define console properties for different locales and character sets. The Console properties contain the following:
The Administration service enables you to configure the OpenSSO Enterprise console at both the global level as well as at a configured realm level (Preferences or Options specific to a configured realm). The Administration service attributes are global and realm attributes.
If you have upgraded to OpenSSO Enterprise 8.0 and are running in legacy mode, a large number of attributes will be displayed in the console. The complete list of attributes and their descriptions are listed in the OpenSSO Enterprise 8.0 online help and in the Sun Java System Access Manager 7.1 Administration Reference.
The attributes are:
Enables Federation Management. It is selected by default. To disable this feature, deselect the field; the Federation Management tab will then not appear in the console.
Specifies the default agent container into which the agent is created. The default is Agents.
This field defines the maximum number of results returned from a search. The default value is 100.
Do not set this attribute to a large value (greater than 1000) unless sufficient system resources are allocated.
OpenSSO Enterprise is preconfigured to return a maximum of 4000 search entries. This value can be changed through the console or by using ldapmodify. To change it using ldapmodify, create a file newConfig.xml with the following values (in this example, nsSizeLimit: -1 means unlimited):
dn: cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX
changetype: modify
replace: nsSizeLimit
nsSizeLimit: -1
Then, run ldapmodify. For example:
setenv LD_LIBRARY_PATH /opt/SUNWam/lib/:/opt/SUNWam/ldaplib/ldapsdk:/usr/lib/mps:/usr/share/lib/mps/secv1:/usr/lib/mps/secv1:$LD_LIBRARY_PATH
./ldapmodify -D "cn=Directory Manager" -w "iplanet333" -c -a -h hostname.domain -p 389 -f newConfig.xml
Modifications to this attribute made through ldapmodify take precedence over those made through the OpenSSO Enterprise Console.
Defines the amount of time (in number of seconds) that a search will continue before timing out. It is used to stop potentially long searches. After the maximum search time is reached, the search terminates and returns an error. The default is 5 seconds.
Directory Server has been preconfigured with a timeout value of 120 seconds. This value can be changed through the Directory Server console or by using ldapmodify. To change it using ldapmodify, create a file newConfig.xml with the following values (this example changes the timeout from 120 seconds to 3600 seconds):
dn: cn=config
changetype: modify
replace: nsslapd-timelimit
nsslapd-timelimit: 3600
Then, run ldapmodify. For example:
setenv LD_LIBRARY_PATH /opt/SUNWam/lib/:/opt/SUNWam/ldaplib/ldapsdk:/usr/lib/mps:/usr/share/lib/mps/secv1:/usr/lib/mps/secv1:$LD_LIBRARY_PATH
./ldapmodify -D "cn=Directory Manager" -w "iplanet333" -c -a -h hostname.domain -p 389 -f newConfig.xml
This attribute defines the attribute name that is to be searched upon when performing a simple search in the Navigation page. The default value for this attribute is cn.
For example, if you enter j* in the Name field in the Navigation frame, users whose names begin with "j" or "J" will be displayed.
This field defines the attribute name used when displaying the users returned from a simple search. The default of this attribute is uid cn. This will display the user ID and the user's full name.
The attribute name that is listed first is also used as the key for sorting the set of users that will be returned. To avoid performance degradation, use an attribute whose value is set in a user's entry.
This attribute allows you to define the maximum rows that can be displayed per page. The default is 25. For example, if a user search returns 100 rows, there will be 4 pages with 25 rows displayed in each page.
This option enables callbacks for plug-ins to retrieve external attributes (any external application-specific attribute). External attributes are not cached in the OpenSSO Enterprise SDK, so this attribute allows you to enable attribute retrieval per realm. By default, this option is not enabled.
The Globalization Settings service contains global attributes that enable you to configure OpenSSO Enterprise for different locales and character sets. The attributes are:
This attribute lists the character sets supported for each locale, which indicates the mapping between locale and character set. The format is as follows:
To add a New Supported Charset, click Add and define the following parameters:
The new locale you wish to add. See Supported Language Locales for more information.
Enter the supported charset for the specified locale. Charsets are delimited by a semicolon. For example, charset=charset1;charset2;charset3;...;charsetn
To edit any existing Supported Charset, click the name in the Supported Charset table. Click OK when you are finished.
This attribute lists the codeset names (which map to IANA names) that will be used to send the response. These codeset names do not need to match Java codeset names. Currently, there is a hash table to map Java character sets into IANA charsets and vice versa.
To add a New Charset Alias, click the Add button and define the following parameters:
The IANA mapping name. For example, Shift_JIS
The Java character set to map to the IANA character set.
To edit any existing Charset Alias, click the name in the table. Click OK when you are finished.
This display option allows you to define the way in which a name is automatically generated to accommodate name formats for different locales and character sets. The default syntax is as follows (please note that including commas and/or spaces in the definition will display in the name format):
en_us = {givenname} {initials} {sn}
For example, if you wanted to display a new name format for a user (User One) with a uid (11111) for the Chinese character set, define:
zh = {sn}{givenname}({uid})
The display is:
OneUser 11111
The following table lists the language locales that OpenSSO Enterprise supports:
Language Tag | Language
af | Afrikaans
be | Byelorussian
bg | Bulgarian
ca | Catalan
cs | Czechoslovakian
da | Danish
de | German
el | Greek
en | English
es | Spanish
eu | Basque
fi | Finnish
fo | Faroese
fr | French
ga | Irish
gl | Galician
hr | Croatian
hu | Hungarian
id | Indonesian
is | Icelandic
it | Italian
ja | Japanese
ko | Korean
nl | Dutch
no | Norwegian
pl | Polish
pt | Portuguese
ro | Romanian
ru | Russian
sk | Slovakian
sl | Slovenian
sq | Albanian
sr | Serbian
sv | Swedish
tr | Turkish
uk | Ukrainian
zh | Chinese
Global Properties contain services that enable you to define password reset functionality and policy configuration for OpenSSO Enterprise. The services you can configure are:
This attribute specifies the implementation class for the com.sun.identity.plugin.datastore.DataStoreProvider SPI which is used for managing federation user data store information.
This attribute specifies the implementation class for the com.sun.identity.plugin.configuration.ConfigurationInstance SPI which is used for managing federation service configuration data.
This attribute specifies the implementation class for the com.sun.identity.plugin.log.Logger SPI which is used for managing federation logging.
This specifies the implementation class for the com.sun.identity.plugin.session.SessionProvider SPI which is used for managing federation session.
This attribute specifies the maximum allowed content length for an HTTP Request that will be used in federation services. Any request whose content exceeds the specified maximum content length will be rejected.
This attribute specifies the implementation class for the com.sun.identity.saml.xmlsig.PasswordDecoder interface which is used to decode stored password for XML signing keystore and password for basic authentication under SAML 1.x.
This attribute specifies the SAML XML signature provider class. The default SPI is com.sun.identity.saml.xmlsig.AMSignatureProvider.
This attribute specifies the XML signature key provider class. The default SPI is com.sun.identity.saml.xmlsig.JKSKeyProvider.
If set to on, the certificate must be presented to the keystore for XML signature validation. If set to off, presence checking of the certificate is skipped. This applies to SAML1.x only.
This attribute specifies the XML canonicalization algorithm used for SAML XML signature generation and verification. The default value is http://www.w3.org/2001/10/xml-exc-c14n#.
This attribute specifies XML signature algorithm used for SAML XML Signature generation and verification. When not specified or value is empty, the default value (http://www.w3.org/2000/09/xmldsig#rsa-sha1) is used.
This attribute specifies transformation algorithm used for SAML XML signature generation and verification. When not specified or the value is empty, the default value (http://www.w3.org/2001/10/xml-exc-c14n#) is used.
This attribute specifies the name of the ID-FF Services cookie. The cookie is used to remember if the user is federated already.
This attribute specifies the implementation class for finding a preferred identity provider to be proxied.
This attribute specifies the cleanup interval (in seconds) for ID-FF internal request cleanup thread.
This attribute specifies the timeout value (in seconds) for the ID-FF Authentication Request. Any AuthnRequest object will be purged from memory if it exceeds the timeout value.
This attribute specifies the login URL to which the IDP will redirect if a valid session is not found while processing the Authentication Request. If the key is not specified, a default login URL is used.
This attribute specifies the level of signature verification for Liberty requests and responses.
This attribute specifies the implementation class name for the com.sun.identity.liberty.ws.security.SecurityAttributePlugin interface. The class returns a list of SAML attributes to be included in the credentials generated by the Discovery Service.
The value set in this attribute is used in the com.sun.identity.liberty.ws.security.LibSecurityTokenProvider implementation class. It specifies the data type to be put into the KeyInfo block inside the XML signature. If the value is certificate, the signer's X.509 certificate will be included inside KeyInfo. Otherwise, the corresponding DSA/RSA key will be included in KeyInfo.
This attribute specifies the implementation class for the security token provider.
This attribute specifies the default certificate alias used when issuing the web service security token for this web service client.
This attribute specifies the certificate alias for the trusted authority that will be used to sign the SAML or SAML BEARER token of response message.
This attribute specifies the certificate aliases of the trusted CAs for the SAML or SAML BEARER tokens of an incoming request. The message must be signed by a trusted CA in this list. The syntax is cert alias 1[:issuer 1]|cert alias 2[:issuer 2]|.....
Example: myalias1:myissuer1|myalias2|myalias3:myissuer3.
The value issuer is used when the token does not have a KeyInfo inside of the signature. The issuer of the token must be in this list and the corresponding certificate alias will be used to verify the signature. If KeyInfo exists, the keystore must contain a certificate alias that matches the KeyInfo and the certificate alias must be in this list.
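The alias-selection rule just described, as an added example that is not part of the OpenSSO Enterprise documentation or code base. It parses the `alias[:issuer]|...` syntax and picks the certificate alias a verifier would use: without a KeyInfo the token issuer is looked up in the list, with a KeyInfo the alias the keystore resolved from it must itself be listed. The function names and the `keyinfo_alias` and `token_issuer` parameters are assumptions of this example.

```python
from typing import List, Optional, Tuple

# Added example (not OpenSSO code): parse the trusted-CA alias list
# "alias1[:issuer1]|alias2[:issuer2]|..." and select the certificate alias
# used to verify a SAML / SAML Bearer token signature.


def parse_trusted_aliases(value: str) -> List[Tuple[str, Optional[str]]]:
    """Return (alias, issuer-or-None) pairs in list order."""
    entries: List[Tuple[str, Optional[str]]] = []
    for item in value.split("|"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing or doubled separator
        alias, sep, issuer = item.partition(":")
        if not alias:
            raise ValueError(f"entry without certificate alias: {item!r}")
        entries.append((alias, issuer if sep else None))
    return entries


def select_verification_alias(config: str,
                              keyinfo_alias: Optional[str],
                              token_issuer: Optional[str]) -> Optional[str]:
    """Pick the alias to verify a token signature with, or None to reject.

    keyinfo_alias: the keystore alias resolved from the signature's KeyInfo
                   (None when the signature carries no KeyInfo).
    token_issuer:  the Issuer of the SAML token, used only without KeyInfo.
    """
    entries = parse_trusted_aliases(config)
    listed = {alias for alias, _ in entries}
    if keyinfo_alias is not None:
        # KeyInfo present: the resolved alias must be in the trusted list,
        # otherwise any certificate in the keystore could be used.
        return keyinfo_alias if keyinfo_alias in listed else None
    # No KeyInfo: the issuer must map to a listed alias.
    if token_issuer is None:
        return None
    for alias, issuer in entries:
        if issuer == token_issuer:
            return alias
    return None
```

Note that an entry without an issuer (`myalias2` in the page's example) can only match through KeyInfo; a token from an unlisted issuer that omits KeyInfo is rejected rather than verified against an arbitrary keystore entry.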
This attribute indicates whether the web service provider will redirect the user for consent. The default value is yes.
This initiates an interaction to get user consent or to collect additional data. This property indicates whether the web service provider will redirect the user to collect additional data. The default value is yes.
This attribute indicates the length of time (in seconds) that the web service provider expects to take to complete an interaction and return control back to the web service client. For example, the web service provider receives a request indicating that the web service client will wait a maximum 30 seconds (set in WSC's Expected Duration for Interaction) for interaction. If this attribute is set to 40 seconds, the web service provider returns a SOAP fault (timeNotSufficient), indicating that the time is insufficient for interaction.
This attribute indicates whether the web service provider will enforce an HTTPS returnToURL specified by the web service client. The Liberty Alliance Project specifications state that the value of this property is always yes. The false value is primarily meant for ease of deployment in a phased manner.
This attribute indicates whether the web service provider will enforce that the address values of returnToHost and requestHost are the same. The Liberty Alliance Project specifications state that the value of this property is always yes. The false value is primarily meant for ease of deployment in a phased manner.
This attribute points to the location of the style sheet that is used to render the interaction page in HTML.
This attribute points to the location of the style sheet that is used to render the interaction page in WML.
This attribute specifies the URL where the WSPRedirectHandler servlet is deployed. The servlet handles the service provider side of interactions for user redirects.
Defines the WSP redirect handler URL exposed by a Load Balancer.
Defines the WSP redirect handler URLs of trusted servers in the cluster.
This attribute specifies the class that provides access methods to read interaction configurations.
This attribute indicates the level of interaction in which the WSC will participate if configured to participate in user redirects. The possible values are interactIfNeeded, doNotInteract, and doNotInteractForData. The affirmative interactIfNeeded is the default.
This attribute indicates whether the web service client will include a SOAP header to indicate certain preferences for interaction based on the Liberty specifications. The default value is yes.
This attribute defines whether the WSC will participate in user redirections. The default value is yes.
This attribute defines the maximum length of time (in seconds) that the web service client is willing to wait for the web service provider to complete its portion of the interaction. The web service provider will not initiate an interaction if the interaction is likely to take more time than what is set. For example, the web service provider receives a request where this property is set to a maximum 30 seconds. If the web service provider property WSP's Expected Duration for Interaction is set to 40 seconds, the web service provider returns a SOAP fault (timeNotSufficient), indicating that the time is insufficient for interaction.
This attribute specifies whether the web service client will enforce HTTPS in redirected URLs. The Liberty Alliance Project specifications state that the value of this property is always yes, which indicates that the web service provider will not redirect the user when the value of redirectURL (specified by the web service provider) is not an HTTPS URL. The false value is primarily meant for easy, phased deployment.
This attribute defines a list of values each specifying a Single Logout Handler implementation class for an individual federation protocol. Each value has following format: key=Federation_Protocol_Name|class=SPI_Implementation_Class_Name
By default, OASIS SAMLv2 (key=SAML2), Liberty ID-FF (key=IDFF) and WS-Federation (key=WSFED) are defined in the list. For example:
key=SAML2|class=com.sun.identity.multiprotocol.SAML2SingleLogoutHandler
key=IDFF|class=com.sun.identity.multiprotocol.IDFFSingleLogoutHandler
key=WSFED|class=com.sun.identity.multiprotocol.WSFederationSingleLogoutHandler
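A parser for the `key=...|class=...` entry format above, added here as an example that is not part of the OpenSSO Enterprise documentation or code base. It builds the protocol-to-handler map and rejects any entry whose class part is not a well-formed Java class name before it could reach a class loader. The function names and the `DEFAULT_SLO_HANDLER_ENTRIES` list (constructed from the three defaults quoted above) are assumptions of this example.

```python
import re
from typing import Dict, Iterable, Tuple

# Added example (not OpenSSO code): parse Single Logout Handler list entries
# of the form "key=<federation protocol>|class=<SPI implementation class>".
_ENTRY = re.compile(
    r"^key=(?P<key>[A-Za-z0-9_-]+)"
    r"\|class=(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*)$"
)

# Constructed list of the three defaults named above; in the console each
# string is one value of the multi-valued attribute.
DEFAULT_SLO_HANDLER_ENTRIES = [
    "key=SAML2|class=com.sun.identity.multiprotocol.SAML2SingleLogoutHandler",
    "key=IDFF|class=com.sun.identity.multiprotocol.IDFFSingleLogoutHandler",
    "key=WSFED|class=com.sun.identity.multiprotocol.WSFederationSingleLogoutHandler",
]


def parse_slo_handler_entry(entry: str) -> Tuple[str, str]:
    """Return (protocol key, class name), or raise ValueError if malformed."""
    match = _ENTRY.match(entry.strip())
    if match is None:
        raise ValueError(f"malformed Single Logout Handler entry: {entry!r}")
    return match.group("key"), match.group("cls")


def build_slo_handler_map(entries: Iterable[str]) -> Dict[str, str]:
    """Map each protocol key to its handler class; duplicates are an error."""
    handlers: Dict[str, str] = {}
    for entry in entries:
        key, cls = parse_slo_handler_entry(entry)
        if key in handlers:
            raise ValueError(f"duplicate Single Logout Handler for protocol {key}")
        handlers[key] = cls
    return handlers


def handler_class_for(handlers: Dict[str, str], protocol: str) -> str:
    """Look up the handler for a protocol; an unknown protocol is an error, not a silent skip."""
    try:
        return handlers[protocol]
    except KeyError:
        raise ValueError(f"no Single Logout Handler configured for {protocol}") from None
```

Failing loudly on an unknown protocol matters for logout: silently skipping a protocol would leave that federation's session alive after the user believes they have logged out.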
OpenSSO Enterprise provides a Password Reset service to allow users to receive an email message containing a new password or to reset their password for access to a given service or application protected by OpenSSO Enterprise. The Password Reset attributes are realm attributes. The attributes are:
This attribute specifies the name of user attribute that is used to search for the user whose password is to be reset.
This field allows you to add a list of questions that the user can use to reset his/her password. To add a question, type it in the Secret Question field and click Add. The selected questions appear in the user's User Profile page. The user can then select a question for resetting the password. Users may create their own question if the Personal Question Enabled attribute is selected.
This attribute specifies the search filter to be used to find user entries.
This attribute specifies the DN from which the user search will start. If no DN is specified, the search will start from the realm DN. You should not use cn=directorymanager as the base DN, due to proxy authentication conflicts.
This attribute value is used with Bind Password to reset the user password.
This attribute value is used with Bind DN to reset the user password.
Confirm the password.
This attribute determines the class name used for resetting the password. The default class name is com.sun.identity.password.RandomPasswordGenerator. The password reset class can be customized through a plug-in; the class must implement the PasswordGenerator interface.
This attribute determines the method used to notify the user of the password reset. The default class name is com.sun.identity.password.EmailPassword. The password notification class can be customized through a plug-in; the class must implement the NotifyPassword interface. See the OpenSSO Enterprise Developer's Guide for more information.
Selecting this attribute will enable the password reset feature.
Selecting this attribute will allow a user to create a unique question for password resetting.
This value specifies the maximum number of questions to be asked in the password reset page.
When enabled, this option forces the user to change his or her password on the next login. If you want an administrator, other than the top-level administrator, to set the force password reset option, you must modify the Default Permissions ACIs to allow access to that attribute.
This attribute specifies whether to prevent a user from resetting the password after an initial failure to reset it through the Password Reset application. By default, this feature is not enabled.
This attribute defines the number of attempts a user may make to reset a password, within the time interval defined in Password Reset Failure Lockout Interval, before being locked out. For example, if Password Reset Failure Lockout Count is set to 5 and Password Reset Failure Lockout Interval is set to 5 minutes, the user has five chances within five minutes to reset the password before being locked out.
This attribute defines (in minutes) the time window within which the number of failed attempts defined in Password Reset Failure Lockout Count must occur before the user is locked out.
This attribute specifies an email address that receives notification when a user is locked out of the Password Reset service. Specify multiple email addresses in a space-separated list.
This attribute specifies the number of password reset failures that can occur before OpenSSO Enterprise sends a warning message that the user will be locked out.
This attribute defines (in minutes) the duration during which a locked-out user cannot attempt a password reset.
This attribute contains the inetuserstatus value that is set in Password Reset Lockout Attribute Value. If a user is locked out from Password Reset, and the Password Reset Failure Lockout Duration (minutes) variable is set to 0, inetuserstatus will be set to inactive, prohibiting the user from attempting to reset his or her password.
This attribute specifies the inetuserstatus value (contained in Password Reset Lockout Attribute Name) of the user status, as either active or inactive. If a user is locked out from Password Reset, and the Password Reset Failure Lockout Duration (minutes) variable is set to 0, inetuserstatus will be set to inactive, prohibiting the user from attempting to reset his or her password.
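The lockout attributes above (count, interval, duration, warning count, and the inetuserstatus fallback when the duration is 0) combined into one sliding-window tracker, added here as an example that is not part of the OpenSSO Enterprise documentation or code base. The class and method names are assumptions, as is the reading of the warning count as "warn once the failures inside the window reach this number"; times are epoch seconds.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example (not OpenSSO code): sliding-window lockout for the Password
# Reset service. Attribute names in the comments refer to the console
# attributes described above.


@dataclass
class LockoutPolicy:
    failure_lockout_count: int = 5          # Password Reset Failure Lockout Count
    failure_lockout_interval_min: int = 5   # Password Reset Failure Lockout Interval (minutes)
    failure_lockout_duration_min: int = 15  # Password Reset Failure Lockout Duration (minutes); 0 = deactivate user
    lockout_warning_count: int = 3          # Password Reset Lockout Warning Count


@dataclass
class UserLockoutState:
    failures: List[float] = field(default_factory=list)  # failure timestamps inside the window
    locked_until: float = 0.0
    inetuserstatus: str = "active"           # Password Reset Lockout Attribute Name/Value


class PasswordResetLockout:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.users: Dict[str, UserLockoutState] = {}

    def _state(self, user: str) -> UserLockoutState:
        return self.users.setdefault(user, UserLockoutState())

    def can_attempt(self, user: str, now: float) -> bool:
        """False while the user is locked out or has been set inactive."""
        st = self._state(user)
        return st.inetuserstatus == "active" and now >= st.locked_until

    def record_failure(self, user: str, now: float) -> str:
        """Register one failed reset. Returns 'ok', 'warning' or 'locked'."""
        p, st = self.policy, self._state(user)
        window = p.failure_lockout_interval_min * 60
        # Slide the window: only failures younger than the interval count.
        st.failures = [t for t in st.failures if now - t < window]
        st.failures.append(now)
        count = len(st.failures)
        if count >= p.failure_lockout_count:
            st.failures.clear()
            if p.failure_lockout_duration_min == 0:
                # Duration 0: inetuserstatus becomes inactive until an
                # administrator reactivates the account.
                st.inetuserstatus = "inactive"
            else:
                st.locked_until = now + p.failure_lockout_duration_min * 60
            return "locked"   # the lockout notification email is sent at this point
        if count >= p.lockout_warning_count:
            return "warning"
        return "ok"
```

Because the window slides, four failures spread over more than the interval never lock the account, which is the page's "five chances within five minutes" semantics; a fixed window that resets at the first failure would be easier to probe.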
The Policy Configuration attributes enable the administrator to set the global and realm configuration properties used by the Policy service.
The Global Properties are:
Specifies the resource comparator information used to compare resources specified in a Policy rule definition. Resource comparison is used for both policy creation and evaluation.
Click the Add button and define the following attributes:
Specifies the service to which the comparator should be used.
Defines the Java class that implements the resource comparison algorithm.
Specifies the delimiter to be used in the resource name.
Specifies the wildcard that can be defined in resource names.
Matches zero or more characters, at the same delimiter boundary.
Specifies if the comparison of the two resources should consider or ignore case. False ignores case, True considers case.
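A resource comparator built from the attributes above (delimiter, wildcard, one-level wildcard, case sensitivity), added here as an example that is not part of the OpenSSO Enterprise documentation or code base. It assumes the spellings `*` for the wildcard and `-*-` for the one-level wildcard, and assumes that `*` may span delimiters while `-*-` stays within one delimiter boundary as described above; the function names are also assumptions.

```python
import re

# Added example (not OpenSSO code): compare a policy rule's resource pattern
# against a requested resource name using delimiter, wildcard, one-level
# wildcard and case-sensitivity settings.


def _pattern_to_regex(pattern: str, delimiter: str, wildcard: str, one_level_wildcard: str) -> str:
    if not wildcard or not one_level_wildcard or not delimiter:
        raise ValueError("delimiter and wildcard tokens must be non-empty")
    parts = []
    i = 0
    while i < len(pattern):
        # Check the longer token first so "-*-" is not read as "-", "*", "-".
        if pattern.startswith(one_level_wildcard, i):
            parts.append(f"[^{re.escape(delimiter)}]*")   # zero or more chars, same level
            i += len(one_level_wildcard)
        elif pattern.startswith(wildcard, i):
            parts.append(".*")                            # zero or more chars, any level
            i += len(wildcard)
        else:
            parts.append(re.escape(pattern[i]))           # literal character
            i += 1
    return "".join(parts)


def resource_matches(pattern: str, resource: str, *, delimiter: str = "/",
                     wildcard: str = "*", one_level_wildcard: str = "-*-",
                     case_sensitive: bool = False) -> bool:
    """True if the whole resource name matches the rule pattern."""
    flags = 0 if case_sensitive else re.IGNORECASE
    regex = _pattern_to_regex(pattern, delimiter, wildcard, one_level_wildcard)
    return re.fullmatch(regex, resource, flags) is not None
```

The comparator anchors the whole resource name (`fullmatch`), so `http://www.example.com/admin` does not match `http://www.example.com/admin/*` by prefix alone; a rule has to say what it means.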
Specifies whether or not the policy framework should continue evaluating subsequent policies, even if a DENY policy decision exists. If it is not selected (default), policy evaluation would skip subsequent policies once the DENY decision is recognized.
Defines the names of policy advice keys for which the Policy Enforcement Point (Policy Agent) redirects the user agent to OpenSSO Enterprise. If the agent receives a policy decision that does not allow access to a resource but does contain advices, the agent checks whether it has an advice key listed in this attribute.
If such an advice is found, the user agent is redirected to OpenSSO Enterprise, potentially allowing the access to the resource.
When set to Yes, this attribute allows you to create policies in sub-realms without having to create referral policies from the top-level or parent realm. You can only create policies to protect HTTP or HTTPS resources whose fully qualified hostname matches the DNSAlias of the realm. By default, this attribute is defined as No.
The LDAP Properties are:
Specifies the host name and port number of the primary LDAP server specified during OpenSSO Enterprise installation that will be used to search for Policy subjects, such as LDAP users, LDAP roles, LDAP groups, and so forth.
The format is hostname:port. For example: machine1.example.com:389
For failover configuration to multiple LDAP server hosts, this value can be a space-delimited list of hosts. The format is hostname1:port1 hostname2:port2...
For example: machine1.example1.com:389 machine2.example1.com:389
Multiple entries must be prefixed by the local server name. This is to allow specific OpenSSO Enterprise instances to be configured to talk to specific Directory Servers.
The format is servername|hostname:port For example:
machine1.example1.com|machine1.example1.com:389
machine1.example2.com|machine1.example2.com:389
For failover configuration:
AM_Server1.example1.com|machine1.example1.com:389 machine2.example1.com:389
AM_Server2.example2.com|machine1.example2.com:389 machine2.example2.com:389
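The server-name prefix and failover syntax above, resolved for one OpenSSO Enterprise instance, as an added example that is not part of the OpenSSO Enterprise documentation or code base. Entries without a prefix apply to every instance; prefixed entries apply only when the prefix equals the local server name. The function names and the sample values are assumptions (the sample list is constructed from the failover example above).

```python
from typing import List, Tuple

# Added example (not OpenSSO code): resolve the LDAP server list for the
# local instance from the multi-valued attribute described above.

# Constructed sample values, one per attribute value.
SAMPLE_LDAP_SERVER_VALUES = [
    "AM_Server1.example1.com|machine1.example1.com:389 machine2.example1.com:389",
    "AM_Server2.example2.com|machine1.example2.com:389 machine2.example2.com:389",
]


def _parse_host_port(token: str) -> Tuple[str, int]:
    """Split 'hostname:port' and validate the port range."""
    host, sep, port = token.rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid hostname:port entry: {token!r}")
    return host, int(port)


def ldap_hosts_for(values: List[str], local_server: str) -> List[Tuple[str, int]]:
    """Return the failover-ordered (host, port) list that applies to local_server."""
    generic: List[Tuple[str, int]] = []
    specific: List[Tuple[str, int]] = []
    for value in values:
        target, sep, hosts = value.partition("|")
        if sep:
            if target.strip() != local_server:
                continue                       # entry belongs to another instance
            specific.extend(_parse_host_port(t) for t in hosts.split())
        else:
            generic.extend(_parse_host_port(t) for t in value.split())
    chosen = specific or generic               # instance-specific entries win
    if not chosen:
        raise ValueError(f"no LDAP server entry applies to {local_server!r}")
    return chosen
```

Raising when nothing applies is deliberate: a policy subject lookup that silently falls back to no directory, or to another instance's directory, would evaluate subjects against the wrong data.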
Specifies the base DN in the LDAP server from which to begin the search. By default, it is the top-level realm of the OpenSSO Enterprise installation.
This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level realm of the OpenSSO Enterprise installation base.
Defines the DN of the realm or organization which is used as a base while searching for the values of OpenSSO Enterprise Roles. This attribute is used by the AccessManagerRoles policy subject.
Specifies the bind DN in the LDAP server.
Defines the password to be used for binding to the LDAP server. By default, the amldapuser password that was entered during installation is used as the bind user.
Confirm the password.
Specifies the search filter to be used to find organization entries. The default is (objectclass=sunManagedOrganization).
Defines the scope to be used to find organization entries. The scope must be one of the following:
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB (default)
Defines the scope to be used to find group entries. The scope must be one of the following:
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB (default)
Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).
Specifies the search filter to be used to find user entries. The default is (objectclass=inetorgperson).
Defines the scope to be used to find user entries. The scope must be one of the following:
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB (default)
Specifies the search filter to be used to find entries for roles. The default is (&(objectclass=ldapsubentry)(objectclass=nsroledefinitions)) .
This attribute defines the scope to be used to find entries for roles. The scope must be one of the following:
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB (default)
Defines the scope to be used to find entries for OpenSSO Enterprise Roles subject.
SCOPE_BASE
SCOPE_ONE
SCOPE_SUB (default)
Defines the attribute type for which to conduct a search on an organization. The default is o.
Defines the attribute type for which to conduct a search on a group. The default is cn.
Defines the attribute type for which to conduct a search on a user. The default is uid.
This field defines the attribute type for which to conduct a search on a role. The default is cn.
This field defines the maximum number of results returned from a search. The default value is 100. If the number of matching entries exceeds the specified limit, only the entries found up to that point are returned.
Specifies the amount of time before a search times out. If the search exceeds the specified time, the entries that have been found to that point are returned.
Specifies whether or not the LDAP server is running SSL. Selecting enables SSL, deselecting (default) disables SSL.
If the LDAP Server is running with SSL enabled (LDAPS), you must make sure that OpenSSO Enterprise is configured with proper SSL-trusted certificates so that OpenSSO Enterprise can connect to Directory server over LDAPS protocol.
Specifies the minimal size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.
This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.
Allows you to select a set of subject types available to be used for policy definition in the realm.
Allows you to select a set of conditions types available to be used for policy definition in the realm.
Allows you to select a set of referral types available to be used for policy definition in the realm.
This attribute specifies the amount of time (in minutes) that a cached subject result can be used to evaluate the same policy request based on the single sign-on token.
When a policy is initially evaluated for an SSO token, the subject instances in the policy are evaluated to determine whether the policy is applicable to a given user. The subject result, which is keyed by the SSO token ID, is cached in the policy. If another evaluation occurs for the same policy for the same SSO token ID within the time specified in the Subject Result Time To Live attribute, the policy framework retrieves the cached subjects result, instead of evaluating the subject instances. This significantly reduces the time for policy evaluation.
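The Subject Result Time To Live behaviour described above, modelled as a small cache keyed by policy name and SSO token ID, added here as an example that is not part of the OpenSSO Enterprise documentation or code base. The class and method names are assumptions; `evaluate` stands in for the real evaluation of the policy's subject instances, and times are epoch seconds.

```python
from typing import Callable, Dict, Tuple

# Added example (not OpenSSO code): subject-result cache with a TTL, keyed
# by (policy, SSO token ID), plus the periodic purge of expired entries.


class SubjectResultCache:
    def __init__(self, ttl_minutes: int):
        self.ttl = ttl_minutes * 60
        self._entries: Dict[Tuple[str, str], Tuple[bool, float]] = {}
        self.evaluations = 0   # how often the subject instances were really evaluated

    def is_applicable(self, policy: str, sso_token_id: str, now: float,
                      evaluate: Callable[[], bool]) -> bool:
        """Return the cached subject result if it is still fresh, else evaluate and cache."""
        key = (policy, sso_token_id)
        hit = self._entries.get(key)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]                      # fresh: reuse the cached result
        result = evaluate()                    # absent or stale: evaluate subjects
        self.evaluations += 1
        self._entries[key] = (result, now)
        return result

    def cleanup(self, now: float) -> int:
        """Drop expired entries (the job that runs at each cache cleanup interval)."""
        expired = [k for k, (_, t) in self._entries.items() if now - t >= self.ttl]
        for k in expired:
            del self._entries[k]
        return len(expired)

    def __len__(self) -> int:
        return len(self._entries)
```

The TTL is also the longest time a change in the user's group or role membership can go unnoticed by a policy that was already evaluated for that session, which is the trade-off to weigh when raising it.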
This attribute must be enabled if you create a policy to protect a resource whose subject is a member of a remote Directory Server that is aliased to a local user. For example, this attribute must be enabled if you create uid=rmuser in the remote Directory Server and then add rmuser as an alias of a local user (such as uid=luser) in OpenSSO Enterprise. When you log in as rmuser, a session is created for the local user (luser) and policy enforcement succeeds.
Defines the policy response provider plug-ins that are enabled for the realm. Only the response provider plug-ins selected in this attribute can be added to policies defined in the realm.
Defines the dynamic response attributes that are enabled for the realm. Only a subset of names selected in this attribute can be defined in the dynamic attributes list in IDResponseProvider to be added to policies defined in the realm.
This attribute specifies the duration (in seconds) between each cache cleanup.
Specifies the attribute name used to store name identifier information on a user's entry. If nothing is specified, the default attribute (sun-fm-saml2-nameid-info) will be used. The corresponding datastore bind user must have read/write/search/compare permission to this attribute.
Specifies the attribute name used to store the name identifier key on a user's entry. If not specified, the default attribute (sun-fm-saml2-nameid-infokey) is used. The corresponding datastore bind user must have read/write/search/compare permission on this attribute. You must also make sure that the equality type index is added.
Specifies the cookie domain for the SAMLv2 IDP discovery cookie.
Specifies the cookie type used in the SAMLv2 IDP Discovery Service, either Persistent or Session. The default is Session.
Specifies the URL scheme used in the SAMLv2 IDP Discovery Service.
Specifies the implementation class name for the SAMLv2 Encryption Provider interface. The class is used to perform XML encryption and decryption in SAMLv2 profiles.
This attribute is used by the com.sun.identity.saml2.xmlenc.FMEncProvider class. If enabled, the EncryptedKey element is placed inside a KeyInfo element within the EncryptedData element when performing XML encryption. If it is not enabled, EncryptedKey is emitted as a sibling of the EncryptedData element. The default is enabled.
If enabled, the signing certificate used by identity provider and service provider will be validated against certificate revocation list (CRL) configured in the Security settings under the Sites and Servers tab. If the certificate is not validated and accepted, it will stop and return a validation error without doing further XML signature validation.
If enabled, the SAML identity provider or service provider validates the certificate used for signing. If the certificate is validated and accepted, the provider validates the signature. If not, it stops and returns a validation error.
If enabled, the signing certificate used by identity provider and service provider will be validated against the trusted CA list. If the certificate is not validated and accepted, it will stop and return a validation error without doing further XML signature validation.
The SAMLv2 SOAP Binding service provides SOAP-based exchange of SAMLv2 Request and Response messages between an OpenSSO Enterprise client and the OpenSSO Enterprise server. The requests received are delegated to the request handler for further processing. The key to the Request Handler and the meta alias is in the SOAP Binding service URL. A mapping of the meta alias to the RequestHandler is stored in the SAMLv2 SOAP Binding service, which can be read from the OpenSSO Enterprise configuration store.
The RequestHandlerList is a list of key/value pair entries containing the mapping of the meta alias to the RequestHandler implementation. This attribute must be set if an OpenSSO Enterprise 8.0 server is being configured to act as a Policy Decision Point (PDP).
The Key is the Policy Decision Point meta alias and the Class is the Java class name, which is the implementation of RequestHandler Interface which can process XACML Requests.
For example, if the meta alias of the XACML Policy Decision Point is /pdp and the implementation of the interface is com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler, then the key should be set to /pdp and the class should be set to com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler.
The RequestHandler interface must be implemented on the server side by each SAMLv2 service that uses the SOAP Binding Service. The Request Handler List attribute stores information about the implementation classes that implement the Request Handler. The Request Handler List displays entries that contain key/value pairs.
Click New to display the New Request Handler attributes or click on a configured key value to modify existing attributes.
Provide values for the attributes based on the following information:
The Key is the Policy Decision Point meta alias.
The Class is the Java class name, which is the implementation of RequestHandler Interface which can process XACML Requests.
Click OK to complete the Request Handler configuration.
Click Save on the SAMLv2 SOAP Binding page to complete the service configuration.
The attributes contained in this service define the dynamic configuration for the OpenSSO Enterprise Security Token Service (STS). These attributes define the following configuration:
Issuing and creating security tokens
Web services security for the STS itself, securing the STS service endpoints. The Signing and Encryption attributes configure how the service provider validates incoming WS-Trust requests and secures outgoing WS-Trust responses. The Security Mechanism attribute defines the security credential of the security tokens.
SAML configuration to request SAML attribute mapping in the security token (through a SAML assertion) when the configured STS is specified as a web service provider and receives a SAML token (assertion) generated by a remote STS.
Security token validation received from a web service provider when the token was generated by a remote STS.
You can create dynamic configuration profiles for different OpenSSO Enterprise web services security providers in the Centralized Agent Configuration under the Realms tab.
The name of the Security Token service that issues the security tokens.
This field takes a value equal to:
%protocol://%host:%port%uri/sts
This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.
When enabled, this attribute encrypts the key issued by the Security Token service.
When enabled, this attribute encrypts the security token issued by the Security Token service.
Defines the amount of time for which the issued token is valid.
This attribute specifies the implementation class for the security token provider/issuer.
Defines the alias name for the certificate used to sign the security token issued by the Security Token service.
Defines the implementation class for the end user token conversion.
Defines the type of security credential that is used to secure the security token itself, or the security credential accepted by the Security Token service from the incoming WS-Trust request sent by the client. You can choose from the following security types:
Anonymous — The anonymous security mechanism contains no security credentials.
KerberosToken — Uses Kerberos tokens.
LibertyBearerToken — Uses the Liberty-defined bearer token.
LibertySAMLToken — Uses the Liberty-defined SAML token.
LibertyX509Token — Uses the Liberty-defined X509 certificate.
SAML-HolderOfKey — Uses the SAML 1.1 assertion type Holder-Of-Key.
SAML-SenderVouches — Uses the SAML 1.1 assertion type Sender Vouches.
SAML2-HolderOfKey — Uses the SAML 2.0 assertion token type Holder-Of-Key.
SAML2-SenderVouches — Uses the SAML 2.0 assertion token type Sender Vouches.
UserNameToken — Uses a user name token to secure the Security Token service requests.
UserNameToken-Plain — Uses a user name token with a clear text password for securing Security Token service requests.
X509Token — Uses the X509 certificate to secure the Security token.
Defines the authentication chain or service name that can be used to authenticate to the OpenSSO Enterprise authentication service using the credentials from an incoming issuer request's security token to generate OpenSSO Enterprise's authenticated security token.
The attribute represents the username/password shared secrets that are used by the Security Token service to validate a UserName token sent by the client as part of the incoming WS-Trust request.
Specifies that the Security Token service must verify the signature of the incoming WS-Trust request.
Specifies that all request headers received by the Security Token Service must be decrypted.
Specifies that all requests received by the Security Token Service must be decrypted.
Specifies that all responses sent by the Security Token Service must be signed.
Specifies that all responses sent by the Security Token service must be encrypted.
Defines the reference types used when the Security Token service signs the WS-Trust response. The possible reference types are DirectReference, KeyIdentifier, and X509.
Defines the encryption algorithm used by the Security Token service to encrypt the WS-Trust response.
Sets the encryption strength used by the Security Token service to encrypt the WS-Trust response. Select a greater value for greater encryption strength.
This attribute defines the private certificate key alias that is used to sign the WS-Trust response or to decrypt the incoming WS-Trust request.
This attribute defines the certificate private key type used for signing WS-Trust responses or decrypting WS-Trust requests. The possible types are PublicKey, SymmetricKey, or NoProofKey.
Defines the public certificate key alias used to verify the signature of the incoming WS-Trust request or to encrypt the WS-Trust response.
This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.
This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.
Specifies the Kerberos principal as the owner of the generated Security token.
Use the following format:
HTTP/hostname.domainname@dc_domain_name
hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. The Kerberos domain may differ from the domain name of the OpenSSO Enterprise instance.
This attribute specifies the Kerberos keytab file that is used for issuing the token. Use the following format, although the format is not required:
hostname.HTTP.keytab
hostname is the hostname of the OpenSSO Enterprise instance.
If enabled, this attribute specifies that the Kerberos token is signed.
All of the following SAML-related attributes are used in the configuration where the current instance of the Security Token service acts as the web service provider and receives a SAML token generated by another Security Token service instance.
This configuration represents a SAML attribute that needs to be generated as an Attribute Statement during SAML assertion creation by the Security Token Service for a web service provider. The format is SAML_attr_name=Real_attr_name.
SAML_attr_name is the SAML attribute name from a SAML assertion from an incoming web service request. Real_attr_name is the attribute name that is fetched from either the authenticated SSOToken or the identity repository.
The SAML NameID Mapper for an assertion that is generated for the Security Token service.
When enabled, the generated assertion contains user memberships as SAML attributes.
Defines the SAML Attribute Namespace for an assertion that is generated for the Security Token service.
Defines a list of trusted issuers that can be trusted to send security tokens to OpenSSO Enterprise. OpenSSO Enterprise must verify whether the security token was sent from one of these issuers.
Defines a list of IP addresses that can be trusted to send security tokens to OpenSSO Enterprise. OpenSSO Enterprise must verify whether the security token was sent from one of these hosts.
The Session service defines values for an authenticated user session such as maximum session time and maximum idle time. The Session attributes are global, dynamic, or user attributes. The attributes are:
Provides the connection information for the session repository used for the session failover functionality in OpenSSO Enterprise. The URL of the load balancer should be given as the identifier to this secondary configuration. If the secondary configuration is defined in this case, the session failover feature will be automatically enabled and become effective after the server restart.
Enter a name for the new Sub Configuration.
Enter data for the following fields:
Defines the database user who is used to retrieve and store the session data.
Defines the password for the database user defined in Session Store.
Confirm the password.
Defines the total time a thread is willing to wait for acquiring a database connection object. The value is in milliseconds.
Specifies the URL of the database.
Click Add.
This attribute specifies the maximum number of results returned by a session search. The default value is 120.
This attribute defines the maximum amount of time before a session search terminates. The default value is 5 seconds.
Enables or disables the session property change notification feature. In a single sign-on environment, one OpenSSO Enterprise session can be shared by multiple applications. If this feature is set to ON and one application changes any of the session properties listed in the Notification Properties attribute (a separate Session service attribute), a notification is sent to the other applications participating in the same single sign-on environment.
Enables or disables session quota constraints. The enforcement of session quota constraints enables administrators to limit a user to have a specific number of active/concurrent sessions based on the constraint settings at the global level, or the configurations associated with the entities (realm/role/user) to which this particular user belongs.
The default setting for this attribute is OFF. You must restart the server if the settings are changed.
Defines the amount of time (in milliseconds) that an inquiry to the session repository for the live user session count will continue before timing out.
After the maximum read time is reached, an error is returned. This attribute will take effect only when the session quota constraint is enabled in the session failover deployment. The default value is 6000 milliseconds. You must restart the server if the settings are changed.
Specifies whether the users with the Top-level Admin Role should be exempt from the session constraint checking. If YES, even though the session constraint is enabled, there will be no session quota checking for these administrators.
The default setting for this attribute is NO. You must restart the server if the settings are changed. This attribute will take effect only when the session quota constraint is enabled.
Specifies the resulting behavior when the user session quota is exhausted. There are two selectable options for this attribute:
The next expiring session will be destroyed.
The new session creation request will be denied.
This attribute will take effect only when the session quota constraint is enabled. The default setting is DESTROY_OLD_SESSION.
If set to YES, this attribute enforces user lockout on the server when the session repository is down. This attribute takes effect only when Enable Quota Constraints is selected.
When a change occurs on a session property defined in the list, the notification will be sent to the registered listeners. The attribute will take effect when the feature of Session Property Change Notification is enabled.
When set to YES, a minimum set of session properties is stored by the server between the session timeout and purge delay states. This is used to improve memory performance. The following properties are stored:
loginURL
SessionTimedOut
SAML2IDPSessionIndex
If set to OFF, then all session-related attributes are stored by OpenSSO Enterprise after a session timeout.
This attribute accepts a value in minutes to express the maximum time before the session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 120. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.) Max Session Time limits the validity of the session. It does not get extended beyond the configured value.
This attribute accepts a value (in minutes) equal to the maximum amount of time without activity before a session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 30. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.)
This attribute accepts a value (in minutes) equal to the maximum interval before the client contacts OpenSSO Enterprise to refresh cached session information. A value of 0 or higher will be accepted. The default value is 3. The maximum caching time should always be less than the maximum idle time; otherwise a client can keep serving a cached session after the server has already timed it out.
Specifies the maximum number of concurrent sessions allowed for a user.
The default user preferences are defined through the user service. These include time zone, locale and DN starting view. The User service attributes are dynamic attributes.
This field specifies the user's choice for the text language displayed in the OpenSSO Enterprise console. The default value is en. This value maps a set of localization keys to the user session so that the on-screen text appears in a language appropriate for the user.
This field specifies the time zone in which the user accesses the OpenSSO Enterprise console. There is no default value.
If this user is an OpenSSO Enterprise administrator, this field specifies the node that is displayed as the starting point in the OpenSSO Enterprise console when this user logs in. There is no default value. Any valid DN for which the user has at least read access can be used.
This option indicates the default status for any newly created user. This status is superseded by the User Entry status. Only active users can authenticate through OpenSSO Enterprise. The default value is Active. Either of the following can be selected from the pull-down menu:
The user can authenticate through OpenSSO Enterprise.
The user cannot authenticate through OpenSSO Enterprise, but the user profile remains stored in the directory.
The individual user status is set by registering the User service, choosing the value, applying it to a role and adding the role to the user's profile.
System Properties contain the following default services that you can configure:
An initial step in the authentication process is to identify the type of client making the HTTP(S) request. This OpenSSO Enterprise feature is known as client detection. The URL information is used to retrieve the client's characteristics. Based on these characteristics, the appropriate authentication pages are returned. For example, when a Netscape browser is used to request a web page, OpenSSO Enterprise 8.0 displays an HTML login page. Once the user is validated, the client type (Netscape browser) is added to the session token. The attributes defined in the Client Detection service are global attributes.
This attribute defines the default client type derived from the list of client types in the Client Types attribute. The default is genericHTML.
This attribute defines the client detection class through which all client detection requests are routed. The string returned by this class should match one of the client types listed in the Client Types attribute. The default client detection class is com.sun.mobile.cdm.FEDIClientDetector. OpenSSO Enterprise also contains com.iplanet.services.cdm.ClientDetectionDefaultImpl.
Enables client detection. If client detection is enabled (the default), every request is routed through the class specified in the Client Detection Class attribute. If this attribute is not selected, OpenSSO Enterprise assumes that the client is genericHTML and is being accessed from an HTML browser.
The Logging service provides status and error messages related to OpenSSO Enterprise administration. An administrator can configure values such as log file size and log file location. OpenSSO Enterprise can record events in flat text files or in a relational database. The Logging service attributes are global attributes. The attributes are:
This attribute accepts a value for the maximum size (in bytes) of an OpenSSO Enterprise log file. The default value is 100000000.
This attribute only applies to the FILE logging type. When the logging type is set to DB, there are no history files and no limit is explicitly set by OpenSSO Enterprise on the size of the log data.
This attribute has a value equal to the number of backup log files that will be retained for historical analysis. Any integer can be entered depending on the partition size and available disk space of the local system. The default value is 1.
This attribute only applies to the FILE logging type. When the logging type is set to DB, there are no history files and no limit is explicitly set by OpenSSO Enterprise on the size of the log data.
Entering a value of 0 is interpreted to be the same as a value of 1, meaning that if you specify 0, a history log file will be created.
The file-based logging function needs a location where log files can be stored. The default location is:
OpenSSO-deploy-base/uri/log
OpenSSO-deploy-base and uri are tags representing the base configuration directory and the OpenSSO Enterprise deployment URI, each specified during post-installation configuration. At runtime, the logging service determines the instance's proper directory for logging. This attribute's value can be set to an explicit path, but the base path should be the instance's configuration directory (the value of OpenSSO-deploy-base) to avoid permissions problems.
If a non-default directory is specified, OpenSSO Enterprise will create the directory if it does not exist. You should then set the appropriate permissions for that directory (for example, 0700).
When configuring the log location for DB (database) logging (such as, Oracle or MySQL), part of the log location is case sensitive. For example, if you are logging to an Oracle database, the log location should be (note case sensitivity):
jdbc:oracle:thin:@machine.domain:port:DBName
To configure logging to DB, add the JDBC driver files to the web container's JVM classpath. You also need to manually add the JDBC driver files to the classpath of the ssoadm script; otherwise ssoadm logging cannot load the JDBC driver.
Changes to logging attributes usually take effect after you save them. This does not require you to restart the server. If you are changing to secure logging, however, you should restart the server.
Specifies whether logging is turned on (ACTIVE) or off (INACTIVE). Value is set to ACTIVE during installation.
If set to false, host lookups will not be performed to populate the LogRecord's HostName field.
Enables you to specify either File, for flat file logging, or DB for database logging.
If the Database User Name or Database User Password is invalid, it will seriously affect OpenSSO Enterprise processing. If OpenSSO Enterprise or the console becomes unstable, set the Log Status attribute to INACTIVE.
After you have set the property, restart the server. You can then log in to the console and reset the logging attribute. Then, change the Log Status property to ACTIVE and restart the server.
This attribute accepts the name of the user that will connect to the database when the Logging Type attribute is set to DB.
This attribute accepts the database user password when the Logging Type attribute is set to DB.
Confirm the database password.
This attribute enables you to specify the driver used for the logging implementation class.
Represents the list of fields that are to be logged. By default, all of the fields are logged. The fields are:
CONTEXTID
DOMAIN
HOSTNAME
IPADDRESS
LOGGED BY
LOGINID
LOGLEVEL
MESSAGEID
MODULENAME
NAMEID
At minimum you should log CONTEXTID, DOMAIN, HOSTNAME, LOGINID and MESSAGEID.
This attribute sets the frequency (in seconds) that the server should verify the logs to detect tampering. The default time is 3600 seconds. This parameter applies to secure logging only.
This parameter sets the frequency (in seconds) that the log will be signed. The default time is 900 seconds. This parameter applies to secure logging only.
This attribute enables or disables secure logging. By default, secure logging is off. Secure Logging enables detection of unauthorized changes or tampering of security logs.
Secure logging can only be used for flat files. This option does not work for Database (DB) logging.
This attribute selects the signing algorithm, RSA or DSA (Digital Signature Algorithm), each of which uses a private key for signing and a public key for verification. You can select from the following:
MD2 w/RSA
MD5 w/RSA
SHA1 w/DSA
SHA1 w/RSA
MD2, MD5 and SHA1 are one-way hashes; RSA and DSA are the signing algorithms. For example, if you select the signing algorithm MD2 w/RSA, the secure logging feature hashes a group of messages with MD2 and encrypts the value with the RSA private key. This encrypted value is the signature of the original logged records and is appended as the last record after the most recently signed group. For validation, the feature decrypts the signature with the RSA public key and compares the decrypted value to the hash of the group of logged records. The secure logging feature can thereby detect any modification to any logged record.
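The following is an added illustration, not the OpenSSO Enterprise implementation, of the signing scheme just described: records accumulate, at each Signature Interval the group since the previous signature (together with that previous signature, so the groups chain) is hashed and signed and the signature appended as a log record, and verification at each Verify Interval recomputes every group. Python's standard library has no RSA or DSA, so the sign() helper uses HMAC-SHA1 as a labelled stand-in for SHA1 w/RSA; the record format, key and log lines are constructed.

```python
"""Secure-log signature chain modelled on the Logging service's secure
logging. Added illustration, not OpenSSO Enterprise code. HMAC-SHA1 stands
in for the SHA1 w/RSA private-key signature (stdlib has no RSA); the
grouping, chaining and tamper detection are what the example shows."""
import hashlib
import hmac
from typing import List, Optional, Tuple

SIG_PREFIX = "SIGNATURE:"  # constructed marker for a signature record


def group_digest(records: List[str]) -> bytes:
    # Hash the whole group as one unit, one record per line.
    h = hashlib.sha1()
    for r in records:
        h.update(r.encode("utf-8") + b"\n")
    return h.digest()


def sign(key: bytes, digest: bytes) -> str:
    # Stand-in for "SHA1 w/RSA": the private-key operation is an HMAC here.
    return hmac.new(key, digest, hashlib.sha1).hexdigest()


class SecureLog:
    def __init__(self, key: bytes):
        self.key = key
        self.records: List[str] = []
        self._group_start = 0  # first record not yet covered by a signature

    def append(self, record: str) -> None:
        self.records.append(record)

    def sign_group(self) -> Optional[str]:
        """Run at every Signature Interval: sign everything since the last
        signature. The previous signature record is included in the group so
        the signatures chain and a signed block cannot be dropped silently."""
        group = self.records[self._group_start:]
        if not group:
            return None
        prev = self.records[self._group_start - 1] if self._group_start else ""
        sig = SIG_PREFIX + sign(self.key, group_digest([prev] + group))
        self.records.append(sig)
        self._group_start = len(self.records)
        return sig


def verify(key: bytes, records: List[str]) -> Tuple[bool, int]:
    """Run at every Verify Interval over a log file. Returns (ok, index):
    index is -1 when every signed group checks out, otherwise the position
    of the first signature record that does not match the records it
    covers. Records after the last signature are not yet signed and are
    not checked."""
    start, prev = 0, ""
    for i, r in enumerate(records):
        if not r.startswith(SIG_PREFIX):
            continue
        group = records[start:i]
        expected = sign(key, group_digest([prev] + group))
        if not hmac.compare_digest(expected, r[len(SIG_PREFIX):]):
            return False, i
        prev, start = r, i + 1
    return True, -1
```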
When secure logging is enabled, the logging service looks for its certificate at the location specified by this attribute. The actual directory path is determined at runtime. The value can be set to an explicit path, but the base path should be accessible by the OpenSSO Enterprise instance.
The default value is OpenSSO-deploy-base/uri/Logger.jks.
This attribute sets the maximum number of records that the Java LogReader interfaces return, regardless of how many records match the read query. By default, it is set to 500. This attribute can be overridden by the caller of the Logging API through the LogQuery class.
This attribute is only applicable to secure logging. It specifies when the log files and keystore need to be archived, and the secure keystore regenerated, for subsequent secure logging. The default is five files per logger.
This attribute specifies the maximum number of log records to be buffered in memory before the logging service attempts to write them to the logging repository. The default is one record.
This attribute defines the maximum number of log records held in memory if database (DB) logging fails. This attribute is only applicable when DB logging is specified. When the OpenSSO Enterprise logging service loses its connection to the DB, it buffers up to the number of records specified. This attribute defaults to twice the value defined in the Buffer Size attribute.
This attribute defines the amount of time that the log records will be buffered in memory before they are sent to the logging service to be written. This attribute applies if Time Buffering is ON. The default is 3600 seconds.
When selected as ON, OpenSSO Enterprise will set a time limit for log records to be buffered in memory before they are written. The amount of time is set in the Buffer Time attribute.
Use this attribute to configure the degree of detail for all OpenSSO Enterprise log files. The default is the INFO level. FINE, FINER and FINEST provide more detail and more log records. In addition there is a level OFF that can be used to turn off logging, which is essentially the same as setting the Log Status attribute to INACTIVE.
The Naming service is used to get and set URLs, plug-ins and configurations as well as request notifications for various other OpenSSO Enterprise services such as session, authentication, logging, SAML and Federation.
This service enables clients to find the correct service URL if the platform is running more than one OpenSSO Enterprise. When a naming URL is found, the naming service will decode the session of the user and dynamically replace the protocol, host, and port with the parameters from the session. This ensures that the URL returned for the service is for the host that the user session was created on. The Naming attributes are:
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/profileservice
This syntax allows for dynamic substitution of the profile URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/sessionservice
This syntax allows for dynamic substitution of the session URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/loggingservice
This syntax allows for dynamic substitution of the logging URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/policyservice
This syntax allows for dynamic substitution of the policy URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/authservice
This syntax allows for dynamic substitution of the authentication URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/SAMLAwareServlet
This syntax allows for dynamic substitution of the SAML web profile/artifact URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/SAMLSOAPReceiver
This syntax allows for dynamic substitution of the SAML SOAP URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/SAMLPOSTProfileServlet
This syntax allows for dynamic substitution of the SAML web profile/POST URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/AssertionManagerServlet/AssertionManagerIF
This syntax allows for dynamic substitution of the SAML Assertion Manager Service URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/amserver/FSAssertionManagerServlet/FSAssertionManagerIF
This syntax allows for dynamic substitution of the Federation Assertion Manager Service URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/amserver/SecurityTokenManagerServlet/SecurityTokenManagerIF/
This syntax allows for dynamic substitution of the Security Token Manager URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port/amserver/jaxrpc/
This syntax allows for dynamic substitution of the JAXRPC Endpoint URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port%uri/identityservices/
This syntax allows for dynamic substitution of the Identity Web Services Endpoint URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port%uri/identity//
This syntax allows for dynamic substitution of the Identity REST Services Endpoint URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port%uri/sts
This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.
This field takes a value equal to:
%protocol://%host:%port%uri/sts/mex
This syntax allows for dynamic substitution of the Security Token Service MEX Endpoint URL based on the specific session parameters.
The Platform service is where additional servers can be added to the OpenSSO Enterprise configuration as well as other options applied at the top level of the OpenSSO Enterprise application. The Platform service attributes are global attributes. The attributes are:
The platform locale value is the default language subtype that OpenSSO Enterprise was installed with. The authentication, logging and administration services are administered in the language of this value. The default is en_US. See Supported Language Locales for a listing of supported language subtypes.
The list of domains that will be returned in the cookie header when setting a cookie to the user's browser during authentication. If empty, no cookie domain will be set. In other words, the OpenSSO Enterprise session cookie will only be forwarded to the OpenSSO Enterprise itself and to no other servers in the domain.
If SSO is required with other servers in the domain, this attribute must be set with the cookie domain. If you had two interfaces in different domains on one OpenSSO Enterprise then you would need to set both cookie domains in this attribute. If a load balancer is used, the cookie domain must be that of the load balancer's domain, not the servers behind the load balancer. The default value for this field is the domain of the installed OpenSSO Enterprise.
If set to Yes, this attribute enables hex encoding for cookies. The default is No.
This attribute specifies the character set for different clients at the platform level. It contains a list of client types and the corresponding character sets.
Enter a value for the Client Type.
Enter a value for the Character Set. See Supported Language Locales for the character sets available.
Click OK.
Click Save in the Platform Service main page.
The Servers and Sites configuration attributes allow for centralized configuration management of sites and servers for the entire deployment.
Multiple (two or more) OpenSSO Enterprise instances can be deployed on at least two different host servers. For example, you might deploy two instances on one server and a third instance on another server. Or you might deploy all instances on different servers. You can also configure the OpenSSO Enterprise instances in session failover mode, if required for your deployment.
One or more load balancers route client requests to the various OpenSSO Enterprise instances. You configure each load balancer according to your deployment requirements (for example, to use round-robin or load average) to distribute the load between the OpenSSO Enterprise instances. A load balancer simplifies the deployment, as well as resolves issues such as a firewall between the client and the back-end OpenSSO Enterprise servers. You can use a hardware or software load balancer with your OpenSSO Enterprise deployment. All OpenSSO Enterprise instances access the same Directory Server.
If you make any changes to the configuration attributes for Servers and Sites, either through the console or the command line interface, you must restart the web container on which OpenSSO Enterprise is deployed for the changes to take effect.
An entry for each server is automatically created in the server list when the OpenSSO Enterprise Configurator is run for server configuration. Under normal circumstances, these steps should not be required.
Log into the OpenSSO Enterprise console as the top-level administrator.
Click the Configuration tab and then click Sites and Servers.
Click New in the Servers list.
Enter the FQDN of the server that you wish to add and click OK.
The FQDN should be in the format of http(s)://host.domain:port/uri.
The newly created server instance appears in the list.
To edit the server, click on the name of the server. The configuration attributes for the server are available for you to customize.
The Default Server Settings are the set of default values for server instances. Each server instance needs a minimum set of property values, and most of these values, depending on your deployment, can be the same for all server instances. This setting allows you to enter the basic properties in one place, without having to change them for each additional server instance.
These default values can be overwritten. This is done by clicking the Inheritance Settings button, located at the top of the server instance profile page. After this button is clicked, the console displays a page where you can select and deselect which values to inherit or overwrite.
The Inheritance Settings allow you to select which default values can be overwritten for each server instance. Make sure that the attributes that you wish to define for the server instance are unchecked, and then click Save.
The General attributes configure basic configuration data for your centralized server management.
The site attribute is:
This attribute maps the load balancer Site Name (site ID) to the OpenSSO Enterprise server. Note that the site must already exist before you can select it here.
The system attributes list location information for the server instance:
Specifies the base directory where the product's data resides.
The locale value is the default language subtype that OpenSSO Enterprise was installed with. The default is en_us.
The location of notification service end point. This value is set during installation.
Default value is no. Determines whether validation is required when parsing XML documents using the OpenSSO Enterprise XMLUtils class. Allowable values are yes and no. XML document validation is turned on only if this property is set to yes and the Debug Level attribute is set to warning or message.
The Debugging attributes list basic error checking information:
Specifies debug level. Default value is error. Possible values are:
off — No debug file is created.
error — Only error messages are logged.
warning — Only warning messages are logged.
message — Error, warning, and informational messages are logged.
If set to ON, the server directs all debug data to a single file (debug.out). If set to OFF, the server creates separate per-component debug files.
Specifies the output directory where debug files will be created. Value is set during installation. Example: OpenSSO-deploy-base/uri/debug.
The Mail Server attributes list the host name and port for the mail server:
Default value is localhost. Specifies the mail server host.
Default value is 25. Specifies the mail server port.
The Security attributes define encryption, validation and cookie information to control the level of security for the server instance.
The encryption attributes are:
Specifies the key used to encrypt and decrypt passwords and is stored in the Service Management System configuration. Value is set during installation. Example: dSB9LkwPCSoXfIKHVMhIt3bKgibtsggd
The shared secret for application authentication module. Value is set during installation. Example: AQICPX9e1cxSxB2RSy1WG1+O4msWpt/6djZl
Default value is com.iplanet.services.util.JCEEncryption. Specifies the encrypting class implementation. Available classes are: com.iplanet.services.util.JCEEncryption and com.iplanet.services.util.JSSEncryption.
Default value is com.iplanet.am.util.JSSSecureRandomFactoryImpl. Specifies the factory class name for SecureRandomFactory. Available implementation classes are: com.iplanet.am.util.JSSSecureRandomFactoryImpl which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl which uses pure Java.
The validation attributes are:
Default value is 16384 or 16k. Specifies the maximum content-length for an HttpRequest that OpenSSO Enterprise will accept.
Default value is NO. Specifies whether or not the IP address of the client is checked in all SSOToken creations or validations.
The cookie attributes are:
Default value is iPlanetDirectoryPro. Cookie name used by Authentication Service to set the valid session handler ID. The value of this cookie name is used to retrieve the valid session information.
Allows the OpenSSO Enterprise cookie to be set in secure mode, in which the browser only returns the cookie when a secure protocol such as HTTPS is used. Default value is false.
This property allows OpenSSO Enterprise to URL-encode the cookie value, which converts characters to ones that are understandable by HTTP.
The following attributes allow you to configure keystore information for additional sites and servers that you create:
Value is set during installation. Example: OpenSSO-deploy-base/URI/keystore.jks. Specifies the path to the SAML XML signature keystore file.
Value is set during installation. Example: OpenSSO-deploy-base/URI/.storepass. Specifies the path to the SAML XML key storepass file.
Value is set during installation. Example: OpenSSO-deploy-base/URI/.keypass. Specifies the path to the SAML XML key password file.
Default value is test.
These attributes define the local Certificate Revocation List (CRL) caching repository that is used for keeping the CRL from certificate authorities. Any service that needs to obtain a CRL for certificate validation will receive the CRL based on this information.
Specifies the name of the LDAP server where the certificates are stored. The default value is the host name specified when OpenSSO Enterprise was installed. The host name of any LDAP Server where the certificates are stored can be used.
Specifies the port number of the LDAP server where the certificates are stored. The default value is the port specified when OpenSSO Enterprise was installed. The port of any LDAP Server where the certificates are stored can be used.
Specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.
Specifies the bind DN in the LDAP server.
Defines the password to be used for binding to the LDAP server. By default, the amldapuser password that was entered during installation is used.
This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level realm of the OpenSSO Enterprise installation base.
Any DN component of the issuer's subjectDN can be used to retrieve a CRL from a local LDAP server. It is a single-value string, for example "cn". All root CAs need to use the same search attribute.
The Online Certificate Status Protocol (OCSP) enables OpenSSO Enterprise services to determine the (revocation) state of a specified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.
This attribute enables OCSP checking. It is enabled by default.
This attribute defines a URL that identifies the location of the OCSP responder. For example, http://ocsp.example.net:80.
By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.
The OCSP responder nickname is the CA certificate nickname for that responder, for example Certificate Manager - sun. If set, the CA certificate must be present in the web server's certificate database. If the OCSP URL is set, the OCSP responder nickname must be set also; otherwise, both are ignored. If they are not set, the OCSP responder URL present in the user's certificate is used for OCSP validation. If no OCSP responder URL is present in the user's certificate, no OCSP validation is performed.
Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions.
This property can be true or false. All cryptographic operations run in FIPS-compliant mode only if it is true.
The session attributes allow you to configure session information for additional site and server instances.
The following attributes set server session limits:
Default value is 5000. Specify the maximum number of allowable concurrent sessions. Login sends a Maximum Sessions error if the maximum concurrent sessions value exceeds this number.
Default value is 3. Specifies the number of minutes after which the invalid session will be removed from the session table if it is created and the user does not login. This value should always be greater than the timeout value in the Authentication module properties file.
Default value is 0. Specifies the number of minutes to delay the purge session operation. After a session times out, this is an extended time period during which the session continues to reside in the session server. This property is used by the client application to check if the session has timed out through SSO APIs. At the end of this extended time period, the session is destroyed. The session is not sustained during the extended time period if the user logs out or if the session is explicitly destroyed by an OpenSSO Enterprise component. The session is in the INVALID state during this extended period.
The following attributes set statistical configuration:
Default value is 60. Specifies number of minutes to elapse between statistics logging. Minimum is 5 seconds to avoid CPU saturation. OpenSSO Enterprise assumes any value less than 5 seconds to be 5 seconds.
Default value is file. Specifies location of statistics log. Possible values are:
off — No statistics are logged.
file — Statistics are written to a file under the specified directory.
console — Statistics are written into Web Server log files.
Value is set during installation. Example: OpenSSO Enterprise-base/server-URI/stats. Specifies the directory where statistics files are created.
Default value is false. Enables or disables host lookup during session logging.
The following attributes set notification configuration:
Default value is 10. Defines the size of the pool by specifying the total number of threads.
Default value is 100. Specifies the maximum task queue length. When a notification task comes in, it is sent to the task queue for processing. If the queue reaches the maximum length, further incoming requests will be rejected along with a ThreadPoolException, until the queue has a vacancy.
The following attribute sets validation configuration:
Default value is true. Controls whether the client (agent) DN comparison is case insensitive. If the value is false, the comparison is case-sensitive.
The SDK attributes set configuration definitions for the back-end data store.
The Data Store attributes set basic datastore configuration:
Specifies whether back-end datastore notification is enabled. If this value is set to false, in-memory notification is used instead.
The default is false. This flag tells Service Management whether the Directory Proxy must be used for read, write, and modify operations to the Directory Server. It also determines whether ACIs or delegation privileges are used for access control. This flag must be set to true when the Access Manager SDK (version 7 or 7.1) is communicating with Access Manager version 6.3.
For example, in co-existence (legacy) mode this value should be true. The legacy DIT did not support delegation policies; only ACIs were supported, so to ensure a proper delegation check this flag must be set to true in a legacy mode installation so that the ACIs are used for access control. Otherwise the delegation check will fail.
In realm mode, this value should be set to false so that only the delegation policies are used for access control. In version 7.0 and later, Access Manager and OpenSSO Enterprise support a data-agnostic realm mode installation, so servers other than Directory Server may be used to store service configuration data. Setting this flag to false also tells Service Management that the Directory Proxy need not be used for read, write, and modify operations to the back-end storage, because some data stores, such as Active Directory, may not support proxy.
Default value is 10. Defines the size of the pool by specifying the total number of threads.
The following attributes define event service notification for the data store:
Default value is 3. Specifies the number of attempts made to successfully re-establish the Event Service connections.
Default value is 3000. Specifies the delay in milliseconds between retries to re-establish the Event Service connections.
Default values are 80,81,91. Specifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger.
Default value is 0. Specifies the number of minutes after which the persistent searches will be restarted.
This property is used when a load balancer or firewall is between the policy agents and the Directory Server, and the persistent search connections are dropped when TCP idle timeout occurs. The property value should be lower than the load balancer or firewall TCP timeout. This ensures that the persistent searches are restarted before the connections are dropped. A value of 0 indicates that searches will not be restarted. Only the connections that are timed out will be reset.
Specifies which event connection can be disabled. Values (case insensitive) can be:
aci — Changes to the aci attribute, with the search using the LDAP filter (aci=*).
sm — Changes in the OpenSSO Enterprise information tree (or service management node), which includes objects with the sunService or sunServiceComponent marker object class. For example, you might create a policy to define access privileges for a protected resource, or you might modify the rules, subjects, conditions, or response providers for an existing policy.
um — Changes in the user directory (or user management node). For example, you might change a user's name or address.
For example, to disable persistent searches for changes to the OpenSSO Enterprise information tree (or service management node):
com.sun.am.event.connection.disable.list=sm
Persistent searches cause some performance overhead on Directory Server. If you determine that removing some of this performance overhead is absolutely critical in a production environment, you can disable one or more persistent searches using this property.
However, before disabling a persistent search, you should understand the limitations described in this section. It is strongly recommended that this property not be changed unless absolutely required. This property was introduced primarily to avoid overhead on Directory Server when multiple 2.1 J2EE agents are used, because each of these agents establishes these persistent searches. The 2.2 J2EE agents no longer establish these persistent searches, so you might not need to use this property.
Disabling persistent searches for any of these components is not recommended, because a component with a disabled persistent search does not receive notifications from Directory Server. Consequently, changes made in Directory Server for that particular component will not be notified to the component cache. For example, if you disable persistent searches for changes in the user directory (um), OpenSSO Enterprise will not receive notifications from Directory Server. Therefore, an agent would not get notifications from OpenSSO Enterprise to update its local user cache with the new values for the user attribute. Then, if an application queries the agent for the user attributes, it might receive the old value for that attribute.
Use this property only in special circumstances when absolutely required. For example, if you know that Service Configuration changes (related to changing values to any of services such as Session Service and Authentication Services) will not happen in production environment, the persistent search to the Service Management (sm) component can be disabled. However, if any changes occur for any of the services, a server restart would be required. The same condition also applies to other persistent searches, specified by the aci and um values.
The following attributes set connection data for the back end data store:
Default is 1000. Specifies the number of milliseconds between retries.
Default value is 3. Specifies the number of attempts made to successfully re-establish the LDAP connection.
Default values are 80,81,91. Specifies the LDAPException error codes for which retries to re-establish the LDAP connection will trigger.
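The retry attributes above (and the matching Event Service ones) only make sense together: retries happen only for the listed result codes, and 80 (other), 81 (serverDown) and 91 (connectError) are transient connection failures, whereas a code such as 49 (invalidCredentials) should fail immediately. The following is an added example, not OpenSSO code, that reads the three LDAP connection properties in their AMConfig.properties spelling and applies exactly that rule; FlakyDirectory and the sample property text are constructed for the example.

```python
"""Reconnect-with-retries modelled on the SDK connection attributes above.

Added example, not OpenSSO code. It reads the three LDAP connection retry
properties in their AMConfig.properties spelling and retries only when the
failure carries one of the listed LDAP result codes. FlakyDirectory and the
sample property text are constructed for the example.
"""
import time


class LdapError(Exception):
    """Carries an LDAP result code, the way LDAPException does in the SDK."""

    def __init__(self, code):
        super().__init__(f"LDAP result code {code}")
        self.code = code


SAMPLE_PROPERTIES = """\
# constructed sample in AMConfig.properties form (these are the page's defaults)
com.iplanet.am.ldap.connection.num.retries=3
com.iplanet.am.ldap.connection.delay.between.retries=1000
com.iplanet.am.ldap.connection.ldap.error.codes.retries=80,81,91
"""


def parse_retry_properties(text):
    """Return {'retries', 'delay_ms', 'codes'} from key=value lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    codes = props.get("com.iplanet.am.ldap.connection.ldap.error.codes.retries", "")
    return {
        "retries": int(props.get("com.iplanet.am.ldap.connection.num.retries", "0")),
        "delay_ms": int(props.get("com.iplanet.am.ldap.connection.delay.between.retries", "0")),
        "codes": {int(c) for c in codes.split(",") if c.strip()},
    }


def with_retries(operation, cfg, sleep=time.sleep):
    """Call operation(); on LdapError with a listed code, wait and try again.

    Returns (result, attempts). 'retries' counts attempts after the first,
    so retries=3 allows four attempts in total. A code that is not listed
    (for example 49, invalidCredentials) is raised at once: retrying a bad
    bind only hammers the directory and hides a misconfiguration.
    """
    attempts = 0
    while True:
        attempts += 1
        try:
            return operation(), attempts
        except LdapError as err:
            if err.code not in cfg["codes"] or attempts > cfg["retries"]:
                raise
            sleep(cfg["delay_ms"] / 1000.0)


class FlakyDirectory:
    """Constructed stand-in: fails `failures` times with `code`, then binds."""

    def __init__(self, failures, code):
        self.failures = failures
        self.code = code
        self.calls = 0

    def bind(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise LdapError(self.code)
        return "bound"


def probe(failures, code, cfg):
    """Return (outcome, number of bind calls) without really sleeping."""
    directory = FlakyDirectory(failures, code)
    try:
        result, _ = with_retries(directory.bind, cfg, sleep=lambda s: None)
        return result, directory.calls
    except LdapError as err:
        return f"gave up with code {err.code}", directory.calls


if __name__ == "__main__":
    cfg = parse_retry_properties(SAMPLE_PROPERTIES)
    print(probe(2, 81, cfg))    # serverDown twice, then bound on the 3rd call
    print(probe(10, 81, cfg))   # still down after 1 + 3 attempts: give up
    print(probe(1, 49, cfg))    # invalidCredentials is not retried
```

The same parsing applies to the com.iplanet.am.event.connection.* properties; only the key names differ. When tuning these values, keep the product of retries and delay well below the TCP idle timeout of any load balancer in the path, otherwise the reconnect attempts themselves can be dropped.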
The following attributes define caching and replication configuration:
Default value is 10000. Specifies the size of the SDK cache when caching is enabled. Use an integer greater than 0, or the default size (10000 users) will be used.
Default value is 0. Specifies the number of times the SDK retries a directory operation to allow for replication delay (for example, when an entry is not yet present on the replica being queried).
Default value is 1000. Specifies the number of milliseconds between retries.
When enabled, the cache entries will expire based on the time specified in User Entry Expiration Time attribute.
This attribute specifies time in minutes for which the user entries remain valid in the cache after their last modification. After this specified period of time elapses (after the last modification/read from the Directory Server), the data for the entry that is cached will expire. At this point, new requests for data for these user entries are read from the Directory Server.
This attribute specifies the time in minutes for which the non-user entries remain valid in the cache after their last modification. After this specified period of time elapses (after the last modification/read from the Directory Server), the data for the entry that is cached will expire. At this point, new requests for data for these non-user entries are read from the Directory Server.
The Directory Configuration attributes define basic configuration information for the embedded directory store:
Specifies the minimal size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.
This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.
Specifies the bind DN in the LDAP server.
Defines the password used to bind to the LDAP server. By default, the amldapuser password entered during installation is used.
This attribute defines the directory server that will serve as the configuration data store for the OpenSSO Enterprise instance. To add a configuration server, click the Add button, and provide values for the following attributes:
Enter a name for the server.
Specifies fully-qualified host name of the Directory Server. For example:
DirectoryServerHost.domainName.com
Specifies the Directory Server port number.
Defines the connection type for the Directory Server. By default, SIMPLE is selected. You can also choose SSL.
The following attributes define basic directory-server configuration for Legacy mode instances of OpenSSO Enterprise. These attributes appear only in a Legacy mode installation.
Specifies the minimal size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.
This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.
This attribute lists the load balancer protocol, host name, and port. For example: http://lb.example.com:80.
The advanced properties enable an administrator to select and add values to server configuration properties that are not present in the OpenSSO Enterprise Console. In previous releases, all Server and Sites properties were located in the AMConfig.properties file.
In addition to the default properties displayed in the Advanced table of the console, the following properties can be added. A value of true,false, on,off or integer indicates the accepted values; a bare = indicates a free-form value.
am.encryption.pwd=
am_load_balancer_cookie=
com.iplanet.am.clientIPCheckEnabled=true,false
com.iplanet.am.console.deploymentDescriptor=
com.iplanet.am.console.host=
com.iplanet.am.console.port=integer
com.iplanet.am.console.protocol=https,http
com.iplanet.am.console.remote=true,false
com.iplanet.am.cookie.encode=true,false
com.iplanet.am.cookie.name=
com.iplanet.am.cookie.secure=true,false
com.iplanet.am.directory.host=
com.iplanet.am.directory.port=integer
com.iplanet.am.directory.ssl.enabled=true,false
com.iplanet.am.domaincomponent=
com.iplanet.am.event.connection.delay.between.retries=integer
com.iplanet.am.event.connection.ldap.error.codes.retries=
com.iplanet.am.event.connection.num.retries=integer
com.iplanet.am.jssproxy.checkSubjectAltName=true,false
com.iplanet.am.jssproxy.resolveIPAddress=true,false
com.iplanet.am.jssproxy.SSLTrustHostList=
com.iplanet.am.jssproxy.trustAllServerCerts=true,false
com.iplanet.am.lbcookie.name=
com.iplanet.am.lbcookie.value=
com.iplanet.am.ldap.connection.delay.between.retries=integer
com.iplanet.am.ldap.connection.ldap.error.codes.retries=
com.iplanet.am.ldap.connection.num.retries=integer
com.iplanet.am.locale=
com.iplanet.am.notification.threadpool.size=integer
com.iplanet.am.notification.threadpool.threshold=integer
com.sun.identity.client.notification.url=
com.iplanet.am.replica.delay.between.retries=integer
com.iplanet.am.replica.num.retries=integer
com.iplanet.am.rootsuffix=
com.iplanet.am.sdk.cache.entry.default.expire.time=integer
com.iplanet.am.sdk.cache.entry.expire.enabled=true,false
com.iplanet.am.sdk.cache.entry.user.expire.time=integer
com.iplanet.am.sdk.cache.maxSize=integer
com.iplanet.am.sdk.caching.enabled=true,false
com.iplanet.am.sdk.ldap.debugFileName=
com.iplanet.am.sdk.package=
com.iplanet.am.sdk.remote.pollingTime=integer
com.iplanet.am.server.host=
com.iplanet.am.server.port=integer
com.iplanet.am.server.protocol=https,http
com.iplanet.am.serverMode=true,false
com.iplanet.am.service.secret=
com.iplanet.am.services.deploymentDescriptor=
com.iplanet.am.session.client.polling.enable=true,false
com.iplanet.am.session.client.polling.period=integer
com.iplanet.am.session.failover.cluster.stateCheck.period=integer
com.iplanet.am.session.failover.cluster.stateCheck.timeout=integer
com.iplanet.am.session.failover.httpSessionTrackingCookieName=
com.iplanet.am.session.failover.sunAppServerLBRoutingCookieName=
com.iplanet.am.session.failover.useInternalRequestRouting=true,false
com.iplanet.am.session.failover.useRemoteSaveMethod=true,false
com.iplanet.am.session.invalidsessionmaxtime=integer
com.iplanet.am.session.maxSessions=integer
com.iplanet.am.session.protectedPropertiesList=
com.iplanet.am.session.purgedelay=integer
com.iplanet.am.smtphost=
com.iplanet.am.smtpport=integer
com.iplanet.am.stats.interval=integer
com.iplanet.am.util.xml.validating=on,off
com.iplanet.am.version=
com.iplanet.security.SSLSocketFactoryImpl=
com.iplanet.security.SecureRandomFactoryImpl=
com.iplanet.security.encryptor=
com.iplanet.services.cdsso.cookiedomain=
com.iplanet.services.comm.server.pllrequest.maxContentLength=integer
com.iplanet.services.configpath=
com.iplanet.services.debug.directory=
com.sun.identity.configFilePath=
com.iplanet.am.sdk.userEntryProcessingImpl=
com.iplanet.am.profile.host=
com.iplanet.am.profile.port=integer
com.iplanet.am.pcookie.name=
com.sun.identity.authentication.super.user=
com.sun.identity.password.deploymentDescriptor=
com.iplanet.am.session.httpSession.enabled=
unixHelper.port=integer
com.sun.identity.policy.Policy.policy_evaluation_weights=
unixHelper.ipaddrs=
com.sun.identity.authentication.uniqueCookieDomain=
com.sun.identity.monitoring.local.conn.server.url=
com.sun.identity.monitoring=
com.iplanet.services.debug.level=off,error,warning,message
com.sun.services.debug.mergeall=on,off
com.sun.embedded.sync.servers=on,off
com.sun.embedded.replicationport=integer
com.iplanet.services.stats.directory=
com.iplanet.services.stats.state=off,file,console
com.sun.am.event.connection.disable.list=
com.sun.am.event.connection.idle.timeout=integer
com.sun.am.ldap.connnection.idle.seconds=integer
com.sun.am.ldap.fallback.sleep.minutes=integer
com.sun.am.session.SessionRepositoryImpl=
com.sun.am.session.caseInsensitiveDN=true,false
com.sun.am.session.enableAddListenerOnAllSessions=true,false
com.sun.am.session.enableHostLookUp=true,false
com.sun.am.session.trustedSourceList=
com.sun.identity.agents.true.value=
com.sun.identity.amsdk.cache.enabled=true,false
com.sun.identity.client.encryptionKey=
com.sun.identity.cookieRewritingInPath=true,false
com.sun.identity.delegation.cache.size=integer
com.sun.identity.enableUniqueSSOTokenCookie=true,false
com.sun.identity.idm.cache.enabled=true,false
com.sun.identity.idm.cache.entry.default.expire.time=integer
com.sun.identity.idm.cache.entry.expire.enabled=true,false
com.sun.identity.idm.cache.entry.user.expire.time=integer
com.sun.identity.jsr196.authenticated.user=
com.sun.identity.jss.donotInstallAtHighestPriority=true,false
com.sun.identity.liberty.ws.util.providerManagerClass=
com.sun.identity.log.logSubdir=
com.sun.identity.loginurl=
com.sun.identity.overrideAMC=true,false
com.sun.identity.plugin.datastore.class.*=
com.sun.identity.security.checkcaller=true,false
com.sun.identity.security.x509.pkg=
com.sun.identity.server.fqdnMap=map
com.sun.identity.session.application.maxCacheTime=integer
com.sun.identity.session.connectionfactory.provider=
com.sun.identity.session.failover.connectionPoolClass=
com.sun.identity.session.httpClientIPHeader=
com.sun.identity.session.polling.threadpool.size=integer
com.sun.identity.session.polling.threadpool.threshold=integer
com.sun.identity.session.repository.cleanupGracePeriod=integer
com.sun.identity.session.repository.cleanupRunPeriod=integer
com.sun.identity.session.repository.dataSourceName=
com.sun.identity.session.repository.enableEncryption=true,false
com.sun.identity.session.repository.healthCheckRunPeriod=integer
com.sun.identity.session.resetLBCookie=true,false
com.sun.identity.session.returnAppSession=true,false
com.sun.identity.sitemonitor.SiteStatusCheck.class=
com.sun.identity.sitemonitor.interval=integer
com.sun.identity.sitemonitor.timeout=integer
com.sun.identity.sm.authservicename.provider=
com.sun.identity.sm.cache.enabled=true,false
com.sun.identity.sm.cacheTime=integer
com.sun.identity.sm.enableDataStoreNotification=true,false
com.sun.identity.sm.flatfile.root_dir=
com.sun.identity.sm.ldap.enableProxy=true,false
com.sun.identity.sm.notification.threadpool.size=integer
com.sun.identity.sm.sms_object_class_name=
com.sun.identity.url.readTimeout=integer
com.sun.identity.url.redirect=
com.sun.identity.urlchecker.invalidate.interval=integer
com.sun.identity.urlchecker.sleep.interval=integer
com.sun.identity.urlchecker.targeturl=
com.sun.identity.util.debug.provider=
com.sun.identity.webcontainer=
com.sun.identity.wss.discovery.config.plugin=
com.sun.identity.wss.provider.config.plugin=
com.sun.identity.wss.security.authenticator=
com.sun.identity.xmlenc.EncryptionProviderImpl=
s1is.java.util.logging.config.class=
s1is.java.util.logging.config.file=
com.sun.identity.authentication.special.users=
com.sun.identity.auth.cookieName=
com.iplanet.am.naming.failover.url=
com.sun.identity.authentication.uniqueCookieName=
securidHelper.ports=integer
com.iplanet.am.daemons=
bootstrap.file=
com.sun.identity.crl.cache.directory.host=
com.sun.identity.crl.cache.directory.port=integer
com.sun.identity.crl.cache.directory.ssl=true,false
com.sun.identity.crl.cache.directory.user=
com.sun.identity.crl.cache.directory.password=
com.sun.identity.crl.cache.directory.searchlocs=
com.sun.identity.crl.cache.directory.searchattr=
com.sun.identity.authentication.ocspCheck=true,false
com.sun.identity.authentication.ocsp.responder.url=
com.sun.identity.authentication.ocsp.responder.nickname=
com.sun.identity.security.fipsmode=true,false
com.sun.identity.urlconnection.useCache=true,false
com.sun.identity.sm.cache.ttl.enable=true,false
com.sun.identity.sm.cache.ttl=integer
com.sun.identity.common.systemtimerpool.size=integer
com.iplanet.services.cdc.invalidGotoStrings=
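Several of the properties in this list decide whether the SSO token cookie travels in clear text, whether outbound SSL validates certificates at all, and whether a component cache keeps receiving Directory Server change notifications. The following is an added example, not part of OpenSSO, that reads an export of these properties in key=value form and flags the values that deserve a second look. The property names are the ones listed above; which values count as risky is this editor's recommendation rather than a product default, and the sample export is constructed.

```python
"""Audit an OpenSSO advanced-properties export for risky settings.

Added example, not part of OpenSSO. The property names come from the list
above; which values count as risky is this editor's recommendation, not a
product default, and the sample export is constructed.
"""

# (property, value that warrants attention, why): editor's recommendations
RISKY_SETTINGS = [
    ("com.iplanet.am.cookie.secure", "false",
     "SSO token cookie may be sent over plain HTTP"),
    ("com.iplanet.am.jssproxy.trustAllServerCerts", "true",
     "outbound SSL accepts any server certificate"),
    ("com.iplanet.am.jssproxy.checkSubjectAltName", "false",
     "subjectAltName is not checked against the peer host name"),
    ("com.iplanet.am.clientIPCheckEnabled", "false",
     "sessions are not bound to the client IP (acceptable behind some proxies, but review)"),
    ("com.iplanet.services.debug.level", "message",
     "verbose debug logging can write session and user data to disk"),
]

# components named by com.sun.am.event.connection.disable.list (see above)
NOTIFICATION_COMPONENTS = {"aci", "sm", "um"}


def parse_properties(text):
    """Parse key=value lines; '#' and '!' start comments as in Java properties."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props):
    """Return a list of (property, value, reason) findings."""
    findings = []
    for key, risky, reason in RISKY_SETTINGS:
        if props.get(key, "").strip().lower() == risky:
            findings.append((key, props[key], reason))
    disabled = props.get("com.sun.am.event.connection.disable.list", "")
    for component in (c.strip().lower() for c in disabled.split(",")):
        if component in NOTIFICATION_COMPONENTS:
            findings.append(("com.sun.am.event.connection.disable.list", component,
                             "persistent search disabled: that component's cache no longer "
                             "receives Directory Server change notifications"))
    return findings


SAMPLE_EXPORT = """\
# constructed sample; iPlanetDirectoryPro is the product's default cookie name
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.cookie.secure=false
com.iplanet.am.jssproxy.trustAllServerCerts=true
com.iplanet.am.jssproxy.checkSubjectAltName=true
com.iplanet.services.debug.level=error
com.sun.am.event.connection.disable.list=sm
com.sun.identity.security.fipsmode=true
"""


if __name__ == "__main__":
    for key, value, reason in audit(parse_properties(SAMPLE_EXPORT)):
        print(f"{key}={value}: {reason}")
```

Run it against a copy of the Advanced table pasted as key=value lines; the sample above produces three findings (the insecure cookie, the trust-all SSL setting, and the disabled sm persistent search). Extend RISKY_SETTINGS with your own deployment's rules rather than treating this list as complete.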
Click New in the Site list.
Enter the Site Name.
This value uniquely identifies the server and allows the possibility of specifying a second entry point (in addition to the primary URL) to the site. This is also used to shorten the cookie length by mapping the server URL to the server ID.
Enter the Primary URL for the site instance, including the site URI.
Click Save.
The created site will appear in the site list in the correct format.
Click on the name of the site you wish to edit from the Site list.
The primary URL for the site is listed in the Primary URL attribute.
If you wish, add a Secondary URL.
The secondary URL provides the connection information for the session repository used for the session failover functionality in OpenSSO Enterprise. The URL of the load balancer should be given as the identifier to this secondary configuration. If the secondary configuration is defined in this case, the session failover feature will be automatically enabled and become effective after the server restart.
Click Save.
The following table lists the Servers and Sites properties that were included in AMConfig.properties in previous releases, but are now managed as attributes through the OpenSSO Enterprise console. The properties are listed alphabetically. To search for a particular property, use your browser's Search or Find function.
Property Name: the name of the property in the AMConfig.properties file.
Attribute Name in Console: the name of the attribute as it appears in the OpenSSO Enterprise console.
Location in Console: the console location where the attribute is found.

| Property Name | Attribute Name in Console | Location in Console |
|---|---|---|
| am.encryption.pwd | Password Encryption Key | Servers and Sites > Security |
| com.iplanet.am.clientIPCheckEnabled | Client IP Address Check | Servers and Sites > Security |
| com.iplanet.am.cookie.encode | Encode Cookie Value | Servers and Sites > Security |
| com.iplanet.am.cookie.name | Cookie Name | Servers and Sites > Security |
| com.iplanet.am.cookie.secure | Secure Cookie | Servers and Sites > Security |
| com.iplanet.am.event.connection.delay.between.retries | Delay Between Event Service Connection Retries | Servers and Sites > SDK |
| com.iplanet.am.event.connection.ldap.error.codes.retries | Error Codes for Event Service Connection Retries | Servers and Sites > SDK |
| com.iplanet.am.event.connection.num.retries | Number of retries for Event Service Notification | Servers and Sites > SDK |
| com.iplanet.am.ldap.connection.delay.between.retries | Delay Between LDAP Connection Retries | Servers and Sites > SDK |
| com.iplanet.am.ldap.connection.ldap.error.codes.retries | Error Codes for LDAP Connection Retries | Servers and Sites > SDK |
| com.iplanet.am.ldap.connection.num.retries | Number of Retries for LDAP Connection | Servers and Sites > SDK |
| com.iplanet.am.locale | Default Locale | Servers and Sites > General |
| com.iplanet.am.notification.threadpool.size | Notification Pool Size | Servers and Sites > Session |
| com.iplanet.am.notification.threadpool.threshold | Notification Thread Pool Threshold | Servers and Sites > Session |
| com.iplanet.am.replica.delay.between.retries | Delay Between SDK Replica Retries | Servers and Sites > SDK |
| com.iplanet.am.replica.num.retries | SDK Replica Retries | Servers and Sites > SDK |
| com.iplanet.am.rootsuffix | | |
| com.iplanet.am.sdk.cache.entry.default.expire.time | Default Entry Expiration Time | Servers and Sites > SDK |
| com.iplanet.am.sdk.cache.entry.expire.enabled | Cache Entry Expiration Enabled | Servers and Sites > SDK |
| com.iplanet.am.sdk.cache.entry.user.expire.time | User Entry Expiration Time | Servers and Sites > SDK |
| com.iplanet.am.sdk.cache.maxSize | SDK Caching Max. Size | Servers and Sites > SDK |
| com.iplanet.am.service.secret | Authentication Service Shared Secret | Servers and Sites > Security |
| com.iplanet.am.session.invalidsessionmaxtime | Invalidate Session Max Time | Servers and Sites > Session |
| com.iplanet.am.session.maxSessions | Maximum Sessions | Servers and Sites > Session |
| com.iplanet.am.session.purgedelay | Sessions Purge Delay | Servers and Sites > Session |
| com.iplanet.am.smtphost | Mail Server Host Name | Servers and Sites > General |
| com.iplanet.am.smtpport | Mail Server Port Number | Servers and Sites > General |
| com.iplanet.am.stats.interval | Logging Interval | Servers and Sites > Session |
| com.iplanet.security.encryptor | Encryption Class | Servers and Sites > Security |
| com.iplanet.services.comm.server.pllrequest.maxContentLength | Platform Low Level. Comm. Max. Content Length | Servers and Sites > Security |
| com.iplanet.services.configpath | Base Installation Directory | Servers and Sites > General |
| com.iplanet.services.debug.directory | Debug Directory | Servers and Sites > General |
| com.iplanet.services.debug.level | Debug Level | Servers and Sites > General |
| com.iplanet.services.stats.directory | Directory | Servers and Sites > General |
| com.iplanet.services.stats.state | State | Servers and Sites > Session |
| com.sun.am.event.connection.disable.list | Disabled Event Service Connection | Servers and Sites > SDK |
| com.sun.am.session.caseInsensitiveDN | Case Insensitive Client DN Comparison | Servers and Sites > Session |
| com.sun.am.session.enableHostLookUp | Enable Host Lookup | Servers and Sites > Session |
| com.sun.identity.saml.xmlsig.certalias | Certificate Alias | Servers and Sites > Security |
| com.sun.identity.saml.xmlsig.keypass | Private Key Password File | Servers and Sites > Security |
| com.sun.identity.saml.xmlsig.keystore | Keystore File | Servers and Sites > Security |
| com.sun.identity.saml.xmlsig.storepass | Keystore Password File | Servers and Sites > Security |
| com.sun.identity.sm.ldap.enableProxy | Enable Directory Proxy | Servers and Sites > SDK |
This chapter contains definitions of the attributes for configuring the OpenSSO Enterprise data store types. The Active Directory, Generic LDAPv3, and Sun Directory Server with OpenSSO Enterprise Schema data store types share the same underlying plug-in, so the configuration attributes are the same. (The default values for some of the attributes are different for each datastore type and are displayed accordingly in the OpenSSO Enterprise console.) This chapter contains the following sections:
When configuring Microsoft Active Directory to work with OpenSSO Enterprise, you have to map the predefined properties to properties defined in your instance of Active Directory; this is called attribute mapping. Following are the attributes that need to be defined when adding Active Directory as a data store to a realm.
Enter the name of the LDAP server to which OpenSSO will be connected in the format host.domain:portnumber. If more than one entry is entered, an attempt is made to connect to the first host in the list. The next entry in the list is tried only if the attempt to connect to the current host fails.
Optionally, a server identifier and site identifier can be appended to the value of the LDAP Server attribute for redundancy. In this case, the format is host.domain:portnumber|serverID|siteID. These identifiers are assigned to the server when they are configured globally.
serverID specifies a particular server as the primary LDAP server and others as secondary and tertiary (as defined) fallback servers. (If no number is specified, the LDAP server is primary.) The identifier is displayed in the OpenSSO console.
Click the Configuration tab, click the Servers and Sites tab.
Click the appropriate Server Name.
Under the Advanced tab, see the value of the com.iplanet.am.lbcookie.value property — for example, 01.
siteID is not currently displayed in the OpenSSO console. It is a two-digit number generated internally by OpenSSO, for example 02. To find this value, use an LDAP browser to locate ou=accesspoint,ou=site_name,ou=com-sun-identity-sites,ou=default,ou=GlobalConfig,ou=iPlanetAMPlatformService,ou=services,root-suffix. Under this DN, the value of sunkeyvalue:primary-siteid=site-id is the site identifier.
This configuration should not be changed for the OpenSSO embedded data store as it may cause inconsistent behavior.
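The value format above, host.domain:port optionally followed by |serverID|siteID, is what decides which directory an instance binds to first and which ones it falls back to. The following is an added example, not OpenSSO code, that parses such values and orders them for one instance. The priority rule it implements (entries tagged with this server's ID first, then entries tagged with this site's ID, then untagged entries, original order kept within each group) is this editor's reading of the description above, not a verified statement of the product's algorithm; the host names and IDs are constructed.

```python
"""Parse LDAP Server values and order them for failover.

Added example, not OpenSSO code. Values have the form host.domain:port or
host.domain:port|serverID|siteID, as described above. The priority rule
used here (entries tagged with this server's ID first, then entries tagged
with this site's ID, then untagged entries, original order kept within each
group) is this editor's reading of the text, not a verified description of
the product's algorithm. The host names and IDs are constructed.
"""
from collections import namedtuple

LdapServer = namedtuple("LdapServer", "host port server_id site_id")


def parse_ldap_server(value):
    """'ds1.example.com:389|01|02' -> LdapServer('ds1.example.com', 389, '01', '02')."""
    parts = [p.strip() for p in value.split("|")]
    if len(parts) > 3 or not parts[0]:
        raise ValueError(f"bad LDAP Server value: {value!r}")
    host, sep, port = parts[0].rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"expected host.domain:port in {value!r}")
    server_id = parts[1] if len(parts) > 1 and parts[1] else None
    site_id = parts[2] if len(parts) > 2 and parts[2] else None
    return LdapServer(host, int(port), server_id, site_id)


def is_valid_ldap_server(value):
    """True when the value parses; use it to validate console input."""
    try:
        parse_ldap_server(value)
        return True
    except ValueError:
        return False


def order_for_failover(values, this_server_id, this_site_id):
    """Return LdapServer entries in the order this instance should try them."""
    servers = [parse_ldap_server(v) for v in values]

    def rank(s):
        if s.server_id is not None and s.server_id == this_server_id:
            return 0                       # primary for this server instance
        if s.site_id is not None and s.site_id == this_site_id:
            return 1                       # fallback within the same site
        if s.server_id is None and s.site_id is None:
            return 2                       # untagged: available to everyone
        return 3                           # tagged for another server or site

    return sorted(servers, key=rank)       # sorted() is stable: list order kept per group


SAMPLE_VALUES = [                          # constructed
    "ds1.example.com:389|01|02",
    "ds2.example.com:389|02|02",
    "ds3.example.com:636",
]


if __name__ == "__main__":
    for s in order_for_failover(SAMPLE_VALUES, "02", "02"):
        print(f"{s.host}:{s.port}  server={s.server_id} site={s.site_id}")
```

With the sample values, the instance whose server ID is 02 tries ds2 first, then ds1 (same site), then the untagged ds3. Note that the tag only orders the attempts; every server in the list must be one you trust with the bind credentials configured below, because a fallback is bound to with exactly the same DN and password.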
Specifies the DN that OpenSSO Enterprise uses to authenticate to the LDAP server to which you are currently connected. The user with this DN must have the add, modify, and delete privileges required by the operations you configured in the LDAPv3 Plugin Supported Types and Operations attribute, and should be granted no more than those privileges.
Specifies the DN password that OpenSSO Enterprise will use to authenticate to the LDAP server to which you are currently connected.
Confirm the password.
The DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.
When enabled, OpenSSO Enterprise connects to the primary server over SSL (LDAPS) instead of plain LDAP.
Specifies the initial number of connections in the connection pool. The use of connection pool avoids having to create a new connection each time.
Specifies the maximum number of connections allowed.
Specifies the maximum number of entries returned from a search operation. If this limit is reached, Active Directory returns the entries that matched the search request up to that point.
Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Active Directory returns the entries that matched the search request up to that point.
If enabled, this option specifies that referrals to other LDAP servers are followed automatically.
Specifies the location of the class file which implements the LDAPv3 repository.
Enables common attributes known to the framework to be mapped to the native data store. For example, if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive. The defaults are:
employeeNumber=distinguishedName
iplanet-am-user-alias-list=objectGUID
mail=userPrincipalName
portalAddress=sAMAccountName
telephonenumber=displayName
uid=sAMAccountName
Specifies the identity types and the operations that can be performed on them in this LDAP server. The default operations are the only operations supported by the LDAPv3 repository plug-in:
Agent: read, create, edit, delete
Group: read, create, edit, delete
Realm: read, create, edit, delete, service
User: read, create, edit, delete, service
Role: read, create, edit, delete
You can remove permissions from the above list (except role) based on your LDAP server settings and the tasks, but you can not add more permissions. If the configured LDAPv3 Repository plug-in is pointing to an instance of Sun Directory Server, permissions for the type role can be added. Otherwise, this permission may not be added because other data stores may not support roles.
If you have user as a supported type for the LDAPv3 repository, the read, create, edit, and delete service operations are possible for that user. In other words, if user is a supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries from the identity repository. The user=service operation lets OpenSSO Enterprise services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.
The user is also allowed to manage the user attributes for any assigned service. If the user has service as the operation (user=service), then it specifies that all service-related operations are supported. These operations are assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes and modifyService.
Defines the scope to be used to find LDAPv3 plug-in entries. The scope must be one of the following:
SCOPE_BASE: searches only the base DN.
SCOPE_ONE: searches only the entries under the base DN.
SCOPE_SUB (default): searches the base DN and all entries within its subtree.
This field defines the attribute type to conduct a search for a user. For example, if the user's DN is uid=user1, ou=people, dc=example, dc=com, then you would specify uid in this field.
Specifies the search filter to be used to find user entries.
Specifies the object classes for a user. When a user is created, this list of user object classes will be added to the user's attributes list.
Defines the list of attributes associated with a user. Any attempt to read or write user attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must already be defined in the directory before you reference them here.
Specifies which attributes are required when a user is created. This attribute uses the following syntax:
DestinationAttributeName=SourceAttributeName
If the source attribute name is missing, the default is the user ID (uid). For example:
cn sn=givenName
Both cn and sn are required in order to create a user profile. cn gets the value of the attribute named uid, and sn gets the value of the attribute named givenName.
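The attribute name mapping and the create-user rule above are two separate tables that are applied to the same entry, and both are case-sensitive. The following is an added example, not OpenSSO code, that shows what a new user entry looks like once the default Active Directory name mapping listed above and the DestinationAttributeName=SourceAttributeName rule (with its uid default) have been applied; the sample user is constructed, and the order of the two steps and the handling of a missing source attribute are this editor's choices for the example rather than a statement about the plug-in.

```python
"""Apply the Attribute Name Mapping and the Create User Attribute Mapping.

Added example, not OpenSSO code. It shows what a user entry looks like once
the framework-to-native name mapping (the Active Directory defaults listed
above) and the DestinationAttributeName=SourceAttributeName rule with its
uid default have been applied. The sample user is constructed; the
mapping text and the "cn sn=givenName" rule are the page's own values.
The order of the two steps and the way a missing source is handled are
this editor's choices for the example, not a statement about the plug-in.
"""

DEFAULT_AD_NAME_MAPPING = """\
employeeNumber=distinguishedName
iplanet-am-user-alias-list=objectGUID
mail=userPrincipalName
portalAddress=sAMAccountName
telephonenumber=displayName
uid=sAMAccountName
"""


def parse_name_mapping(text):
    """framework attribute -> native attribute; names stay case-sensitive."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and "=" in line:
            framework, _, native = line.partition("=")
            mapping[framework.strip()] = native.strip()
    return mapping


def parse_create_user_rules(text):
    """'cn sn=givenName' -> [('cn', 'uid'), ('sn', 'givenName')]."""
    rules = []
    for token in text.split():
        dest, _, src = token.partition("=")
        rules.append((dest, src or "uid"))     # missing source defaults to uid
    return rules


def build_native_entry(framework_attrs, name_mapping, create_rules):
    """Return the attributes that would be written for a new user.

    Required attributes are filled first from their source attribute and
    a missing source is an error, so a user is never created with an empty
    required attribute. Remaining framework attributes are then renamed
    through the mapping; an attribute with no mapping keeps its name.
    """
    entry = {}
    for dest, src in create_rules:
        if src not in framework_attrs:
            raise KeyError(f"required attribute {dest!r} needs {src!r}, which is missing")
        entry[dest] = framework_attrs[src]
    for framework_name, value in framework_attrs.items():
        entry.setdefault(name_mapping.get(framework_name, framework_name), value)
    return entry


def can_create(framework_attrs, name_mapping, create_rules):
    """True when every required source attribute is present."""
    try:
        build_native_entry(framework_attrs, name_mapping, create_rules)
        return True
    except KeyError:
        return False


SAMPLE_USER = {                              # constructed
    "uid": "jdoe",
    "givenName": "Jane",
    "mail": "jdoe@example.com",
}


if __name__ == "__main__":
    mapping = parse_name_mapping(DEFAULT_AD_NAME_MAPPING)
    rules = parse_create_user_rules("cn sn=givenName")
    for native, value in sorted(build_native_entry(SAMPLE_USER, mapping, rules).items()):
        print(f"{native}: {value}")
```

For the sample user the result contains cn and sAMAccountName both set to jdoe (the first from the create rule, the second from the uid mapping), sn and givenName set to Jane, and userPrincipalName carrying the mail value. A user with only uid is rejected because sn has no source, which is the behaviour you want rather than a half-populated account.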
Specifies the attribute name to indicate if the user is active or inactive.
This attribute value is assigned to the user when the user is created. For a user to be active, the Active Directory value is 544. For a user to be inactive, the Active Directory value is 546. In userAccountControl terms, 544 is NORMAL_ACCOUNT (512) plus PASSWD_NOTREQD (32), and 546 adds ACCOUNTDISABLE (2); PASSWD_NOTREQD allows the account to exist without a password, which is worth knowing when reviewing accounts created through this data store.
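Because 544 and 546 are bit masks rather than opaque status codes, it helps to be able to decode them and to see what the tighter alternatives are. The following is an added example, not OpenSSO code; the flag bits are Microsoft's documented userAccountControl values, and whether the plug-in compares the attribute literally or as a bit mask is not stated on this page, so the helper only decodes the bits.

```python
"""Decode and compose Active Directory userAccountControl values.

Added example, not OpenSSO code. The flag bits are Microsoft's documented
userAccountControl values; 544 and 546 are the values the page gives for
an active and an inactive user. Whether the plug-in compares the attribute
literally or as a bit mask is not stated on the page; this helper decodes
the bits so that the security-relevant ones are visible.
"""

UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x00010: "LOCKOUT",
    0x00020: "PASSWD_NOTREQD",
    0x00040: "PASSWD_CANT_CHANGE",
    0x00200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x800000: "PASSWORD_EXPIRED",
}
UAC_BY_NAME = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value):
    """544 -> ['PASSWD_NOTREQD', 'NORMAL_ACCOUNT'] (lowest bit first)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def encode_uac(*names):
    """encode_uac('NORMAL_ACCOUNT', 'ACCOUNTDISABLE') -> 514."""
    value = 0
    for name in names:
        value |= UAC_BY_NAME[name]
    return value


def is_active(value):
    """Active means the ACCOUNTDISABLE bit is clear."""
    return not value & UAC_BY_NAME["ACCOUNTDISABLE"]


def password_not_required(value):
    """True when the account may exist without a password."""
    return bool(value & UAC_BY_NAME["PASSWD_NOTREQD"])


def status_values(require_password):
    """(active, inactive) values to configure for this data store."""
    if require_password:
        base = encode_uac("NORMAL_ACCOUNT")
    else:
        base = encode_uac("NORMAL_ACCOUNT", "PASSWD_NOTREQD")
    return base, base | UAC_BY_NAME["ACCOUNTDISABLE"]


if __name__ == "__main__":
    for v in (544, 546):
        print(v, decode_uac(v), "active" if is_active(v) else "inactive")
    print(status_values(require_password=True))    # (512, 514)
```

The page's values include PASSWD_NOTREQD because a user created through the data store commonly has no password yet in the same operation, and Active Directory will not enable a password-less NORMAL_ACCOUNT when domain policy requires a password. An account that keeps that bit may legitimately have an empty password, which is why audits look for it; once a password has been set, 512 and 514 are the tighter active/inactive pair.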
For Active Directory, this field is not used.
This field defines the attribute type for which to conduct a search on a group. The default is cn.
Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).
Specifies the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.
Specifies the value for the group container. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in a container named ou=groups, then the group container value would be groups.
Specifies the object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.
Defines the list of attributes associated with a group. Any attempt to read/write group attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must already be defined in the directory before you list them here.
Specifies the name of the attribute whose values are the names of all the groups to which the DN belongs. The default is memberOf.
Specifies the name of the attribute whose values are the DNs of the members belonging to this group. The default is uniqueMember.
Specifies the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.
Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container.
Specifies the value of the people container. The default is people.
The entire tree under the baseDN will be searched if the value of this attribute is set to null (empty).
Specifies that this data store can authenticate user and/or agent identity types when the authentication module mode for the realm is set to Data Store.
This value is currently not used.
Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.
Defines the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter.
Defines the scope to be used in a persistent search. The scope must be one of the following:
SCOPE_BASE – searches only the base DN.
SCOPE_ONE – searches only the entries under the base DN.
SCOPE_SUB (default) – searches the base DN and all entries within its subtree.
Defines the maximum idle time before restarting the persistent search. The value must be greater than 1. Values less than or equal to 1 will restart the search irrespective of the idle time of the connection.
If OpenSSO Enterprise is deployed with a load balancer, some load balancers will time out a connection that has been idle for a specified amount of time. In this case, you should set the Persistent Search Maximum Idle Time Before Restart to a value less than the load balancer's idle timeout.
Defines the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAPException Error Codes to Retry On.
Specifies the time to wait before each retry. This only applies to the persistent search connection.
Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.
If enabled, this allows OpenSSO Enterprise to cache data retrieved from the data store.
Specifies the maximum time data is stored in the cache before it is removed. The values are defined in seconds.
Specifies the maximum size of the cache. The larger the value, the more data can be stored, but it will require more memory. The values are defined in bytes.
The following attributes are used to configure a LDAPv3 repository plug-in:
Enter the name of the LDAP server to which OpenSSO will be connected in the format host.domain:portnumber. If more than one entry is entered, an attempt is made to connect to the first host in the list. The next entry in the list is tried only if the attempt to connect to the current host fails.
Optionally, a server identifier and site identifier can be appended to the value of the LDAP Server attribute for redundancy. In this case, the format is host.domain:portnumber|serverID|siteID. These identifiers are assigned to the server when they are configured globally.
serverID specifies a particular server as the primary LDAP server and others as secondary and tertiary (as defined) fallback servers. (If no number is specified, the LDAP server is primary.) The identifier is displayed in the OpenSSO console.
Click the Configuration tab, click the Servers and Sites tab.
Click the appropriate Server Name.
Under the Advanced tab, see the value of the com.iplanet.am.lbcookie.value property — for example, 01.
siteID is not currently displayed in the OpenSSO console. It is a two digit number generated internally by OpenSSO — for example, 02. To find this value, use an LDAP browser to find ou=accesspoint,ou=site_name,ou=com-sun-identity sites,ou=default,ou=GlobalConfig,ou=iPlanetAMPlatformService,ou=services,root-suffix. Under this DN, see sunkeyvalue:primary-siteid=site-id for the site identifier.
This configuration should not be changed for the OpenSSO embedded configuration data store as it may cause inconsistent behavior.
Specifies the DN name that OpenSSO Enterprise will use to authenticate to the LDAP server to which you are currently connected. The user with the DN name used to bind should have the correct add/modification/delete privileges that you configured in the LDAPv3 Plugin Supported Types and Operations attribute.
Specifies the DN password that OpenSSO Enterprise will use to authenticate to the LDAP server to which you are currently connected.
Confirm the password.
The DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.
When enabled, OpenSSO Enterprise will connect to the primary server using the HTTPS protocol.
Specifies the initial number of connections in the connection pool. Using a connection pool avoids having to create a new connection for each operation.
Specifies the maximum number of connections allowed in the connection pool.
Specifies the maximum number of entries returned from a search operation. If this limit is reached, the data store returns any entries that match the search request.
Specifies the maximum number of seconds allocated for a search request. If this limit is reached, the data store returns any search entries that match the search request.
If enabled, this option specifies that referrals to other LDAP servers are followed automatically.
Specifies the location of the class file which implements the LDAPv3 repository.
Enables common attributes known to the framework to be mapped to the native data store. For example, if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive.
Specifies the operations that are permitted to be performed on this LDAP server. The default operations are the only operations supported by this LDAPv3 repository plug-in. The following are the operations supported by the LDAPv3 Repository Plugin:
agent: read, create, edit, delete
group: read, create, edit, delete
realm: read, create, edit, delete, service
user: read, create, edit, delete, service
role: read, create, edit, delete
You can remove permissions from the above list based on your LDAP server settings and the tasks to be performed, but you cannot add more permissions.
If you have user as a supported type for the LDAPv3 repository, the read, create, edit, delete, and service operations are possible for that type. In other words, if user is a supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries from the identity repository. The user=service operation lets OpenSSO Enterprise services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.
The user is also allowed to manage the user attributes for any assigned service. If the user has service as the operation (user=service), then it specifies that all service-related operations are supported. These operations are assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes and modifyService.
Defines the scope to be used to find LDAPv3 plug-in entries. The scope must be one of the following:
SCOPE_BASE: searches only the base DN.
SCOPE_ONE: searches only the entries under the base DN.
SCOPE_SUB (default): searches the base DN and all entries within its subtree.
This field defines the attribute type to conduct a search for a user. For example, if the user's DN is uid=user1, ou=people, dc=example, dc=com, then you would specify uid in this field.
Specifies the search filter to be used to find user entries.
Specifies the object classes for a user. When a user is created, this list of user object classes will be added to the user's attributes list.
Defines the list of attributes associated with a user. Any attempt to read/write user attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must already be defined in the directory before you list them here.
Specifies which attributes are required when a user is created. This attribute uses the following syntax:
DestinationAttributeName=SourceAttributeName
If the source attribute name is missing, the default is the user ID (uid). For example:
cn sn=givenName
Both cn and sn are required in order to create a user profile. cn gets the value of the attribute named uid, and sn gets the value of the attribute named givenName.
Specifies the attribute name to indicate the user's status.
Specifies the attribute name for an active user status. The default is active.
Specifies the attribute name for an inactive user status. The default is inactive.
This field defines the attribute type for which to conduct a search on a group. The default is cn.
Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).
Specifies the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.
Specifies the value for the group container. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in a container named ou=groups, then the group container value would be groups.
Specifies the object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.
Defines the list of attributes associated with a group. Any attempt to read/write group attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must already be defined in the directory before you list them here.
Specifies the name of the attribute whose values are the names of all the groups to which the DN belongs. The default is memberOf.
Specifies the name of the attribute whose values are the DNs of the members belonging to this group. The default is uniqueMember.
Specifies the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.
The DN value specified in this attribute automatically adds users to the group when it is created.
Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container.
Specifies the value of the people container. The default is people.
The entire tree under the baseDN will be searched if the value of this attribute is set to null (empty).
Specifies that this data store can authenticate user and/or agent identity types when the authentication module mode for the realm is set to Data Store.
Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.
Defines the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter.
Defines the scope to be used in a persistent search. The scope must be one of the following:
SCOPE_BASE – searches only the base DN.
SCOPE_ONE – searches only the entries under the base DN.
SCOPE_SUB (default) – searches the base DN and all entries within its subtree.
Defines the maximum idle time before restarting the persistent search. The value must be greater than 1. Values less than or equal to 1 will restart the search irrespective of the idle time of the connection.
If OpenSSO Enterprise is deployed with a load balancer, some load balancers will time out a connection that has been idle for a specified amount of time. In this case, you should set the Persistent Search Maximum Idle Time Before Restart to a value less than the load balancer's idle timeout.
Defines the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAPException Error Codes to Retry On.
Specifies the time to wait before each retry. This only applies to the persistent search connection.
Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.
If enabled, this allows OpenSSO Enterprise to cache data retrieved from the data store.
Specifies the maximum time data is stored in the cache before it is removed. The values are defined in seconds.
Specifies the maximum size of the cache. The larger the value, the more data can be stored, but it will require more memory. The values are defined in bytes.
The following attributes are used to configure Directory Server with OpenSSO Enterprise schema:
Enter the name of the LDAP server to which OpenSSO will be connected in the format host.domain:portnumber. If more than one entry is entered, an attempt is made to connect to the first host in the list. The next entry in the list is tried only if the attempt to connect to the current host fails.
Optionally, a server identifier and site identifier can be appended to the value of the LDAP Server attribute for redundancy. In this case, the format is host.domain:portnumber|serverID|siteID. These identifiers are assigned to the server when they are configured globally.
serverID specifies a particular server as the primary LDAP server and others as secondary and tertiary (as defined) fallback servers. (If no number is specified, the LDAP server is primary.) The identifier is displayed in the OpenSSO console.
Click the Configuration tab, click the Servers and Sites tab.
Click the appropriate Server Name.
Under the Advanced tab, see the value of the com.iplanet.am.lbcookie.value property — for example, 01.
siteID is not currently displayed in the OpenSSO console. It is a two digit number generated internally by OpenSSO — for example, 02. To find this value, use an LDAP browser to find ou=accesspoint,ou=site_name,ou=com-sun-identity sites,ou=default,ou=GlobalConfig,ou=iPlanetAMPlatformService,ou=services,root-suffix. Under this DN, see sunkeyvalue:primary-siteid=site-id for the site identifier.
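The LDAP Server attribute format host.domain:portnumber|serverID|siteID and the try-the-next-host-on-failure rule described above (for both the LDAPv3 and the Directory Server data store types), as an added example that is not OpenSSO code. The preference rule it applies is an assumption: entries tagged with this instance's serverID are tried first, then entries tagged with its siteID, then untagged entries, and entries tagged for another server or site are skipped; the connect callable is a hypothetical stand-in for the LDAP client.

```python
"""Added example, not OpenSSO code: parse LDAP Server attribute entries of the
form host.domain:portnumber[|serverID|siteID] and walk them in failover order.
The preference rule is an assumption, not documented OpenSSO behaviour.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class LdapServer:
    host: str
    port: int
    server_id: Optional[str] = None  # e.g. "01" (com.iplanet.am.lbcookie.value)
    site_id: Optional[str] = None    # e.g. "02" (primary-siteid)


def parse_server_entry(entry: str) -> LdapServer:
    """Parse one entry; an empty serverID/siteID field means 'not set'."""
    parts = entry.strip().split("|")
    if len(parts) > 3:
        raise ValueError(f"too many '|' fields in {entry!r}")
    host, sep, port = parts[0].rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"expected host.domain:portnumber, got {parts[0]!r}")
    server_id = (parts[1] or None) if len(parts) > 1 else None
    site_id = (parts[2] or None) if len(parts) > 2 else None
    return LdapServer(host, int(port), server_id, site_id)


def failover_order(entries: List[str], my_server_id: Optional[str],
                   my_site_id: Optional[str]) -> List[LdapServer]:
    """Order the configured entries for connection attempts (assumed rule)."""
    def rank(s: LdapServer) -> Optional[int]:
        if s.server_id is not None and s.server_id == my_server_id:
            return 0  # tagged as this instance's primary server
        if s.site_id is not None and s.site_id == my_site_id:
            return 1  # tagged for this site
        if s.server_id is None and s.site_id is None:
            return 2  # untagged: usable from anywhere
        return None   # tagged for a different server/site: skipped here
    ranked = [(rank(s), i, s) for i, s in enumerate(map(parse_server_entry, entries))]
    usable = [t for t in ranked if t[0] is not None]
    return [s for _, _, s in sorted(usable, key=lambda t: (t[0], t[1]))]


def connect_with_failover(entries: List[str], my_server_id: Optional[str],
                          my_site_id: Optional[str],
                          connect: Callable[[LdapServer], object]) -> Tuple[LdapServer, object]:
    """Try each server in order; the next one is tried only if connect() raises."""
    errors = []
    for server in failover_order(entries, my_server_id, my_site_id):
        try:
            return server, connect(server)
        except OSError as exc:
            errors.append(f"{server.host}:{server.port}: {exc}")
    raise ConnectionError("no LDAP server reachable: " + "; ".join(errors))


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real deployment.
    sample = ["ds1.example.com:389|01|02", "ds2.example.com:389|03|02", "ds3.example.com:389"]
    for s in failover_order(sample, "01", "02"):
        print(s)
```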
This configuration should not be changed for the embedded data store as it may cause inconsistent behavior.
Specifies the DN name that OpenSSO Enterprise will use to authenticate to the LDAP server to which you are currently connected. The user with the DN name used to bind should have the correct add/modification/delete privileges that you configured in the LDAPv3 Plugin Supported Types and Operations attribute.
Specifies the DN password that OpenSSO Enterprise will use to authenticate to the LDAP server to which you are currently connected.
Confirm the password.
The DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.
When enabled, OpenSSO Enterprise will connect to the primary server using the HTTPS protocol.
Specifies the initial number of connections in the connection pool. Using a connection pool avoids having to create a new connection for each operation.
Specifies the maximum number of connections allowed in the connection pool.
Specifies the maximum number of entries returned from a search operation. If this limit is reached, Directory Server returns any entries that match the search request.
Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any search entries that match the search request.
If enabled, this option specifies that referrals to other LDAP servers are followed automatically.
Specifies the location of the class file which implements the LDAPv3 repository.
Enables common attributes known to the framework to be mapped to the native data store. For example, if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive.
Specifies the operations that are permitted to be performed on this LDAP server. The default operations are the only operations supported by this LDAPv3 repository plug-in. The following are the operations supported by the LDAPv3 Repository Plugin:
Filtered role: read, create, edit, delete
Group: read, create, edit, delete
Realm: read, create, edit, delete, service
User: read, create, edit, delete, service
Role: read, create, edit, delete
You can remove permissions from the above list (except role) based on your LDAP server settings and the tasks to be performed, but you cannot add more permissions. If the configured LDAPv3 Repository plug-in is pointing to an instance of Sun Directory Server, then permissions for the type role can be added. Otherwise, this permission may not be added because other data stores may not support roles.
If you have user as a supported type for the LDAPv3 repository, the read, create, edit, delete, and service operations are possible for that type. In other words, if user is a supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries from the identity repository. The user=service operation lets OpenSSO Enterprise services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.
The user is also allowed to manage the user attributes for any assigned service. If the user has service as the operation (user=service), then it specifies that all service-related operations are supported. These operations are assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes and modifyService.
Defines the scope to be used to find LDAPv3 plug-in entries. The scope must be one of the following:
SCOPE_BASE – searches only the base DN.
SCOPE_ONE – searches only the entries under the base DN.
SCOPE_SUB (default) – searches the base DN and all entries within its subtree.
This field defines the attribute type to conduct a search for a user. For example, if the user's DN is uid=user1, ou=people, dc=example, dc=com, then you would specify uid in this field.
Specifies the search filter to be used to find user entries.
Specifies the object classes for a user. When a user is created, this list of user object classes will be added to the user's attributes list.
Defines the list of attributes associated with a user. Any attempt to read/write user attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.
Specifies which attributes are required when a user is created. This attribute uses the following syntax:
DestinationAttributeName=SourceAttributeName
If the source attribute name is missing, the default is the user ID (uid). For example:
cn sn=givenName
Both cn and sn are required in order to create a user profile. cn gets the value of the attribute named uid, and sn gets the value of the attribute named givenName.
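The Required User Attributes syntax DestinationAttributeName=SourceAttributeName described above (the same syntax appears for the Active Directory, LDAPv3 and Directory Server data stores), as an added example that is not OpenSSO code: it parses a specification such as cn sn=givenName, applies the uid default, and resolves the values a new entry must carry. The optional check against the case-sensitive User Attributes list is an assumption about how the two settings interact.

```python
"""Added example, not OpenSSO code: parse the Required User Attributes syntax
'Destination[=Source] ...' and resolve the values for a new user entry."""
from typing import Dict, Iterable, Optional


def parse_required_attributes(spec: str) -> Dict[str, str]:
    """Map each destination attribute to its source attribute.

    Tokens are whitespace-separated; a token without '=' takes its value
    from uid, as the reference states.
    """
    mapping: Dict[str, str] = {}
    for token in spec.split():
        dest, sep, source = token.partition("=")
        if not dest or (sep and not source):
            raise ValueError(f"malformed required-attribute token: {token!r}")
        mapping[dest] = source if sep else "uid"
    return mapping


def build_required_values(spec: str, provided: Dict[str, str],
                          allowed: Optional[Iterable[str]] = None) -> Dict[str, str]:
    """Resolve each required attribute from the attributes supplied at creation.

    The request is rejected before any LDAP add is attempted when a source value
    is missing or, if 'allowed' is given (assumed check), when a destination is
    not on the case-sensitive User Attributes list.
    """
    allowed_set = set(allowed) if allowed is not None else None
    values: Dict[str, str] = {}
    for dest, source in parse_required_attributes(spec).items():
        if allowed_set is not None and dest not in allowed_set:
            raise ValueError(f"required attribute {dest!r} is not in the User Attributes list")
        if not provided.get(source):
            raise ValueError(f"cannot populate {dest!r}: source attribute {source!r} not supplied")
        values[dest] = provided[source]
    return values


if __name__ == "__main__":
    # Constructed sample: the reference's example spec applied to a new user.
    print(build_required_values("cn sn=givenName",
                                {"uid": "user1", "givenName": "Alice"},
                                allowed=["uid", "cn", "sn", "givenName", "mail"]))
```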
Specifies the attribute name to indicate the user's status.
This field defines the attribute type for which to conduct a search on a group. The default is cn.
Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).
Specifies the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.
Specifies the value for the group container. For example, if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in a container named ou=groups, then the group container value would be groups.
Specifies the object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.
Defines the list of attributes associated with a group. Any attempt to read/write group attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.
Specifies the name of the attribute whose values are the names of all the groups to which the DN belongs. The default is memberOf.
Specifies the name of the attribute whose values are the DNs of the members belonging to this group. The default is uniqueMember.
Specifies the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.
This field defines the attribute type for which to conduct a search on a role. The default is cn.
Defines the filter used to search for a role. The LDAP Role Search Attribute is prepended to this field to form the actual role search filter.
For example, if the LDAP Role Search Attribute is CN and the LDAP Role Search Filter is (objectClass=sunIdentityServerDevice), then the actual role search filter will be: (&(cn=*)(objectClass=sunIdentityServerDevice))
Defines the object classes for roles. When a role is created, this list of role object classes will be added to the role's attributes list.
Defines the list of attributes associated with a role. Any attempt to read/write role attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.
This field defines the attribute type for which to conduct a search on a filtered role. The default is cn.
Defines the filter used to search for a filtered role. The LDAP Filtered Role Search Attribute is prepended to this field to form the actual filtered role search filter.
For example, if the LDAP Filtered Role Search Attribute is CN and the LDAP Filtered Role Search Filter is (objectClass=sunIdentityServerDevice), then the actual filtered role search filter will be: (&(cn=*)(objectClass=sunIdentityServerDevice))
Defines the object classes for filtered roles. When a filtered role is created, this list of filtered role object classes will be added to the filtered role's attributes list.
Defines the list of attributes associated with a filtered role. Any attempt to read/write filtered role attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.
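The filter composition described for roles and filtered roles above (the search attribute prepended to the configured filter, giving (&(cn=*)(objectClass=sunIdentityServerDevice))), as an added example that is not OpenSSO code. It also covers the case where a specific value, such as a login name, is substituted for the wildcard, escaping it per RFC 4515 so the value cannot change the filter's structure; the user filter (objectclass=inetorgperson) used in the test is a constructed sample value.

```python
"""Added example, not OpenSSO code: build the effective LDAP search filter from
a search attribute and the configured filter, escaping supplied values."""
from typing import Optional


def escape_filter_value(value: str) -> str:
    """Escape the RFC 4515 special characters in an assertion value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def compose_search_filter(search_attr: str, configured_filter: str,
                          value: Optional[str] = None) -> str:
    """Return (&(attr=value)(configured)); value None means the wildcard '*'.

    An empty configured filter yields just (attr=value). The configured filter
    is an administrator setting and is used as-is; only 'value' is escaped.
    """
    if not search_attr or not all(c.isalnum() or c in "-;" for c in search_attr):
        raise ValueError(f"invalid search attribute name {search_attr!r}")
    assertion = "*" if value is None else escape_filter_value(value)
    prefix = f"({search_attr}={assertion})"
    base = configured_filter.strip()
    if not base:
        return prefix
    if not (base.startswith("(") and base.endswith(")")):
        raise ValueError("configured filter must be a parenthesised LDAP filter")
    return f"(&{prefix}{base})"


if __name__ == "__main__":
    # The reference's role example, then a constructed user lookup.
    print(compose_search_filter("cn", "(objectClass=sunIdentityServerDevice)"))
    print(compose_search_filter("uid", "(objectclass=inetorgperson)", "user1"))
```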
Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container.
Specifies the value of the people container. The default is people.
The entire tree under the baseDN will be searched if the value of this attribute is set to null (empty).
Specifies that this data store can authenticate user and/or agent identity types when the authentication module mode for the realm is set to Data Store.
Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.
Defines the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter.
Defines the scope to be used in a persistent search. The scope must be one of the following:
SCOPE_BASE – searches only the base DN.
SCOPE_ONE – searches only the entries under the base DN.
SCOPE_SUB (default) – searches the base DN and all entries within its subtree.
Defines the maximum idle time before restarting the persistent search. The value must be greater than 1. Values less than or equal to 1 will restart the search irrespective of the idle time of the connection.
If OpenSSO Enterprise is deployed with a load balancer, some load balancers will time out a connection that has been idle for a specified amount of time. In this case, you should set the Persistent Search Maximum Idle Time Before Restart to a value less than the load balancer's idle timeout.
Defines the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAPException Error Codes to Retry On.
Specifies the time to wait before each retry. This only applies to the persistent search connection.
Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.
If enabled, this allows OpenSSO Enterprise to cache data retrieved from the data store.
Specifies the maximum time data is stored in the cache before it is removed. The values are defined in seconds.
Specifies the maximum size of the cache. The larger the value, the more data can be stored, but it will require more memory. The values are defined in bytes.