Sun OpenSSO Enterprise 8.0 Administration Reference

Part II OpenSSO Attribute Reference

This section of the OpenSSO Enterprise 8.0 Administration Reference lists and describes the configurable attributes for entities and services in the OpenSSO Enterprise console. In previous releases, many of these attributes were only configurable through the AMConfig.properties file. This file has been deprecated, and all of its properties are now defined in the OpenSSO Enterprise console and stored in the configuration directory datastore.

Chapter 5 Centralized Agent Configuration Attributes

The Centralized Agent Configuration provides an agent administrator with a means to manage multiple agent configurations from one central place. The agent configurations are stored in OpenSSO Enterprise's data repository and managed by an administrator via the OpenSSO Enterprise Console.

Agent Configuration Attributes

Once you have created an agent, you can customize each agent's behavior. To do so, first click the name of the agent you wish to configure, and then modify the agent's attributes. See the following sections for definitions for each agent type:

Web Policy Agent

A web agent instance can be configured using this interface. The properties described here apply only if centralized configuration was chosen during agent creation. If local configuration was selected, the properties related to this agent must be edited in the OpenSSOAgentConfiguration.properties file in the agent installation directory.

For definitions of the Web Policy Agent attributes, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents, or the online help.

J2EE Policy Agent

A J2EE agent instance can be configured using this interface. The properties described here apply only if centralized configuration was chosen during agent creation. If local configuration was selected, the properties related to this agent must be edited in the OpenSSOAgentConfiguration.properties file in the agent installation directory.

For definitions of the J2EE Policy Agent attributes, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents, or the online help.

Web Service Provider

The Web Service Provider agent profile describes the configuration that is used for validating web service requests from web service clients and securing web service responses from a web service provider. The name of the web service provider must be unique across all agents.

General

The following General attributes define basic web service provider properties:

Group

The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.

Password

Defines the password for the web service provider agent

Password Confirm

Confirm the password.

Status

Defines whether the web service provider agent will be Active or Inactive in the system. By default, it is set to Active, meaning that the agent will participate in validating web service requests from web service clients and securing service responses from a web service provider.

Universal Identifier

Lists the basic LDAP properties that uniquely define the web service provider agent.

Security

The following attributes define web service provider security attributes:

Security Mechanism

Defines the type of security credential that is used to validate the web service request. The type of security mechanism is part of the web service request from a web service client and is accepted by a web service provider. Choose from the following types:

Authentication Chain

Defines the authentication chain or service name that can be used to authenticate to the OpenSSO Enterprise authentication service using the credentials from an incoming web service request's security token to generate OpenSSO Enterprise's authenticated SSOToken.

Token Conversion Type

Defines the type of token that will be converted when a web service provider requests a token conversion from the Security Token service. The token is converted to the specified SAML or SSOToken (session token) with the same identity, but with attribute definitions specific to the token type. This new token can be used by the web service provider making a web service call to another web service provider. The token types you can define are:

To use this attribute, a SAML token type must be selected in the Security Mechanism attribute and an authentication chain must be defined for the web service provider.

Preserve Security Headers in Message

When enabled, this attribute defines that the SOAP security headers are preserved by the web service provider for further processing.

Private Key Type

Defines the key type used by the web service provider during the web service request signature verification process. The default value is PublicKey.

Liberty Service Type URN

The URN (Universal Resource Name) describes a Liberty service type that the web service provider will use for service lookups.

Credential for User Token

This attribute holds the username/password shared secrets that the web service provider compares against the credentials in the username security token of an incoming web service request.

SAML Configuration

The following attributes configure the Security Assertion Markup Language (SAML) for the web service provider:

SAML Attribute Mapping

This configuration represents a SAML attribute that needs to be generated as an Attribute Statement during SAML assertion creation by the Security Token Service for a web service provider. The format is SAML_attr_name=Real_attr_name.

SAML_attr_name is the SAML attribute name from a SAML assertion from an incoming web service request. Real_attr_name is the attribute name that is fetched from either the authenticated SSOToken or the identity repository.

SAML NameID Mapper Plugin

Defines the NameID mapper plug-in class that is used for SAML account mapping.

SAML Attributes Namespace

Defines the name space used for generating SAML attributes.

Include Memberships

If enabled, this attribute defines that the principal's membership must be included as a SAML attribute.
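The mapping format, namespace and membership handling described above, as an added example in Python that is not part of OpenSSO Enterprise: it parses SAML_attr_name=Real_attr_name entries, resolves Real_attr_name from the SSOToken first and then from the identity repository, and tags each attribute with the configured namespace. The sample token properties, repository entry and the attribute name used for memberships are constructed assumptions.

```python
import re

# Constructed sample inputs: the authenticated SSOToken's properties, the same
# principal's identity repository entry, and its group memberships.
SSOTOKEN_PROPS = {"UserId": "jdoe", "AuthLevel": "2"}
IDREPO_ENTRY = {"mail": "jdoe@example.com", "cn": "Jane Doe"}
MEMBERSHIPS = ["wsp-users", "staff"]

# One mapping entry: SAML_attr_name=Real_attr_name, no whitespace, exactly one '='.
MAPPING_RE = re.compile(r"^([^=\s]+)=([^=\s]+)$")


def parse_attribute_mapping(entries):
    """Parse SAML_attr_name=Real_attr_name entries into an ordered dict.

    Malformed or duplicate SAML attribute names are rejected rather than
    silently dropped, so a typo in the console cannot quietly omit a claim.
    """
    mapping = {}
    for entry in entries:
        match = MAPPING_RE.match(entry.strip())
        if not match:
            raise ValueError(f"malformed SAML attribute mapping: {entry!r}")
        saml_name, real_name = match.groups()
        if saml_name in mapping:
            raise ValueError(f"duplicate SAML attribute name: {saml_name}")
        mapping[saml_name] = real_name
    return mapping


def resolve_attribute(real_name, token_props, idrepo_entry):
    """Look up Real_attr_name in the SSOToken first, then the identity repository."""
    if real_name in token_props:
        return token_props[real_name]
    return idrepo_entry.get(real_name)


def build_attribute_statement(entries, namespace, token_props, idrepo_entry,
                              memberships=(), include_memberships=False):
    """Produce the list of SAML attributes for an Attribute Statement.

    Each attribute carries the configured SAML Attributes Namespace. Attributes
    whose source value is absent are skipped instead of being emitted empty.
    The attribute name used for memberships ("memberships") is an assumption.
    """
    attributes = []
    for saml_name, real_name in parse_attribute_mapping(entries).items():
        value = resolve_attribute(real_name, token_props, idrepo_entry)
        if value is None:
            continue
        attributes.append({"name": saml_name, "namespace": namespace,
                           "values": [value]})
    if include_memberships and memberships:
        attributes.append({"name": "memberships", "namespace": namespace,
                           "values": list(memberships)})
    return attributes
```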

Signing and Encryption

The following attributes define signing and encryption configuration for web provider security:

Is Response Signed

When enabled, the web service provider signs the response using its X509 certificate.

Is Response Encrypted

When enabled, the web service response will be encrypted.

Is Request Signature Verified

When enabled, the web service request signature is verified.

Is Request Header Decrypted

When enabled, the web service client request's security header will be decrypted.

Is Request Decrypted

When enabled, the web service client request will be decrypted.

Signing Reference Type

Defines the reference types used when the Security Token service signs the WSP response. The possible reference types are DirectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used to encrypt the web service response.

Encryption Strength

Sets the encryption strength used by the Security Token service to encrypt the web service response. Select a greater value for greater encryption strength.

Key Store

The following attributes configure the keystore to be used for certificate storage and retrieval:

Public Key Alias of Web Service Client

This attribute defines the public certificate key alias that is used to encrypt the web service response or verify the signature of the web service request.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service response or decrypt the web service request.

Key Storage Usage

This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:

End Points

The following attributes define web service endpoints:

Web Service Proxy End Point

This attribute defines a web service end point to which the web service client is making a request. This end point is optional unless the client is configured to use a web security proxy.

Web Service End Point

This attribute defines a web service end point to which the web service client is making a request.

Kerberos Configuration

Kerberos is a security profile supported by the web services security to secure web services communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and invokes a web service through the web service client. The client obtains a Kerberos ticket and secures the request to the web service provider by presenting the user's principal as a Kerberos token. Kerberos-based web services security is typically used within a single Kerberos domain (realm), rather than across realm boundaries as SAML-based web services security is. However, Kerberos is one of the strongest authentication mechanisms, especially in a Windows Domain Controller environment.

Kerberos Domain Server

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.

Kerberos Service Principal

Specifies the Kerberos principal as the owner of the generated Security token.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It is possible that the Kerberos server's domain is different from the domain name of the OpenSSO Enterprise instance.

Kerberos Key Tab File

This attribute specifies the Kerberos keytab file that is used for issuing the token. The following naming convention is used, although it is not required:

hostname.HTTP.keytab

hostname is the hostname of the OpenSSO Enterprise instance.
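The principal and keytab naming conventions above (the same format is used by the Kerberos Service Principal attribute of the Web Service Client and STS agent profiles), as an added Python example that is not part of OpenSSO Enterprise: it checks a configured principal against HTTP/hostname.domainname@dc_domain_name, derives the conventional keytab file name, and flags the case where the Kerberos realm differs from the instance's own domain. The sample principals are constructed.

```python
import re

# HTTP/hostname.domainname@dc_domain_name: the service is always HTTP, the host
# part must be the OpenSSO instance FQDN, the realm is the Kerberos domain.
PRINCIPAL_RE = re.compile(r"^HTTP/(?P<host>[^@/\s]+)@(?P<realm>[^@/\s]+)$")
# Conservative FQDN check: at least two dot-separated labels of letters,
# digits and hyphens, none starting or ending with a hyphen.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def parse_service_principal(principal):
    """Return (hostname, domainname, realm) for a well-formed service principal.

    Raises ValueError when the service is not HTTP, the host part is not fully
    qualified, or the realm is missing. Realm names are case sensitive in
    Kerberos and are returned exactly as written.
    """
    match = PRINCIPAL_RE.match(principal.strip())
    if not match:
        raise ValueError(
            f"principal must look like HTTP/host.domain@REALM: {principal!r}")
    host = match.group("host")
    if not FQDN_RE.match(host):
        raise ValueError(f"host part must be a fully qualified domain name: {host!r}")
    hostname, domainname = host.split(".", 1)
    return hostname, domainname, match.group("realm")


def keytab_file_name(principal):
    """Derive the conventional keytab name hostname.HTTP.keytab from the principal."""
    hostname, _, _ = parse_service_principal(principal)
    return f"{hostname}.HTTP.keytab"


def realm_differs_from_instance_domain(principal):
    """True when the Kerberos realm is not just the instance's DNS domain in
    upper case, i.e. the domain controller lives in a separate Kerberos domain."""
    _, domainname, realm = parse_service_principal(principal)
    return domainname.lower() != realm.lower()
```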

Verify Kerberos Signature

If enabled, this attribute specifies that the Kerberos token is signed.

Web Service Client Attributes

The Web Service Client agent profile describes the configuration that is used for securing outbound web service requests from a web service client. The name of the web service client must be unique across all agents.

General

The following General attributes define basic web service client properties:

Group

The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.

Password

Defines the password for the web service client agent.

Password Confirm

Confirm the password.

Status

Defines whether the web service client agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.

Universal Identifier

Lists the basic LDAP properties that uniquely define the web service client agent.

Security

The following attributes define web service client security attributes:

Security Mechanism

Defines the type of security credential that is used to secure the web service client request. You can choose one of the following security credential types:

STS Configuration

This attribute is enabled when the web service client uses Security Token service (STS) as the Security Mechanism. This configuration describes a list of STS agent profiles that are used to communicate with and secure the web service requests to the STS service.

Discovery Configuration

This attribute is enabled when the web service client is enabled for Discovery Service security. This configuration describes a list of Discovery Agent profiles that are used to secure requests made to the Discovery service.

User Authentication Required

When enabled, this attribute defines that the service client's protected page requires a user to be authenticated in order to gain access.

Preserve Security Headers in Message

When enabled, this attribute defines that the SOAP security headers are preserved by the web service client for further processing.

Use Pass Through Security Token

When enabled, this attribute indicates that the web service client will pass through the received Security token from the Subject. It will not try to create the token locally or from STS communication.

Liberty Service Type URN

The URN (Universal Resource Name) describes a Liberty service type that the web service client will use for service lookups.

Credential for User Token

The attribute represents the username/password shared secrets that are used by the web service client to generate a Username security token.

Signing and Encryption

The following attributes define signing and encryption configuration for web service security:

Is Request Signed

When enabled, the web services client signs the request using a given token type.

Is Request Header Encrypted

When enabled, the web services client security header will be encrypted.

Is Request Encrypted

When enabled, the web services client request will be encrypted.

Is Response Signature Verified

When enabled, the web services response signature is verified.

Is Response Decrypted

When enabled, the web services response will be decrypted.

Signing Reference Type

Defines the reference types used when the Security Token service signs the WSC response. The possible reference types are DirectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used to encrypt the web service response.

Encryption Strength

Sets the encryption strength used by the Security Token service to encrypt the web service response. Select a greater value for greater encryption strength.

Key Store

The following attributes configure the keystore to be used for certificate storage and retrieval:

Public Key Alias of Web Service Provider

This attribute defines the public certificate key alias that is used to encrypt the web service request or verify the signature of the web service response.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.

Key Storage Usage

This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:

End Points

The following attributes define web service endpoints:

Web Service Security Proxy End Point

This attribute defines a web service end point to which the web service client is making a request. This end point is optional unless it is configured as a web security proxy.

Web Service End Point

This attribute defines a web service end point to which the web service client is making a request.

Kerberos Configuration

Kerberos is a security profile supported by the web services security to secure web services communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and invokes a web service through the web service client. The client obtains a Kerberos ticket and secures the request to the web service provider by presenting the user's principal as a Kerberos token. Kerberos-based web services security is typically used within a single Kerberos domain (realm), rather than across realm boundaries as SAML-based web services security is. However, Kerberos is one of the strongest authentication mechanisms, especially in a Windows Domain Controller environment.

Kerberos Domain Server

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos Distribution Center (KDC) domain name. Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.

Kerberos Service Principal

Specifies the web service principal registered with the KDC.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It is possible that the Kerberos server's domain is different from the domain name of the OpenSSO Enterprise instance.

Kerberos Ticket Cache Directory

Specifies the Kerberos TGT (Ticket Granting Ticket) cache directory. When the user authenticates to the desktop or initializes using kinit (the command used to obtain the TGT from KDC), the TGT is stored in the local cache, as defined in this attribute.

STS Client

The Security Token Service (STS) Client interface allows you to create and configure a client that communicates with OpenSSO Enterprise's Security Token service in order to obtain a Security Token. OpenSSO Enterprise provides the mechanism to create the following types of STS client agents:

Discovery Agent

Allows you to configure a Discovery Agent Client that communicates with the Liberty Discovery Service to obtain a Liberty-based security token. This configuration defines the attributes for securing Liberty requests from the Discovery client to the Liberty Discovery end point.

Security Token Service Agent

Allows you to configure a Security Token Service agent that communicates with OpenSSO Enterprise's Security Token Service to obtain web service-based security tokens. This configuration defines the attributes for securing web service Trust requests from the STS client to the STS end point.

Discovery Agent Attributes

The Discovery Agent profile holds a trust authority configuration that is used by the web services' client/profile to communicate with the Liberty Discovery service for web service lookups, registration, and for obtaining security credentials.

Group

The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.

Password

Defines the password for the Discovery Agent.

Password Confirm

Confirm the password.

Status

Defines whether the agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.

Location of Agent Configuration Repository

This attribute defines the agent location of the configuration repository for the Discovery Agent.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.

Discovery Service End Point

This attribute defines the Discovery service end point where the trust authority client establishes communications for service registrations and lookups.

Authentication Web Service End Point

This attribute defines the authentication service end point which the web services client uses to authenticate using the end user's SSOToken to receive the Discovery service resource offering (also referred to as bootstrap resource offering.)

Security Token Service Agent Attributes

A Security Token Service is a Web service that provides issuance and management of security tokens. That is, it makes security statements or claims, often (although not necessarily) in encrypted sets. These statements are based on evidence that the service can directly verify, or on security tokens issued by authorities that it trusts. To assert trust, a service might prove its right to assert a set of claims by providing a security token or set of security tokens issued by an STS, or it could issue a security token with its own trust statement (note that for some security token formats this can just be a re-issuance or co-signature). This forms the basis of trust brokering.

General

The following General attributes define basic Security Token service properties:

Group

The Group mechanism allows you to define a collection of similar types of agents. The group must be defined before including the particular agent into a collection.

Password

Defines the password for the Security Token service agent.

Password Confirm

Confirm the password.

Status

Defines whether the agent will be active or inactive in the system. By default, this attribute is set to active, meaning that the agent will participate in securing outbound web service requests from web service clients and will validate web service responses from a web service provider.

WS-Trust Version

Specifies the version of WS-Trust to use, either 1.0 or 1.3.

Universal Identifier

Lists the basic LDAP properties that uniquely define the Security Token service agent.

Security

The following attributes define Security Token service security attributes:

Security Mechanism

Defines the type of security credential that is used to secure the STS request. You can choose one of the following security credential types:

STS Configuration

This attribute is enabled when the Security Token service agent uses Security Token service (STS) as the Security Mechanism. This configuration describes a list of STS agent profiles that are used to communicate with and secure the requests to the STS service.

Preserve Security Headers in Message

When enabled, this attribute defines that the SOAP security headers are preserved by the Security Token service agent for further processing.

Credential for User Token

The attribute represents the username/password shared secrets that are used by the Security Token service agent to generate a Username security token.

Signing and Encryption

The following attributes define signing and encryption configuration for the Security Token service:

Is Request signed

When enabled, the Security Token service agent signs the request using a given token type.

Is Request Header Encrypted

When enabled, the Security Token service agent security header will be encrypted.

Is Request Encrypted

When enabled, the Security Token service request will be encrypted.

Is Response Signature Verified

When enabled, the Security Token service response signature is verified.

Is Response Decrypted

When enabled, the Security Token service response will be decrypted.

Signing Reference Type

Defines the reference types used when the Security Token service signs the WSC response. The possible reference types are DirectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used to encrypt the response.

Encryption Strength

Sets the encryption strength to encrypt the response. Select a greater value for greater encryption strength.

Key Store

The following attributes configure the keystore to be used for certificate storage and retrieval:

Public Key Alias of Web Service Provider

This attribute defines the public certificate key alias that is used to encrypt the web service request or verify the signature of the web service response.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the web service request or decrypt the web service response.

Key Storage Usage

This configuration defines whether to use the default keystore, or a custom keystore. The following values must be defined for a custom key store:

End Points

The following attributes define web service endpoints:

Security Token Service End Point

This field takes a value equal to:

%protocol://%host:%port%uri/sts

This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.

Security Token Service MEX End Point

This field takes a value equal to:

%protocol://%host:%port%uri/sts/mex

This syntax allows for dynamic substitution of the Security Token Service MEX Endpoint URL based on the specific session parameters.
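The endpoint templates above, as an added Python example that is not part of OpenSSO Enterprise: it expands %protocol, %host, %port and %uri from a set of session parameters, refuses to expand a template whose parameters are missing, and checks the resulting URL before it is used (fully substituted, https, expected path). The session parameter values are constructed and assumed to come from the OpenSSO instance's deployment URL.

```python
import re
from urllib.parse import urlsplit

# Default templates from the STS agent profile.
STS_ENDPOINT_TEMPLATE = "%protocol://%host:%port%uri/sts"
STS_MEX_ENDPOINT_TEMPLATE = "%protocol://%host:%port%uri/sts/mex"

# The four substitutable tokens; %port%uri is two adjacent tokens.
TOKEN_RE = re.compile(r"%(protocol|host|port|uri)\b")

# Constructed session parameters (assumed: taken from the deployment URL).
SESSION_PARAMS = {"protocol": "https", "host": "sso.example.com",
                  "port": 443, "uri": "/opensso"}


def substitute_endpoint(template, session_params):
    """Expand %protocol, %host, %port and %uri from the session parameters.

    Every token present in the template must be supplied. A misspelled token
    such as %hostname is not a known token, so it is left untouched and then
    rejected by check_endpoint instead of being sent as part of a URL.
    """
    def replace(match):
        key = match.group(1)
        if key not in session_params:
            raise KeyError(f"missing session parameter: {key}")
        return str(session_params[key])
    return TOKEN_RE.sub(replace, template)


def check_endpoint(url):
    """Return (ok, reason) for an expanded STS or MEX endpoint URL.

    The endpoint carries WS-Trust requests, so anything other than https, an
    unsubstituted %token, or a path that is not .../sts or .../sts/mex fails.
    A literal '%' is treated as a leftover token because these templates use
    no percent-encoding.
    """
    if "%" in url:
        return False, "unsubstituted token remains"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} is not https"
    if not parts.hostname:
        return False, "no host"
    if not (parts.path.endswith("/sts") or parts.path.endswith("/sts/mex")):
        return False, f"unexpected path {parts.path!r}"
    return True, "ok"
```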

Kerberos Configuration

Kerberos is a security profile supported by the web services security to secure web services communications between a web service client and a web service provider. In a typical scenario, a user authenticates to the desktop and invokes a web service through the web service client. The client obtains a Kerberos ticket and secures the request to the web service provider by presenting the user's principal as a Kerberos token. Kerberos-based web services security is typically used within a single Kerberos domain (realm), rather than across realm boundaries as SAML-based web services security is. However, Kerberos is one of the strongest authentication mechanisms, especially in a Windows Domain Controller environment.

Kerberos Domain Server

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos Distribution Center (KDC) domain name. Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.

Kerberos Service Principal

Specifies the Security Token Service principal registered with the KDC.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It is possible that the Kerberos server's domain is different from the domain name of the OpenSSO Enterprise instance.

Kerberos Ticket Cache Directory

Specifies the Kerberos TGT (Ticket Granting Ticket) cache directory. When the user authenticates to the desktop or initializes using kinit (the command used to obtain the TGT from KDC), the TGT is stored in the local cache, as defined in this attribute.

2.2 Policy Agent

OpenSSO Enterprise is backward compatible with Policy Agent 2.2. Policy Agent 2.2 must be configured locally from the deployment container on which it is installed. Therefore, from the OpenSSO Enterprise Console, a very limited number of Policy Agent 2.2 options can be configured.

Password

The password was set when you created the agent profile. However, you can change the password at any time in the future.

Password Confirm

The confirmation of the password was performed when you created the agent profile. If you change the password, you must confirm the change.

Status

The Active option is selected when the agent is created. Choose Inactive only if you want to remove the protection the agent provides.

Description

A description of the agent, which you can add if desired.

Agent Key Value

A required setting when enabling CDSSO and when configuring the deployment to prevent cookie hijacking.

This attribute serves as a key in a pairing of a key and a value. This attribute is used by OpenSSO Enterprise to receive agent requests for credential assertions about users. Only one attribute is valid in this key-value pairing. All other attributes are ignored. Use the following format:

agentRootURL=protocol://hostname:port/

The entry must be precise. For example, the string representing the key, agentRootURL, is case sensitive.
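The Agent Key Value format above, as an added Python example that is not part of OpenSSO Enterprise: it reads a list of key=value entries, honours only the exact, case-sensitive key agentRootURL, reports every other key as ignored, and validates the value against protocol://hostname:port/. Restricting the protocol to http or https and the sample entries are assumptions.

```python
import re

# agentRootURL=protocol://hostname:port/ ; protocol limited to http/https
# (assumption), numeric port, trailing slash required as in the documented format.
ROOT_URL_RE = re.compile(
    r"^(?P<protocol>https?)://(?P<hostname>[A-Za-z0-9.-]+):(?P<port>\d{1,5})/$")


def parse_agent_key_value(entries):
    """Return (parsed agentRootURL parts, ignored keys) for an Agent Key Value list.

    Only the exact, case-sensitive key agentRootURL is honoured; every other key
    (including AgentRootURL or agentrooturl) is ignored. Because a miscased key
    is silently dropped, a missing agentRootURL is raised as an error here so
    that CDSSO and cookie-hijacking protection are not left unconfigured.
    """
    root_url = None
    ignored = []
    for entry in entries:
        key, sep, value = entry.strip().partition("=")
        if not sep:
            raise ValueError(f"entry is not key=value: {entry!r}")
        if key == "agentRootURL":
            if root_url is not None:
                raise ValueError("agentRootURL given more than once")
            root_url = value
        else:
            ignored.append(key)
    if root_url is None:
        raise ValueError("agentRootURL is missing (required for CDSSO)")
    match = ROOT_URL_RE.match(root_url)
    if not match:
        raise ValueError(
            f"agentRootURL must be protocol://hostname:port/: {root_url!r}")
    parts = match.groupdict()
    if not 1 <= int(parts["port"]) <= 65535:
        raise ValueError(f"port out of range: {parts['port']}")
    return parts, ignored
```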

Agent Authenticator

An agent authenticator is a type of agent that, once it is authenticated, can obtain the read-only data of agent profiles that are selected for the agent authenticator to read. The agent profiles can be of any type (J2EE, WSP, Discovery, and so forth), but must exist in the same realm. Users that have the agent authenticator's credentials (username and password) can read the agent profile data, but do not have the create, update, or delete permissions of the Agent Admin.

The agent Authenticator contains the following attributes:

Password

The password was set when you created the agent authenticator profile. However, you can change the password at any time in the future.

Password Confirm

The confirmation of the password was performed when you created the agent authenticator profile. If you change the password, you must confirm the change.

Status

The Active option is selected when the agent authenticator is created. Choose Inactive only if you want to remove the protection the agent provides.

Agent Profiles Allowed to Read

This attribute defines a list of OpenSSO Enterprise agents whose profile data is read by the agent authenticator. The agents can be of any type (J2EE, WSP, Discovery, and so forth), but must exist in the same realm. To add an agent to the list, select the agent name and click Add.

Chapter 6 Federation Attributes for Entity Providers

This section lists and describes the attributes available in the OpenSSO Enterprise console for entity provider customization. For instructions for creating the entity providers and entity provider roles, see Creating an Entity in Sun OpenSSO Enterprise 8.0 Administration Guide.

SAMLv2 Entity Provider Attributes

The SAMLv2 entity provider type is based on the OASIS Security Assertion Markup Language (SAML) version 2 specification. This entity supports various profiles (single sign-on, single logout, and so forth) when interacting with remote SAMLv2 entities. The SAMLv2 provider entity allows you to assign and configure the following roles:

SAMLv2 Service Provider Customization

SAMLv2 service providers contain the following attribute groups:

Assertion Content

Request/Response Signing

Select any checkbox to enable signing for the following SAMLv2 service provider requests or responses:

Authentication Requests Signed 

All authentication requests received by this service provider must be signed. 

Assertions Signed 

All assertions received by this service provider must be signed. 

POST Response Signed 

The identity provider must sign the single sign-on Response element when POST binding is used.

Artifact Response 

The identity provider must sign the ArtifactResponse element.

Logout Request 

The identity provider must sign the LogoutRequest element.

Logout Response 

The identity provider must sign the LogoutResponse element.

Manage Name ID Request  

The identity provider must sign the ManageNameIDRequest element.

Manage Name ID Response 

The identity provider must sign the ManageNameIDResponse element.

Encryption

Select any checkbox to enable encryption for the following elements:

Attribute 

The identity provider must encrypt all AttributeStatement elements.

Assertion 

The identity provider must encrypt all Assertion elements.

NameID 

The identity provider must encrypt all NameID elements.

Certificate Aliases

This attribute defines the certificate alias elements for the service provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

Name ID Format

Defines the name identifier formats supported by the service provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:

The Name ID format list is an ordered list; the first Name ID has the highest priority in determining the Name ID format to use. If the user does not specify a Name ID to use when initiating single sign-on, the first one in this list that is supported by the remote Identity Provider is chosen.

A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary, and no data will be written to the user's persistent data store.

Authentication Context

This attribute maps the SAMLv2-defined authentication context classes to the authentication level set for the user session on the service provider.

Mapper

Specifies the implementation of the SPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper.

Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The SAMLv2-defined authentication context classes are:

  • InternetProtocol

  • InternetProtocolPassword

  • Kerberos

  • MobileOneFactorUnregistered

  • MobileTwoFactorUnregistered

  • MobileOneFactorContract

  • MobileTwoFactorContract

  • Password

  • Password-ProtectedTransport

  • Previous-Session

  • X509

  • PGP

  • SPKI

  • XMLDSig

  • Smartcard

  • Smartcard-PKI

  • Software-PKI

  • Telephony

  • NomadTelephony

  • PersonalTelephony

  • AuthenticatedTelephony

  • SecureRemotePassword

  • TLSClient

  • Time-Sync-Token

  • Unspecified

Level

Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.

In this framework, each service provider is configured with a default authentication context (preferred method of authentication). The provider might, however, want to request a different authentication context, chosen by authentication level. For example, service provider B wants to create a local session with an authentication level of 3, so it asks the identity provider to authenticate the user with an authentication context assigned that level. The authentication level passed in the single sign-on request determines the authentication context the identity provider is asked to use.

Comparison Type

Specifies how the authentication context in the resulting assertion must compare to the authentication contexts requested. Accepted values are:

  • exact: the authentication context statement in the assertion must exactly match at least one of the authentication contexts specified.

  • minimum: the authentication context statement in the assertion must be at least as strong (as deemed by the identity provider) as one of the authentication contexts specified.

  • maximum: the authentication context statement in the assertion must be no stronger than any of the authentication contexts specified.

  • better: the authentication context statement in the assertion must be stronger than every one of the authentication contexts specified.

The default value is exact.
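The following is an added example, not code from the OpenSSO Enterprise documentation or product: it resolves which configured authentication contexts satisfy a service provider's request under each Comparison Type, using the per-context Level values described above. The context-to-level table is a constructed sample, not a default shipped with OpenSSO, and the SPAuthnContextMapper plug-in is where such logic would live in the product.

```python
# Added example (not OpenSSO code): Comparison Type and Level resolution.

AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Assumption: an administrator assigned these authentication levels to the
# SAMLv2 context classes in the console (higher level = more trusted).
CONTEXT_LEVELS = {
    AC + "InternetProtocol": 1,
    AC + "Password": 3,
    AC + "PasswordProtectedTransport": 5,
    AC + "TLSClient": 8,
    AC + "SmartcardPKI": 10,
}

COMPARISON_TYPES = ("exact", "minimum", "maximum", "better")


def satisfying_contexts(requested, comparison="exact", levels=CONTEXT_LEVELS):
    """Return the set of configured context class references an assertion
    may carry and still satisfy the request.

    requested  : AuthnContextClassRef values from RequestedAuthnContext
    comparison : exact | minimum | maximum | better (default exact)
    """
    if comparison not in COMPARISON_TYPES:
        raise ValueError("unknown Comparison Type: %r" % comparison)
    known = [ref for ref in requested if ref in levels]
    if not known:
        # Nothing maps to a Level: refuse rather than guess a strength.
        raise ValueError("no requested context is configured with a Level")
    requested_levels = [levels[ref] for ref in known]

    if comparison == "exact":
        return set(known)
    if comparison == "minimum":
        # at least as strong as one of the requested contexts
        floor = min(requested_levels)
        return {ref for ref, lvl in levels.items() if lvl >= floor}
    if comparison == "maximum":
        # no stronger than any requested context
        ceiling = max(requested_levels)
        return {ref for ref, lvl in levels.items() if lvl <= ceiling}
    # better: strictly stronger than every requested context
    ceiling = max(requested_levels)
    return {ref for ref, lvl in levels.items() if lvl > ceiling}


def assertion_satisfies(asserted_ref, requested, comparison="exact",
                        levels=CONTEXT_LEVELS):
    """Service provider side check: does the AuthnContextClassRef in the
    received assertion meet what was requested?"""
    return asserted_ref in satisfying_contexts(requested, comparison, levels)


def contexts_for_level(level, levels=CONTEXT_LEVELS):
    """Given the authentication level a provider wants for its local session,
    list the contexts assigned that level (the lookup the Level attribute
    exists for)."""
    return sorted(ref for ref, lvl in levels.items() if lvl == level)
```

Note that a request naming only contexts that have no Level configured is rejected outright; mapping an unknown context to level 0 would let a weak authentication pass a minimum comparison.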

Assertion Time Skew

Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value.

Basic Authentication

Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.

Assertion Processing

Attribute Mapper

Specifies the values to define the mappings used by the default attribute mapper plug-in. The default plug-in class is com.sun.identity.saml2.plugins.DefaultSPAttributeMapper.

Mappings should be configured in the format:

SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name

For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
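The following is an added example, not the OpenSSO DefaultSPAttributeMapper plug-in: it applies Attribute Mapper entries of the form SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name to the AttributeStatement of a received assertion and returns only the mapped user profile attributes. The assertion fragment and the mapping entries are constructed samples; signature and time checks are outside this example.

```python
# Added example (not OpenSSO code): SP-side attribute mapping.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the mapping entries as typed into the console.
MAPPING_ENTRIES = ["EmailAddress=mail", "Address=postaladdress"]

# Constructed sample assertion fragment (unsigned, for illustration only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2009-01-01T00:00:00Z">
  <saml:Issuer>http://www.idp.com</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Address">
      <saml:AttributeValue>1 Main St</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Unmapped">
      <saml:AttributeValue>ignored</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_mapping(entries):
    """Parse 'SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name'
    entries into a dict; malformed entries are rejected, not skipped."""
    mapping = {}
    for entry in entries:
        saml_name, sep, profile_attr = entry.partition("=")
        if not sep or not saml_name.strip() or not profile_attr.strip():
            raise ValueError("bad Attribute Mapper entry: %r" % entry)
        mapping[saml_name.strip()] = profile_attr.strip()
    return mapping


def extract_attributes(assertion_xml):
    """Return {SAML attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_to_profile(assertion_xml, entries):
    """Apply the mapping: only attributes named in the mapping reach the
    local profile; anything else in the assertion is dropped."""
    mapping = parse_mapping(entries)
    profile = {}
    for saml_name, values in extract_attributes(assertion_xml).items():
        local_attr = mapping.get(saml_name)
        if local_attr is None:
            continue
        profile[local_attr] = values
    return profile
```

Dropping unmapped attributes rather than passing them through is the point: the mapping is also the allow-list of what a remote identity provider may write into a local user profile.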

Auto Federation

If enabled, Auto-federation automatically federates a user's different provider accounts based on a common attribute. The Attribute field specifies the attribute used to match a user's different provider accounts when auto-federation is enabled.

Account Mapper

Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default implementation is com.sun.identity.saml2.plugins.DefaultSPAccountMapper.

Artifact Message Encoding

This attribute defines the message encoding format for artifact, either URI or FORM.

Transient User

This attribute specifies the identifier of the user to which all identity provider users will be mapped on the service provider side in cases of single sign-on using the transient name identifier.

URL

The Local Authentication URL specifies the URL of the local login page.

The Intermediate URL specifies a URL to which a user can be directed after authentication and before the original request's URL. An example might be a successful account creation page after the auto-creation of a user account.

The External Application Logout URL defines the logout URL for an external application. Once the server receives a logout request from the remote partner, a request is sent to this logout URL using a back-channel HTTP POST with all cookies. Optionally, a user session property can be sent as an HTTP header and a POST parameter if the query parameter appsessionproperty (set to the session property name) is included in the URL.

Default Relay State

After a successful SAML v2 operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If no RelayState is specified, the user is sent to the URL in this defaultRelayState property.


Caution –

When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz, it must be URL-encoded as:

http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz

and then appended to the URL. For example, the service provider initiated single sign-on URL would be:

http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
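The following is an added example, not code from the OpenSSO Enterprise documentation or product: it builds the service provider initiated single sign-on URL above with a URL-encoded RelayState, and shows what a query-string parser sees when the RelayState is left unencoded. The host, port and deploy-uri placeholders are the ones used on this page; the allow-list of redirect hosts at the end is an extra precaution assumed for the example, not an OpenSSO attribute.

```python
# Added example (not OpenSSO code): RelayState encoding and parsing.
from urllib.parse import parse_qs, quote, urlsplit

# Placeholders taken from the page.
SP_SSO_INIT = "http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp"

# Assumption: hosts this service provider is willing to redirect to.
ALLOWED_RELAY_HOSTS = {"www.sun.com"}


def build_sp_sso_url(meta_alias, idp_entity_id, relay_state, base=SP_SSO_INIT):
    """Return the spSSOInit.jsp URL with RelayState fully percent-encoded.

    safe='' makes quote() encode ':', '/', '?', '=' and '&' in the
    RelayState, so the whole target URL survives as a single query value.
    """
    params = [
        ("metaAlias", quote(meta_alias, safe="/:")),
        ("idpEntityID", quote(idp_entity_id, safe="/:")),
        ("RelayState", quote(relay_state, safe="")),
    ]
    return base + "?" + "&".join("%s=%s" % kv for kv in params)


def relay_state_seen_by_sp(url):
    """Parse the query the way the SP endpoint would and return the
    RelayState value plus any parameter names it did not expect."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    relay = query.get("RelayState", [None])[0]
    expected = ("metaAlias", "idpEntityID", "RelayState")
    unexpected = sorted(k for k in query if k not in expected)
    return relay, unexpected


def relay_state_is_allowed(relay_state, allowed=ALLOWED_RELAY_HOSTS):
    """Only redirect to http(s) URLs on hosts the SP trusts."""
    parts = urlsplit(relay_state)
    return parts.scheme in ("http", "https") and parts.hostname in allowed


if __name__ == "__main__":
    target = "http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz"
    print(build_sp_sso_url("/sp", "http://www.idp.com", target))
    # Unencoded: param2 leaks out of the RelayState into the SP's own query.
    raw = SP_SSO_INIT + "?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=" + target
    print(relay_state_seen_by_sp(raw))
```

With the unencoded form, the parser hands the SP a RelayState that stops at param1=abc and a stray param2 parameter; the user lands on a different page than the one requested. Checking the decoded RelayState against an allow-list before redirecting is the practitioner's usual companion to the encoding rule.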


Adapter

Defines the implementation class for the com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter interface, used to add application-specific processing during the federation process.

Services

Meta Alias

Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


Caution –

The names used in the metaAlias must not contain a /.


Single Logout Service

The Single Logout Service synchronizes the logout functionality across all sessions authenticated by the service provider.

Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:

Manage Name ID Service

This service defines the URLs that are used when communicating with the service provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)

Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:

Assertion Artifact Consumer Service

This service processes the responses that a service provider receives from an identity provider. When a service provider wants to authenticate a user, it sends an authentication request to an identity provider.

Location specifies the URL of the provider to which the request is sent. Index is the integer used to reference this endpoint in the standard metadata. Default marks the URL to be used for the binding when no index is specified.

Advanced

SP URL

Defines the URL endpoint on the service provider that can handle SAE (Secure Attribute Exchange) requests. If this URL is empty (not configured), SAE single sign-on is not enabled, and normal SAMLv2 single sign-on responses are sent to the service provider.

SP Logout URL

Defines the URL endpoint on a Service Provider that can handle SAE global logout requests.

App Secret List

This attribute defines the application security configuration. Each application must have one entry. Each entry has the following format:

url=SPAppURL|type=symmetric or asymmetric|secret=ampassword-encoded shared secret

Request IDP List Finder Implementation

Defines the implementation class of the IDP list finder SPI. This returns a list of preferred identity providers that are trusted by the ECP.

Request IDP List Get Complete

Specifies a URI reference that can be used to retrieve the complete identity provider list if the IDPList element is not complete.

Request IDP List

Defines a list of identity providers for the ECP to contact. This is used by the default implementation of the IDP Finder (for example, com.sun.identity.saml2.plugins.ECPIDPFinder) .

IDP Proxy

Proxy Authentication Configuration attributes define values for dynamic identity provider proxying. Select the check box to enable proxy authentication for a service provider.

Introduction

Select the check box if you want introductions to be used to find the proxying identity provider.

Proxy Count

Enter the maximum number of identity providers that can be used for proxy authentication.

IDP Proxy List

Add a list of identity providers that can be used for proxy authentication. Type the URI defined as the provider's identifier in New Value and click Add.

SAMLv2 Identity Provider Customization

SAMLv2 identity providers contain the following attribute groups:

Assertion Content

Request/Response Signing

Setting the following flags indicates to the identity provider that the service provider must sign specific messages:

Authentication Request 

All authentication requests received by this identity provider must be signed. 

Artifact Resolve 

The service provider must sign the ArtifactResolve element.

Logout Request 

The service provider must sign the LogoutRequest element.

Logout Response 

The service provider must sign the LogoutResponse element.

Manage Name ID Request  

The service provider must sign the ManageNameIDRequest element.

Manage Name ID Response 

The service provider must sign the ManageNameIDResponse element.

Encryption

Select the checkbox to enable encryption for the following elements:

NameID 

The service provider must encrypt all NameID elements.

Certificate Aliases

This attribute defines the certificate alias elements for the identity provider. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

Name ID Format

Defines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support the following types of identifiers:

The Name ID format list is ordered: the first format has the highest priority in determining which Name ID format is used. If the user does not specify a Name ID format when initiating single sign-on, the first format in this list that the remote provider also supports is chosen.

A persistent identifier is saved to a particular user's data store entry as the value of two attributes. A transient identifier is temporary, and no data is written to the user's persistent data store.

Name ID Value Map

This attribute specifies the mapping between a NameID Format and a user profile attribute. If the defined Name ID format is used in a protocol message, the value of the profile attribute is used as the NameID value in the Subject for that format. The syntax of each entry is:

NameID Format=User profile attribute

For example:

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress=mail

To add a new NameID format, the NameID Value Map attribute must be updated with a corresponding entry. The exceptions are persistent, transient and unspecified. For persistent and transient, the NameID value is generated randomly. For unspecified, the entry is optional: if it is specified, the NameID value is the value of the user profile attribute; if it is not, a random value is generated.
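The following is an added example, not code from the OpenSSO Enterprise documentation or product: it selects the NameID value for a requested format according to the Name ID Value Map rules just described, generating opaque random values for persistent and transient identifiers and for unspecified when no entry exists. The value map entries and the user profile are constructed samples; in the product, a generated persistent identifier would additionally be saved to the user's data store entry, which this example does not do.

```python
# Added example (not OpenSSO code): NameID value selection on the IDP.
import secrets

NAMEID_11 = "urn:oasis:names:tc:SAML:1.1:nameid-format:"
NAMEID_20 = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
EMAIL_FORMAT = NAMEID_11 + "emailAddress"
UNSPECIFIED_FORMAT = NAMEID_11 + "unspecified"
PERSISTENT_FORMAT = NAMEID_20 + "persistent"
TRANSIENT_FORMAT = NAMEID_20 + "transient"

# Constructed sample: the entry from the page, as typed into the console.
SAMPLE_VALUE_MAP = [EMAIL_FORMAT + "=mail"]

# Constructed sample user profile (assumed attribute names).
SAMPLE_PROFILE = {"mail": "jdoe@example.com", "uid": "jdoe"}


def parse_value_map(entries):
    """Parse 'NameID Format=User profile attribute' entries. The format URN
    never contains '=', so splitting on the first '=' is safe."""
    value_map = {}
    for entry in entries:
        fmt, sep, attr = entry.partition("=")
        if not sep or not fmt.strip() or not attr.strip():
            raise ValueError("bad Name ID Value Map entry: %r" % entry)
        value_map[fmt.strip()] = attr.strip()
    return value_map


def generate_opaque_id():
    """Random, unguessable identifier; never derived from profile data."""
    return secrets.token_urlsafe(32)


def nameid_value(name_id_format, value_map_entries, profile):
    """Return the NameID value to place in the Subject for this format."""
    value_map = parse_value_map(value_map_entries)
    if name_id_format in (PERSISTENT_FORMAT, TRANSIENT_FORMAT):
        # Always generated, regardless of any value map entry.
        return generate_opaque_id()
    if name_id_format == UNSPECIFIED_FORMAT and name_id_format not in value_map:
        # Entry is optional for unspecified; absent means generate.
        return generate_opaque_id()
    attr = value_map.get(name_id_format)
    if attr is None:
        raise ValueError("no Name ID Value Map entry for %s" % name_id_format)
    value = profile.get(attr)
    if not value:
        raise ValueError("profile attribute %s is missing or empty" % attr)
    return value
```

A format with no entry is an error rather than a silent fallback, so a misconfigured identity provider fails closed instead of emitting an empty or unexpected Subject.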

Authentication Context

This attribute maps the SAMLv2-defined authentication context classes to authentication methods available from the identity provider.

Mapper

Specifies the implementation of the IDPAuthnContextMapper interface used to create the requested authentication context. The default implementation is com.sun.identity.saml2.plugins.DefaultIDPAuthnContextMapper.

Default Authentication Context

Specifies the default authentication context type used by the identity provider if the service provider does not send an authentication context request.

Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The SAMLv2-defined authentication context classes are:

  • InternetProtocol

  • InternetProtocolPassword

  • Kerberos

  • MobileOneFactorUnregistered

  • MobileTwoFactorUnregistered

  • MobileOneFactorContract

  • MobileTwoFactorContract

  • Password

  • Password-ProtectedTransport

  • Previous-Session

  • X509

  • PGP

  • SPKI

  • XMLDSig

  • Smartcard

  • Smartcard-PKI

  • Software-PKI

  • Telephony

  • NomadTelephony

  • PersonalTelephony

  • AuthenticatedTelephony

  • SecureRemotePassword

  • TLSClient

  • Time-Sync-Token

  • Unspecified

Key

Choose the OpenSSO Enterprise authentication type to which the context is mapped.

Value

Type the OpenSSO Enterprise authentication option.

Level

Takes as a value a positive number that maps to an authentication level defined in the OpenSSO Enterprise Authentication Framework. The authentication level indicates how much to trust a method of authentication.

In this framework, each identity provider is configured with a default authentication context (preferred method of authentication). A service provider might, however, ask for a different authentication context, chosen by authentication level. For example, service provider B wants to create a local session with an authentication level of 3, so it asks the identity provider to authenticate the user with an authentication context assigned that level. The identity provider uses this mapping to select the authentication context, and therefore the authentication method, that satisfies the requested level.

Assertion Time

Assertions are valid for a period of time and not before or after. Not Before Time Skew specifies a grace period (in seconds) applied to the notBefore value. The default value is 600. It has no relevance to the notAfter value.

Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.
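The following is an added example, not code from the OpenSSO Enterprise documentation or product. It covers both the service provider's Assertion Time Skew attribute described earlier and the identity provider's Not Before Time Skew and Effective Time attributes above: on the identity provider side it derives NotBefore and NotOnOrAfter from the issue time and Effective Time, and on the service provider side it checks an assertion's Conditions, applying the skew to NotBefore only and no grace period to NotOnOrAfter. The assertion fragment and clock values are constructed.

```python
# Added example (not OpenSSO code): assertion validity window checks.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # xsd:dateTime in UTC, as carried in SAML

# Constructed sample: Conditions as an identity provider would issue them
# with Effective Time = 600 seconds from an IssueInstant of 12:00:00Z.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2009-01-01T12:00:00Z">
  <saml:Issuer>http://www.idp.com</saml:Issuer>
  <saml:Conditions NotBefore="2009-01-01T12:00:00Z"
                   NotOnOrAfter="2009-01-01T12:10:00Z"/>
</saml:Assertion>"""


def parse_saml_time(value):
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def format_saml_time(dt):
    return dt.astimezone(timezone.utc).strftime(TIME_FMT)


def issue_conditions(issue_instant, effective_time=600):
    """Identity provider side: NotBefore is the issue time and NotOnOrAfter
    is the issue time plus Effective Time (default 600 seconds)."""
    not_before = issue_instant
    not_on_or_after = issue_instant + timedelta(seconds=effective_time)
    return format_saml_time(not_before), format_saml_time(not_on_or_after)


def assertion_times_valid(assertion_xml, now, not_before_skew=300):
    """Service provider side: accept an assertion whose NotBefore is at most
    not_before_skew seconds in the future; NotOnOrAfter gets no grace period.
    Returns (ok, reason)."""
    root = ET.fromstring(assertion_xml)
    conditions = root.find("{%s}Conditions" % SAML_NS)
    if conditions is None:
        # An assertion without Conditions has no validity window to check;
        # treat that as a failure rather than as "always valid".
        return False, "no Conditions element"
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before is not None:
        earliest = parse_saml_time(not_before) - timedelta(seconds=not_before_skew)
        if now < earliest:
            return False, "assertion not yet valid"
    if not_on_or_after is not None and now >= parse_saml_time(not_on_or_after):
        return False, "assertion expired"
    return True, "ok"
```

The skew exists because the identity provider's clock may run ahead of the service provider's; it does not extend the lifetime of an assertion, which is why the NotOnOrAfter comparison is strict.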

Basic Authentication

Basic authentication can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.

Assertion Cache

If enabled, this allows the identity provider to cache assertions to be retrieved later.

Bootstrapping

Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.

Assertion Processing

Attribute Mapper

Specifies the values to define the mappings used by the default attribute mapper plug-in. The default plug-in class is com.sun.identity.saml2.plugins.DefaultIDPAttributeMapper.

Mappings should be configured in the format:

SAML-attribute=local-attribute

For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.

Account Mapper

Specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.saml2.plugins.DefaultIDPAccountMapper, the default implementation.

Local Configuration

These attributes contain configuration specific to the OpenSSO Enterprise instance.

Auth URL

Defines the Authentication URL to which the identity provider will redirect for authentication.

External Application Logout URL

The External Application Logout URL defines the logout URL for an external application. Once the server receives a logout request from the remote partner, a request is sent to this logout URL using a back-channel HTTP POST with all cookies. Optionally, a user session property can be sent as an HTTP header and a POST parameter if the query parameter appsessionproperty (set to the session property name) is included in the URL.

Services

Meta Alias

Specifies a metaAlias for the provider being configured. The metaAlias is used to locate the provider's entity identifier and the organization in which it is located. The value is a string equal to the realm or organization name coupled with a forward slash and the provider name. For example, /suncorp/travelprovider.


Caution –

The names used in the metaAlias must not contain a /.


Artifact Resolution Service

Defines the endpoint(s) that support the Artifact Resolution profile. Location specifies the URL of the provider to which the request is sent. Index specifies a unique integer value to the endpoint so that it can be referenced in a protocol message.

Single Logout Service

The Single Logout Service synchronizes the logout functionality across all sessions authenticated by the identity provider.

Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:

Manage Name ID Service

This service defines the URLs that are used when communicating with the service provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)

Location specifies the URL of the provider to which the request is sent. Response Location specifies the URL of the provider to which the response is sent. The binding types are:

Single Sign-On Service

Defines the endpoint(s) that support the profiles of the Authentication Request protocol. All identity providers must support at least one such endpoint.

Location specifies the URL of the provider to which the request is sent. The binding types are:

Advanced

IDP URL

Defines the URL endpoint on the identity provider that can handle SAE (Secure Attribute Exchange) requests.

App Secret List

Defines the application security configuration. Each application must have one entry. Each entry has the following format:

url=IDPAppURL|type=symmetric or asymmetric|secret=ampassword-encoded shared secret (symmetric) or pubkeyalias=alias of the identity provider application's signing certificate (asymmetric)

IDP Mapper Session

Defines the implementation class for the session mapper SPI. The mapper finds a valid session from the HTTP servlet request on the identity provider when the ECP profile is used.

SAMLv2 XACML PDP Customization

XACML PDP contains the following attributes for customization:

Protocol Support Enumeration

Displays the XACML PDP release that is supported by this provider.

urn:liberty:iff:2003-08 refers to Liberty Identity Federation Framework Version 1.2.

urn:liberty:iff:2002-12 refers to Liberty Identity Federation Framework Version 1.1.

Signing Key Alias

Defines the key alias that is used to sign requests and responses.

Encryption Key Alias

Defines the key alias used for XACML encryption.

Basic Authorization

Basic authorization can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.

Authorization Decision Query Signed

When enabled, this attribute enforces that all queries be signed for the XACML authorization decision.

Authorization Service

This attribute defines the type (binding) of the authorization request, and the URL endpoint for receiving the request. By default, the binding type is SOAP.

SAMLv2 XACML PEP Customization

XACML PEP contains the following attributes for customization:

Protocol Support Enumeration

Displays the XACML PEP release that is supported by this provider.

Signing Key Alias

Defines the key alias that is used to sign requests and responses.

Encryption Key Alias

Defines the key alias used for XACML encryption.

Basic Authorization

Basic authorization can be enabled to protect SOAP endpoints. Any provider accessing these endpoints must have the user and password defined in the following two properties: User Name and Password.

Authorization Decision Response Signed

When enabled, this attribute enforces that all responses be signed for the XACML authorization decision.

Assertion Encrypted

When enabled, this attribute enforces that all assertions are to be encrypted.

SAMLv2 Attribute Authority Customization

SAMLv2 Attribute Authority contains the following attributes for customization:

Signing and Encryption

Key Size

The length of the keys used by the Attribute Authority entity when interacting with another entity.

Algorithm

The encryption algorithm used to interact with another entity.

Attribute Service

This attribute defines the URL endpoints that will receive attribute query requests. Location specifies the URL of the provider to which the request is sent. Mapper defines the SPI that finds the attribute mapping authority to return a list of attributes that will be included in a response. The SAMLv2–defined attribute query profiles are:

AssertionID Request

Defines the URLs to which the AssertionIDs are sent from a client to an identity provider in order to retrieve the corresponding assertion. Location specifies the URL of the provider to which the request is sent. Mapper defines the SPI that finds the AssertionID mapping authority to return a list of attributes that will be included in a response. The bindings are:

Attribute Profile

Defines the type of SAMLv2–defined supported attribute profile. Basic is the default type.

Cert Alias

Defines the certificate alias elements. Signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

Subject Data Store

Specifies the name of the data store attribute that contains the X.509 subject DN. It is used to find the user whose attribute value matches the X.509 subject DN. This field is used only in the Attribute Query Profile for X.509 subjects.

SAMLv2 Attribute Query Customization

SAMLv2 Attribute Query contains the following attributes for customization:

NameID Format

Defines the name identifier formats supported by the attribute query provider. Name identifiers are a way for providers to communicate with each other regarding a user. Single sign-on interactions support three types of identifiers:

Cert Alias

This attribute defines the certificate alias elements for the provider. signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

SAMLv2 Authentication Authority Customization

SAMLv2 Authentication Authority contains the following attributes for customization:

Signing and Encryption

Key Size

The length of the keys used by the Authentication Authority entity when interacting with another entity.

Algorithm

The encryption algorithm used to interact with another entity.

Authn Query Service

This attribute defines the URL to which authentication queries are sent.

AssertionID Request

Defines the URLs to which the AssertionIDs are sent from a client to an identity provider in order to retrieve the corresponding assertion. Location specifies the URL of the provider to which the request is sent. The AssertionID request types are:

Cert Alias

This attribute defines the certificate alias elements for the provider. signing specifies the provider certificate alias used to find the correct signing certificate in the keystore. Encryption specifies the provider certificate alias used to find the correct encryption certificate in the keystore.

ID-FF Entity Provider Attributes

The ID-FF provider entity is based on the Liberty-defined ID-FF (Liberty Identity Federation Framework) for implementing single sign-on with federated identities. The ID-FF provider entity allows you to assign and configure the following roles:

ID-FF Identity Provider Customization

The ID-FF identity provider attributes are grouped as follows:

Common Attributes

Provider Type

The static value of this attribute is the type of provider being configured: hosted or remote

Description

The value of this attribute is a description of the identity provider.

Protocol Support Enumeration

Choose the Liberty ID-FF release that is supported by this provider.

Signing Key

Defines the security certificate alias that is used to sign requests and responses.

Encryption Key

Defines the security certificate alias that is used for encryption. For both the Signing Key and the Encryption Key, certificates are stored in a Java keystore file, and each certificate is mapped to an alias that is used to fetch it.

Name Identifier Encryption

Select the check box to enable encryption of the name identifier.

Communication URLs

SOAP Endpoint

Defines a URI to the identity provider’s SOAP message receiver. This value communicates the location of the SOAP receiver in non-browser communications.

Single Sign-on Service URL

Defines a URL to which service providers can send single sign-on and federation requests.

Single Logout Service

Defines a URL to which service providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

Single Logout Return

Defines a URL to which the service providers can send single logout responses.

Federation Termination Service

Defines a URL to which a service provider will send federation termination requests.

Federation Termination Return

Defines a URL to which the service providers can send federation termination responses.

Name Registration Service

Defines a URL to which a service provider will send requests to specify a new name identifier to be used when communicating with the identity provider about a principal. This service can only be used after a federation session is established.

Name Registration Return

Defines a URL to which the service providers can send name registration responses.

Communication Profiles

Federation Termination

Select a profile to notify other providers of a principal’s federation termination:

Single Logout

Select a profile to notify other providers of a principal’s logout:

Name Registration

Select a profile to notify other providers of a principal’s name registration:

Single Sign-on/Federation

Select a profile for sending authentication requests:

Identity Provider Configuration

Provider Alias

Defines the alias name for the local identity provider.

Authentication Type

Select the provider that should be used for authentication requests from a provider hosted locally:

Assertion Issuer

Defines the name of the host that issues the assertion. This value might be the load balancer's host name if OpenSSO Enterprise is behind one.

Responds With

Specifies the type of statements the identity provider can generate. For example lib:AuthenticationStatement.

Provider Status

Defines whether the identity provider is active or inactive. Active, the default, means the identity provider can process requests and generate responses.

Service URL

Home Page URL

Defines the URL of the home page of the identity provider.

Single Sign-on Failure Redirect URL

Defines the URL to which a principal will be redirected if single sign-on has failed.

Federate Page URL

Specifies the URL which performs the federation operation.

Registration Done URL

Defines the URL to which a principal will be directed upon successful Federation registration.

List of COTs Page URL

Defines the URL that lists all of the circle of trusts to which the provider belongs.

Termination URL

Defines the URL to which a principal is directed upon Federation termination.

Termination Done URL

Defines the URL to which a principal is redirected after federation termination is completed.

Error Page URL

Defines the URL to which a principal is directed upon an error.

Logout Done URL

Defines the URL to which a principal is directed after logout.

Plug-ins

Name Identifier Implementation

This field defines the class used by an identity provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

Attribute Statement Plug-in

Specifies a pluggable class used for adding attribute statements to an assertion that is generated during the Liberty-based single sign-on process.

User Provider Class

Specifies a pluggable class used to provide user operations such as finding a user, getting user attributes, and so forth. The default value is:

com.sun.identity.federation.accountmgmt.DefaultFSUserProvider

Identity Provider Attribute Mapper

Attribute Mapper Class

The class used to map user attributes defined locally to attributes in the SAML assertion. There is no default class.

Identity Provider Attribute Mapping

Specify values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:

SAML-attribute=local-attribute

For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.

Bootstrapping

The bootstrapping attribute is:

Generate Discovery Bootstrapping Resource Offering

Select the check box if you want a Discovery Service Resource Offering to be generated during the Liberty-based single sign-on process for bootstrapping purposes.

Auto Federation

Auto Federation

Select the check box to enable auto-federation.

Auto Federation Common Attribute Name

When creating an Auto Federation Attribute Statement, the value of this attribute will be used. The statement will contain the attribute element and this common attribute as its value.

Authentication Context

This attribute defines the identity provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource.

Supported

Select the check box next to the authentication context class if the identity provider supports it.

Context Reference

The Liberty-defined authentication context classes are:

  • Mobile Contract

  • Mobile Digital ID

  • MobileUnregistered

  • Password

  • Password-ProtectedTransport

  • Previous-Session

  • Smartcard

  • Smartcard-PKI

  • Software-PKI

  • Time-Sync-Token

Key

Choose the OpenSSO Enterprise authentication type to which the context is mapped.

Value

Type the OpenSSO Enterprise authentication option.

Level

Choose a priority level for cases where there are multiple contexts.

SAML Attributes

Assertion Interval

Type the interval of time (in seconds) that an assertion issued by the identity provider will remain valid.

Cleanup Interval

Type the interval of time (in seconds) between cleanups of expired assertions.

Artifact Timeout

Type the interval of time (in seconds) to specify the timeout for assertion artifacts.

Assertion Limit

Type a number to define how many assertions an identity provider can issue, or how many assertions that can be stored.

ID-FF Service Provider Customization

The ID-FF service provider attributes are grouped into the following sections:

Common Attributes

Provider Type

The static value of this attribute is the type of provider being configured: hosted or remote.

Description

The value of this attribute is a description of the service provider.

Protocol Support Enumeration

Choose the Liberty ID-FF release that is supported by this provider.

Signing Key

Defines the security certificate alias that is used to sign requests and responses. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

Encryption Key

Defines the security certificate alias that is used for encryption. Certificates are stored in a Java keystore file. Each specific certificate is mapped to an alias that is used to fetch the certificate.

Name Identifier Encryption

Select the check box to enable encryption of the name identifier.

Sign Authentication Request

If enabled, the service provider will sign all authentication requests.

Communication URLs

SOAP Endpoint

Defines a URI to the service provider’s SOAP message receiver. This value communicates the location of the SOAP receiver for non-browser communications.

Single Logout Service

Defines a URL to which identity providers can send logout requests. Single logout synchronizes the logout functionality across all sessions authenticated by the identity provider.

Single Logout Return

Defines a URL to which the identity providers can send single logout responses.

Federation Termination Service

Defines a URL to which an identity provider will send federation termination requests.

Federation Termination Return

Defines a URL to which the identity providers can send federation termination responses.

Name Registration Service

Defines a URL that will be used when communicating with the identity provider to specify a new name identifier for the principal. (Registration can occur only after a federation session is established.)

Name Registration Return

Defines a URL to which the identity providers can send name registration responses. (Registration can occur only after a federation session is established.)

Assertion Consumer URL

Defines the URL to which an Identity Provider can send SAML assertions.

Assertion Consumer Service URL ID

If the value of the Protocol Support Enumeration common attribute is urn:liberty:iff:2003-08, type the required ID.

Set Assertion Consumer Service URL as Default

Select the check box to use the Assertion Consumer Service URL as the default value when no identifier is provided in the request.

Communication Profiles

Federation Termination

Select a profile to notify other providers of a principal’s federation termination.

Single Logout

Select a profile to notify other providers of a principal’s logout.

Name Registration

Select a profile to notify other providers of a principal’s name registration.

Supported SSO Profile

Select a profile for sending authentication requests.

Service Provider Configuration

Provider Alias

Defines an alias name for the local service provider.

Authentication Type

Select the provider that should be used for authentication requests from a provider hosted locally.

Identity Provider Forced Authentication

Select the check box to indicate that the identity provider must re-authenticate (even during a live session) when an authentication request is received. This attribute is enabled by default.

Request Identity Provider to be Passive

Select the check box to specify that the identity provider must not interact with the principal: single sign-on must complete without prompting the user (for example, for credentials), or not at all.

Name Registration After Federation

This option, if enabled, allows for a service provider to participate in name registration after it has been federated.

Name ID Policy

An enumeration permitting requester influence over name identifier policy at the identity provider.

Affiliation Federation

Select the check box to enable affiliation federation.

Provider Status

Defines whether the service provider is active or inactive. Active, the default, means the service provider can process requests and generate responses.

Responds With

Specifies the type of statements the service provider can generate. For example, lib:AuthenticationStatement.

Service URL

List of COTs Page URL

Defines the URL that lists all of the circle of trusts to which the provider belongs.

Federate Page URL

Specifies the URL which performs the federation operation.

Home Page URL

Defines the URL of the home page of the service provider.

Single Sign-on Failure Redirect URL

Defines the URL to which a principal will be redirected if single sign-on has failed.

Termination Done URL

Defines the URL to which a principal is redirected after federation termination is completed.

Error Page URL

Defines the URL to which a principal is directed upon an error.

Logout Done URL

Defines the URL to which a principal is directed after logout.

Plug-ins

Service Provider Adapter

Defines the implementation class for the com.sun.identity.federation.plugins.FSSPAdapter interface. The default value is:

com.sun.identity.federation.plugins.FSDefaultSPAdapter

Federation SP Adapter Env

Defines a list of environment properties to be used by the service provider adapter SPI implementation class.

User Provider Class

Specifies a pluggable class used to provide user operations such as finding a user, getting user attributes, and so forth. The default value is:

com.sun.identity.federation.accountmgmt.DefaultFSUserProvider

Name Identifier Implementation

This field defines the class used by a service provider to participate in name registration. Name registration is a profile by which service providers specify a principal’s name identifier that an identity provider will use when communicating with the service provider. The value is com.sun.identity.federation.services.util.FSNameIdentifierImpl.

Service Provider Attribute Mapper

Attribute Mapper Class

The class used to map attributes in the SAML assertion to user attributes defined locally. There is no default class.

Service Provider Attribute Mapping

Specify values to define the mappings used by the default attribute mapper plug-in specified above. Mappings should be configured in the format:

SAML-attribute=local-attribute

For example, Email=emailaddress or Address=postaladdress. Type the mapping as a New Value and click Add.

Auto Federation

Auto Federation

Select the check box to enable auto-federation.

Auto Federation Common Attribute Name

Defines the user's common LDAP attribute name, such as telephonenumber. When creating an Auto Federation Attribute Statement, the value of this attribute is used: the statement contains the attribute element with this common attribute as its value.

Authentication Context

This attribute defines the service provider's default authentication context class (method of authentication). This method will always be called when the service provider sends an authentication request. This value also specifies the authentication context used by the service provider when an unknown user tries to access a protected resource.

Supported

Select the check box next to the authentication context class if the service provider supports it.

Context Reference

The Liberty-defined authentication context classes are:

  • MobileContract

  • MobileDigitalID

  • MobileUnregistered

  • Password

  • Password-ProtectedTransport

  • Previous-Session

  • Smartcard

  • Smartcard-PKI

  • Software-PKI

  • Time-Sync-Token

Level

Choose a priority level for cases where there are multiple contexts.

Proxy Authentication Configuration

Proxy Authentication Configuration attributes define values for dynamic provider proxying.

Proxy Authentication

Select the check box to enable proxy authentication for a service provider.

Proxy Identity Providers List

Type the identifier of an identity provider that can be used for proxy authentication in New Value and click Add; repeat for each such identity provider. The value is the URI defined as the provider's identifier.

Maximum Number of Proxies

Enter the maximum number of identity providers that can be used for proxy authentication.

Use Introduction Cookie for Proxying

Select the check box if you want introduction cookies to be used to find the proxying identity provider.

WS-Federation Entity Provider Attributes

The WS-Federation entity provider type is based on the WS-Federation protocol. The implementation of this protocol allows single sign-on between OpenSSO Enterprise and the Microsoft Active Directory Federation Service. The WS-Federation provider entity allows you to assign and configure the identity provider and service provider roles. The attributes for each role are described in the following sections.

WS-Federation General Attributes

The following attributes are common to both Identity and Service Provider types:

SP Display Name

This attribute defines the name of the WS-Federation service provider. The default is the meta alias given at creation time.

IDP Display Name

This attribute defines the name of the WS-Federation identity provider. The default is the meta alias given at creation time.

Realm

Displays the realm to which the provider belongs.

Token Issuer Name

Defines a unique identifier for the identity or service provider.

Token Issuer Endpoint

Specifies the URL at which the identity or service provider is providing WS-Federation services. For example:

https://demo.example.com/deploy-uri/WSFederationServlet/metaAlias/example

WS-Federation Identity Provider Customization

The following attributes apply to the WS-Federation Identity Provider role:

NameID Format

Defines the format of the name identifier component of the single sign-on response sent from the identity provider to the service provider. The default is UPN.

NameID Attribute

Defines the attribute in the user's profile that will be used as the name ID value. The default is uid.

Name Includes Domain

When using the UPN format defined in the NameID Format attribute, this specifies whether the NameID Attribute in the user's profile includes a domain. If it does, then the NameID Attribute will be used for the UPN as it is currently defined. Otherwise, it is combined with a domain to form a UPN.

Domain Attribute

When using the UPN format, if the Name Includes Domain attribute is not selected, this specifies an attribute in the user's profile to be used as the UPN domain.

UPN Domain

When using the UPN format, if the Name Includes Domain attribute is not selected, and if a value for Domain Attribute is not specified, or if there is no value for that attribute for a particular user, then this attribute is used to construct the UPN.

Signing Cert Alias

This attribute specifies the provider certificate alias used to find the assertion signing certificate in the keystore.

Claim Types

Specifies the claim type so the WS-Federation service can recognize the type of token that is exchanged between federation partners.

The EmailAddress claim type is used to identify a specific security principal by an email address.

The UPN claim type is used to identify a specific security principal via a User Principal Name.

The CommonName claim type is used to identify a security principal via a CN value consistent with X.500 naming conventions. The value of this claim is not necessarily unique and should not be used for authorization purposes.

Account Mapper

This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfederation.plugins.DefaultIDPAccountMapper.

Attribute Mapper

This defines the class used to map attributes in the assertion to user attributes defined locally by the identity provider. The default class is com.sun.identity.wsfederation.plugins.DefaultIDPAttributeMapper.

Attribute Map

Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:

SAML_Assertion_Attribute_Name=User_Profile_Attribute_Name

For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.

Assertion Effective Time

Assertions are valid for a period of time and not before or after.

Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.

WS-Federation Service Provider Customization

The following attributes apply to the WS-Federation service provider role:

Assertion Signed

All assertions received by this service provider must be signed.

Account Mapper

This attribute specifies the implementation of the AccountMapper interface used to map a remote user account to a local user account for purposes of single sign-on. The default value is com.sun.identity.wsfederation.plugins.DefaultADFSPartnerAccountMapper.

Attribute Mapper

This defines the class used to map attributes in the assertion to user attributes defined locally by the service provider. The default class is com.sun.identity.wsfederation.plugins.DefaultSPAttributeMapper.

Attribute Map

Specifies values to define the mappings used by the default attribute mapper plug-in. Mappings should be configured in the format:

SAML_attr=local-attribute

For example, EmailAddress=mail or Address=postaladdress. Type the mapping as a New Value and click Add.
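
The mapping format above is the same one used by the ID-FF identity provider and service provider Attribute Mapping fields and by both WS-Federation Attribute Map fields. The following is an added example, not code from the OpenSSO documentation or product, that parses such entries and applies them on the receiving side (assertion attribute name to local profile attribute name). The function names, attribute names and values in it are constructed for illustration.

```python
from typing import Dict, List


def parse_attribute_map(entries: List[str]) -> Dict[str, str]:
    """Parse console entries of the form SAML-attribute=local-attribute.

    Each entry is one 'New Value' from the console. Whitespace around the
    names is ignored. Entries without '=' or with an empty side, and
    duplicate SAML attribute names, raise instead of being silently
    dropped, so a typo in the console shows up as an error rather than as
    a profile attribute that is never populated.
    """
    mapping: Dict[str, str] = {}
    for entry in entries:
        if "=" not in entry:
            raise ValueError(f"malformed mapping (no '='): {entry!r}")
        remote, local = (part.strip() for part in entry.split("=", 1))
        if not remote or not local:
            raise ValueError(f"malformed mapping (empty side): {entry!r}")
        if remote in mapping:
            raise ValueError(f"duplicate mapping for {remote!r}")
        mapping[remote] = local
    return mapping


def apply_attribute_map(mapping: Dict[str, str],
                        assertion_attrs: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Translate assertion attribute names into local profile attribute names.

    Only attributes present in the map are copied. Anything else the
    partner sends is ignored on purpose: the partner must not be able to
    write an arbitrary local attribute (a role or group attribute, say)
    just by including it in the assertion.
    """
    local: Dict[str, List[str]] = {}
    for remote, values in assertion_attrs.items():
        if remote in mapping:
            local[mapping[remote]] = list(values)
    return local


if __name__ == "__main__":
    # Constructed sample: the two console examples plus an unmapped attribute.
    attr_map = parse_attribute_map(["Email=emailaddress", "Address=postaladdress"])
    print(apply_attribute_map(attr_map, {"Email": ["jdoe@example.com"],
                                         "Role": ["admin"]}))
```

Rejecting malformed entries and dropping unmapped assertion attributes are both deliberate; on the issuing side the same map is simply read in the other direction.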

Assertion Effective Time

Assertions are valid for a period of time and not before or after.

Effective Time specifies (in seconds) the amount of time that an assertion is valid counting from the assertion's issue time. The default value is 600 seconds.

Assertion Skew Time

Assertions are valid for a period of time and not before or after. This attribute specifies a grace period (in seconds) for the notBefore value. The default value is 300. It has no relevance to the notAfter value.
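
The following added example (not from the OpenSSO documentation or product) shows how Effective Time and Skew Time combine on the receiving side, using the console defaults of 600 and 300 seconds. The timestamps are constructed and the function names are hypothetical, not product APIs.

```python
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Console defaults quoted in the text; assumed to be what the deployment uses.
EFFECTIVE_TIME_SECONDS = 600
SKEW_TIME_SECONDS = 300


def parse_saml_instant(value: str) -> datetime:
    """Parse a UTC xs:dateTime as it appears in assertions, e.g. 2008-11-03T10:15:00Z."""
    if not value.endswith("Z"):
        raise ValueError(f"expected a UTC timestamp ending in 'Z': {value!r}")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validity_window(issue_instant: datetime,
                    effective_time: int = EFFECTIVE_TIME_SECONDS) -> Tuple[datetime, datetime]:
    """NotBefore and NotOnOrAfter as the issuer derives them from Effective Time."""
    if effective_time <= 0:
        raise ValueError("effective time must be positive")
    return issue_instant, issue_instant + timedelta(seconds=effective_time)


def assertion_in_window(not_before: datetime, not_on_or_after: datetime,
                        now: datetime, skew_time: int = SKEW_TIME_SECONDS) -> bool:
    """Receiver-side check: accept only if notBefore - skew <= now < notOnOrAfter.

    The skew is subtracted from notBefore only, matching the Skew Time text;
    it never extends notOnOrAfter. A receiver whose clock runs ahead of the
    issuer therefore rejects assertions near the end of the window, and the
    remedy is clock synchronization, not a larger skew.
    """
    for stamp in (not_before, not_on_or_after, now):
        if stamp.tzinfo is None:
            raise ValueError("all timestamps must be timezone-aware")
    if skew_time < 0:
        raise ValueError("skew must not be negative")
    earliest = not_before - timedelta(seconds=skew_time)
    return earliest <= now < not_on_or_after


def check_conditions(not_before: str, not_on_or_after: str, now: datetime,
                     skew_time: int = SKEW_TIME_SECONDS) -> bool:
    """Same check, taking the Conditions attribute strings straight from the assertion."""
    return assertion_in_window(parse_saml_instant(not_before),
                               parse_saml_instant(not_on_or_after), now, skew_time)
```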

Default Relay State

After a successful WS-Federation operation (single sign-on, single logout, or federation termination), a page is displayed. This page, generally the originally requested resource, is specified in the initiating request using the RelayState element. If a RelayState is not specified, the value of this defaultRelayState property is displayed.


Caution –

When RelayState or defaultRelayState contains special characters (such as &), it must be URL-encoded. For example, if the value of RelayState is http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz, it must be URL-encoded as:

http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz

and then appended to the URL. For example, the service provider initiated single sign-on URL would be:

http://host:port/deploy-uri/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=http://www.idp.com&RelayState=http%3A%2F%2Fwww.sun.com%2Fapps%2Fmyapp.jsp%3Fparam1%3Dabc%26param2%3Dxyz
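
An added example, not from the OpenSSO documentation or product, that produces the encoded RelayState shown in the caution above and assembles the SP-initiated URL. It also checks the RelayState against an allowlist of destination hosts before using it; that check is added practice (an unchecked RelayState makes the SSO endpoint an open redirect), and the allowlisted host www.sun.com, the deployment URI in the usage and the function names are assumptions.

```python
from typing import Iterable
from urllib.parse import parse_qs, quote, urlsplit

# Assumption for this example: the only external host the SP may return users to.
ALLOWED_RELAY_HOSTS = frozenset({"www.sun.com"})


def encode_relay_state(relay_state: str) -> str:
    """Percent-encode RelayState so ':', '/', '?', '=' and '&' travel as data.

    safe="" matters: quote()'s default leaves '/' alone, and an unencoded '&'
    would split the RelayState into extra query parameters on the receiving end.
    """
    return quote(relay_state, safe="")


def relay_state_is_allowed(relay_state: str,
                           allowed_hosts: Iterable[str] = ALLOWED_RELAY_HOSTS) -> bool:
    """Added practice, not from the console text: refuse RelayState values that
    would turn the SSO endpoint into an open redirect.

    Accepts a site-relative path ('/apps/x') or an absolute http(s) URL whose
    host is in the allowlist. Rejects protocol-relative '//evil.example/...',
    other schemes such as javascript:, and hosts outside the allowlist.
    """
    if relay_state.startswith("/") and not relay_state.startswith("//"):
        return True
    parts = urlsplit(relay_state)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    return parts.hostname.lower() in {h.lower() for h in allowed_hosts}


def build_sp_initiated_sso_url(base_url: str, meta_alias: str,
                               idp_entity_id: str, relay_state: str) -> str:
    """Assemble the spSSOInit.jsp URL with every parameter value encoded."""
    if not relay_state_is_allowed(relay_state):
        raise ValueError(f"RelayState not allowed: {relay_state!r}")
    return (f"{base_url}/saml2/jsp/spSSOInit.jsp"
            f"?metaAlias={quote(meta_alias, safe='/')}"
            f"&idpEntityID={quote(idp_entity_id, safe='')}"
            f"&RelayState={encode_relay_state(relay_state)}")


def extract_relay_state(url: str) -> str:
    """What the receiving side sees after standard query-string decoding."""
    return parse_qs(urlsplit(url).query)["RelayState"][0]


if __name__ == "__main__":
    # Constructed usage; the deployment URI is assumed.
    print(build_sp_initiated_sso_url(
        "http://sp.example.com:8080/deploy-uri", "/sp", "http://www.idp.com",
        "http://www.sun.com/apps/myapp.jsp?param1=abc&param2=xyz"))
```

Unlike the hand-written URL in the caution, this also encodes the idpEntityID value; a receiver that decodes the query string sees the same entity ID either way.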


Home Realm Discovery

Specifies the service so that the service provider can identify the preferred identity provider. The service URL is specified as a contact endpoint by the service provider.

Account Realm Selection

Specifies the identity provider selection mechanism and configuration. Either the cookie or HTTP Request header attribute can be used to locate the identity provider.

Chapter 7 Configuration Attributes

The Configuration page allows administrators to manage attribute values of the services that OpenSSO Enterprise offers. The attributes that comprise an OpenSSO Enterprise service are classified as one of the following types:

Global – Applied across the OpenSSO Enterprise configuration. They cannot be applied to users, roles or realms as the goal of global attributes is to customize OpenSSO Enterprise.

Realm – Realm attributes are only assigned to realms. No object classes are associated with realm attributes. For instance, attributes listed in the authentication services are defined as realm attributes because authentication is done at the realm level rather than at a subtree or user level.

Dynamic – Applies to an OpenSSO Enterprise configured role or realm. When the role is assigned to a user or a user is created in a realm, the dynamic attribute then becomes a characteristic of the user.

User – Applies directly to each user. They are not inherited from a role or a realm and, typically, are different for each user.


Note –

In previous releases, many attributes were only configurable through the AMConfig.properties file. This file has been deprecated, and all of its properties are now defined in the OpenSSO Enterprise console and stored in the configuration directory datastore. For information on AMConfig.properties for backwards compatibility on systems that have been upgraded to OpenSSO Enterprise 8.0, see the Sun Java System Access Manager 7.1 Administration Reference.


The Configuration attributes you can modify are:

Authentication

OpenSSO is installed with a set of default authentication module types. An authentication module instance is a plug-in that collects user information such as a user ID and password, checks the information against entries in a database, and allows or denies access to the user. Multiple instances of the same type can be created and configured separately.

This section provides attribute descriptions that configure the default authentication module types.

See Chapter 3, Configuring Authentication, in Sun OpenSSO Enterprise 8.0 Administration Guide for more information on the authentication modules and configuring an authentication process.

Active Directory

This module type works similarly to the LDAP authentication module type, but uses the Microsoft Active Directory instead of an LDAP directory. Using this module type makes it possible to have both LDAP and Active Directory coexist under the same realm. The Active Directory authentication attributes are realm attributes. The attributes are:

Primary Active Directory Server

Specifies the host name and port number of the primary Active Directory server specified during OpenSSO Enterprise installation. This is the first server contacted for Active Directory authentication. The format is hostname:port. If no port number is given, 389 is assumed.

If you have OpenSSO Enterprise deployed with multiple domains, you can specify the communication link between specific instances of OpenSSO Enterprise and Directory Server in the following format (multiple entries must be prefixed by the local server name):

local_servername|server:port local_servername2|server2:port2 ...

For example, if you have two OpenSSO Enterprise instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look like the following:

L1-machine1-IS.example.com|L1-machine1-DS.example.com:389

L2-machine2-IS.example.com|L2-machine2-DS.example.com:389

Secondary Active Directory Server

Specifies the host name and port number of a secondary Active Directory server available to the OpenSSO Enterprise platform. If the primary Active Directory server does not respond to a request for authentication, this server is contacted instead. Once the primary server is reachable again, OpenSSO Enterprise switches back to it. The format is also hostname:port. Multiple entries must be prefixed by the local server name.


Caution –

When authenticating users from a Directory Server that is remote from the OpenSSO Enterprise, it is important that both the Primary and Secondary LDAP Server Ports have values. The value for one Directory Server location can be used for both fields.


DN to Start User Search

Specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists. Multiple entries must be prefixed by the local server name. The format is servername|search dn.

For multiple entries:

servername1|search dn servername2|search dn servername3|search dn...

If multiple entries with the same user ID exist under the root organization, set this parameter so that only one entry can be found; otherwise the user cannot be authenticated. For example, where an agent ID and a user ID are the same under the root organization, set this parameter to ou=Agents for the root organization to authenticate using the agent ID, and to ou=People for the root organization to authenticate using the user ID.
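
The server-prefixed entry format used by Primary and Secondary Active Directory Server and by DN to Start User Search (and, later in this chapter, by LDAP Start Search DN in the Certificate module) can be resolved as in the following added example, which is not part of the product or its documentation. It assumes each console value is one entry, that host names compare case-insensitively, and that 389 is the default port when none is given; the host names in the usage are the ones from the text.

```python
from typing import List, Sequence, Tuple

DEFAULT_LDAP_PORT = 389  # assumed when an entry gives no port, as the text says


def entries_for_local_server(entries: Sequence[str], local_server: str) -> List[str]:
    """Select the console entries that apply to this OpenSSO Enterprise instance.

    'local_server|value' applies only when local_server names this instance
    (host names compared case-insensitively); an entry with no '|' prefix
    applies to every instance. Order is preserved, so the primary/secondary
    ordering of the console entries is kept. Works for host:port values and
    for search DNs alike.
    """
    local = local_server.strip().lower()
    selected: List[str] = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        if "|" in entry:
            prefix, value = entry.split("|", 1)
            if prefix.strip().lower() != local:
                continue
            entry = value.strip()
        selected.append(entry)
    return selected


def parse_host_port(value: str, default_port: int = DEFAULT_LDAP_PORT) -> Tuple[str, int]:
    """Split 'hostname:port' (or a bare 'hostname') into (host, port).

    IPv6 literals are not handled; the console format in the text is hostname:port.
    """
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, default_port
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad server entry: {value!r}")
    return host, int(port)


def directory_servers(entries: Sequence[str], local_server: str,
                      default_port: int = DEFAULT_LDAP_PORT) -> List[Tuple[str, int]]:
    """Resolve the Primary/Secondary server entries for this instance.

    Failing when nothing applies is intentional: an instance whose name
    matches no prefixed entry would otherwise end up with no directory
    server at all, which is easier to catch at startup than at login time.
    """
    servers = [parse_host_port(v, default_port)
               for v in entries_for_local_server(entries, local_server)]
    if not servers:
        raise ValueError(f"no directory server entry applies to {local_server!r}")
    return servers


if __name__ == "__main__":
    # Constructed usage built from the two-location example in the text.
    print(directory_servers(
        ["L1-machine1-IS.example.com|L1-machine1-DS.example.com:389",
         "L2-machine2-IS.example.com|L2-machine2-DS.example.com:389"],
        "L1-machine1-IS.example.com"))
```

Note that port 389 without the SSL Access option means cleartext LDAP, including the bind password; a deployment that talks to a remote directory should pair these entries with LDAPS.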

DN for Root User Bind

Specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default is amldapuser. Any valid DN will be recognized.

Make sure that the password is correct before you log out. If it is incorrect, you will be locked out. If this should occur, you can log in with the super user DN. By default, this is the amAdmin account with which you would normally log in, although you will use the full DN. For example:

uid=amAdmin,ou=People,OpenSSO-deploy-base

Password for Root User Bind

Carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid Active Directory password is recognized.

Password for Root User Bind (confirm)

Confirm the password.

Attribute Used to Retrieve User Profile

Specifies the attribute used for the naming convention of user entries. By default, OpenSSO Enterprise assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname), specify the attribute name in this field.

Attributes Used to Search for a User to be Authenticated

Lists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber, and mail, the user could authenticate with any of these names.

User Search Filter

Specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.
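
Added example, not product code: building the user search filter from the Attributes Used to Search for a User to be Authenticated list, the User Search Filter field and the login ID. The login ID is user-controlled, so it is escaped per RFC 4515 before it is placed in the filter. Treating User Search Filter as either a bare attr=value or an already parenthesized filter, and the function names, are assumptions of this example, not statements about the product.

```python
import re
from typing import Optional, Sequence

# An LDAP attribute type descriptor: a letter, then letters, digits or hyphens.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# RFC 4515 escapes for the characters that would otherwise change the filter structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so user input cannot add or alter filter clauses."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_search_filter(login_id: str, search_attrs: Sequence[str],
                             user_search_filter: Optional[str] = None) -> str:
    """Build the filter used to locate the entry for login_id.

    search_attrs is the 'Attributes Used to Search for a User to be
    Authenticated' list; several attributes become an OR so the user may log
    in with any of them. user_search_filter is the 'User Search Filter' field
    and is AND-ed in when set. Attribute names come from configuration, but
    validating them is cheap and stops a stray parenthesis from reaching the
    directory.
    """
    if not search_attrs:
        raise ValueError("at least one search attribute is required")
    for attr in search_attrs:
        if not _ATTR_NAME.match(attr):
            raise ValueError(f"invalid attribute name in configuration: {attr!r}")
    if not login_id:
        raise ValueError("empty login ID")
    value = escape_filter_value(login_id)
    clauses = "".join(f"({attr}={value})" for attr in search_attrs)
    id_filter = f"(|{clauses})" if len(search_attrs) > 1 else clauses
    if user_search_filter and user_search_filter.strip():
        extra = user_search_filter.strip()
        if not extra.startswith("("):
            extra = f"({extra})"
        return f"(&{extra}{id_filter})"
    return id_filter


def require_single_match(matched_dns: Sequence[str]) -> str:
    """The search must yield exactly one entry to bind as.

    Zero or several matches is a failure, which is why the text says to narrow
    DN to Start User Search when agent IDs and user IDs collide.
    """
    if len(matched_dns) != 1:
        raise LookupError(f"expected exactly one matching entry, found {len(matched_dns)}")
    return matched_dns[0]


if __name__ == "__main__":
    # Constructed usage: the three attributes named in the text plus a hostile login ID.
    print(build_user_search_filter("jdoe", ["uid", "employeenumber", "mail"], "objectclass=person"))
    print(build_user_search_filter("*)(uid=*", ["uid"]))
```

The second usage line shows why the escaping matters: without it, a login ID of *)(uid=* would become a filter that matches every entry.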

Search Scope

Indicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in DN to Start User Search. The default value is SUBTREE. One of the following choices can be selected from the list:

OBJECT

Searches only the specified node.

ONELEVEL

Searches the entries one level below the specified node; the node itself is not searched.

SUBTREE

Search all entries at and below the specified node.

SSL Access to Active Directory Server

Enables SSL access to the Directory Server specified in the Primary and Secondary Server and Port field. By default, the box is not checked and the SSL protocol will not be used to access the Directory Server.

If the Active Directory server is running with SSL enabled (LDAPS), you must make sure that OpenSSO Enterprise is configured with the proper SSL trusted certificates so that it can connect to the Active Directory server over LDAPS.

Return User DN to Authenticate

When the OpenSSO Enterprise directory is the same as the directory configured for Active Directory, this option may be enabled. If enabled, this option allows the Active Directory authentication module instance to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module instance returns only the User ID, and the authentication service searches for the user in the local OpenSSO Enterprise instance. If an external Active Directory is used, this option is typically not enabled.

Active Directory Server Check Interval

This attribute is used for Active Directory Server failback. It defines the number of minutes a thread sleeps before verifying that the primary Active Directory server is running again.

User Creation Attributes

This attribute is used by the Active Directory authentication module instance when the Active Directory server is configured as an external Active Directory server. It contains a mapping of attributes between a local and an external Directory Server. This attribute has the following format:

attr1|externalattr1

attr2|externalattr2

When this attribute is populated, the values of the external attributes are read from the external Directory Server and are set for the internal Directory Server attributes. The values of the external attributes are set in the internal attributes only when the User Profile attribute (in the Core Authentication module type) is set to Dynamically Created and the user does not exist in the local Directory Server instance. The newly created user will contain the values for internal attributes, as specified in User Creation Attributes List, with the external attribute values to which they map.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


Anonymous

This module type allows a user to log in without specifying credentials. You can create an Anonymous user so that anyone can log in as Anonymous without having to provide a password. Anonymous connections are usually customized by the OpenSSO Enterprise administrator so that Anonymous users have limited access to the server. The Anonymous authentication attributes are realm attributes. The attributes are:

Valid Anonymous Users

Contains a list of user IDs that have permission to log in without providing credentials. If a user's login name matches a user ID in this list, access is granted and the session is assigned to the specified user ID.

If this list is empty, accessing the following default module instance login URL will be authenticated as the Default Anonymous User Name:

protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name

If this list is not empty, accessing the default module instance login URL (same as above) will prompt the user to enter any valid Anonymous user name. If this list is not empty, the user can log in without seeing the login page by accessing the following URL:

protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name&IDToken1=<valid Anonymous username>

Default Anonymous User Name

Defines the user ID that a session is assigned to if Valid Anonymous User List is empty and the following default module instance login URL is accessed:

protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name

The default value is anonymous. An Anonymous user must also be created in the realm.


Note –

If Valid Anonymous User List is not empty, you can log in without accessing the login page by using the user defined in Default Anonymous User Name. This can be done by accessing the following URL:

protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name&IDToken1=<Default Anonymous User Name>


Case Sensitive User IDs

If enabled, this option allows for case-sensitivity for user IDs. By default, this attribute is not enabled.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


Authentication Configuration

Once an authentication module instance is defined, the instance can be configured for authentication module chaining, to supply redirect URLs, and a post-processing Java class specification based on a successful or failed authentication process. Before an authentication module instance can be configured, the Core authentication attribute Organization Authentication Configuration must be modified to include the specific authentication module instance name.

Certificate

This module enables a user to log in through a personal digital certificate (PDC). The module instance can require the use of the Online Certificate Status Protocol (OCSP) to determine the state of a certificate. Use of the OCSP is optional. The user is granted or denied access to a resource based on whether or not the certificate is valid. The Certificate authentication attributes are realm attributes. The attributes are:

Match Certificate in LDAP

Specifies whether to check whether the user certificate presented at login is stored in the LDAP server. If no match is found, the user is denied access. If a match is found and no other validation is required, the user is granted access. By default, the Certificate Authentication service does not check for the user certificate.


Note –

A certificate stored in the Directory Server is not necessarily valid; it may be on the certificate revocation list. See Match Certificate to CRL. However, the web container may check the validity of the user certificate presented at login.


Subject DN Attribute Used to Search LDAP for Certificates

Specifies the attribute of the certificate's SubjectDN value that will be used to search LDAP for certificates. This attribute must uniquely identify a user entry. The actual value will be used for the search. The default is cn.

Match Certificate to CRL

Specifies whether to compare the user certificate against the Certificate Revocation List (CRL) in the LDAP Server. The CRL is located by one of the attribute names in the issuer's SubjectDN. If the certificate is on the CRL, the user is denied access; if not, the user is allowed to proceed. This attribute is, by default, not enabled.

Certificates should be revoked when the owner of the certificate has changed status and no longer has the right to use the certificate or when the private key of a certificate owner has been compromised.

Issuer DN Attribute Used to Search LDAP for CRLs

Specifies the attribute of the received certificate's issuer subjectDN value that will be used to search LDAP for CRLs. This field is used only when the Match Certificate to CRL attribute is enabled. The actual value will be used for the search. The default is cn.
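
The Subject DN and Issuer DN attribute settings above both require taking one attribute value out of a DN string before searching the directory. The following is an added example, not from the OpenSSO documentation or product: an RFC 4514 DN parser that honours escaped commas and hex escapes, with a helper that enforces the "must uniquely identify" requirement on the DN side. The DNs and function names are constructed; the value returned still needs LDAP filter escaping before it is placed in a search filter.

```python
from typing import List, Optional, Tuple

_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (type, value) pairs, in the order written.

    Honours backslash escapes (\\, \\+ \\\\ \\" ...) and \\XX hex escapes, so a
    value such as 'Example\\, Inc.' is not split at its comma and a UTF-8
    sequence such as \\c3\\a9 decodes to the intended character. Values of a
    multi-valued RDN (joined with '+') are returned as separate pairs.
    """
    pairs: List[Tuple[str, str]] = []
    attr_type: Optional[str] = None
    buf: List[str] = []
    raw = bytearray()          # pending bytes from consecutive \XX escapes
    i, n = 0, len(dn)

    def flush_raw() -> None:
        if raw:
            buf.append(raw.decode("utf-8"))
            raw.clear()

    while i < n:
        ch = dn[i]
        if ch == "\\" and i + 1 < n:
            if i + 2 < n and dn[i + 1] in _HEX and dn[i + 2] in _HEX:
                raw.append(int(dn[i + 1:i + 3], 16))
                i += 3
                continue
            flush_raw()
            buf.append(dn[i + 1])   # escaped special character, taken literally
            i += 2
            continue
        flush_raw()
        if attr_type is None and ch == "=":
            attr_type = "".join(buf).strip()
            buf.clear()
        elif attr_type is not None and ch in ",+":
            pairs.append((attr_type, "".join(buf).strip()))
            attr_type = None
            buf.clear()
        else:
            buf.append(ch)
        i += 1
    flush_raw()
    if attr_type is None:
        raise ValueError(f"not a DN (missing '='): {dn!r}")
    pairs.append((attr_type, "".join(buf).strip()))
    return pairs


def dn_attribute_values(dn: str, attr_type: str) -> List[str]:
    """All values of attr_type in dn; attribute types compare case-insensitively."""
    want = attr_type.strip().lower()
    return [value for atype, value in parse_dn(dn) if atype.lower() == want]


def unique_dn_attribute(dn: str, attr_type: str) -> str:
    """Enforce the 'must uniquely identify a user entry' rule on the DN side.

    A certificate whose subject carries two CNs, or none, is rejected rather
    than letting the first one win, which is what a search on a guessed value
    would do. The returned value still needs LDAP filter escaping before use.
    """
    values = dn_attribute_values(dn, attr_type)
    if len(values) != 1 or not values[0]:
        raise ValueError(f"{attr_type} must appear exactly once in {dn!r} (found {len(values)})")
    return values[0]


if __name__ == "__main__":
    # Constructed subject DN with an escaped comma in the organization name.
    subject = "CN=John Doe,OU=People,O=Example\\, Inc.,C=US"
    print(parse_dn(subject))
    print(unique_dn_attribute(subject, "cn"))
```

Splitting on commas with a plain string split would cut "Example, Inc." in two and, worse, let an attacker-chosen subject containing an escaped comma shift which component is read as the cn.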

HTTP Parameters for CRL Update

Specifies the HTTP parameters for obtaining a CRL from a servlet for a CRL update. Contact the administrator of your CA for these parameters.

OCSP Validation

Enables OCSP validation to be performed by contacting the corresponding OCSP responder. The OCSP responder is decided as follows during runtime. The attributes mentioned are located in the console at Configuration > Servers and Sites > Security:

Before enabling OCSP Validation, make sure that the clocks of the OpenSSO Enterprise machine and the OCSP responder machine are synchronized as closely as possible. Also, the time on the OpenSSO Enterprise machine must not be behind the time on the OCSP responder. For example:

OCSP responder machine - 12:00:00 pm

OpenSSO Enterprise machine - 12:00:30 pm
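The following is an added example, not code from OpenSSO Enterprise or from this reference, of two checks the Certificate module is described as performing on a presented client certificate: picking the Subject DN attribute (cn by default) used for the LDAP certificate search, and validating the certificate chain with OCSP, falling back to a CRL. It uses only the standard Java PKIX API (Java 8 or later for PKIXRevocationChecker); the package name com.example.auth and the class name ClientCertCheck are placeholders, and the trust anchors, chain and responder URI are supplied by the caller.

```java
package com.example.auth; // hypothetical package, not part of OpenSSO

import java.net.URI;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Date;
import java.util.EnumSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Illustration (not OpenSSO code) of the subject-attribute lookup and the
 * revocation check the Certificate module is documented to perform.
 */
public final class ClientCertCheck {

    private ClientCertCheck() { }

    /**
     * Returns the value of the Subject DN attribute (cn by default) that is used
     * to search LDAP for the user's certificate, or null when the subject has
     * no RDN of that type.
     */
    public static String subjectAttribute(X509Certificate cert, String attrName)
            throws InvalidNameException {
        // getName() yields RFC 2253 form, which LdapName parses reliably
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase(attrName)) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /**
     * Validates a leaf-first chain against the trust anchors and checks the
     * end-entity certificate's revocation status. OCSP is tried first and CRLs
     * are the fallback. SOFT_FAIL is deliberately not set: an unreachable
     * responder fails the login rather than admitting a possibly revoked
     * certificate.
     */
    public static void validateWithRevocation(X509Certificate[] chain,
                                              Set<TrustAnchor> anchors,
                                              URI ocspResponder)
            throws CertificateException, NoSuchAlgorithmException,
                   InvalidAlgorithmParameterException, CertPathValidatorException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(chain));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocation =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        if (ocspResponder != null) {
            // Explicit responder, as when one is configured centrally; otherwise
            // the responder named in the certificate's AIA extension is used.
            revocation.setOcspResponder(ocspResponder);
        }
        // Check only the end-entity certificate, the one the user presented.
        revocation.setOptions(EnumSet.of(PKIXRevocationChecker.Option.ONLY_END_ENTITY));

        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(revocation);
        // Validity periods and the OCSP thisUpdate/nextUpdate window are judged
        // against this clock, which is why the OpenSSO host and the responder
        // must agree on the time.
        params.setDate(new Date());

        validator.validate(path, params); // throws CertPathValidatorException on any failure
    }
}
```

A chain whose OCSP response is "good" but was produced by a responder whose clock is ahead of this host can still fail with a CertPathValidatorException about the response not yet being valid; that is the skew the text above warns about.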

LDAP Server Where Certificates are Stored

Specifies the name and port number of the LDAP server where the certificates are stored. The default value is the host name and port specified when OpenSSO Enterprise was installed. The host name and port of any LDAP Server where the certificates are stored can be used. The format is hostname:port.

LDAP Start Search DN

Specifies the DN of the node where the search for the user's certificate should start. There is no default value. The field will recognize any valid DN.

Multiple entries must be prefixed by the local server name. The format is as follows:

servername|search dn

For multiple entries:

servername1|search dn servername2|search dn servername3|search dn...

If multiple entries exist under the root organization with the same user ID, set this parameter so that only one entry can be found during authentication. For example, where the agent ID and the user ID are the same under the root organization, set this parameter to ou=Agents for the root organization to authenticate using the agent ID, or to ou=People for the root organization to authenticate using the user ID.

LDAP Server Principal User

This field accepts the DN of the principal user for the LDAP server where the certificates are stored. There is no default value; the field recognizes any valid DN. The principal user must be authorized to read and search certificate information stored in the Directory Server.

LDAP Server Principal Password

This field carries the LDAP password associated with the user specified in the LDAP Server Principal User field. There is no default value; the field recognizes the valid LDAP password for the specified principal user. This value is stored as readable text in the directory.

LDAP Server Principal Password (confirm)

Confirm the password.

Use SSL for LDAP Access

Specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.

Certificate Field Used to Access User Profile

Specifies which field in the certificate's Subject DN should be used to search for a matching user profile. For example, if you choose email address, the certificate authentication service will search for the user profile that matches the attribute emailAddr in the user certificate. The user logging in then uses the matched profile. The default field is subject CN. The list contains:

Other Certificate Field Used to Access User Profile

If the value of the Certificate Field Used to Access User Profile attribute is set to other, then this field specifies the attribute that will be selected from the received certificate's subjectDN value. The authentication service will then search the user profile that matches the value of that attribute.

SubjectAltNameExt Value Type to Access User Profile

If any value type other than none is selected, this attribute takes precedence over the Certificate Field Used to Access User Profile and Other Certificate Field Used to Access User Profile attributes.

Trusted Remote Hosts

Defines a list of hosts that are trusted to send certificates to OpenSSO Enterprise. OpenSSO Enterprise verifies that a presented certificate came from one of these hosts. This attribute is used for the Portal Server gateway, for a load balancer with SSL termination, and for Distributed Authentication.

none

Disables the attribute. This is set by default.

all

Accepts Portal Server Gateway-style certificate authentication from any client IP address.

IP ADDR

Lists the IP addresses from which to accept Portal Server Gateway-style certificate authentication requests (the IP address of the Gateway or Gateways). The attribute is configurable on a realm basis.

SSL Port Number

Specifies the port number for the secure socket layer. Currently, this attribute is only used by the Gateway servlet. Before you add or change an SSL Port Number, see the "Policy-Based Resource Management" section in the OpenSSO Enterprise Administration Guide.

HTTP Header Name for Client Certificate

This attribute is used only when the Trusted Remote Hosts attribute is set to all or has a specific host name defined. The administrator must specify the HTTP header name for the client certificate that is inserted by the load balancer or SRA.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core authentication attribute Default Authentication Level.


Core

This module is the general configuration base for the OpenSSO Enterprise authentication services. It must be registered and configured to use any of the specific authentication module instances. It enables the administrator to define default values that will be picked up for the values that are not specifically set in the OpenSSO Enterprise default authentication modules. The Core attributes are global and realm. The attributes are:

Pluggable Authentication Module Classes

Specifies the Java classes of the available authentication modules. Takes a text string specifying the full class name (including package) of each authentication module. After writing a custom authentication module (by implementing the OpenSSO Enterprise AMLoginModule or the Java Authentication and Authorization Service [JAAS] LoginModule service provider interfaces), the new class value must be added to this property.

Supported Authentication Module for Clients

Specifies a list of authentication modules supported for a specific client. Formatted as:


clientType | module1,module2,module3

This attribute is read by the Client Detection Service when it is enabled.

LDAP Connection Pool Size

Specifies the minimum and maximum connection pool to be used on a specific LDAP server and port. Formatted as:


host:port:min:max

This attribute is for LDAP and Membership authentication services only.


Note –

This connection pool is different than the SDK connection pool configured in serverconfig.xml.


Default LDAP Connection Pool Size

Sets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. Formatted as:


min:max

This value is superseded by a value defined for a specific host and port in the LDAP Connection Pool Size property.

User Profile

This option determines the profile status of a successfully authenticated user.

Dynamic

Specifies that on successful authentication the Authentication Service will create a user profile if one does not already exist. The SSOToken will then be issued. The user profile is created in the realm's configured user data store.

Dynamic With User Alias

Specifies that on successful authentication the Authentication Service will create a user profile that contains the User Alias List attribute, which defines one or more aliases for mapping a user's multiple profiles.

Ignore

Specifies that a user profile is not required for the Authentication Service to issue an SSOToken after a successful authentication.

Required

Specifies that on successful authentication the user must have a user profile in the realm's configured user data store in order for the Authentication Service to issue an SSOToken.

Remote Auth Security

Requires that OpenSSO Enterprise validate the identity of the calling application; thus all remote authentication requests require the calling application's SSOToken. This allows the Authentication Service to obtain the username and password associated with the application.

Administrator Authentication Configuration

Defines the authentication chain used by administrators when the process needs to be different from the authentication chain defined for end users. The authentication chain must first be created before it is displayed as an option in this attribute's drop down list.

User Profile Dynamic Creation Default Roles

Specifies the Distinguished Name (DN) of a role to be assigned to a new user whose profile is created when either of the Dynamic options is selected under the User Profile attribute. There are no default values. The role specified must be within the realm for which the authentication process is configured.


Tip –

This role can be either an OpenSSO Enterprise or LDAP role, but it cannot be a filtered role. If you wish to automatically assign specific services to the user, you have to configure the Required Services attribute in the User Profile.


Persistent Cookie Mode

Determines whether users can return to their authenticated session after restarting the browser. When enabled, a user session will not expire until its persistent cookie expires (as specified by the value of the Persistent Cookie Maximum Time attribute) or the user explicitly logs out. By default, the Authentication Service uses only memory cookies, which expire when the browser is closed.


Tip –

A persistent cookie must be explicitly requested by the client by appending the iPSPCookie=yes parameter to the login URL.


Persistent Cookie Maximum Time

Specifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The maximum value is 2147483647 (time in seconds). The field will accept any integer value less than the maximum.

Alias Search Attribute Name

After a user is successfully authenticated, the user's profile is retrieved. This field specifies a second LDAP attribute to use in a search for the profile if a search using the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field takes any valid LDAP attribute.

Default Authentication Locale

Specifies the default language subtype to be used by the Authentication Service. The default value is en_US. See Supported Language Locales for a listing of valid language subtypes. To use a different locale, authentication templates for that locale must first be created, and a new directory must then be created for these templates.

Organization Authentication Configuration

Defines the default authentication chain used by the realm's users. The authentication chain must first be created before it is displayed as an option in this attribute's drop down list.

Login Failure Lockout Mode

Selecting this attribute enables a physical lockout. Physical lockout sets an LDAP attribute in the user's profile (defined in the Lockout Attribute Name property) to the value defined in Lockout Attribute Value, inactivating the account. This attribute works in conjunction with several other lockout and notification attributes.

Login Failure Lockout Count

Defines the number of attempts that a user has to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out.

Login Failure Lockout Interval

Defines (in minutes) the time window in which failed login attempts are counted. If one failed login attempt is followed by a second failed attempt within this lockout interval, the lockout count begins, and the user is locked out if the number of attempts reaches the number defined in Login Failure Lockout Count. If an attempt within the lockout interval succeeds before the number of attempts reaches that number, the lockout count is reset.

Email Address to Send Lockout Notification

Specifies one or more email addresses to which notification is sent if a user lockout occurs. If sending:

Warn User After N Failures

Specifies the number of authentication failures that can occur before OpenSSO Enterprise displays a warning message that the user will be locked out.

Login Failure Lockout Duration

Defines (in minutes) how long a user must wait after a lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. Memory lockout is when the user's account is locked in memory for the number of minutes specified. The account is unlocked after the time period has passed.

Lockout Duration Multiplier

Defines a value with which to multiply the value of the Login Failure Lockout Duration attribute for each successive lockout. For example, if Login Failure Lockout Duration is set to 3 minutes, and the Lockout Duration Multiplier is set to 2, the user will be locked out of the account for 6 minutes. Once the 6 minutes has elapsed, if the user again provides the wrong credentials, the lockout duration would then be 12 minutes. With the Lockout Duration Multiplier, the lockout duration is incrementally increased based on the number of times the user has been locked out.

Lockout Attribute Name

Defines the LDAP attribute used for physical lockout. The default value is inetuserstatus (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Value field must also contain an appropriate value.

Lockout Attribute Value

Specifies the action to take on the attribute defined in Lockout Attribute Name. The default value is inactive (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Name field must also contain an appropriate value.
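The lockout attributes above interact in ways that are easier to see in code. The following is an added model, not OpenSSO Enterprise code, of how Login Failure Lockout Count, Login Failure Lockout Interval, Warn User After N Failures, Login Failure Lockout Duration and Lockout Duration Multiplier combine; it reproduces the 3-minute, multiplier-2 example from the text (first lockout 6 minutes, second 12 minutes) and treats a duration of 0 as a physical lockout that only an administrator clears. Two details are assumptions of this model rather than statements of the reference: a successful login resets the escalation counter, and a multiplier below 1 behaves as 1. Times are whole minutes.

```java
package com.example.auth; // hypothetical package, not part of OpenSSO

import java.util.ArrayDeque;
import java.util.Deque;

/** Model (not OpenSSO code) of the Core service's login failure lockout behaviour. */
public final class LockoutPolicy {

    public enum Outcome { SUCCESS, FAILED, WARNED, LOCKED, REJECTED_WHILE_LOCKED }

    private final int lockoutCount;       // Login Failure Lockout Count
    private final int lockoutInterval;    // Login Failure Lockout Interval (minutes)
    private final int warnAfter;          // Warn User After N Failures
    private final int lockoutDuration;    // Login Failure Lockout Duration (0 = physical lockout)
    private final int durationMultiplier; // Lockout Duration Multiplier

    private final Deque<Integer> failures = new ArrayDeque<Integer>(); // failure times in window
    private int lockoutsSoFar = 0;
    private int lockedUntil = -1;
    private boolean physicallyLocked = false;

    public LockoutPolicy(int lockoutCount, int lockoutInterval, int warnAfter,
                         int lockoutDuration, int durationMultiplier) {
        this.lockoutCount = lockoutCount;
        this.lockoutInterval = lockoutInterval;
        this.warnAfter = warnAfter;
        this.lockoutDuration = lockoutDuration;
        // assumption: an unset or zero multiplier does not escalate
        this.durationMultiplier = durationMultiplier < 1 ? 1 : durationMultiplier;
    }

    /** Minutes the n-th lockout lasts: duration * multiplier^n (3 min, x2: 6, then 12). */
    public int lockoutMinutes(int n) {
        int minutes = lockoutDuration;
        for (int i = 0; i < n; i++) {
            minutes *= durationMultiplier;
        }
        return minutes;
    }

    /** Records one login attempt made at minute `now` and reports what the user would see. */
    public Outcome attempt(int now, boolean credentialsValid) {
        if (physicallyLocked || now < lockedUntil) {
            return Outcome.REJECTED_WHILE_LOCKED;
        }
        if (credentialsValid) {
            failures.clear();      // a success inside the interval resets the count
            lockoutsSoFar = 0;     // assumption: escalation also resets
            return Outcome.SUCCESS;
        }
        // Only failures inside the interval count toward the lockout.
        while (!failures.isEmpty() && now - failures.peekFirst() > lockoutInterval) {
            failures.pollFirst();
        }
        failures.addLast(now);
        int count = failures.size();
        if (count >= lockoutCount) {
            failures.clear();
            lockoutsSoFar++;
            if (lockoutDuration == 0) {
                // Lockout Attribute Name/Value are written to the profile;
                // time does not clear this, an administrator does.
                physicallyLocked = true;
            } else {
                lockedUntil = now + lockoutMinutes(lockoutsSoFar); // memory lockout
            }
            return Outcome.LOCKED;
        }
        return count >= warnAfter ? Outcome.WARNED : Outcome.FAILED;
    }

    public int lockedUntil() { return lockedUntil; }

    public boolean isPhysicallyLocked() { return physicallyLocked; }

    public static void main(String[] args) {
        // Count 3, interval 5, warn at 2, duration 3, multiplier 2 (the text's example).
        LockoutPolicy p = new LockoutPolicy(3, 5, 2, 3, 2);
        int[] times = { 0, 1, 2, 5, 8, 9, 10 }; // constructed attempt times, all failures
        for (int t : times) {
            System.out.println("minute " + t + ": " + p.attempt(t, false)
                    + " (locked until minute " + p.lockedUntil() + ")");
        }
    }
}
```

Running the main method shows the third failure locking the account for 6 minutes, the attempt at minute 5 being rejected while locked, and the next three failures locking it for 12 minutes.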

Default Success Login URL

Accepts a list of values that specifies where users are directed after successful authentication. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the type HTML. The default value is /opensso/console. Values that do not specify HTTP or HTTPS are appended to the deployment URI.

Default Failure Login URL

Accepts a list of values that specifies where users are directed after an attempted authentication has failed. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the type HTML. Values that do not specify HTTP or HTTPS are appended to the deployment URI.

Authentication Post Processing Class

Specifies one or more Java classes used to customize post-authentication processing for successful or unsuccessful logins. The Java class must implement the com.sun.identity.authentication.spi.AMPostAuthProcessInterface OpenSSO Enterprise interface. Additionally, add a JAR containing the post-processing class to the classpath of the web container instance on which OpenSSO Enterprise is configured. If the web container on which OpenSSO Enterprise is configured explodes the WAR, follow this procedure.

  1. Stop the web container instance.

  2. Change to the WEB-INF/lib directory in the exploded OpenSSO Enterprise WAR directory.

    For example, if using Sun Application Server, AS=Deploy=BaseAS=Domain-Dir/AS-Domain/applications/j2ee-modules/opensso/WEB-INF/lib.

  3. Copy the JAR that contains the post processing class to the lib directory.

  4. Restart the web container instance.

Generate UserID Mode

When enabled, the Membership module will generate a list of alternate user identifiers if the one entered by a user during the self-registration process is not valid or already exists. The user identifiers are generated by the class specified in the Pluggable User Name Generator Class property.

Pluggable User Name Generator Class

Specifies the name of the class used to generate alternate user identifiers when Generate UserID Mode is enabled. The default value is com.sun.identity.authentication.spi.DefaultUserIDGenerator.

Identity Types

Lists the type or types of identities for which OpenSSO Enterprise will search. Options include:

Pluggable User Status Event Classes

Specifies one or more Java classes used to provide a callback mechanism for user status changes during the authentication process. The Java class must implement the com.sun.identity.authentication.spi.AMAuthCallBack OpenSSO Enterprise interface. Account lockout and password changes are supported; password changes are supported only through the LDAP authentication module, because the feature is available only for that module.

Store Invalid Attempts in Data Store

Enables the storage of information regarding failed authentication attempts as the value of the sunAMAuthInvalidAttemptsData attribute in the user data store. In order to store data in this attribute, the OpenSSO Enterprise schema has to be loaded. Information stored includes number of invalid attempts, time of last failed attempt, lockout time and lockout duration. Storing this information in the identity repository allows it to be shared among multiple instances of OpenSSO Enterprise.

Module-based Authentication

Enables users to authenticate using module-based authentication. Otherwise, all attempts at authentication using the module=module-instance-name login parameter will result in failure.

User Attribute Mapping to Session Attribute

Enables the authenticating user's identity attributes (stored in the identity repository) to be set as session properties in the user's SSOToken. The value takes the format User-Profile-Attribute|Session-Attribute-Name. If Session-Attribute-Name is not specified, the value of User-Profile-Attribute is used. All session attributes contain the am.protected prefix to ensure that they cannot be edited by the Client SDK.

For example, if you define the user profile attribute as mail and the user's email address (available in the user session) as user.mail, the entry for this attribute would be mail|user.mail. After a successful authentication, the SSOToken.getProperty(String) method is used to retrieve the user profile attribute set in the session. The user's email address is retrieved from the user's session using the SSOToken.getProperty("am.protected.user.mail") method call.

Properties that are set in the user session using User Attribute Mapping to Session Attribute cannot be modified (for example, with SSOToken.setProperty(String, String)); an attempt to do so results in an SSOException. Multi-valued attributes, such as memberOf, are stored as a single session property with the values separated by the pipe symbol, for example Value1|Value2|Value3.
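The following is an added example of an Authentication Post Processing Class that consumes the mapped session properties described above; it is not code from OpenSSO Enterprise or from this reference. It assumes two mapping entries in this service, mail|user.mail and memberOf|groups, so the properties are am.protected.user.mail and am.protected.groups; it also assumes the authentication level is available under the session property name AuthLevel. The package com.example.auth and the class name AuditPostAuthProcess are placeholders. Compile it against the OpenSSO client SDK and the servlet API, package it as a JAR, and place the JAR as described in the procedure above, then enter the fully qualified class name in this attribute.

```java
package com.example.auth; // hypothetical package, not part of OpenSSO

import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;

/**
 * Post-authentication class that records who logged in, with what level and
 * from where, using the session properties populated by User Attribute
 * Mapping to Session Attribute. It reads the am.protected namespace and
 * writes only to an unprotected property of its own.
 */
public class AuditPostAuthProcess implements AMPostAuthProcessInterface {

    private static final Logger LOG = Logger.getLogger(AuditPostAuthProcess.class.getName());

    // Assumed mapping entries: mail|user.mail and memberOf|groups
    private static final String MAIL_PROP = "am.protected.user.mail";
    private static final String GROUPS_PROP = "am.protected.groups";
    // Assumed name of the session property carrying the authentication level
    private static final String AUTH_LEVEL_PROP = "AuthLevel";

    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response, SSOToken ssoToken)
            throws AuthenticationException {
        try {
            String user = ssoToken.getPrincipal().getName();
            String mail = ssoToken.getProperty(MAIL_PROP);
            String[] groups = splitMultiValue(ssoToken.getProperty(GROUPS_PROP));
            String level = ssoToken.getProperty(AUTH_LEVEL_PROP);
            LOG.info("login ok: user=" + user + " mail=" + mail
                    + " groups=" + groups.length + " authLevel=" + level
                    + " from=" + request.getRemoteAddr());

            // Application data goes under an unprotected name; setProperty on
            // any am.protected.* property is refused with an SSOException.
            ssoToken.setProperty("app.loginSource", request.getRemoteAddr());
        } catch (SSOException e) {
            throw new AuthenticationException(e.getMessage());
        }
    }

    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response) throws AuthenticationException {
        LOG.warning("login failed from " + request.getRemoteAddr());
    }

    public void onLogout(HttpServletRequest request, HttpServletResponse response,
                         SSOToken ssoToken) throws AuthenticationException {
        try {
            LOG.info("logout: user=" + ssoToken.getPrincipal().getName());
        } catch (SSOException e) {
            throw new AuthenticationException(e.getMessage());
        }
    }

    /** Splits the pipe-separated form in which multi-valued attributes are stored. */
    static String[] splitMultiValue(String value) {
        if (value == null || value.isEmpty()) {
            return new String[0];
        }
        return value.split("\\|");
    }
}
```

Keep the log destination in mind: the mapped attributes are identity data, so the audit sink this class writes to needs the same access controls as the user store.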

Default Authentication Level

The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the user's SSOToken. When the SSOToken is presented to an application, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level does not meet the minimum value required by the application, it can prompt the user to authenticate again in order to attain a higher authentication level. The authentication level should be set within a realm's specific authentication template. The Default Authentication Level value described here applies only when no authentication level has been specified in the Authentication Level field for a specific realm's authentication template. The Default Authentication Level default value is 0. The value of this attribute is not used by OpenSSO Enterprise itself but by any external application that may choose to use it.

Data Store

The Data Store authentication module allows a login using the Identity Repository of the realm to authenticate users. Using the Data Store module removes the requirement to write, load, and then configure an authentication plug-in module if you need to authenticate against the same data store repository. Additionally, you do not need to write a custom authentication module where flat-file authentication is needed for the corresponding repository in that realm.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


Federation

The Federation authentication module is used by a service provider to create a user session after validating single sign-on protocol messages. This authentication module is used by the SAML, SAMLv2, ID-FF, and WS-Federation protocols.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


HTTP Basic

The HTTP Basic authentication module allows a login using HTTP basic authentication, which provides no data encryption. A user name and password are requested through the use of a web browser. Credentials are validated internally using any LDAP or Data Store authentication module to verify the user's credentials.

Backend Module Name

Specifies the authentication module used to validate the credentials.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


JDBC

The Java Database Connectivity (JDBC) authentication module allows OpenSSO Enterprise to authenticate users through any Structured Query Language (SQL) databases that provide JDBC-enabled drivers. The connection to the SQL database can be either directly through a JDBC driver or through a JNDI connection pool. The JDBC attributes are realm attributes. The attributes are:

Connection Type

Specifies the connection type to the SQL database, using either a JNDI (Java Naming and Directory Interface) connection pool or JDBC driver. The options are:

The JNDI connection pool utilizes the configuration from the underlying web container.

Connection Pool JNDI Name

If JNDI is selected in Connection Type, this field specifies the connection pool name. Because JDBC authentication uses the JNDI connection pool provided by the web container, the setup of the JNDI connection pool may differ between web containers. See the OpenSSO Enterprise Administration Guide for examples.

JDBC Driver

If JDBC is selected in Connection Type, this field specifies the JDBC driver provided by the SQL database. For example, com.mysql.jdbc.Driver. The class specified by JDBC Driver must be accessible to the web container instance on which OpenSSO has been deployed and configured. Include the .jar file that contains the JDBC driver class in the OpenSSO-deploy-base/WEB-INF/lib directory.

JDBC URL

Specifies the database URL if JDBC is selected in Connection Type. For example, the URL for MySQL is jdbc:mysql://hostname:port/databaseName.

Connect This User to Database

Specifies the user name with which the JDBC database connection is made.

Password for Connecting to Database

Defines the password for the user specified in Connect This User to Database.

Password for Connecting to Database Confirm

Confirm the password.

Password Column String

Specifies the password column name in the SQL database.

Prepared Statement

Specifies the SQL statement that retrieves the password of the user that is logging in. For example:


 select Password from Employees where USERNAME = ?

Class to Transform Password Syntax

Specifies the class name that transforms the password retrieved from the database, to the format of the user input, for password comparison. This class must implement the JDBCPasswordSyntaxTransform interface.

By default, the value of this attribute is com.sun.identity.authentication.modules.jdbc.ClearTextTransform which expects the password to be in clear text.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


Procedure: To Configure a Connection Pool — Example

The following example shows how to set up a connection pool for Web Server and MySQL 4.0:

  1. In the Web Server console, create a JDBC connection pool with the following attributes:

    poolName

    samplePool

    DataSource Classname

    com.mysql.jdbc.jdbc2.optional.MysqlDataSource

    serverName

    Server name of the mySQL server.

    port

    Port number on which mySQL server is running.

    user

    User name for connecting to the database.

    password

    The password of the user.

    databaseName

    The name of the database.


    Note –

    The JAR file that contains the DataSource class and the JDBC driver class mentioned in the following steps should be added to the application class path.


  2. Configure the JDBC Resources. In the Web Server console, create a JDBC resource with the following attributes:

    JNDI name

    jdbc/samplePool

    Pool name

    samplePool

    Data Resource Enabled

    on

  3. Add the following lines to the sun-web.xml file of the application:

    <resource-ref>
          <res-ref-name>jdbc/mySQL</res-ref-name>
          <jndi-name>jdbc/samplePool</jndi-name>
    </resource-ref>
  4. Add the following lines to the web.xml file of the application:

    <resource-ref>
           <description>mySQL Database</description>
           <res-ref-name>jdbc/mySQL</res-ref-name>
           <res-type>javax.sql.DataSource</res-type>
           <res-auth>Container</res-auth>
    </resource-ref>
  5. Once you have completed these settings, the value for this attribute becomes java:comp/env/jdbc/mySQL.
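The following is an added example for the JDBC module, not code from OpenSSO Enterprise or from this reference. It serves two passages: the Prepared Statement and Class to Transform Password Syntax attributes, and the connection pool procedure just completed. It implements JDBCPasswordSyntaxTransform so that the Password column can hold a SHA-256 hex digest rather than the clear text the default ClearTextTransform expects, and it spells out the lookup the module performs: obtain the pool through java:comp/env/jdbc/mySQL, run the page's prepared statement with the user name bound as a parameter, transform, and compare in constant time. Two points are assumptions: that the module applies the transform to the password the user entered (the only direction in which a digest can be compared), and the placeholder package and class names com.example.auth.Sha256HexTransform. Because the interface receives only the password string, a per-user salt would have to be carried inside the stored value, so a scheme such as PBKDF2 with a stored salt needs a custom module rather than a transform alone.

```java
package com.example.auth; // hypothetical package, not part of OpenSSO

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

import com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform;
import com.sun.identity.authentication.spi.AuthLoginException;

/**
 * Password syntax transform returning the lowercase hex SHA-256 digest of its
 * input, for a Password column that stores digests instead of clear text.
 */
public class Sha256HexTransform implements JDBCPasswordSyntaxTransform {

    public String transform(String input) throws AuthLoginException {
        if (input == null) {
            throw new AuthLoginException("no password to transform");
        }
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b)); // Formatter treats the byte as unsigned
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new AuthLoginException(e.getMessage());
        }
    }

    /**
     * The module's steps written out: fetch the stored password for the user
     * name with a bound parameter, transform the supplied password, compare
     * without leaking timing.
     */
    static boolean credentialsMatch(String username, String suppliedPassword)
            throws NamingException, SQLException, AuthLoginException {
        // Connection Type JNDI; Connection Pool JNDI Name from the procedure above
        DataSource ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/mySQL");
        // Prepared Statement attribute, verbatim; the user name is bound, never spliced in
        String sql = "select Password from Employees where USERNAME = ?";
        try (Connection conn = ds.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    return false; // unknown user
                }
                String stored = rs.getString("Password"); // Password Column String
                if (stored == null || rs.next()) {
                    return false; // no password set, or ambiguous user name: refuse
                }
                String candidate = new Sha256HexTransform().transform(suppliedPassword);
                return MessageDigest.isEqual(
                        stored.getBytes(StandardCharsets.UTF_8),
                        candidate.getBytes(StandardCharsets.UTF_8));
            }
        }
    }
}
```

To use the transform, set Class to Transform Password Syntax to com.example.auth.Sha256HexTransform (or whatever name you give the class) and make sure its JAR is on the web container's class path, as for the JDBC driver.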

LDAP

This module enables authentication using LDAP bind, a Directory Server operation which associates a user ID password with a particular LDAP entry. You can define multiple LDAP authentication configurations for a realm. The LDAP authentication attributes are realm attributes. The attributes are:

Primary LDAP Server

Specifies the host name and port number of the primary LDAP server specified during OpenSSO Enterprise installation. This is the first server contacted for authentication. The format is hostname:port. If there is no port number, 389 is assumed.

If you have OpenSSO Enterprise deployed with multiple domains, you can specify the communication link between specific instances of OpenSSO Enterprise and Directory Server in the following format (multiple entries must be prefixed by the local server name):

local_servername|server:port local_servername2|server2:port2 ...

For example, if you have two OpenSSO Enterprise instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), the entries would look like the following:

L1-machine1-IS.example.com|L1-machine1-DS.example.com:389

L2-machine2-IS.example.com|L2-machine2-DS.example.com:389

Secondary LDAP Server

Specifies the host name and port number of a secondary LDAP server available to the OpenSSO Enterprise platform. If the primary LDAP server does not respond to a request for authentication, this server would then be contacted. If the primary server is up, OpenSSO Enterprise will switch back to the primary server. The format is also hostname:port. Multiple entries must be prefixed by the local server name.


Caution –

When authenticating users from a Directory Server that is remote from the OpenSSO Enterprise, it is important that both the Primary and Secondary LDAP Server Ports have values. The value for one Directory Server location can be used for both fields.


DN to Start User Search

Specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists. Multiple entries must be prefixed by the local server name. The format is servername|search dn.

For multiple entries:

servername1|search dn servername2|search dn servername3|search dn...

If multiple entries exist under the root organization with the same user ID, set this parameter so that only one entry can be found during authentication. For example, where the agent ID and the user ID are the same under the root organization, set this parameter to ou=Agents for the root organization to authenticate using the agent ID, or to ou=People for the root organization to authenticate using the user ID.

DN for Root User Bind

Specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default is amldapuser. Any valid DN will be recognized.

Password for Root User Bind

Carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid LDAP password will be recognized.

Password for Root User Bind (confirm)

Confirm the password.

Attribute Used to Retrieve User Profile

Specifies the attribute used for the naming convention of user entries. By default, OpenSSO Enterprise assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.

Attributes Used to Search for a User to be Authenticated

Lists the attributes used to form the search filter for a user who is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber, and mail, the user could authenticate with any of these names. These attributes must be set separately.

User Search Filter

Specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.

Search Scope

Indicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in the DN to Start User Search attribute. The default value is SUBTREE. One of the following choices can be selected from the list:

OBJECT

Searches only the specified node.

ONELEVEL

Searches at the level of the specified node and one level down.

SUBTREE

Search all entries at and below the specified node.
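The following is an added example, not code from OpenSSO Enterprise, showing how the Attributes Used to Search for a User, the User Search Filter, and the login name combine into one LDAP search filter. The attribute names and login names are constructed for illustration. The security-relevant point is that the login name must be escaped as an LDAP filter value (RFC 4515) before it is placed in the filter, so that a name containing characters such as `*`, `(` or `)` cannot change the structure of the search.

```python
"""Build the LDAP search filter implied by the attributes above.

Added example; not OpenSSO Enterprise code. The attribute names, the
sample User Search Filter and the login names are constructed.
"""
import re
from typing import Iterable, Optional

# LDAP attribute descriptions: a name with optional ;option tags (RFC 4512).
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter.

    RFC 4515 requires '*', '(', ')', '\\' and NUL to be written as '\\XX'
    hex escapes; non-ASCII text is escaped as its UTF-8 bytes, and other
    control bytes are escaped too so they cannot slip through unnoticed.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte < 0x20 or byte > 0x7E or ch in "*()\\":
            out.append(f"\\{byte:02x}")
        else:
            out.append(ch)
    return "".join(out)


def build_user_search_filter(login: str, search_attrs: Iterable[str],
                             user_search_filter: Optional[str] = None) -> str:
    """Return the filter used to locate the user under the search base DN.

    search_attrs:       the Attributes Used to Search for a User, e.g.
                        ["uid", "employeenumber", "mail"]; the login may
                        match any one of them, so they are OR-ed together.
    user_search_filter: the optional User Search Filter, AND-ed with the
                        identity clause to further restrict the match.
    """
    attrs = [a.strip() for a in search_attrs if a and a.strip()]
    if not attrs:
        raise ValueError("at least one search attribute is required")
    for attr in attrs:
        if not _ATTR_RE.match(attr):
            raise ValueError(f"invalid LDAP attribute name: {attr!r}")

    safe_login = escape_filter_value(login)
    clauses = "".join(f"({attr}={safe_login})" for attr in attrs)
    identity = clauses if len(attrs) == 1 else f"(|{clauses})"

    if user_search_filter and user_search_filter.strip():
        extra = user_search_filter.strip()
        if not extra.startswith("("):
            extra = f"({extra})"
        return f"(&{extra}{identity})"
    return identity


if __name__ == "__main__":
    # Constructed inputs mirroring the example in the description above.
    print(build_user_search_filter("jdoe", ["uid", "employeenumber", "mail"]))
    print(build_user_search_filter("jdoe", ["uid"], "objectclass=inetorgperson"))
    # A login containing filter metacharacters is neutralised by escaping.
    print(build_user_search_filter("*)(uid=*", ["uid"]))
```

The third call shows why escaping matters: without it the login `*)(uid=*` would terminate the `uid` clause early and match every entry; with it, the value is compared literally and matches nothing.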

SSL to Access LDAP Server

Enables SSL access to the Directory Server specified in the Primary and Secondary LDAP Server and Port field. By default, the box is not checked and the SSL protocol will not be used to access the Directory Server.

If the LDAP server is running with SSL enabled (LDAPS), make sure that OpenSSO Enterprise is configured with the proper trusted SSL certificates so that it can connect to the Directory Server over the LDAPS protocol.

Return User DN to Authenticate

When the OpenSSO Enterprise directory is the same as the directory configured for LDAP, this option may be enabled. If enabled, this option allows the LDAP authentication module to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module returns only the User ID, and the authentication service searches for the user in the local OpenSSO Enterprise LDAP. If an external LDAP directory is used, this option is typically not enabled.

LDAP Server Check Interval

This attribute is used for LDAP Server failback. It defines the number of minutes in which a thread will “sleep” before verifying that the LDAP primary server is running.

User Creation Attribute List

This attribute is used by the LDAP authentication module when the LDAP server is configured as an external LDAP server. It contains a mapping of attributes between a local and an external Directory Server. This attribute has the following format:

attr1|externalattr1

attr2|externalattr2

When this attribute is populated, the values of the external attributes are read from the external Directory Server and are set for the internal Directory Server attributes. The values of the external attributes are set in the internal attributes only when the User Profile attribute (in the Core Authentication module) is set to Dynamically Created and the user does not exist in the local Directory Server instance. The newly created user will contain the values for the internal attributes, as specified in the User Creation Attribute List, with the external attribute values to which they map.
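As an added example (not OpenSSO Enterprise code), the following parses a User Creation Attribute List in the attr|externalattr format above and applies it to an entry read from an external Directory Server, producing the attributes for the dynamically created local user. It only produces attributes under the two conditions stated above (User Profile set to Dynamically Created, and no existing local user). The mapping entries and the sample external entry are constructed.

```python
"""Apply a User Creation Attribute List (attr|externalattr) mapping.

Added example; not OpenSSO Enterprise code. The mapping lines, the
external entry and the User Profile mode string are constructed.
"""
from typing import Dict, Iterable, List, Optional

DYNAMICALLY_CREATED = "Dynamically Created"  # User Profile mode named above


def parse_creation_attribute_list(lines: Iterable[str]) -> Dict[str, str]:
    """Parse lines of the form 'internalattr|externalattr' into a dict
    {internal_attribute: external_attribute}. Malformed lines are an
    error rather than silently skipped, so a typo cannot drop a mapping."""
    mapping: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        internal, sep, external = line.partition("|")
        internal, external = internal.strip(), external.strip()
        if not sep or not internal or not external:
            raise ValueError(f"malformed mapping entry: {line!r}")
        mapping[internal] = external
    return mapping


def build_local_user_attributes(mapping: Dict[str, str],
                                external_entry: Dict[str, List[str]],
                                user_exists_locally: bool,
                                user_profile_mode: str) -> Optional[Dict[str, List[str]]]:
    """Return the attributes to write on the new local user, or None when
    no user is created (profile mode is not Dynamically Created, or the
    user already exists locally), matching the conditions in the text.

    external_entry maps external attribute names to their value lists, as
    an LDAP search result would; attribute names are matched
    case-insensitively because LDAP attribute names are.
    """
    if user_profile_mode != DYNAMICALLY_CREATED or user_exists_locally:
        return None
    ext = {name.lower(): values for name, values in external_entry.items()}
    local: Dict[str, List[str]] = {}
    for internal, external in mapping.items():
        values = ext.get(external.lower())
        if values:  # attributes absent on the external entry are not set
            local[internal] = list(values)
    return local


if __name__ == "__main__":
    # Constructed mapping and external entry.
    mapping = parse_creation_attribute_list(
        ["cn|displayName", "mail|mail", "employeeNumber|employeeID"])
    external = {"displayName": ["Jane Doe"],
                "mail": ["jane@example.com"],
                "uid": ["jdoe"]}
    print(build_local_user_attributes(mapping, external, False, DYNAMICALLY_CREATED))
```

In the run above `employeeNumber` is not set on the new user because the external entry carries no `employeeID`, and `uid` is not copied because it is not in the mapping; only mapped attributes that exist externally are written.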

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


Membership

The Membership Authentication module is implemented for personalized sites that allow a user to self-register. This means the user can create an account, personalize it, and access it as a registered user without the help of an administrator. The attributes are realm attributes. The attributes are:

Minimum Password Length

Specifies the minimum number of characters required for a password set during self-registration. The default value is 8.

Default User Roles

Specifies the roles assigned to new users whose profiles are created through self-registration. There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user.


Note –

The role specified must be under the realm for which authentication is being configured. Only the roles that can be assigned to the user will be added during self-registration. All other DNs will be ignored. The role can be either an OpenSSO Enterprise role or an LDAP role, but filtered roles are not accepted.


User Status After Registration

Specifies whether services are immediately made available to a user who has self-registered. The default value is Active and services are available to the new user. By selecting Inactive, the administrator chooses to make no services available to a new user.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


MSISDN

The Mobile Station Integrated Services Digital Network (MSISDN) authentication module enables authentication using a mobile subscriber ISDN associated with a device such as a cellular telephone. It is a non-interactive module. The module retrieves the subscriber ISDN and validates it against the Directory Server to find a user that matches the number. The MSISDN Authentication attributes are realm attributes. The MSISDN Authentication attributes are:

Trusted Gateway IP Address

Specifies a list of IP addresses of trusted clients that can access the MSISDN module. You can set the IP addresses of all clients allowed to access the MSISDN module by entering each address (for example, 123.234.123.111) in the entry field and clicking Add. By default, the list is empty. If the attribute is left empty, all clients are allowed. If you specify none, no clients are allowed.

MSISDN Number Argument

Specifies a list of parameter names that identify which parameters to search in the request header or cookie header for the MSISDN number. For example, if you define x-Cookie-Param, AM_NUMBER, and COOKIE-ID, the MSISDN authentication services will search those parameters for the MSISDN number.

LDAP Server and Port

Specifies the host name and port number of the Directory Server in which the search for users with MSISDN numbers will occur. The format is hostname:port. If no port number is given, 389 is assumed.

If you have OpenSSO Enterprise deployed with multiple domains, you can specify the communication link between specific instances of OpenSSO Enterprise and Directory Server in the following format (multiple entries must be prefixed by the local server name):

local_servername|server:port local_servername2|server2:port2 ...

For example, if you have two OpenSSO Enterprise instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), the entries would look like the following:

L1-machine1-IS.example.com|L1-machine1-DS.example.com:389

L2-machine2-IS.example.com|L2-machine2-DS.example.com:389

LDAP Start Search DN

Specifies the DN of the node where the search for the user's MSISDN number should start. There is no default value. The field will recognize any valid DN. Multiple entries must be prefixed by the local server name. The format is servername|search dn.

For multiple entries:

servername1|search dn servername2|search dn servername3|search dn...

If multiple entries with the same user ID exist under the root organization, set this parameter so that only one entry can be found for authentication. For example, if an agent ID and a user ID are the same under the root organization, set this parameter to ou=Agents for the root organization to authenticate using the agent ID, and to ou=People for the root organization to authenticate using the user ID.
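Several attributes in this chapter (LDAP Server and Port, LDAP Start Search DN, and the corresponding LDAP module attributes above) accept multiple entries prefixed by the local server name, in the form local_servername|value. The following is an added example, not OpenSSO Enterprise code, of how such a multi-valued attribute is resolved to the entries that apply to one instance, with the default port of 389 applied when an entry omits it. It assumes each entry is stored as one value of the multi-valued attribute (so a search DN containing spaces stays intact) and that entries without a prefix apply to every instance; the host names are the constructed ones from the example above.

```python
"""Resolve server-name-prefixed multi-entry attribute values.

Added example; not OpenSSO Enterprise code. Assumes each entry is one
value of the multi-valued attribute, and that unprefixed entries apply to
every instance. Host names come from the constructed example above.
"""
from typing import Iterable, List, Tuple

DEFAULT_LDAP_PORT = 389  # "If no port number is given, 389 is assumed."


def resolve_for_instance(entries: Iterable[str], local_server: str) -> List[str]:
    """Return the values that apply to local_server.

    Each entry is either "value" (applies everywhere) or "server|value".
    Prefixed entries for other instances are discarded; unprefixed entries
    are used only when no entry is prefixed with this instance's name.
    Server names are compared case-insensitively, as host names are.
    """
    local = local_server.strip().lower()
    matched: List[str] = []
    unprefixed: List[str] = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        prefix, sep, value = entry.partition("|")
        if not sep:
            unprefixed.append(entry)
        elif prefix.strip().lower() == local and value.strip():
            matched.append(value.strip())
    return matched or unprefixed


def split_host_port(server: str, default_port: int = DEFAULT_LDAP_PORT) -> Tuple[str, int]:
    """Parse "host:port" or bare "host" into (host, port).

    A malformed port is rejected rather than silently falling back to the
    default, so a mistyped entry fails visibly instead of connecting to an
    unintended port. (Bracketed IPv6 literals are not handled here.)
    """
    host, sep, port = server.rpartition(":")
    if not sep:
        return server, default_port
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"invalid port in LDAP server entry: {server!r}")
    return host, int(port)


def resolve_ldap_servers(entries: Iterable[str], local_server: str) -> List[Tuple[str, int]]:
    """Combine the two steps: pick this instance's entries, then split them."""
    return [split_host_port(v) for v in resolve_for_instance(entries, local_server)]


if __name__ == "__main__":
    # Constructed values mirroring the example entries above.
    configured = [
        "L1-machine1-IS.example.com|L1-machine1-DS.example.com:389",
        "L2-machine2-IS.example.com|L2-machine2-DS.example.com",
    ]
    print(resolve_ldap_servers(configured, "L2-machine2-IS.example.com"))
    # A third instance with no prefixed entry falls back to unprefixed ones.
    print(resolve_ldap_servers(configured + ["ldap.example.com:636"],
                               "L3-machine3-IS.example.com"))
```

The same resolve_for_instance function serves the search-DN attributes, whose values are DNs rather than host:port pairs; only the split_host_port step is specific to the server attributes.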

Attribute To Use To Search LDAP

Specifies the name of the attribute in the user's profile that contains the MSISDN number to search for a particular user. The default value is sunIdentityMSISDNNumber. This value should not be changed, unless you are certain that another attribute in the user's profile contains the same MSISDN number.

LDAP Server Principal User

Specifies the LDAP bind DN to allow MSISDN searches in the Directory Server. The default bind DN is cn=amldapuser,ou=DSAME Users,dc=sun,dc=com.

LDAP Server Principal Password

Specifies the LDAP bind password for the bind DN, as defined in LDAP Server Principal User.

LDAP Server Principal Password (confirm)

Confirm the password.

SSL for LDAP Access

Enables SSL access to the Directory Server specified in the LDAP Server and Port attribute. By default, this is not enabled and the SSL protocol will not be used to access the Directory Server. However, if this attribute is enabled, you can bind to a non-SSL server.

MSISDN Header Search Attribute

Specifies the headers to use for searching the request for the MSISDN number. The supported values are as follows:

Cookie Header

Performs the search in the cookie.

RequestHeader

Performs the search in the request header.

RequestParameter

Performs the search in the request parameter. By default, all options are selected.

LDAP Attribute Used to Retrieve User Profile

Specifies the LDAP attribute that is used during a search to return the user profile for MSISDN authentication service. The default is uid.

Return User DN on Authentication

When the OpenSSO Enterprise directory is the same as the directory configured for MSISDN, this option may be enabled. If enabled, this option allows the authentication module to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module returns only the User ID, and the authentication service searches for the user in the local OpenSSO Enterprise. If an external directory is used, this option is typically not enabled.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


RADIUS

This module allows for authentication using an external Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS Authentication attributes are realm attributes. The attributes are:

Server 1

Displays the IP address or fully qualified host name of the primary RADIUS server. The default IP address is 127.0.0.1. The field will recognize any valid IP address or host name. Multiple entries must be prefixed by the local server name as in the following syntax:

local_servername|ip_address local_servername2|ip_address ...

Server 2

Displays the IP address or fully qualified domain name (FQDN) of the secondary RADIUS server. It is a failover server which will be contacted if the primary server could not be contacted. The default IP address is 127.0.0.1. Multiple entries must be prefixed by the local server name as in the following syntax:

local_servername|ip_address local_servername2|ip_address ...

Shared Secret

Carries the shared secret for RADIUS authentication. The shared secret should have the same qualifications as a well-chosen password. There is no default value for this field.

Shared Secret Confirm

Confirmation of the shared secret for RADIUS authentication.

Port Number

Specifies the port on which the RADIUS server is listening. The default value is 1645.

Timeout

Specifies the time interval in seconds to wait for the RADIUS server to respond before a timeout. The default value is 3 seconds. It will recognize any number specifying the timeout in seconds.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


SAE

The Secure Attribute Exchange (SAE) authentication module is used when an external entity (such as an existing application) has already authenticated the user and wishes to securely inform a local OpenSSO Enterprise instance about the authentication in order to trigger the creation of an OpenSSO Enterprise session for the user. The SAE authentication module is also used by the Virtual Federation functionality, where the existing entity instructs the local OpenSSO Enterprise instance to use federation protocols to transfer authentication and attribute information to a partner application. The SAE attribute is a realm attribute.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


SafeWord

This module allows for users to authenticate using Secure Computing's SafeWord or SafeWord PremierAccess authentication servers. The SafeWord Authentication Attributes are realm attributes. The attributes are:

Server

Specifies the SafeWord or SafeWord PremierAccess server name and port. Port 7482 is the default for a SafeWord server. The default port number for a SafeWord PremierAccess server is 5030.

Server Verification Files Directory

Specifies the directory into which the SafeWord client library places its verification files. The default is as follows:

ConfigurationDirectory/uri/auth/safeword/serverVerification

If a different directory is specified in this field, the directory must exist before attempting SafeWord authentication.

Logging

Enables SafeWord logging. By default, SafeWord logging is enabled.

Logging Level

Specifies the SafeWord logging level. Select a level from the drop-down menu. The levels are DEBUG, ERROR, INFO, and NONE.

Log File

Specifies the directory path and log file name for SafeWord client logging. The default path is ConfigurationDirectory/uri/auth/safeword/safe.log.

If a different path or filename is specified, it must exist before attempting SafeWord authentication. If more than one realm is configured for SafeWord authentication, and different SafeWord servers are used, then different paths must be specified or only the first realm where SafeWord authentication occurs will work. Likewise, if a realm changes SafeWord servers, the swec.dat file in the specified directory must be deleted before authentications to the newly configured SafeWord server will work.

Authentication Connection Timeout

Defines the timeout period (in seconds) between the SafeWord client (OpenSSO Enterprise) and the SafeWord server. The default is 120 seconds.

Client Type

Defines the Client Type that the SafeWord server uses to communicate with different clients, such as Mobile Client, VPN, Fixed Password, Challenge/Response, and so forth.

EASSP Version

This attribute specifies the Extended Authentication and Single Sign-on Protocol (EASSP) version. This field accepts either the standard (101), SSL-encrypted premier access (200), or premier access (201) protocol versions.

Minimum Authenticator Strength

Defines the minimum authenticator strength for the client/SafeWord server authentication. Each client type has a different authenticator value, and the higher the value, the higher the authenticator strength. 20 is the highest value possible. 0 is the lowest value possible.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


SecurID

This module allows for authentication using RSA (a division of EMC) ACE/Server software and RSA SecurID authenticators. For this release of OpenSSO Enterprise, the SecurID Authentication module is available for Solaris/SPARC, Solaris/x86, Linux, and Windows platforms supported by OpenSSO Enterprise. The SecurID authentication attributes are realm attributes. The attributes are:

ACE/Server Configuration Path

Specifies the directory in which the SecurID ACE/Server sdconf.rec file is located. The default is ConfigurationDirectory/uri/auth/ace/data. If you specify a different directory in this field, the directory must exist before attempting SecurID authentication.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


Unix

This module allows for authentication using a user's Unix identification and password. If any of the Unix authentication attributes are modified, both OpenSSO Enterprise and the amunixd helper must be restarted. For more information on starting the amunixd helper, see Running the Unix Authentication Helper (amunixd Daemon) in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide. This authentication module is supported on Solaris and Linux. The Unix authentication attributes are:

Configuration Port

This attribute specifies the port on which the Unix Helper listens upon startup for the configuration information contained in the Unix Helper Authentication Port, Unix Helper Timeout, and Unix Helper Threads attributes. The default is 58946.

Authentication Port

This attribute specifies the port on which the Unix Helper listens for authentication requests after configuration. The default port is 57946.

Timeout

This attribute specifies the number of minutes that users have to complete authentication. If users surpass the allotted time, authentication automatically fails. The default time is set to 3 minutes.

Threads

This attribute specifies the maximum number of permitted simultaneous Unix authentication sessions. If the maximum is reached at a given moment, subsequent authentication attempts are not allowed until a session is freed up. The default is set to 5.

Authentication Level

This is a realm attribute. The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


PAM Service Name

This is a realm attribute. It defines the PAM (Pluggable Authentication Module) configuration or stack that is shipped with your operating system and is used for Unix authentication. For Solaris, the name defaults to other; for Linux, the name is password.

For more information on PAM, please consult the documentation for your system. For Solaris, see pam.conf(4) and for Linux, see the PAM files in /etc/pam.d.

Windows Desktop SSO

This module is specific to Windows and is also known as Kerberos authentication. The user presents a Kerberos token to OpenSSO Enterprise through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol. The Windows Desktop SSO authentication plug-in module provides a client (user) with desktop single sign-on. This means that a user who has already authenticated with a key distribution center can be authenticated with OpenSSO Enterprise without having to provide the login information again. The Windows Desktop SSO attributes are global attributes. The attributes are:

Service Principal

Specifies the Kerberos principal that is used for authentication. Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname represent the host name and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It may be different from the domain name of the OpenSSO Enterprise instance.

Keytab File Name

This attribute specifies the Kerberos keytab file that is used for authentication and takes the absolute path to the keytab file.

Kerberos Realm

This attribute specifies the domain name of the Kerberos Key Distribution Center (domain controller). Depending on your configuration, the domain name of the domain controller may be different from the OpenSSO Enterprise domain name.

Kerberos Server Name

This attribute specifies the host name of the Kerberos Key Distribution Center (the domain controller). You must enter the fully qualified domain name (FQDN) of the domain controller.

Return Principal with Domain Name

If enabled, this attribute allows OpenSSO Enterprise to automatically return the Kerberos principal with the domain controller's domain name during authentication.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


Windows NT

The Windows NT Authentication module allows for authentication against a Microsoft Windows NT server. The attributes are realm attributes. The values applied to them under Service Configuration become the default values for the Windows NT Authentication template. The service template needs to be created after registering the service for the realm. The default values can be changed after registration by the realm's administrator. Realm attributes are not inherited by entries in the subtrees of the realm.

In order to activate the Windows NT Authentication module, Samba Client 2.2.2 or 3.x must be downloaded and installed to the following directory:

ConfigurationDirectory/uri/bin

The Samba Client is a file and print server for blending Windows and UNIX machines without requiring a separate Windows NT/2000 Server.

Red Hat Linux ships with a Samba client, located in the /usr/bin directory.

In order to authenticate using the Windows NT Authentication service for Linux, copy the client binary to /bin.

The Windows NT attributes are:

Authentication Domain

Defines the Domain name to which the user belongs.

Authentication Host

Defines the Windows NT authentication host name. The host name should be the NetBIOS name, as opposed to the fully qualified domain name (FQDN). By default, the first part of the FQDN is the NetBIOS name.

If the DHCP (Dynamic Host Configuration Protocol) is used, you would put a suitable entry in the HOSTS file on the Windows 2000 machine.

Name resolution will be performed based on the NetBIOS name. If you do not have any server on your subnet supplying NetBIOS name resolution, the mappings should be hardcoded. For example, the host name should be example1, not example1.company1.com.

Samba Configuration File Name

Defines the Samba configuration filename and supports the -s option in the smbclient command. The value must be the full directory path where the Samba configuration file is located.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


Console Properties

The Console properties contain services that enable you to configure the OpenSSO Enterprise console and to define console properties for different locales and character sets. The Console properties contain the following:

Administration

The Administration service enables you to configure the OpenSSO Enterprise console at both the global level as well as at a configured realm level (Preferences or Options specific to a configured realm). The Administration service attributes are global and realm attributes.


Note –

If you have upgraded to OpenSSO Enterprise 8.0 and are running in legacy mode, a large number of attributes will be displayed in the console. The complete list of attributes and their descriptions are listed in the OpenSSO Enterprise 8.0 online help and in the Sun Java System Access Manager 7.1 Administration Reference.


The attributes are:

Federation Management

Enables Federation Management. It is selected by default. To disable this feature, deselect the field; the Federation Management tab will then not appear in the console.

Default Agents Container

Specifies the default agent container into which the agent is created. The default is Agents.

Maximum Results Returned From Search

This field defines the maximum number of results returned from a search. The default value is 100.

Do not set this attribute to a large value (greater than 1000) unless sufficient system resources are allocated.


Note –

OpenSSO Enterprise is preconfigured to return a maximum of 4000 search entries. This value can be changed through the console or by using ldapmodify. If you wish to change it using ldapmodify, create a newConfig.xml file with the following values (in this example, nsSizeLimit: -1 means unlimited):

dn: cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX
changetype: modify
replace: nsSizeLimit
nsSizeLimit: -1

Then, run ldapmodify. For example:

setenv LD_LIBRARY_PATH /opt/SUNWam/lib/:/opt/SUNWam/ldaplib/ldapsdk:/usr/lib/mps:/usr/share/lib/mps/secv1:/usr/lib/mps/secv1:$LD_LIBRARY_PATH

./ldapmodify -D "cn=Directory Manager" -w "iplanet333" -c -a -h hostname.domain -p 389 -f newConfig.xml

Modifications to this attribute made through ldapmodify take precedence over those made through the OpenSSO Enterprise console.


Timeout For Search

Defines the amount of time (in number of seconds) that a search will continue before timing out. It is used to stop potentially long searches. After the maximum search time is reached, the search terminates and returns an error. The default is 5 seconds.


Note –

Directory Server has been preconfigured with a timeout value of 120 seconds. This value can be changed through the Directory Server console or by using ldapmodify. To change it with ldapmodify, create a file named newConfig.xml (LDIF content) with the following values. This example changes the timeout from 120 seconds to 3600 seconds:

dn: cn=config
changetype: modify
replace: nsslapd-timelimit
nsslapd-timelimit: 3600

Then run ldapmodify. For example:

setenv LD_LIBRARY_PATH /opt/SUNWam/lib/:/opt/SUNWam/ldaplib/ldapsdk:/usr/lib/mps:/usr/share/lib/mps/secv1:/usr/lib/mps/secv1:$LD_LIBRARY_PATH

./ldapmodify -D "cn=Directory Manager" -w "iplanet333" \
    -c -a -h hostname.domain -p 389 -f newConfig.xml

Note that nsslapd-timelimit is the server-wide default time limit for every client, so raising it to an hour allows any bound client to keep a search running that long. The same caution about passing the password on the command line applies here.

User Search Key

This attribute defines the attribute name that is to be searched upon when performing a simple search in the Navigation page. The default value for this attribute is cn.

For example, if you enter j* in the Name field in the Navigation frame, users whose names begin with "j" or "J" are displayed.

Search Return Attribute

This field defines the attribute name used when displaying the users returned from a simple search. The default of this attribute is uid cn. This will display the user ID and the user's full name.

The attribute name that is listed first is also used as the key for sorting the set of users that will be returned. To avoid performance degradation, use an attribute whose value is set in a user's entry.

Maximum Entries Displayed per Page

This attribute allows you to define the maximum rows that can be displayed per page. The default is 25. For example, if a user search returns 100 rows, there will be 4 pages with 25 rows displayed in each page.

External Attributes Fetch

This option enables callbacks for plug-ins to retrieve external attributes (any external application-specific attribute). External attributes are not cached in the OpenSSO Enterprise SDK, so this attribute allows you to enable attribute retrieval at the realm level. By default, this option is not enabled.

Globalization Settings

The Globalization Settings service contains global attributes that enable you to configure OpenSSO Enterprise for different locales and character sets. The attributes are:

Charsets Supported By Each Locale

This attribute lists the character sets supported for each locale, that is, the mapping between locale and character set.

To add a New Supported Charset, click Add and define the following parameters:

Locale

The new locale you wish to add. See Supported Language Locales for more information.

Supported Charsets

Enter the supported charsets for the specified locale. Charsets are delimited by semicolons. For example: charset=charset1;charset2;charset3;...;charsetn

To edit any existing Supported Charset, click the name in the Supported Charset table. Click OK when you are finished.

Charset Aliases

This attribute lists the codeset names (which map to IANA names) that are used to send the response. These codeset names do not need to match Java codeset names; OpenSSO Enterprise keeps a hash table that maps Java character sets to IANA charsets and vice versa.

To add a new Charset Alias, click the Add button and define the following parameters:

MIME name

The IANA mapping name. For example, Shift_JIS

Java Name

The Java character set to map to the IANA character set.

To edit any existing Charset Alias, click the name in the table. Click OK when you are finished.

Auto Generated Common Name Format

This display option allows you to define the way in which a name is automatically generated, to accommodate name formats for different locales and character sets. Any commas or spaces included in the definition appear literally in the generated name. The default syntax is as follows:

en_us = {givenname} {initials} {sn}

For example, to display a new name format for a user (given name User, surname One) with a uid of 11111 for the Chinese locale, define:

zh = {sn}{givenname}({uid})

The display is:

OneUser(11111)

Supported Language Locales

The following table lists the language locales that OpenSSO Enterprise supports:

Language Tag    Language
af              Afrikaans
be              Belarusian
bg              Bulgarian
ca              Catalan
cs              Czech
da              Danish
de              German
el              Greek
en              English
es              Spanish
eu              Basque
fi              Finnish
fo              Faroese
fr              French
ga              Irish
gl              Galician
hr              Croatian
hu              Hungarian
id              Indonesian
is              Icelandic
it              Italian
ja              Japanese
ko              Korean
nl              Dutch
no              Norwegian
pl              Polish
pt              Portuguese
ro              Romanian
ru              Russian
sk              Slovak
sl              Slovenian
sq              Albanian
sr              Serbian
sv              Swedish
tr              Turkish
uk              Ukrainian
zh              Chinese

Global Properties

Global Properties contain services that enable you to define password reset functionality and policy configuration for OpenSSO Enterprise. The services you can configure are:

Common Federation Configuration

Datastore SPI Implementation Class

This attribute specifies the implementation class for the com.sun.identity.plugin.datastore.DataStoreProvider SPI which is used for managing federation user data store information.

Configuration Instance SPI Implementation Class

This attribute specifies the implementation class for the com.sun.identity.plugin.configuration.ConfigurationInstance SPI which is used for managing federation service configuration data.

Logger SPI Implementation Class

This attribute specifies the implementation class for the com.sun.identity.plugin.log.Logger SPI which is used for managing federation logging.

Session Provider SPI Implementation Class

This attribute specifies the implementation class for the com.sun.identity.plugin.session.SessionProvider SPI, which is used for managing federation sessions.

Maximum Allowed Content Length

This attribute specifies the maximum allowed content length, in bytes, for an HTTP request handled by the federation services. Any request whose content exceeds this length is rejected. The limit bounds the memory an unauthenticated peer can force the server to allocate while parsing a federation message, so do not raise it beyond what your largest legitimate SAML or ID-FF message requires.

Password Decoder SPI Implementation Class

This attribute specifies the implementation class for the com.sun.identity.saml.xmlsig.PasswordDecoder interface, which is used to decode the stored password for the XML signing keystore and the password for basic authentication under SAML 1.x.

Signature Provider SPI Implementation Class

This attribute specifies the SAML XML signature provider class. The default SPI is com.sun.identity.saml.xmlsig.AMSignatureProvider.

Key Provider SPI Implementation Class

This attribute specifies the XML signature key provider class. The default SPI is com.sun.identity.saml.xmlsig.JKSKeyProvider.

Check Presence of Certificates

If set to on, the signing certificate must be present in the keystore for XML signature validation to succeed. If set to off, the presence check is skipped. This applies to SAML 1.x only.

XML Canonicalization Algorithm

This attribute specifies the XML canonicalization algorithm used for SAML XML signature generation and verification. The default value is http://www.w3.org/2001/10/xml-exc-c14n#.

XML Signature Algorithm

This attribute specifies the XML signature algorithm used for SAML XML signature generation and verification. When not specified or empty, the default value (http://www.w3.org/2000/09/xmldsig#rsa-sha1) is used. This default is built on SHA-1, which is no longer considered collision-resistant; check whether the signature provider in your deployment supports a SHA-2 based algorithm identifier before relying on the default.

XML Transformation Algorithm

This attribute specifies the transformation algorithm used for SAML XML signature generation and verification. When not specified or empty, the default value (http://www.w3.org/2001/10/xml-exc-c14n#) is used.

Liberty ID-FF Service Configuration

Federation Cookie Name

This attribute specifies the name of the ID-FF services cookie. The cookie is used to remember whether the user is already federated.

IDP Proxy Finder SPI Implementation Class

This attribute specifies the implementation class for finding a preferred identity provider to be proxied.

Request Cache Cleanup Interval

This attribute specifies the interval (in seconds) at which the ID-FF internal request cleanup thread runs.

Request Cache Timeout

This attribute specifies the timeout value (in seconds) for ID-FF authentication requests. Any AuthnRequest object is purged from memory once it exceeds the timeout value.

IDP Login URL

This attribute specifies the login URL to which the IDP redirects if a valid session is not found while processing the authentication request. If the key is not specified, a default login URL is used.

XML Signing On

This attribute specifies the level of signature verification for Liberty requests and responses.

Liberty ID-WSF Security Service

Security Attribute Plugin Class

This attribute specifies the implementation class name for the com.sun.identity.liberty.ws.security.SecurityAttributePlugin interface. The class returns a list of SAML attributes to be included in the credentials generated by the Discovery Service.

Key Info Type

The value set in this attribute is used by the com.sun.identity.liberty.ws.security.LibSecurityTokenProvider implementation class. It specifies the data type put into the KeyInfo block inside the XML signature. If the value is certificate, the signer's X.509 certificate is included inside KeyInfo. Otherwise, the corresponding DSA or RSA public key is included in KeyInfo.

Security Token Provider Class

This attribute specifies the implementation class for the security token provider.

Default WSC Certificate Alias

This attribute specifies the default certificate alias used when issuing a web service security token for this web service client.

Trusted Authority Signing Certificate Alias

This attribute specifies the certificate alias for the trusted authority that is used to sign the SAML or SAML BEARER token in a response message.

Trusted CA Signing Certificate Aliases

This attribute specifies the certificate aliases for trusted CAs. The SAML or SAML BEARER token of an incoming request must be signed by a trusted CA in this list. The syntax is cert alias 1[:issuer 1]|cert alias 2[:issuer 2]|...

Example: myalias1:myissuer1|myalias2|myalias3:myissuer3

The issuer value is used when the token does not carry a KeyInfo inside its signature: the issuer of the token must be in this list, and the corresponding certificate alias is used to verify the signature. If KeyInfo is present, the keystore must contain a certificate alias that matches the KeyInfo, and that certificate alias must also be in this list.
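The two verification paths described above (KeyInfo present versus issuer lookup) are easy to get wrong in a custom token provider, so here is the rule spelled out as code. This is an added example, not code from OpenSSO Enterprise: the function names, the dictionary standing in for the JKS keystore and the certificate strings are all constructed for illustration.

```python
def parse_trusted_ca_aliases(value):
    """Parse "alias1[:issuer1]|alias2[:issuer2]|..." into (alias, issuer) pairs.

    issuer is None when the entry has no ":issuer" part.
    """
    entries = []
    for item in value.split("|"):
        item = item.strip()
        if not item:
            continue
        alias, _, issuer = item.partition(":")
        entries.append((alias, issuer or None))
    return entries


def select_verification_alias(trusted, keystore, keyinfo_cert=None, issuer=None):
    """Pick the keystore alias used to verify an incoming token's signature.

    trusted       output of parse_trusted_ca_aliases
    keystore      alias -> certificate; hypothetical stand-in for the JKS keystore
    keyinfo_cert  certificate carried in the signature's KeyInfo, if any
    issuer        token issuer, consulted only when there is no KeyInfo

    Returns the alias to verify with, or None when the token must be rejected.
    """
    trusted_aliases = {alias for alias, _ in trusted}
    if keyinfo_cert is not None:
        # KeyInfo present: the keystore must hold a matching certificate AND that
        # alias must be in the trusted list; being in the keystore alone is not enough.
        for alias, cert in keystore.items():
            if cert == keyinfo_cert:
                return alias if alias in trusted_aliases else None
        return None
    if issuer is not None:
        # No KeyInfo: the issuer must be listed, and that entry's alias is used.
        for alias, listed_issuer in trusted:
            if listed_issuer == issuer and alias in keystore:
                return alias
    return None


# Constructed sample data mirroring the syntax example in the text.
TRUSTED = parse_trusted_ca_aliases("myalias1:myissuer1|myalias2|myalias3:myissuer3")
KEYSTORE = {"myalias1": "cert-A", "myalias2": "cert-B", "myalias3": "cert-C", "stray": "cert-Z"}
```

Note that myalias2 carries no issuer, so a token from that signer is only verifiable when it includes KeyInfo; and cert-Z, although present in the keystore, is never accepted because its alias is not in the list.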

Liberty Interaction Service

WSP to Redirect User for Interaction

This attribute indicates whether the web service provider will redirect the user for consent. The default value is yes.

WSP to Redirect User for Interaction for Data

This attribute indicates whether the web service provider will redirect the user to collect additional data, as opposed to consent alone. The default value is yes.

WSP's Expected Duration for Interaction

This attribute indicates the length of time (in seconds) that the web service provider expects to take to complete an interaction and return control back to the web service client. For example, the web service provider receives a request indicating that the web service client will wait a maximum 30 seconds (set in WSC's Expected Duration for Interaction) for interaction. If this attribute is set to 40 seconds, the web service provider returns a SOAP fault (timeNotSufficient), indicating that the time is insufficient for interaction.

WSP to Enforce That returnToURL must be SSL

This attribute indicates whether the web service provider enforces that the returnToURL specified by the web service client is an HTTPS URL. The Liberty Alliance Project specifications state that the value of this property is always yes. The value no is meant only to ease a phased deployment; it allows the interaction result to be returned to an unprotected URL.

WSP to Enforce Return to Host be the Same as Request Host

This attribute indicates whether the web service provider enforces that the returnToHost address is the same as the requestHost address. The Liberty Alliance Project specifications state that the value of this property is always yes. The value no is meant only to ease a phased deployment.

HTML Style Sheet Location

This attribute points to the location of the style sheet that is used to render the interaction page in HTML.

WML Style Sheet Location

This attribute points to the location of the style sheet that is used to render the interaction page in WML.

WSP Interaction URL

This attribute specifies the URL where the WSPRedirectHandler servlet is deployed. The servlet handles the service provider side of interactions for user redirects.

WSP Interaction URL if Behind Load Balancer

Defines the WSP redirect handler URL exposed by a Load Balancer.

List of Interaction URLs of the WSP Cluster (site) Behind the Load Balancer

Defines the WSP redirect handler URLs of trusted servers in the cluster.

Interaction Configuration Class

This attribute specifies the class that provides access methods to read interaction configurations.

Options for WSC to Participate in Interaction

This attribute indicates the level of interaction in which the WSC will participate if configured to participate in user redirects. The possible values are interactIfNeeded, doNotInteract, and doNotInteractForData. The affirmative interactIfNeeded is the default.

WSC to Include userInteractionHeader

This attribute indicates whether the web service client will include a SOAP header to indicate certain preferences for interaction based on the Liberty specifications. The default value is yes.

WSC to redirect user for Interaction

This attribute defines whether the WSC will participate in user redirections. The default value is yes.

WSC's Expected Duration for Interaction

This attribute defines the maximum length of time (in seconds) that the web service client is willing to wait for the web service provider to complete its portion of the interaction. The web service provider will not initiate an interaction if the interaction is likely to take more time than what is set. For example, the web service provider receives a request where this property is set to a maximum 30 seconds. If the web service provider property WSP's Expected Duration for Interaction is set to 40 seconds, the web service provider returns a SOAP fault (timeNotSufficient), indicating that the time is insufficient for interaction.

WSC to Enforce that Redirection URL Must be SSL

This attribute specifies whether the web service client enforces HTTPS in redirection URLs. The Liberty Alliance Project specifications state that the value of this property is always yes, meaning the web service client will not redirect the user when the redirectURL (specified by the web service provider) is not an HTTPS URL. The value no is meant only to ease a phased deployment.

Multi Federation Protocol

Single Logout Handler List

This attribute defines a list of values, each specifying a Single Logout Handler implementation class for an individual federation protocol. Each value has the following format:

key=Federation_Protocol_Name|class=SPI_Implementation_Class_Name

By default, handlers for OASIS SAMLv2 (key=SAML2), Liberty ID-FF (key=IDFF) and WS-Federation (key=WSFED) are defined in the list:

key=SAML2|class=com.sun.identity.multiprotocol.SAML2SingleLogoutHandler
key=IDFF|class=com.sun.identity.multiprotocol.IDFFSingleLogoutHandler
key=WSFED|class=com.sun.identity.multiprotocol.WSFederationSingleLogoutHandler

Password Reset

OpenSSO Enterprise provides a Password Reset service that allows users to receive an email message containing a new password, or to reset their password, for access to a given service or application protected by OpenSSO Enterprise. The Password Reset attributes are realm attributes. The attributes are:

User Validation

This attribute specifies the name of the user attribute used to search for the user whose password is to be reset.

Secret Question

This field allows you to add a list of questions that the user can use to reset his or her password. To add a question, type it in the Secret Question field and click Add. The selected questions appear in the user's User Profile page, where the user can select a question for resetting the password. Users may create their own question if the Personal Question attribute is selected.

Search Filter

This attribute specifies the search filter to be used to find user entries.

Base DN

This attribute specifies the DN from which the user search starts. If no DN is specified, the search starts from the realm DN. Do not use cn=directorymanager as the base DN, due to proxy authentication conflicts.

Bind DN

This attribute is used, together with Bind Password, to bind to the directory when resetting the user password. Use a dedicated account whose write access is limited to the user password attribute rather than an administrative account, since this credential is stored in the service configuration.

Bind Password

This attribute is used with Bind DN to reset the user password.

Bind Password Confirm

Confirm the password.

Password Reset Option

This attribute specifies the class used to generate the new password. The default class is com.sun.identity.password.RandomPasswordGenerator. The password reset class can be customized through a plug-in; the class must implement the PasswordGenerator interface.

Password Change Notification Option

This attribute determines the method used to notify the user of the password reset. The default class is com.sun.identity.password.EmailPassword. The notification class can be customized through a plug-in; the class must implement the NotifyPassword interface. See the OpenSSO Enterprise Developer's Guide for more information.

Password Reset

Selecting this attribute enables the password reset feature.

Personal Question

Selecting this attribute allows a user to create a unique question for password resetting.

Maximum Number of Questions

This value specifies the maximum number of questions to be asked in the password reset page.

Force Change Password on Next Login

When enabled, this option forces the user to change his or her password on the next login. If you want an administrator, other than the top-level administrator, to set the force password reset option, you must modify the Default Permissions ACIs to allow access to that attribute.

Password Reset Failure Lockout

This attribute specifies whether users who repeatedly fail to reset their password through the Password Reset application are locked out of the service. By default, this feature is not enabled.

Password Reset Failure Lockout Count

This attribute defines the number of attempts a user may make to reset a password, within the time interval defined in Password Reset Failure Lockout Interval, before being locked out. For example, if Password Reset Failure Lockout Count is set to 5 and Password Reset Failure Lockout Interval is set to 5 minutes, the user has five chances within five minutes to reset the password before being locked out.

Password Reset Failure Lockout Interval

This attribute defines (in minutes) the window within which the failed password reset attempts counted against Password Reset Failure Lockout Count must occur for the user to be locked out.

Email Address to Send Lockout Notification

This attribute specifies an email address that receives notification when a user is locked out of the Password Reset service. Specify multiple email addresses in a space-separated list.

Warn User After N Failures

This attribute specifies the number of password reset failures that can occur before OpenSSO Enterprise sends the user a warning message that he or she is about to be locked out.

Password Reset Failure Lockout Duration

This attribute defines (in minutes) how long a user is unable to attempt a password reset after a lockout has occurred.

Password Reset Lockout Attribute Name

This attribute specifies the name of the user attribute (by default inetuserstatus) that is written when a user is locked out while Password Reset Failure Lockout Duration is set to 0. In that case the lockout does not expire on its own: the attribute named here is set to the value given in Password Reset Lockout Attribute Value, and the user cannot attempt a password reset until an administrator restores the entry.

Password Reset Lockout Attribute Value

This attribute specifies the value (by default inactive) written to the attribute named in Password Reset Lockout Attribute Name when a user is locked out while Password Reset Failure Lockout Duration is set to 0. Setting inetuserstatus to inactive prohibits the user from attempting to reset his or her password.
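The lockout attributes above interact in ways the individual descriptions do not show: failures are only counted inside the interval, a warning precedes the lockout, a timed lockout expires after the duration, and a duration of 0 instead writes the lockout into the user entry. The following is an added illustration of those rules, not code from OpenSSO Enterprise; the class, its method names, the in-memory user store standing in for the directory entry and the constructed user IDs are assumptions, while the defaults inetuserstatus and inactive come from the descriptions above.

```python
import time


class PasswordResetLockout:
    """Failure-window lockout modelled on the Password Reset service attributes.

    count / interval_min  Lockout Count and Lockout Interval (minutes)
    duration_min          Lockout Duration (minutes); 0 records the lockout in the
                          user entry instead of letting it expire
    warn_after            Warn User After N Failures
    lockout_attr/_value   Lockout Attribute Name and Value (inetuserstatus/inactive)
    clock                 injectable time source so the logic can run offline
    """

    def __init__(self, count=5, interval_min=5, duration_min=10, warn_after=3,
                 lockout_attr="inetuserstatus", lockout_value="inactive",
                 clock=time.time):
        self.count, self.warn_after, self.clock = count, warn_after, clock
        self.interval, self.duration = interval_min * 60, duration_min * 60
        self.lockout_attr, self.lockout_value = lockout_attr, lockout_value
        self._failures = {}      # uid -> timestamps of failures inside the window
        self._locked_until = {}  # uid -> end of a timed lockout
        self.entries = {}        # uid -> attributes; hypothetical stand-in for the directory entry

    def is_locked(self, uid):
        """True while the user may not attempt a reset."""
        if self.entries.get(uid, {}).get(self.lockout_attr) == self.lockout_value:
            return True                          # lockout written into the entry
        until = self._locked_until.get(uid)
        if until is not None and self.clock() < until:
            return True
        self._locked_until.pop(uid, None)        # timed lockout has expired
        return False

    def record_failure(self, uid):
        """Register one failed attempt; returns "ok", "warn" or "locked"."""
        now = self.clock()
        if self.is_locked(uid):
            return "locked"
        # Only failures inside the interval count towards the limit.
        recent = [t for t in self._failures.get(uid, []) if now - t < self.interval]
        recent.append(now)
        self._failures[uid] = recent
        if len(recent) >= self.count:
            del self._failures[uid]
            if self.duration == 0:
                self.entries.setdefault(uid, {})[self.lockout_attr] = self.lockout_value
            else:
                self._locked_until[uid] = now + self.duration
            return "locked"
        return "warn" if len(recent) >= self.warn_after else "ok"

    def record_success(self, uid):
        """A successful reset clears the failure history."""
        self._failures.pop(uid, None)


class FakeClock:
    """Controllable clock so the walk-through does not wait real minutes."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Exercise the three behaviours on constructed input; returns what was observed."""
    clock = FakeClock()
    # Count 5 in 5 minutes, warn after 3, 10-minute lockout; five failures 30 s apart.
    timed = PasswordResetLockout(count=5, interval_min=5, duration_min=10, warn_after=3, clock=clock)
    statuses = []
    for _ in range(5):
        statuses.append(timed.record_failure("jdoe"))
        clock.t += 30
    locked_immediately = timed.is_locked("jdoe")
    clock.t += 10 * 60
    locked_after_duration = timed.is_locked("jdoe")
    # Duration 0: the lockout lands in the entry and does not expire.
    permanent = PasswordResetLockout(count=2, duration_min=0, clock=clock)
    permanent.record_failure("asmith")
    permanent.record_failure("asmith")
    # Failures spaced wider than the interval never accumulate.
    windowed = PasswordResetLockout(count=2, interval_min=1, clock=clock)
    windowed.record_failure("bob")
    clock.t += 120
    return {
        "statuses": statuses,                                            # ok, ok, warn, warn, locked
        "locked_immediately": locked_immediately,                        # True
        "locked_after_duration": locked_after_duration,                  # False
        "permanent_attr": permanent.entries["asmith"]["inetuserstatus"],  # inactive
        "permanent_locked": permanent.is_locked("asmith"),               # True
        "spaced_status": windowed.record_failure("bob"),                 # ok
    }


if __name__ == "__main__":
    print(demo())
```

The clock is injected so the walk-through can be run and checked without waiting real minutes; in a deployment the same rules are applied against the directory entry and wall-clock time.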

Policy Configuration

The Policy Configuration attributes enable the administrator to set the global and realm configuration properties used by the Policy service.

Global Properties

The Global Properties are:

Resource Comparator

Specifies the resource comparator information used to compare resources specified in a Policy rule definition. Resource comparison is used for both policy creation and evaluation.

Click the Add button and define the following attributes:

Service Type

Specifies the service type to which the comparator applies.

Class

Defines the Java class that implements the resource comparison algorithm.

Delimiter

Specifies the delimiter to be used in the resource name.

Wildcard

Specifies the wildcard character that can be used in resource names; it matches zero or more characters, delimiters included.

One Level Wildcard

Specifies the one-level wildcard, which matches zero or more characters at the same delimiter boundary, that is, it never matches the delimiter itself.

Case Sensitive

Specifies whether the comparison of two resources considers case. False ignores case; True considers case.

Continue Evaluation on Deny Decision

Specifies whether the policy framework continues evaluating subsequent policies after a DENY decision has been reached. If it is not selected (the default), policy evaluation skips subsequent policies once a DENY decision is recognized.

Advices Handleable by OpenSSO

Defines the names of policy advice keys for which the Policy Enforcement Point (policy agent) redirects the user agent to OpenSSO Enterprise. If the agent receives a policy decision that does not allow access to a resource but carries advices, the agent checks whether any of the advice keys is listed in this attribute.

If such an advice is found, the user agent is redirected to OpenSSO Enterprise, potentially allowing access to the resource once the advice has been satisfied.

Realm Alias Referrals

When set to Yes, this attribute allows you to create policies in sub-realms without having to create referral policies from the top-level or parent realm. You can only create policies to protect HTTP or HTTPS resources whose fully qualified hostname matches the DNSAlias of the realm. By default, this attribute is defined as No.
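The Resource Comparator settings (delimiter, wildcard, one-level wildcard, case sensitivity) and Continue Evaluation on Deny Decision decide which policies apply to a request and when evaluation stops. The following is an added example of those rules, not code from OpenSSO Enterprise: the functions are constructed for illustration, the default delimiter "/", wildcard "*" and one-level wildcard "-*-" are assumptions for the example, and the sample policies and URLs are invented. The evaluate function goes slightly beyond the text by combining resource matching with the deny short-circuit in one walk.

```python
import re


def compile_resource_pattern(pattern, delimiter="/", wildcard="*",
                             one_level_wildcard="-*-", case_sensitive=False):
    """Turn a policy rule resource name into a compiled regular expression.

    wildcard            matches zero or more characters, delimiters included
    one_level_wildcard  matches zero or more characters but never the delimiter,
                        so it stays within one delimiter-separated level
    The default delimiter, wildcard and one-level wildcard values are assumptions
    for this example; take the real ones from the Resource Comparator entry.
    """
    across = ".*"
    within = "[^%s]*" % re.escape(delimiter)
    # Split on the one-level wildcard first so that the "*" inside "-*-" is not
    # mistaken for the multi-level wildcard.
    levels = []
    for chunk in pattern.split(one_level_wildcard):
        levels.append(across.join(re.escape(piece) for piece in chunk.split(wildcard)))
    regex = "^" + within.join(levels) + "$"
    return re.compile(regex, 0 if case_sensitive else re.IGNORECASE)


def resource_matches(pattern, resource, **comparator):
    """True if resource falls under pattern according to the comparator settings."""
    return compile_resource_pattern(pattern, **comparator).match(resource) is not None


def evaluate(policies, resource, continue_on_deny=False, **comparator):
    """Simplified policy walk illustrating Continue Evaluation on Deny Decision.

    policies  list of (name, resource_pattern, "ALLOW" or "DENY") in evaluation order
    Returns (decision, names_of_policies_consulted). DENY overrides ALLOW; with
    continue_on_deny False (the default) evaluation stops at the first DENY.
    """
    consulted, decisions = [], []
    for name, pattern, decision in policies:
        if not resource_matches(pattern, resource, **comparator):
            continue
        consulted.append(name)
        decisions.append(decision)
        if decision == "DENY" and not continue_on_deny:
            break
    if "DENY" in decisions:
        return "DENY", consulted
    if "ALLOW" in decisions:
        return "ALLOW", consulted
    return None, consulted


# Constructed sample policies (hypothetical names and resources).
POLICIES = [
    ("site-wide-allow", "http://www.example.com/*", "ALLOW"),
    ("admin-deny", "http://www.example.com/admin/*", "DENY"),
    ("admin-help-allow", "http://www.example.com/admin/help/*", "ALLOW"),
]
```

The anchored regular expression is what prevents a pattern such as http://www.example.com/* from also matching a host whose name merely contains that string; the one-level wildcard test shows why -*- is the right choice when a rule must not reach into deeper paths.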

Realm Attributes

The realm (LDAP) properties are:

Primary LDAP Server

Specifies the host name and port number of the primary LDAP server, specified during OpenSSO Enterprise installation, that is used to search for policy subjects such as LDAP users, LDAP roles, LDAP groups, and so forth.

The format is hostname:port. For example: machine1.example.com:389

For failover configuration to multiple LDAP server hosts, this value can be a space-delimited list of hosts. The format is hostname1:port1 hostname2:port2 ...

For example: machine1.example1.com:389 machine2.example1.com:389

Multiple entries must be prefixed by the local server name. This allows specific OpenSSO Enterprise instances to be configured to talk to specific Directory Servers. The format is servername|hostname:port. For example:

machine1.example1.com|machine1.example1.com:389
machine1.example2.com|machine1.example2.com:389

For failover configuration:

AM_Server1.example1.com|machine1.example1.com:389 machine2.example1.com:389
AM_Server2.example2.com|machine1.example2.com:389 machine2.example2.com:389
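To make the servername|host:port host:port format concrete, here is how one instance would resolve the attribute to an ordered list of servers and walk it for failover. This is an added example, not code from OpenSSO Enterprise; the function names and the precedence rule (a value prefixed with this server's name wins over an unprefixed value, values prefixed with another server's name are ignored) are assumptions of the example, and the sample values are the ones shown above.

```python
def resolve_policy_ldap_servers(values, local_server):
    """Resolve the Primary LDAP Server attribute for one OpenSSO Enterprise instance.

    values        the attribute's values; each is "host:port[ host:port ...]" or
                  "servername|host:port[ host:port ...]"
    local_server  the name of this instance, matched against the servername prefix

    Returns an ordered list of (host, port): the first is the primary, the rest are
    failover hosts. Precedence (assumed for this example): a value prefixed with this
    server's name beats an unprefixed value; other servers' values are ignored.
    """
    prefixed, unprefixed = None, None
    for raw in values:
        raw = raw.strip()
        if "|" in raw:
            server, _, hosts = raw.partition("|")
            if server.strip().lower() == local_server.lower():
                prefixed = hosts
        elif unprefixed is None:
            unprefixed = raw
    spec = prefixed if prefixed is not None else unprefixed
    if spec is None:
        raise ValueError("no Primary LDAP Server entry applies to %s" % local_server)
    servers = []
    for hostport in spec.split():
        host, sep, port = hostport.rpartition(":")
        if not sep or not host or not port.isdigit():
            raise ValueError("malformed host:port value %r" % hostport)
        servers.append((host, int(port)))
    return servers


def first_reachable(servers, probe):
    """Failover walk: return the first (host, port) for which probe(host, port) is true.

    probe is any connection check (hypothetical here; a real one would attempt an
    LDAP bind, over LDAPS when LDAP SSL is enabled for the realm).
    """
    for host, port in servers:
        if probe(host, port):
            return (host, port)
    return None


# Constructed sample: the failover configuration shown in the text.
PRIMARY_LDAP_SERVER = [
    "AM_Server1.example1.com|machine1.example1.com:389 machine2.example1.com:389",
    "AM_Server2.example2.com|machine1.example2.com:389 machine2.example2.com:389",
]
```

A value with a malformed host:port is rejected rather than silently skipped, so a typo in the attribute surfaces at configuration time instead of as an unexplained fallback to the wrong directory.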

LDAP Base DN

Specifies the base DN in the LDAP server from which to begin the search. By default, it is the top-level realm of the OpenSSO Enterprise installation.

LDAP Users Base DN

This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level realm of the OpenSSO Enterprise installation.

OpenSSO Enterprise Roles Base DN

Defines the DN of the realm or organization which is used as a base while searching for the values of OpenSSO Enterprise Roles. This attribute is used by the AccessManagerRoles policy subject.

LDAP Bind DN

Specifies the bind DN in the LDAP server.

LDAP Bind Password

Defines the password used for binding to the LDAP server. By default, amldapuser is the bind user and its password, entered during installation, is used.

LDAP Bind Password Confirm

Confirm the password.

LDAP Organizations Search Filter

Specifies the search filter to be used to find organization entries. The default is (objectclass=sunManagedOrganization).

LDAP Organizations Search Scope

Defines the LDAP search scope used to find organization entries.

LDAP Groups Search Scope

Defines the LDAP search scope used to find group entries.

LDAP Groups Search Filter

Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).

LDAP Users Search Filter

Specifies the search filter to be used to find user entries. The default is (objectclass=inetorgperson).

LDAP Users Search Scope

Defines the LDAP search scope used to find user entries.

LDAP Roles Search Filter

Specifies the search filter to be used to find entries for roles. The default is (&(objectclass=ldapsubentry)(objectclass=nsroledefinition)).

LDAP Roles Search Scope

This attribute defines the LDAP search scope used to find entries for roles.

OpenSSO Roles Search Scope

Defines the scope to be used to find entries for OpenSSO Enterprise Roles subject.

LDAP Organization Search Attribute

Defines the attribute type for which to conduct a search on an organization. The default is o.

LDAP Groups Search Attribute

Defines the attribute type for which to conduct a search on a group. The default is cn.

LDAP Users Search Attribute

Defines the attribute type for which to conduct a search on a user. The default is uid.

LDAP Roles Search Attribute

This field defines the attribute type for which to conduct a search on a role. The default is cn.

Maximum Results Returned from Search

This field defines the maximum number of results returned from a search. The default value is 100. If more entries match than this limit allows, only the entries found up to that point are returned.

Search Timeout

Specifies the amount of time (in seconds) before a search times out. If the search exceeds the specified time, the entries found up to that point are returned.

LDAP SSL

Specifies whether the LDAP server is running SSL. Selecting the option enables SSL; deselecting it (the default) disables SSL.

If the LDAP server is running with SSL enabled (LDAPS), you must make sure that OpenSSO Enterprise is configured with the proper trusted certificates so that it can connect to Directory Server over LDAPS. Without SSL, the bind password and every policy subject lookup cross the network in clear text.

LDAP Connection Pool Minimum Size

Specifies the minimum size of the connection pool used for connecting to the Directory Server specified in the LDAP server attribute. The default is 1.

Connection Pool Maximum Size

This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.

Selected Policy Subjects

Allows you to select a set of subject types available to be used for policy definition in the realm.

Selected Policy Conditions

Allows you to select a set of condition types available to be used for policy definition in the realm.

Selected Policy Referrals

Allows you to select a set of referral types available to be used for policy definition in the realm.

Subject Results Time To Live

This attribute specifies the amount of time (in minutes) for which a cached subject result can be reused to evaluate the same policy for the same single sign-on token.

When a policy is first evaluated for an SSO token, the subject instances in the policy are evaluated to determine whether the policy applies to the user. The subject result, keyed by the SSO token ID, is cached in the policy. If the same policy is evaluated again for the same SSO token ID within the time specified here, the policy framework reuses the cached subject result instead of re-evaluating the subject instances, which significantly reduces policy evaluation time. The trade-off is that a change to a user's group or role membership is not seen by an existing session until the cached result expires, so keep this value short where membership changes must take effect promptly.

User Alias

This attribute must be enabled if you create a policy to protect a resource whose subject is a member in a remote Directory Server that aliases a local user. For example, it must be enabled if you create uid=rmuser in the remote Directory Server and then add rmuser as an alias to a local user (such as uid=luser) in OpenSSO Enterprise. When you log in as rmuser, a session is created for the local user (luser) and policy enforcement succeeds.

Selected Response Providers

Defines the policy response provider plug-ins that are enabled for the realm. Only the response provider plug-ins selected in this attribute can be added to policies defined in the realm.

Selected Dynamic Response Attributes

Defines the dynamic response attributes that are enabled for the realm. Only names selected in this attribute can be used in the dynamic attributes list of the IDResponseProvider added to policies defined in the realm.

SAMLv2 Service Configuration

Cache Cleanup Interval

This attribute specifies the duration (in seconds) between each cache cleanup.

Attribute Name for Name ID Information

Specifies the attribute name used to store name identifier information on a user's entry. If nothing is specified, the default attribute (sun-fm-saml2-nameid-info) will be used. The corresponding datastore bind user must have read/write/search/compare permission to this attribute.

Attribute Name for Name ID Information Key

Specifies the attribute name used to store the name identifier key on a user's entry. If not specified, the default attribute (sun-fm-saml2-nameid-infokey) is used. The corresponding datastore bind user must have read/write/search/compare permission to this attribute. You must also make sure that an equality index is added for this attribute.

Cookie Domain for IDP Discovery Service

Specifies the cookie domain for the SAMLv2 IDP discovery cookie.

Cookie Type for IDP Discovery Service

Specifies cookie type used in SAMLv2 IDP Discovery Service, either Persistent or Session. Default is Session.

URL Scheme for IDP Discovery Service

Specifies URL scheme used in SAMLv2 IDP Discovery Service.

XML Encryption SPI Implementation Class

Specifies implementation class name for the SAMLv2 Encryption Provider interface. The class is used to perform XML encryption and decryption in SAMLv2 profiles.

Include Encrypted Key Inside KeyInfo Element

This is used by the com.sun.identity.saml2.xmlenc.FMEncProvider class. If enabled, the EncryptedKey element is placed inside the KeyInfo of the EncryptedData element when performing XML encryption. If it is not enabled, EncryptedKey is placed as a sibling of the EncryptedData element. Default is enabled.

XML Signing Implementation Class

If enabled, the signing certificate used by the identity provider or service provider is validated against the certificate revocation list (CRL) configured in the Security settings under the Sites and Servers tab. If the certificate is not validated and accepted, processing stops and a validation error is returned without further XML signature validation.

XML Signing Certificate Validation

If enabled, the SAML identity provider or service provider will validate the certificate that is used for signing. If the certificate is validated and accepted, the provider will validate the signature. If not, processing stops and a validation error is returned.

CA Certificate Validation

If enabled, the signing certificate used by the identity provider and service provider will be validated against the trusted CA list. If the certificate is not validated and accepted, processing stops and a validation error is returned without any further XML signature validation.

SAMLv2 SOAP Binding

The SAMLv2 SOAP Binding service provides SOAP-based exchange of SAMLv2 Request and Response messages between an OpenSSO Enterprise client and the OpenSSO Enterprise server. The requests received are delegated to the request handler for further processing. The key to the Request Handler and the meta alias is in the SOAP Binding service URL. A mapping of the meta alias to the RequestHandler is stored in the SAMLv2 SOAP Binding service and can be read from the OpenSSO Enterprise configuration store.

Request Handler List

The RequestHandlerList is a list of key/value pair entries containing the mapping of the meta alias to the RequestHandler implementation. This attribute must be set if an OpenSSO Enterprise 8.0 server is being configured to act as a Policy Decision Point (PDP).

The Key is the Policy Decision Point meta alias and the Class is the Java class name of the implementation of the RequestHandler interface that processes XACML requests.

For example, if the meta alias of the XACML Policy Decision Point is /pdp and the implementation of the interface is com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler, then the key should be set to /pdp and the class should be set to com.sun.identity.xacml.plugins.XACMLAuthzDecisionQueryHandler.

Procedure: To Configure a Request Handler

The RequestHandler interface must be implemented on the server side by each SAMLv2 service that uses the SOAP Binding Service. The Request Handler List attribute stores information about the implementation classes that implement the Request Handler. The Request Handler List displays entries that contain key/value pairs.

  1. Click New to display the New Request Handler attributes or click on a configured key value to modify existing attributes.

  2. Provide values for the attributes based on the following information:

    key

    The Key is the Policy Decision Point meta alias.

    class

    The Class is the Java class name of the implementation of the RequestHandler interface that processes XACML requests.

  3. Click OK to complete the Request Handler configuration.

  4. Click Save on the SAMLv2 SOAP Binding page to complete the service configuration.

Security Token Service

The attributes contained in this service define the dynamic configuration for the OpenSSO Enterprise Security Token Service (STS). These attributes define the following configuration:

Issuer

The name of the Security Token service that issues the security tokens.

End Point

This field takes a value equal to:

%protocol://%host:%port%uri/sts

This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.

Encryption Issued Key

When enabled, this attribute encrypts the key issued by the Security Token service.

Encryption Issued Token

When enabled, this attribute encrypts the security token issued by the Security Token service.

Lifetime for Security Token

Defines the amount of time for which the issued token is valid.

Token Implementation Class

This attribute specifies the implementation class for the security token provider/issuer.

Certificate Alias Name

Defines the alias name for the certificate used to sign the security token issued by the Security Token service.

STS End User Token Plug-in Class

Defines the implementation class for the end user token conversion.

Security Mechanism

Defines the type of security credential that is used to secure the security token itself, or the security credential accepted by the Security Token service from the incoming WS-Trust request sent by the client. You can choose from the following security types:

Authentication Chain

Defines the authentication chain or service name that can be used to authenticate to the OpenSSO Enterprise authentication service using the credentials from an incoming issuer request's security token to generate OpenSSO Enterprise's authenticated security token.

User Credential

This attribute represents the username/password shared secrets that are used by the Security Token service to validate a UserName token sent by the client as part of the incoming WS-Trust request.

Is Request Signature Verified

Specifies that the Security Token service must verify the signature of the incoming WS-Trust request.

Is Request Header Decrypted

Specifies that all request headers received by the Security Token Service must be decrypted.

Is Request Decrypted

Specifies that all requests received by the Security Token Service must be decrypted.

Is Response Signed

Specifies that all responses received by the Security Token Service must be signed.

Is Response Encrypted

Specifies that all responses sent by the Security Token service must be encrypted.

Signing Reference Type

Defines the reference types used when the Security Token service signs the WS-Trust response. The possible reference types are DirectReference, KeyIdentifier, and X509.

Encryption Algorithm

Defines the encryption algorithm used by the Security Token service to encrypt the WS-Trust response.

Encryption Strength

Sets the encryption strength used by the Security Token service to encrypt the WS-Trust response. Select a greater value for greater encryption strength.

Private Key Alias

This attribute defines the private certificate key alias that is used to sign the WS-Trust response or to decrypt the incoming WS-Trust request.

Private Key Type

This attribute defines the certificate private key type used for signing WS-Trust responses or decrypting WS-Trust requests. The possible types are PublicKey, SymmetricKey, or NoProofKey.

Public Key Alias of Web Service (WS-Trust) Client

Defines the public certificate key alias used to verify the signature of the incoming WS-Trust request or to encrypt the WS-Trust response.

Kerberos Domain Server

This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.

Kerberos Domain

This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending on your configuration, the domain name of the domain controller may differ from the OpenSSO Enterprise domain name.

Kerberos Service Principal

Specifies the Kerberos principal as the owner of the generated Security token.

Use the following format:

HTTP/hostname.domainname@dc_domain_name

hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. The Kerberos domain may differ from the domain name of the OpenSSO Enterprise instance.

Kerberos Key Tab File

This attribute specifies the Kerberos keytab file that is used for issuing the token. Use the following format, although the format is not required:

hostname.HTTP.keytab

hostname is the hostname of the OpenSSO Enterprise instance.

Verify Kerberos Signature

If enabled, this attribute specifies that the Kerberos token is signed.

SAML Attribute Mapping


Note –

All of the following SAML-related attributes are to be used in the configuration where the current instance of the Security Token service acts as the web service provider and receives a SAML Token generated from another Security Token service instance.


This configuration represents a SAML attribute that needs to be generated as an Attribute Statement during SAML assertion creation by the Security Token Service for a web service provider. The format is SAML_attr_name=Real_attr_name.

SAML_attr_name is the SAML attribute name from a SAML assertion from an incoming web service request. Real_attr_name is the attribute name that is fetched from either the authenticated SSOToken or the identity repository.

NameID Mapper

The SAML NameID Mapper for an assertion that is generated for the Security Token service.

Should Include Memberships

When enabled, the generated assertion contains user memberships as SAML attributes.

Attribute Namespace

Defines the SAML Attribute Namespace for an assertion that is generated for the Security Token service.
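The following is an added example, written in Python rather than OpenSSO Enterprise's own Java code, showing how the SAML Attribute Mapping entries (SAML_attr_name=Real_attr_name), the Attribute Namespace and the Should Include Memberships setting combine into the attribute statement described above. The SSOToken property names, the repository attribute names and the "memberOf" attribute used for memberships are assumptions; only the mapping format comes from the page.

```python
from typing import Dict, Iterable, List, Sequence

# Constructed sample inputs (not from the original page).
# Mapping entries in the page's SAML_attr_name=Real_attr_name format.
MAPPING_ENTRIES = ["mail=mail", "displayName=cn", "uid=UserId"]
# Properties of the authenticated SSOToken (assumed property names).
SSO_TOKEN_PROPS = {"UserId": "jdoe", "Principal": "id=jdoe,ou=user,dc=example,dc=com"}
# Attributes read from the identity repository (assumed attribute names).
REPO_ATTRS = {"mail": ["jdoe@example.com"], "cn": ["Jane Doe"], "telephoneNumber": ["555-0100"]}


def parse_attribute_mapping(entries: Iterable[str]) -> Dict[str, str]:
    """Parse SAML_attr_name=Real_attr_name entries into a dict keyed by SAML name.

    Malformed entries raise instead of being skipped, so a typo in the
    configuration cannot silently drop an attribute from every assertion.
    """
    mapping: Dict[str, str] = {}
    for entry in entries:
        if "=" not in entry:
            raise ValueError(f"mapping entry {entry!r} is not SAML_attr_name=Real_attr_name")
        saml_name, real_name = (part.strip() for part in entry.split("=", 1))
        if not saml_name or not real_name:
            raise ValueError(f"mapping entry {entry!r} has an empty side")
        mapping[saml_name] = real_name
    return mapping


def build_attribute_statement(
    mapping: Dict[str, str],
    sso_token_props: Dict[str, str],
    repo_attrs: Dict[str, Sequence[str]],
    namespace: str,
    include_memberships: bool = False,
    memberships: Sequence[str] = (),
) -> List[dict]:
    """Resolve each mapped attribute from the SSOToken first, then the repository.

    Returns one {namespace, name, values} entry per SAML attribute. An attribute
    found in neither source is omitted rather than emitted with an empty value,
    so the relying party never receives an attribute that was not actually set.
    """
    statement: List[dict] = []
    for saml_name, real_name in mapping.items():
        if real_name in sso_token_props:
            values = [sso_token_props[real_name]]
        elif real_name in repo_attrs:
            values = list(repo_attrs[real_name])
        else:
            continue
        statement.append({"namespace": namespace, "name": saml_name, "values": values})
    if include_memberships:
        # "Should Include Memberships": group memberships are carried as one
        # more SAML attribute. The attribute name "memberOf" is an assumption.
        statement.append({"namespace": namespace, "name": "memberOf", "values": list(memberships)})
    return statement
```

The SSOToken is consulted before the repository so that a value established during authentication (such as the user id) wins over a possibly stale directory entry.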

Trusted Issuers

Defines the list of issuers that are trusted to send security tokens to OpenSSO Enterprise. OpenSSO Enterprise must verify whether the security token was sent from one of these issuers.

Trusted IP Addresses

Defines a list of IP addresses that can be trusted to send security tokens to OpenSSO Enterprise. OpenSSO Enterprise must verify whether the security token was sent from one of these hosts.

Session

The Session service defines values for an authenticated user session such as maximum session time and maximum idle time. The Session attributes are global, dynamic, or user attributes. The attributes are:

Secondary Configuration Instance

Provides the connection information for the session repository used for the session failover functionality in OpenSSO Enterprise. The URL of the load balancer should be given as the identifier to this secondary configuration. If the secondary configuration is defined in this case, the session failover feature will be automatically enabled and become effective after the server restart.

Procedure: To Add a Sub Configuration

  1. Click New in the Secondary Configuration Instance list.

  2. Enter a name for the new Sub Configuration.

  3. Enter data for the following fields:

    Session Store User

    Defines the database user that is used to retrieve and store the session data.

    Session Store Password

    Defines the password for the database user defined in Session Store User.

    Session Store Password (Confirm)

    Confirm the password.

    Maximum Wait Time

    Defines the total time a thread will wait to acquire a database connection object. The value is in milliseconds.

    Database URL

    Specifies the URL of the database.

  4. Click Add.

Maximum Number of Search Results

This attribute specifies the maximum number of results returned by a session search. The default value is 120.

Timeout for Search

This attribute defines the maximum amount of time before a session search terminates. The default value is 5 seconds.

Enable Property Change Notifications

Enables or disables the session property change notification feature. In a single sign-on environment, one OpenSSO Enterprise session can be shared by multiple applications. If this feature is set to ON and one application changes any of the session properties specified in the Notification Properties list (defined as a separate session service attribute), a notification is sent to the other applications participating in the same single sign-on environment.

Enable Quota Constraints

Enables or disables session quota constraints. Enforcing session quota constraints lets administrators limit a user to a specific number of active/concurrent sessions, based on the constraint settings at the global level or on the configurations associated with the entities (realm/role/user) to which the user belongs.

The default setting for this attribute is OFF. You must restart the server if the settings are changed.

Read Timeout for Quota Constraint

Defines the amount of time (in milliseconds) that a query to the session repository for the live user session count will wait before timing out.

After the maximum read time is reached, an error is returned. This attribute will take effect only when the session quota constraint is enabled in the session failover deployment. The default value is 6000 milliseconds. You must restart the server if the settings are changed.

Exempt Top-Level Admins From Constraint Checking

Specifies whether the users with the Top-level Admin Role should be exempt from the session constraint checking. If YES, even though the session constraint is enabled, there will be no session quota checking for these administrators.

The default setting for this attribute is NO. You must restart the server if the settings are changed. This attribute will take effect only when the session quota constraint is enabled.

Resulting Behavior If Session Quota Exhausted

Specifies the resulting behavior when the user session quota is exhausted. There are two selectable options for this attribute:

DESTROY_OLD_SESSION

The next expiring session will be destroyed.

DENY_ACCESS

The new session creation request will be denied.

This attribute will take effect only when the session quota constraint is enabled. The default setting is DESTROY_OLD_SESSION.

Deny User Login When Session Repository is Down

If set to YES, this attribute will enforce user lockout from the server when the session repository is down. This attribute takes effect only when Enable Quota Constraints is selected.
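The following is an added example, in Python rather than OpenSSO Enterprise's own code, that models the quota decision the attributes above describe: the Active User Sessions limit, the DESTROY_OLD_SESSION and DENY_ACCESS behaviors, the top-level admin exemption, and the choice to deny logins while the session repository is unreachable. The session records and user names are constructed; the function is an illustration of the documented logic, not the product's implementation.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DESTROY_OLD_SESSION = "DESTROY_OLD_SESSION"
DENY_ACCESS = "DENY_ACCESS"


@dataclass
class LiveSession:
    session_id: str
    user: str
    expires_at: int  # epoch seconds; constructed values in the example


@dataclass
class QuotaPolicy:
    active_user_sessions: int                       # "Active User Sessions"
    behavior: str = DESTROY_OLD_SESSION             # "Resulting Behavior If Session Quota Exhausted"
    exempt_top_level_admins: bool = False           # "Exempt Top-Level Admins From Constraint Checking"
    deny_login_when_repository_down: bool = False   # "Deny User Login When Session Repository is Down"


def enforce_session_quota(
    policy: QuotaPolicy,
    user: str,
    is_top_level_admin: bool,
    live_sessions: List[LiveSession],
    repository_up: bool,
) -> Tuple[str, Optional[str]]:
    """Decide whether a new session for `user` may be created.

    Returns ("ALLOW", None), ("ALLOW", <destroyed session id>) or ("DENY", None).
    `live_sessions` is the repository's view of all sessions and is modified in
    place when an old session is destroyed to make room.
    """
    if not repository_up:
        # The live count cannot be read, so the quota cannot be enforced at all.
        # Failing closed is exactly what the deny-when-down attribute selects.
        return ("DENY", None) if policy.deny_login_when_repository_down else ("ALLOW", None)

    if policy.exempt_top_level_admins and is_top_level_admin:
        return ("ALLOW", None)

    user_sessions = [s for s in live_sessions if s.user == user]
    if len(user_sessions) < policy.active_user_sessions:
        return ("ALLOW", None)

    if policy.behavior == DENY_ACCESS:
        return ("DENY", None)
    if policy.behavior != DESTROY_OLD_SESSION:
        raise ValueError(f"unknown quota behavior {policy.behavior!r}")

    # DESTROY_OLD_SESSION: the session that would expire next is the one removed.
    victim = min(user_sessions, key=lambda s: s.expires_at)
    live_sessions.remove(victim)
    return ("ALLOW", victim.session_id)
```

Note the asymmetry when the repository is down: with the deny attribute off, the function allows the login without knowing the count, which is the default on the page and is why the attribute exists for deployments that prefer to fail closed.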

Notification Properties

When a change occurs on a session property defined in the list, the notification will be sent to the registered listeners. The attribute will take effect when the feature of Session Property Change Notification is enabled.

Enable Session Trimming

When set to YES, a minimum set of session properties are stored by the server between the session timeout and purge delay states. This is used to improve memory performance. The following properties are stored:

If set to OFF, then all session-related attributes are stored by OpenSSO Enterprise after a session timeout.

Maximum Session Time

This attribute accepts a value in minutes to express the maximum time before the session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 120. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.) Max Session Time limits the validity of the session. It does not get extended beyond the configured value.

Maximum Idle Time

This attribute accepts a value (in minutes) equal to the maximum amount of time without activity before a session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 30. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.)

Maximum Caching Time

This attribute accepts a value (in minutes) equal to the maximum interval before the client contacts OpenSSO Enterprise to refresh cached session information. A value of 0 or higher will be accepted. The default value is 3. It is recommended that the maximum caching time should always be less than the maximum idle time.
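The following is an added example, in Python rather than OpenSSO Enterprise's own code, that works through how Maximum Session Time, Maximum Idle Time and Maximum Caching Time interact: activity resets only the idle clock, the session limit is never extended, and a caching interval shorter than the idle interval bounds how long a client can keep honouring a session the server has already expired. The timestamps are constructed; the defaults are the ones stated above.

```python
from dataclasses import dataclass

MINUTE = 60


@dataclass
class SessionTimes:
    created_at: int              # epoch seconds when the session was created
    last_activity: int           # epoch seconds of the most recent request
    max_session_time: int = 120  # minutes; default from the page
    max_idle_time: int = 30      # minutes; default from the page


def session_status(s: SessionTimes, now: int) -> str:
    """Apply the two lifetime limits.

    Maximum Session Time counts from creation and is never extended by activity;
    Maximum Idle Time counts from the last request and is reset by each request.
    """
    if now - s.created_at >= s.max_session_time * MINUTE:
        return "EXPIRED_MAX_SESSION_TIME"
    if now - s.last_activity >= s.max_idle_time * MINUTE:
        return "EXPIRED_MAX_IDLE_TIME"
    return "VALID"


def record_activity(s: SessionTimes, now: int) -> str:
    """A request on a still-valid session resets the idle clock only.

    An already expired session is not revived: the caller must reauthenticate.
    """
    status = session_status(s, now)
    if status == "VALID":
        s.last_activity = now
    return status


def worst_case_stale_minutes(max_caching_time: int, max_idle_time: int) -> int:
    """Bound on how long a client cache may honour a session after the server idle-expired it.

    A client refreshes its cached copy every Maximum Caching Time minutes, so in
    the worst case it learns of an expiry one full caching interval late. If the
    caching interval is not shorter than the idle interval, a client that has not
    spoken to the server can keep a session alive for as long as the idle timeout
    itself, which defeats the idle limit; the page's recommendation rules that out.
    """
    if max_caching_time >= max_idle_time:
        raise ValueError("Maximum Caching Time should be less than Maximum Idle Time")
    return max_caching_time
```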

Active User Sessions

Specifies the maximum number of concurrent sessions allowed for a user.

User

The default user preferences are defined through the user service. These include time zone, locale and DN starting view. The User service attributes are dynamic attributes.

User Preferred Language

This field specifies the user's choice for the text language displayed in the OpenSSO Enterprise console. The default value is en. This value maps a set of localization keys to the user session so that the on-screen text appears in a language appropriate for the user.

User Preferred Timezone

This field specifies the time zone in which the user accesses the OpenSSO Enterprise console. There is no default value.

Administrator Starting View

If this user is an OpenSSO Enterprise administrator, this field specifies the node that is the starting point displayed in the OpenSSO Enterprise console when this user logs in. There is no default value. A valid DN for which the user has, at the least, read access can be used.

Default User Status

This option indicates the default status for any newly created user. This status is superseded by the User Entry status. Only active users can authenticate through OpenSSO Enterprise. The default value is Active. Either of the following can be selected from the pull-down menu:

Active

The user can authenticate through OpenSSO Enterprise.

Inactive

The user cannot authenticate through OpenSSO Enterprise, but the user profile remains stored in the directory.

The individual user status is set by registering the User service, choosing the value, applying it to a role and adding the role to the user's profile.

System Properties

System Properties contain the following default services that you can configure:

Client Detection

An initial step in the authentication process is to identify the type of client making the HTTP(S) request. This OpenSSO Enterprise feature is known as client detection. The URL information is used to retrieve the client's characteristics. Based on these characteristics, the appropriate authentication pages are returned. For example, when a Netscape browser is used to request a web page, OpenSSO Enterprise 8.0 displays an HTML login page. Once the user is validated, the client type (Netscape browser) is added to the session token. The attributes defined in the Client Detection service are global attributes.

Default Client Type

This attribute defines the default client type derived from the list of client types in the Client Types attribute. The default is genericHTML.

Client Detection Class

This attribute defines the client detection class to which all client detection requests are routed. The string returned by this class should match one of the client types listed in the Client Types attribute. The default client detection class is com.sun.mobile.cdm.FEDIClientDetector. OpenSSO Enterprise also contains com.iplanet.services.cdm.ClientDetectionDefaultImpl.

Enable Client Detection

Enables client detection. If client detection is enabled (the default), every request is routed through the class specified in the Client Detection Class attribute. If this attribute is not selected, OpenSSO Enterprise assumes that the client is genericHTML and will be accessed from an HTML browser.

Logging

The Logging service provides status and error messages related to OpenSSO Enterprise administration. An administrator can configure values such as log file size and log file location. OpenSSO Enterprise can record events in flat text files or in a relational database. The Logging service attributes are global attributes. The attributes are:

Maximum Log Size

This attribute accepts a value for the maximum size (in bytes) of an OpenSSO Enterprise log file. The default value is 100000000.

This attribute only applies to the FILE logging type. When the logging type is set to DB, there are no history files and no size limit is explicitly set by OpenSSO Enterprise.

Number of History Files

This attribute has a value equal to the number of backup log files that will be retained for historical analysis. Any integer can be entered depending on the partition size and available disk space of the local system. The default value is 1.

This attribute only applies to the FILE logging type. When the logging type is set to DB, there are no history files and no size limit is explicitly set by OpenSSO Enterprise.


Note –

Entering a value of 0 is interpreted to be the same as a value of 1, meaning that if you specify 0, a history log file will be created.


Log File Location

The file-based logging function needs a location where log files can be stored. The default location is:

OpenSSO-deploy-base/uri/log

OpenSSO-deploy-base and uri are tags representing the base configuration directory and the OpenSSO Enterprise deployment URI, each specified during post-installation configuration. At runtime, the logging service determines the instance's proper directory for logging. This attribute's value can be set to an explicit path, but the base path should be the configuration directory (the value of OpenSSO-deploy-base) to avoid permissions problems.

If a non-default directory is specified, OpenSSO Enterprise will create the directory if it does not exist. You should then set the appropriate permissions for that directory (for example, 0700).

When configuring the log location for DB (database) logging (such as Oracle or MySQL), part of the log location is case sensitive. For example, if you are logging to an Oracle database, the log location should be (note case sensitivity):

jdbc:oracle:thin:@machine.domain:port:DBName

To configure logging to DB, add the JDBC driver files to the web container's JVM classpath. You must also manually add the JDBC driver files to the classpath of the ssoadm script; otherwise ssoadm logging cannot load the JDBC driver.

Changes to logging attributes usually take effect after you save them. This does not require you to restart the server. If you are changing to secure logging, however, you should restart the server.

Log Status

Specifies whether logging is turned on (ACTIVE) or off (INACTIVE). Value is set to ACTIVE during installation.

Log Record Resolve Host Name

If set to false, host lookups will not be performed to populate the LogRecord's HostName field.

Logging Type

Enables you to specify either File, for flat file logging, or DB for database logging.

If the Database User Name or Database User Password is invalid, OpenSSO Enterprise processing will be seriously affected. If OpenSSO Enterprise or the console becomes unstable, set the Log Status attribute to Inactive.

After you have set the property, restart the server. You can then log in to the console and reset the logging attribute. Then, change the Log Status property to ACTIVE and restart the server.

Database User Name

This attribute accepts the name of the user that will connect to the database when the Logging Type attribute is set to DB.

Database User Password

This attribute accepts the database user password when the Logging Type attribute is set to DB.

Database User Password (confirm)

Confirm the database password.

Database Driver Name

This attribute enables you to specify the driver used for the logging implementation class.

Configurable Log Fields

Represents the list of fields that are to be logged. By default, all of the fields are logged. The fields are:

At a minimum you should log CONTEXTID, DOMAIN, HOSTNAME, LOGINID and MESSAGEID.

Log Verification Frequency

This attribute sets the frequency (in seconds) that the server should verify the logs to detect tampering. The default time is 3600 seconds. This parameter applies to secure logging only.

Log Signature Time

This parameter sets the frequency (in seconds) that the log will be signed. The default time is 900 seconds. This parameter applies to secure logging only.

Secure Logging

This attribute enables or disables secure logging. By default, secure logging is off. Secure Logging enables detection of unauthorized changes or tampering of security logs.


Note –

Secure logging can only be used for flat files. This option does not work for Database (DB) logging.


Secure Logging Signing Algorithm

This attribute selects the signing algorithm. RSA and DSA (Digital Signature Algorithm) use a private key for signing and a public key for verification. You can select from the following:

MD2 and MD5 are the one-way hashes; RSA is the signature algorithm. For example, if you select the signing algorithm MD2 w/RSA, the secure logging feature hashes a group of log records with MD2 and encrypts the digest with the RSA private key. This encrypted value is the signature of the logged records and is appended after the last record of the group covered since the most recent signature. For validation, the feature decrypts the signature with the RSA public key and compares the decrypted value with the digest of the group of logged records. The secure logging feature thereby detects any modification to any logged record.
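The following is an added example, in Python rather than OpenSSO Enterprise's own code, of the sign-a-group-then-verify scheme described above, with the Log Signature Time interval modelled as "sign after every N records" and the Log Verification Frequency check modelled as a full re-verification pass. Because the Python standard library has no RSA, an HMAC with a constructed key stands in for the private-key signing operation and SHA-256 stands in for MD2/MD5; the signature-record layout and the key itself are assumptions, not the product's on-disk format.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Marker for the appended signature record. The real on-disk format is not
# described on the page, so this layout is an assumption for the demo.
SIGNATURE_PREFIX = "SIGNATURE="

# Constructed demo key. It stands in for the private key the real service reads
# from the keystore named by Logging Certificate Store Location (Logger.jks).
DEMO_KEY = b"constructed-demo-signing-key"


def digest_records(records: List[str]) -> bytes:
    """One-way hash over a group of log records (SHA-256 here; the page offers MD2/MD5)."""
    h = hashlib.sha256()
    for record in records:
        h.update(record.encode("utf-8"))
        h.update(b"\n")
    return h.digest()


def sign_group(records: List[str], previous_signature: str, key: bytes) -> str:
    """Produce the signature appended after a group of records.

    An HMAC stands in for the RSA/DSA private-key operation the page describes.
    The previous signature is folded in so that each group is chained to the one
    before it: removing or reordering a whole signed group breaks the next one.
    """
    mac = hmac.new(key, previous_signature.encode("utf-8") + digest_records(records), hashlib.sha256)
    return mac.hexdigest()


class SecureLog:
    """In-memory model of one secure log file: records plus periodic signature records."""

    def __init__(self, key: bytes, records_per_signature: int = 3) -> None:
        self.key = key
        self.records_per_signature = records_per_signature
        self.lines: List[str] = []      # what would be written to the flat file
        self.pending: List[str] = []    # records written since the last signature
        self.previous_signature = ""

    def write(self, record: str) -> None:
        self.lines.append(record)
        self.pending.append(record)
        if len(self.pending) >= self.records_per_signature:
            self.sign_pending()

    def sign_pending(self) -> None:
        """What the service does at each Log Signature Time interval."""
        if not self.pending:
            return
        signature = sign_group(self.pending, self.previous_signature, self.key)
        self.lines.append(SIGNATURE_PREFIX + signature)
        self.previous_signature = signature
        self.pending = []


def verify_log(lines: List[str], key: bytes) -> Tuple[bool, Optional[int]]:
    """What the Log Verification Frequency check does: recompute every signature.

    Returns (True, None) when every signed group verifies, otherwise
    (False, index) naming the first group whose signature does not match.
    Records written after the last signature are not yet covered and are skipped.
    """
    group: List[str] = []
    previous_signature = ""
    group_index = 0
    for line in lines:
        if not line.startswith(SIGNATURE_PREFIX):
            group.append(line)
            continue
        stored = line[len(SIGNATURE_PREFIX):]
        expected = sign_group(group, previous_signature, key)
        if not hmac.compare_digest(expected, stored):
            return False, group_index
        previous_signature = stored
        group = []
        group_index += 1
    return True, None
```

The chaining step is the part worth keeping in mind when reading the page's description: a signature over each group alone detects edits inside a group, but only linking each signature to the previous one also detects the removal of an entire signed group together with its signature.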

Logging Certificate Store Location

When secure logging is enabled, the logging service looks for its certificate at the location specified by this attribute. The actual directory path is determined at runtime. The value can be set to an explicit path, but the base path should be accessible by the OpenSSO Enterprise instance.

The default value is OpenSSO-deploy-base/uri/Logger.jks.

Maximum Number of Records

This attribute sets the maximum number of records that the Java LogReader interfaces return, regardless of how many records match the read query. By default, it is set to 500. This attribute can be overridden by the caller of the Logging API through the LogQuery class.

Number of Files per Archive

This attribute is only applicable to secure logging. It specifies when the log files and keystore need to be archived, and the secure keystore regenerated, for subsequent secure logging. The default is five files per logger.

Buffer Size

This attribute specifies the maximum number of log records to be buffered in memory before the logging service attempts to write them to the logging repository. The default is one record.

DB Failure Memory Buffer Size

This attribute defines the maximum number of log records held in memory if database (DB) logging fails. This attribute is only applicable when DB logging is specified. When the OpenSSO Enterprise logging service loses its connection to the DB, it will buffer up to the number of records specified. This attribute defaults to twice the value defined in the Buffer Size attribute.

Buffer Time

This attribute defines the amount of time that the log records will be buffered in memory before they are sent to the logging service to be written. This attribute applies if Time Buffering is ON. The default is 3600 seconds.

Time Buffering

When selected as ON, OpenSSO Enterprise will set a time limit for log records to be buffered in memory before they are written. The amount of time is set in the Buffer Time attribute.

Logging Level

Use this attribute to configure the degree of detail for all OpenSSO Enterprise log files. The default is the INFO level. FINE, FINER and FINEST provide progressively more detail and more log records. In addition, there is an OFF level that can be used to turn off logging, which is essentially the same as setting the Log Status attribute to INACTIVE.

Naming

The Naming service is used to get and set URLs, plug-ins and configurations as well as request notifications for various other OpenSSO Enterprise services such as session, authentication, logging, SAML and Federation.

This service enables clients to find the correct service URL if the platform is running more than one OpenSSO Enterprise. When a naming URL is found, the naming service will decode the session of the user and dynamically replace the protocol, host, and port with the parameters from the session. This ensures that the URL returned for the service is for the host that the user session was created on. The Naming attributes are:

Profile Service URL

This field takes a value equal to :

%protocol://%host:%port/Server_DEPLOY_URI/profileservice

This syntax allows for dynamic substitution of the profile URL based on the specific session parameters.

Session Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/sessionservice

This syntax allows for dynamic substitution of the session URL based on the specific session parameters.

Logging Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/loggingservice

This syntax allows for dynamic substitution of the logging URL based on the specific session parameters.

Policy Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/policyservice

This syntax allows for dynamic substitution of the policy URL based on the specific session parameters.

Authentication Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/authservice

This syntax allows for dynamic substitution of the authentication URL based on the specific session parameters.

SAML Web Profile/Artifact Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/SAMLAwareServlet

This syntax allows for dynamic substitution of the SAML web profile/artifact URL based on the specific session parameters.

SAML SOAP Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/SAMLSOAPReceiver

This syntax allows for dynamic substitution of the SAML SOAP URL based on the specific session parameters.

SAML Web Profile/POST Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/SAMLPOSTProfileServlet

This syntax allows for dynamic substitution of the SAML web profile/POST URL based on the specific session parameters.

SAML Assertion Manager Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/AssertionManagerServlet/AssertionManagerIF

This syntax allows for dynamic substitution of the SAML Assertion Manager Service URL based on the specific session parameters.

Federation Assertion Manager Service URL

This field takes a value equal to:

%protocol://%host:%port/amserver/FSAssertionManagerServlet/FSAssertionManagerIF

This syntax allows for dynamic substitution of the Federation Assertion Manager Service URL based on the specific session parameters.

Security Token Manager URL

This field takes a value equal to:

%protocol://%host:%port/amserver/SecurityTokenManagerServlet/SecurityTokenManagerIF/

This syntax allows for dynamic substitution of the Security Token Manager URL based on the specific session parameters.

JAXRPC Endpoint URL

This field takes a value equal to:

%protocol://%host:%port/amserver/jaxrpc/

This syntax allows for dynamic substitution of the JAXRPC Endpoint URL based on the specific session parameters.

Identity Web Services Endpoint URL

This field takes a value equal to:

%protocol://%host:%port%uri/identityservices/

This syntax allows for dynamic substitution of the Identity Web Services Endpoint URL based on the specific session parameters.

Identity REST Services Endpoint URL

This field takes a value equal to:

%protocol://%host:%port%uri/identity//

This syntax allows for dynamic substitution of the Identity REST Services Endpoint URL based on the specific session parameters.

Security Token Service Endpoint URL

This field takes a value equal to:

%protocol://%host:%port%uri/sts

This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.

Security Token Service MEX Endpoint URL

This field takes a value equal to:

%protocol://%host:%port%uri/sts/mex

This syntax allows for dynamic substitution of the Security Token Service MEX Endpoint URL based on the specific session parameters.
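The following is an added example, in Python rather than OpenSSO Enterprise's own code, of the placeholder substitution that every Naming service URL above (and the Security Token Service End Point attribute, which uses the same syntax) relies on: %protocol, %host, %port and %uri are replaced from the user's session so that each returned URL points at the host on which that session was created. The session parameter names, the /opensso deployment URI and the example host are assumptions; the template syntax is the page's.

```python
import re
from typing import Dict

# Constructed session parameters (assumed names). In OpenSSO Enterprise the
# naming service takes these values from the user's session.
SESSION_PARAMS = {"protocol": "https", "host": "sso.example.com", "port": "443", "uri": "/opensso"}

# A few of the naming templates listed above, with Server_DEPLOY_URI already
# replaced by the deployment URI chosen at install time (/opensso is assumed).
NAMING_TEMPLATES = {
    "Session Service URL": "%protocol://%host:%port/opensso/sessionservice",
    "Security Token Service Endpoint URL": "%protocol://%host:%port%uri/sts",
    "Security Token Service MEX Endpoint URL": "%protocol://%host:%port%uri/sts/mex",
}

KNOWN_TOKENS = ("protocol", "host", "port", "uri")
TOKEN_RE = re.compile(r"%(protocol|host|port|uri)\b")
ANY_TOKEN_RE = re.compile(r"%([A-Za-z_]+)")


def resolve_service_url(template: str, session: Dict[str, str]) -> str:
    """Substitute %protocol, %host, %port and %uri from the session in one pass.

    The template is checked for unknown placeholders first (a typo such as
    %hots), so a half-expanded URL is never handed to a client, and a single
    regex pass means a substituted value can never itself be expanded again.
    """
    unknown = set(ANY_TOKEN_RE.findall(template)) - set(KNOWN_TOKENS)
    if unknown:
        raise ValueError(f"unknown placeholder(s) {sorted(unknown)} in {template!r}")

    def replace(match):
        key = match.group(1)
        if key not in session:
            raise KeyError(f"session carries no value for %{key}")
        return session[key]

    return TOKEN_RE.sub(replace, template)


def resolve_naming_table(templates: Dict[str, str], session: Dict[str, str]) -> Dict[str, str]:
    """Resolve every naming attribute for one session.

    Because every entry is expanded from the same session, all returned URLs
    point at the server that created the session, which is the guarantee the
    naming service gives clients in a multi-server deployment.
    """
    return {name: resolve_service_url(template, session) for name, template in templates.items()}
```

Note that %port%uri carries no separator between the two placeholders; the regex's word boundary after each token name is what keeps them apart.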

Platform

The Platform service is where additional servers can be added to the OpenSSO Enterprise configuration as well as other options applied at the top level of the OpenSSO Enterprise application. The Platform service attributes are global attributes. The attributes are:

Platform Locale

The platform locale value is the default language subtype that OpenSSO Enterprise was installed with. The authentication, logging and administration services are administered in the language of this value. The default is en_US. See Supported Language Locales for a listing of supported language subtypes.

Cookie Domains

The list of domains that will be returned in the cookie header when setting a cookie in the user's browser during authentication. If empty, no cookie domain will be set. In other words, the OpenSSO Enterprise session cookie will only be returned to the OpenSSO Enterprise server itself and to no other servers in the domain.

If SSO is required with other servers in the domain, this attribute must be set to the cookie domain. If one OpenSSO Enterprise server has two interfaces in different domains, you need to set both cookie domains in this attribute. If a load balancer is used, the cookie domain must be that of the load balancer's domain, not of the servers behind the load balancer. The default value for this field is the domain of the installed OpenSSO Enterprise.
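The three rules above (empty value means host-only cookie, a domain value means every host in that domain, and a load balancer needs its own domain) follow directly from how browsers match cookie domains. The Python below, an added example that is not part of the Sun documentation, implements the domain-match and acceptance rules of RFC 6265 (sections 5.1.3, 5.2.3 and 5.3) so that a proposed Cookie Domains value can be checked against the hosts that must receive the session cookie. All host names (sso.example.com, login.example.com, internal.corp) are constructed for the example.

```python
import ipaddress


def _is_ip(host):
    """IP literals never domain-match a cookie domain (RFC 6265 5.1.3)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host, cookie_domain):
    """RFC 6265 5.1.3: host domain-matches cookie_domain when they are equal, or
    when cookie_domain is a suffix of host preceded by '.' and host is not an
    IP address. A leading '.' on the configured value is ignored, as browsers
    do (5.2.3), so '.example.com' and 'example.com' behave the same."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if host == cookie_domain:
        return True
    return (not _is_ip(host)) and host.endswith("." + cookie_domain)


def cookies_set_by(cookie_domains, issuing_host):
    """Domains for which the browser actually stores a session cookie set by
    issuing_host (the OpenSSO server, or the load balancer in front of it).

    An empty Cookie Domains attribute yields one host-only cookie, recorded
    as None. A Domain value the issuing host does not belong to is discarded
    by the browser (5.3 step 6); this is why a back-end server's domain is
    useless when clients reach OpenSSO through a load balancer."""
    if not cookie_domains:
        return [None]
    return [d for d in cookie_domains if domain_matches(issuing_host, d)]


def cookie_sent_to(cookie_domains, issuing_host, request_host):
    """True if a request to request_host carries the session cookie that
    issuing_host set under the given Cookie Domains configuration."""
    for domain in cookies_set_by(cookie_domains, issuing_host):
        if domain is None:
            if request_host.lower() == issuing_host.lower():
                return True
        elif domain_matches(request_host, domain):
            return True
    return False


if __name__ == "__main__":
    # Constructed deployment: balancer login.example.com in front of sso1.internal.corp,
    # with an agent-protected application at app.example.com.
    for domains in ([], ["internal.corp"], [".example.com"]):
        print(domains, "->", cookie_sent_to(domains, "login.example.com", "app.example.com"))
```

A value that is too broad is the other failure mode: every host that domain-matches the configured value receives the session cookie, so the narrowest domain that still covers all agent-protected hosts is the right choice.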

Hex Encode Cookies

If set to Yes, this attribute enables hex encoding for cookies. The default is No.

Client Character Sets

This attribute specifies the character set for different clients at the platform level. It contains a list of client types and the corresponding character sets.

Procedure: To Specify a New Character Set

  1. Click New from the Client Character Sets list.

  2. Enter a value for the Client Type.

  3. Enter a value for the Character Set. See Supported Language Locales for the character sets available.

  4. Click OK.

  5. Click Save in the Platform Service main page.

Servers and Sites

The Servers and Sites configuration attributes allow for centralized configuration management of sites and servers for the entire deployment.

Multiple (two or more) OpenSSO Enterprise instances can be deployed on at least two different host servers. For example, you might deploy two instances on one server and a third instance on another server. Or you might deploy all instances on different servers. You can also configure the OpenSSO Enterprise instances in session failover mode, if required for your deployment.

One or more load balancers route client requests to the various OpenSSO Enterprise instances. You configure each load balancer according to your deployment requirements (for example, to use round-robin or load average) to distribute the load between the OpenSSO Enterprise instances. A load balancer simplifies the deployment, as well as resolves issues such as a firewall between the client and the back-end OpenSSO Enterprise servers. You can use a hardware or software load balancer with your OpenSSO Enterprise deployment. All OpenSSO Enterprise instances access the same Directory Server.


Caution –

If you make any changes to the configuration attributes for Servers and Sites, either through the console or the command line interface, you must restart the web container on which OpenSSO Enterprise is deployed for the changes to take effect.


Procedure: To Create a New Server Instance

An entry for each server is automatically created in the server list when the OpenSSO Enterprise Configurator is run for server configuration. Under normal circumstances, these steps should not be required.

  1. Log into the OpenSSO Enterprise console as the top-level administrator.

  2. Click the Configuration tab and then click Sites and Servers.

  3. Click New in the Servers list.

  4. Enter the FQDN of the server that you wish to add and click OK.

    The FQDN should be in the format of http(s)://host.domain:port/uri.

  5. The newly created server instance appears in the list.

  6. To edit the server, click on the name of the server. The configuration attributes for the server are available for you to customize.

    The Default Server Settings are the set of default values for server instances. Each server instance needs a minimum set of property values, and most of these values, depending on your deployment, can be the same for all server instances. This setting allows you to enter the basic properties in one place, without having to change them for each additional server instance.

    These default values can be overwritten. This is done by clicking the Inheritance Settings button, located at the top of the server instance profile page. After this button is clicked, the console displays a page where you can select and deselect which values to inherit or overwrite.

Inheritance Settings

The Inheritance Settings allow you to select which default values can be overwritten for each server instance. Make sure that the attributes that you wish to define for the server instance are unchecked, and then click Save.

General

The General attributes configure basic configuration data for your centralized server management.

Site Attributes

The site attribute is:

Parent Site

This attribute maps the load balancer Site Name (site ID) to the OpenSSO Enterprise server. Note that the site must be created before it can be selected here.

System Attributes

The system attributes list location information for the server instance:

Base Installation Directory

Specifies the base directory where the product's data resides.

Default Locale

The locale value is the default language subtype that OpenSSO Enterprise was installed with. The default is en_us.

Notification URL

The location of the notification service endpoint. This value is set during installation.

XML Validation

Default value is no. Determines whether validation is required when parsing XML documents using the OpenSSO Enterprise XMLUtils class. Allowable values are yes and no. XML document validation is turned on only if the value of this property is yes and the Debug Level attribute is set to warning or message; at any other debug level this property has no effect.

Debugging Attributes

The Debugging attributes list basic error checking information:

Debug Level

Specifies debug level. Default value is error. Possible values are:

Merge Debug Files

If set to on, the server directs all debug data to a single file (debug.out). If set to off, the server creates separate per-component debug files.

Debug Directory

Specifies the output directory where debug files will be created. Value is set during installation. Example: OpenSSO-deploy-base/uri/debug.

Mail Server

The Mail Server attributes list the host name and port for the mail server:

Mail Server Host Name

Default value is localhost. Specifies the mail server host.

Mail Server Port Number

Default value is 25. Specifies the mail server port.

Security

The Security attributes define encryption, validation and cookie information to control the level of security for the server instance.

Encryption

The encryption attributes are:

Password Encryption Key

Specifies the key used to encrypt and decrypt passwords and is stored in the Service Management System configuration. Value is set during installation. Example: dSB9LkwPCSoXfIKHVMhIt3bKgibtsggd

Authentication Service Shared Secret

The shared secret for application authentication module. Value is set during installation. Example: AQICPX9e1cxSxB2RSy1WG1+O4msWpt/6djZl

Encryption Class

Default value is com.iplanet.services.util.JCEEncryption. Specifies the encrypting class implementation. Available classes are: com.iplanet.services.util.JCEEncryption and com.iplanet.services.util.JSSEncryption.

Secure Random Factory Class

Default value is com.iplanet.am.util.JSSSecureRandomFactoryImpl. Specifies the factory class name for SecureRandomFactory. Available implementation classes are: com.iplanet.am.util.JSSSecureRandomFactoryImpl which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl which uses pure Java.

Validation

The validation attributes are:

Platform Low Level Comm. Max. Content Length

Default value is 16384 or 16k. Specifies the maximum content-length for an HttpRequest that OpenSSO Enterprise will accept.

Client IP Address Check

Default value is NO. Specifies whether or not the IP address of the client is checked in all SSOToken creations or validations.

Cookie

The cookie attributes are:

Cookie Name

Default value is iPlanetDirectoryPro. Cookie name used by Authentication Service to set the valid session handler ID. The value of this cookie name is used to retrieve the valid session information.

Secure Cookie

Allows the OpenSSO Enterprise cookie to be set in secure mode, in which the browser only returns the cookie over a secure protocol such as HTTPS. Default value is false.

Encode Cookie Value

This property allows OpenSSO Enterprise to URL-encode the cookie value, which converts characters to ones that are understood by HTTP.

Keystore

The following attributes allow you to configure keystore information for additional sites and servers that you create:

Keystore File

Value is set during installation. Example: OpenSSO-deploy-base/URI/keystore.jks. Specifies the path to the SAML XML keystore password file.

Keystore Password File

Value is set during installation. Example: OpenSSO-deploy-base/URI/.storepass. Specifies the path to the SAML XML key storepass file.

Private Key Password File

Value is set during installation. Example: OpenSSO-deploy-base/URI/.keypass. Specifies the path to the SAML XML key password file.

Certificate Alias

Default value is test.

Certificate Revocation List Caching

These attributes define the local Certificate Revocation List (CRL) caching repository that is used for keeping the CRL from certificate authorities. Any service that needs to obtain a CRL for certificate validation will receive the CRL based on this information.

LDAP Server Host Name

Specifies the name of the LDAP server where the certificates are stored. The default value is the host name specified when OpenSSO Enterprise was installed. The host name of any LDAP Server where the certificates are stored can be used.

LDAP Server Port Number

Specifies the port number of the LDAP server where the certificates are stored. The default value is the port specified when OpenSSO Enterprise was installed. The port of any LDAP Server where the certificates are stored can be used.

SSL Enabled

Specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.

LDAP Server Bind User Name

Specifies the bind DN in the LDAP server.

LDAP Server Bind Password

Defines the password to be used for binding to the LDAP server. By default, the password entered for amldapuser during installation is used.

LDAP Search Base DN

This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level realm of the OpenSSO Enterprise installation base.

Search Attributes

Any DN component of the issuer's subjectDN can be used to retrieve a CRL from a local LDAP server. It is a single-valued string, such as "cn". All Root CAs need to use the same search attribute.

Online Certificate Status Protocol Check

The Online Certificate Status Protocol (OCSP) enables OpenSSO Enterprise services to determine the (revocation) state of a specified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.

Check Enabled

This attribute enables OCSP checking. It is enabled by default.

Responder URL

This attribute defines a URL that identifies the location of the OCSP responder. For example, http://ocsp.example.net:80.

By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.

Certificate Nickname

The OCSP responder nickname is the CA certificate nickname for that responder, for example Certificate Manager - sun. If set, the CA certificate must be present in the web server's certificate database. If the OCSP URL is set, the OCSP responder nickname must be set also; otherwise, both will be ignored. If they are not set, the OCSP responder URL present in the user's certificate will be used for OCSP validation. If no OCSP responder URL is present in the user's certificate, no OCSP validation will be performed.
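The precedence described for Check Enabled, Responder URL and Certificate Nickname is easy to get wrong in review: setting only one of the two responder fields silently falls back to the certificate's own AIA URL, and a certificate without one is then accepted with no OCSP check at all. The Python below, an added example and not Sun code, encodes that decision procedure as a pure function and an audit that reports the silent fall-through cases. The responder URL and nickname values are the examples from this page; the AIA URL http://ocsp.ca.example/ocsp is constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class OcspConfig:
    """The three OCSP attributes as described on this page."""
    check_enabled: bool = True       # Check Enabled (on by default)
    responder_url: str = ""          # Responder URL
    responder_nickname: str = ""     # Certificate Nickname


@dataclass(frozen=True)
class OcspDecision:
    responder_url: Optional[str]     # None: no OCSP validation will be performed
    source: str                      # "configured", "certificate-aia", "disabled" or "none"


def resolve_ocsp_responder(cfg, cert_aia_ocsp_url):
    """Choose the responder exactly as the page describes.

    cert_aia_ocsp_url is the OCSP URL from the certificate's Authority
    Information Access extension (RFC 3280), or None when the certificate
    carries none.
    """
    if not cfg.check_enabled:
        return OcspDecision(None, "disabled")
    if cfg.responder_url and cfg.responder_nickname:
        # Both set: the configured responder overrides whatever the certificate says.
        return OcspDecision(cfg.responder_url, "configured")
    # Only one of URL/nickname set, or neither: both are ignored and the
    # certificate's own AIA pointer is used instead.
    if cert_aia_ocsp_url:
        return OcspDecision(cert_aia_ocsp_url, "certificate-aia")
    # No responder anywhere: no OCSP validation takes place for this certificate.
    return OcspDecision(None, "none")


def audit_ocsp(cfg, cert_aia_ocsp_url):
    """Findings a reviewer wants surfaced: half-configured responder, and the
    case where a certificate is processed without any OCSP status lookup."""
    findings = []
    if bool(cfg.responder_url) != bool(cfg.responder_nickname):
        findings.append("Responder URL and Certificate Nickname must both be set; "
                        "the one that is set is being ignored")
    decision = resolve_ocsp_responder(cfg, cert_aia_ocsp_url)
    if cfg.check_enabled and decision.responder_url is None:
        findings.append("no OCSP responder available for this certificate; "
                        "no OCSP validation will be performed")
    return findings


if __name__ == "__main__":
    half_configured = OcspConfig(responder_url="http://ocsp.example.net:80")
    for aia in ("http://ocsp.ca.example/ocsp", None):
        print(resolve_ocsp_responder(half_configured, aia), audit_ocsp(half_configured, aia))
```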

Federal Information Processing Standards

Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions.

FIPS Mode

This property can be true or false. All cryptographic operations run in FIPS-compliant mode only if it is set to true.

Session

The session attributes allow you to configure session information for additional site and server instances.

Session Limits

The following attributes set server session limits:

Maximum Sessions

Default value is 5000. Specifies the maximum number of allowable concurrent sessions. Login returns a Maximum Sessions error if the number of concurrent sessions exceeds this value.

Invalidate Session Max Time

Default value is 3. Specifies the number of minutes after which an invalid session will be removed from the session table if it was created but the user did not log in. This value should always be greater than the timeout value in the Authentication module properties file.

Session Purge Delay

Default value is 0. Specifies the number of minutes to delay the purge session operation. After a session times out, this is an extended time period during which the session continues to reside in the session server. This property is used by the client application to check if the session has timed out through SSO APIs. At the end of this extended time period, the session is destroyed. The session is not sustained during the extended time period if the user logs out or if the session is explicitly destroyed by an OpenSSO Enterprise component. The session is in the INVALID state during this extended period.

Statistics

The following attributes set statistical configuration:

Logging Interval

Default value is 60. Specifies the number of minutes to elapse between statistics logging. The minimum is 5 seconds, to avoid CPU saturation; OpenSSO Enterprise treats any value less than 5 seconds as 5 seconds.

State

Default value is file. Specifies the location of the statistics log. Possible values are:

Directory

Value is set during installation. Example: OpenSSO Enterprise-base/server-URI/stats. Specifies the directory where the statistics files are created.

Enable Host Lookup

Default value is false. Enables or disables host lookup during session logging.

Notification

The following attributes set notification configuration:

Notification Pool Size

Default value is 10. Defines the size of the pool by specifying the total number of threads.

Notification Thread Pool Threshold

Default value is 100. Specifies the maximum task queue length. When a notification task comes in, it is sent to the task queue for processing. If the queue reaches the maximum length, further incoming requests will be rejected along with a ThreadPoolException, until the queue has a vacancy.

Validation

The following attribute sets validation configuration:

Case Insensitive Client DN Comparison

Default value is true, meaning the agent DN comparison is case-insensitive. If the value is false, the comparison is case-sensitive.

SDK

The SDK attributes set configuration definitions for the back-end data store.

Data Store

The Data Store attributes set basic datastore configuration:

Enable Datastore Notification

Specifies if the back-end datastore notification is enabled. If this value is set to 'false', then in-memory notification is enabled.

Enable Directory Proxy

The default is false. The purpose of this flag is to report to Service Management that the Directory Proxy must be used for read, write, and/or modify operations to the Directory Server. This flag also determines if ACIs or delegation privileges are to be used. This flag must be set to "true" when the Access Manager SDK (from version 7 or 7.1) is communicating with Access Manager version 6.3.

For example, in the co-existence/legacy mode this value should be "true". In the legacy DIT, delegation policies were not supported; only ACIs were supported. So, to ensure a proper delegation check, this flag must be set to 'true' in a legacy mode installation to make use of the ACIs for access control. Otherwise the delegation check will fail.

In realm mode, this value should be set to false so that only the delegation policies are used for access control. In version 7.0 and later, Access Manager or OpenSSO Enterprise supports a data-agnostic feature in realm mode installations, so, in addition to Directory Server, other servers may be used to store service configuration data. Additionally, this flag reports to the Service Management feature that the Directory Proxy does not need to be used for read, write, and/or modify operations to the back-end storage. This is because some data stores, like Active Directory, may not support proxy.

Notification Pool Size

Default value is 10. Defines the size of the pool by specifying the total number of threads.

Event Service

The following attributes define event service notification for the data store:

Number of Retries for Event Service Connections

Default value is 3. Specifies the number of attempts made to successfully re-establish the Event Service connections.

Delay Between LDAP Connection Tries

Default value is 3000. Specifies the delay in milliseconds between retries to re-establish the Event Service connections.

Error Codes for LDAP Connection Tries

Default values are 80,81,91. Specifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger.

Idle Timeout

Default value is 0. Specifies the number of minutes after which the persistent searches will be restarted.

This property is used when a load balancer or firewall is between the policy agents and the Directory Server, and the persistent search connections are dropped when TCP idle timeout occurs. The property value should be lower than the load balancer or firewall TCP timeout. This ensures that the persistent searches are restarted before the connections are dropped. A value of 0 indicates that searches will not be restarted. Only the connections that are timed out will be reset.

Disabled Event Service Connection

Specifies which event connection can be disabled. Values (case insensitive) can be:

For example, to disable persistent searches for changes to the OpenSSO Enterprise information tree (or service management node):

com.sun.am.event.connection.disable.list=sm


Caution –

Persistent searches cause some performance overhead on Directory Server. If you determine that removing some of this performance overhead is absolutely critical in a production environment, you can disable one or more persistent searches using this property.

However, before disabling a persistent search, you should understand the limitations described below. It is strongly recommended that this property not be changed unless absolutely required. This property was introduced primarily to avoid overhead on Directory Server when multiple 2.1 J2EE agents are used, because each of these agents establishes these persistent searches. The 2.2 J2EE agents no longer establish these persistent searches, so you might not need to use this property.

Disabling persistent searches for any of these components is not recommended, because a component with a disabled persistent search does not receive notifications from Directory Server. Consequently, changes made in Directory Server for that particular component will not be notified to the component cache. For example, if you disable persistent searches for changes in the user directory (um), OpenSSO Enterprise will not receive notifications from Directory Server. Therefore, an agent would not get notifications from OpenSSO Enterprise to update its local user cache with the new values for the user attribute. Then, if an application queries the agent for the user attributes, it might receive the old value for that attribute.

Use this property only in special circumstances when absolutely required. For example, if you know that Service Configuration changes (related to changing values to any of services such as Session Service and Authentication Services) will not happen in production environment, the persistent search to the Service Management (sm) component can be disabled. However, if any changes occur for any of the services, a server restart would be required. The same condition also applies to other persistent searches, specified by the aci and um values.


LDAP Connection

The following attributes set connection data for the back end data store:

Number of Retries for LDAP Connection

Default is 1000. Specifies the number of milliseconds between retries.

Delay Between LDAP Connection Retries

Default value is 3. Specifies the number of attempts made to successfully re-establish the LDAP connection.

Error Codes for LDAP Connection Retries

Default values are 80,81,91. Specifies the LDAPException error codes for which retries to re-establish the LDAP connection will trigger.

Caching and Replica

The following attributes define caching and replication configuration:

SDK Caching Max. Size

Default value is 10000. Specifies the size of the SDK cache when caching is enabled. Use an integer greater than 0, or the default size (10000 users) will be used.

SDK Replica Retries

Default value is 0. Specifies the number of times to retry.

Delay Between SDK Replica Tries

Default value is 1000. Specifies the number of milliseconds between retries.

Time To Live Configuration

Cache Entry Expiration Enabled

When enabled, the cache entries will expire based on the time specified in User Entry Expiration Time attribute.

User Entry Expiration Time

This attribute specifies time in minutes for which the user entries remain valid in the cache after their last modification. After this specified period of time elapses (after the last modification/read from the Directory Server), the data for the entry that is cached will expire. At this point, new requests for data for these user entries are read from the Directory Server.

Default Entry Expiration Time

This attribute specifies the time in minutes for which the non-user entries remain valid in the cache after their last modification. After this specified period of time elapses (after the last modification/read from the Directory Server), the data for the entry that is cached will expire. At this point, new requests for data for these non-user entries are read from the Directory Server.

Directory Configuration

The Directory Configuration attributes define basic configuration information for the embedded directory store:

Directory Configuration

The Directory Configuration attributes are:

Minimum Connection Pool

Specifies the minimum size of the connection pool used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.

Maximum Connection Pool

This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.

Bind DN

Specifies the bind DN in the LDAP server.

Bind Password

Defines the password to be used for binding to the LDAP server. By default, the password entered for amldapuser during installation is used.

Server

This attribute defines the directory server that will serve as the configuration data store for the OpenSSO Enterprise instance. To add a configuration server, click the Add button, and provide values for the following attributes:

Name

Enter a name for the server.

Host Name

Specifies the fully qualified host name of the Directory Server. For example:

DirectoryServerHost.domainName.com

Port Number

Specifies the Directory Server port number.

Connection Type

Defines the connection type for the Directory Server. By default, SIMPLE is selected. You can also choose SSL.

Legacy Configuration

The following attributes define basic directory-server configuration for Legacy mode instances of OpenSSO Enterprise. These attributes only appear in a Legacy mode installation.

Minimum Connection Pool

Specifies the minimum size of the connection pool used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.

Maximum Connection Pool

This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.

Server

This attribute lists the load balancer protocol, host name, and port. For example: http://lb.example.com:80.

Advanced

The advanced properties enable an administrator to select and add values to server configuration properties that are not present in the OpenSSO Enterprise Console. All Server and Sites properties were located in the AMConfig.properties file in previous releases.

In addition to the default properties displayed in the Advanced table of the console, the following properties can be added.


am.encryption.pwd=
am_load_balancer_cookie=
com.iplanet.am.clientIPCheckEnabled=true,false
com.iplanet.am.console.deploymentDescriptor=
com.iplanet.am.console.host=
com.iplanet.am.console.port=integer
com.iplanet.am.console.protocol=https,http
com.iplanet.am.console.remote=true,false
com.iplanet.am.cookie.encode=true,false
com.iplanet.am.cookie.name=
com.iplanet.am.cookie.secure=true,false
com.iplanet.am.directory.host=
com.iplanet.am.directory.port=integer
com.iplanet.am.directory.ssl.enabled=true,false
com.iplanet.am.domaincomponent=
com.iplanet.am.event.connection.delay.between.retries=integer
com.iplanet.am.event.connection.ldap.error.codes.retries=
com.iplanet.am.event.connection.num.retries=integer
com.iplanet.am.jssproxy.checkSubjectAltName=true,false
com.iplanet.am.jssproxy.resolveIPAddress=true,false
com.iplanet.am.jssproxy.SSLTrustHostList=
com.iplanet.am.jssproxy.trustAllServerCerts=true,false
com.iplanet.am.lbcookie.name=
com.iplanet.am.lbcookie.value=
com.iplanet.am.ldap.connection.delay.between.retries=integer
com.iplanet.am.ldap.connection.ldap.error.codes.retries=
com.iplanet.am.ldap.connection.num.retries=integer
com.iplanet.am.locale=
com.iplanet.am.notification.threadpool.size=integer
com.iplanet.am.notification.threadpool.threshold=integer
com.sun.identity.client.notification.url=
com.iplanet.am.replica.delay.between.retries=integer
com.iplanet.am.replica.num.retries=integer
com.iplanet.am.rootsuffix=
com.iplanet.am.sdk.cache.entry.default.expire.time=integer
com.iplanet.am.sdk.cache.entry.expire.enabled=true,false
com.iplanet.am.sdk.cache.entry.user.expire.time=integer
com.iplanet.am.sdk.cache.maxSize=integer
com.iplanet.am.sdk.caching.enabled=true,false
com.iplanet.am.sdk.ldap.debugFileName=
com.iplanet.am.sdk.package=
com.iplanet.am.sdk.remote.pollingTime=integer
com.iplanet.am.server.host=
com.iplanet.am.server.port=integer
com.iplanet.am.server.protocol=https,http
com.iplanet.am.serverMode=true,false
com.iplanet.am.service.secret=
com.iplanet.am.services.deploymentDescriptor=
com.iplanet.am.session.client.polling.enable=true,false
com.iplanet.am.session.client.polling.period=integer
com.iplanet.am.session.failover.cluster.stateCheck.period=integer
com.iplanet.am.session.failover.cluster.stateCheck.timeout=integer
com.iplanet.am.session.failover.httpSessionTrackingCookieName=
com.iplanet.am.session.failover.sunAppServerLBRoutingCookieName=
com.iplanet.am.session.failover.useInternalRequestRouting=true,false
com.iplanet.am.session.failover.useRemoteSaveMethod=true,false
com.iplanet.am.session.invalidsessionmaxtime=integer
com.iplanet.am.session.maxSessions=integer
com.iplanet.am.session.protectedPropertiesList=
com.iplanet.am.session.purgedelay=integer
com.iplanet.am.smtphost=
com.iplanet.am.smtpport=integer
com.iplanet.am.stats.interval=integer
com.iplanet.am.util.xml.validating=on,off
com.iplanet.am.version=
com.iplanet.security.SSLSocketFactoryImpl=
com.iplanet.security.SecureRandomFactoryImpl=
com.iplanet.security.encryptor=
com.iplanet.services.cdsso.cookiedomain=
com.iplanet.services.comm.server.pllrequest.maxContentLength=integer
com.iplanet.services.configpath=
com.iplanet.services.debug.directory=
com.sun.identity.configFilePath=
com.iplanet.am.sdk.userEntryProcessingImpl=
com.iplanet.am.profile.host=
com.iplanet.am.profile.port=integer
com.iplanet.am.pcookie.name=
com.iplanet.am.jssproxy.SSLTrustHostList=
com.sun.identity.authentication.ocspCheck=
com.sun.identity.authentication.ocsp.responder.url=
com.sun.identity.authentication.ocsp.responder.nickname=
com.sun.identity.authentication.super.user=
com.sun.identity.password.deploymentDescriptor=
com.iplanet.am.session.httpSession.enabled=
unixHelper.port=integer
com.sun.identity.policy.Policy.policy_evaluation_weights=
unixHelper.ipaddrs=
com.sun.identity.authentication.uniqueCookieDomain=
com.sun.identity.monitoring.local.conn.server.url=
com.sun.identity.monitoring=
com.iplanet.services.debug.level=off,error,warning,message
com.sun.services.debug.mergeall=on,off
com.sun.embedded.sync.servers=on,off
com.sun.embedded.replicationport=integer
com.iplanet.services.stats.directory=
com.iplanet.services.stats.state=off,file,console
com.sun.am.event.connection.disable.list=
com.sun.am.event.connection.idle.timeout=integer
com.sun.am.ldap.connnection.idle.seconds=integer
com.sun.am.ldap.fallback.sleep.minutes=integer
com.sun.am.session.SessionRepositoryImpl=
com.sun.am.session.caseInsensitiveDN=true,false
com.sun.am.session.enableAddListenerOnAllSessions=true,false
com.sun.am.session.enableHostLookUp=true,false
com.sun.am.session.trustedSourceList=
com.sun.identity.agents.true.value=
com.sun.identity.amsdk.cache.enabled=true,false
com.sun.identity.client.encryptionKey=
com.sun.identity.cookieRewritingInPath=true,false
com.sun.identity.delegation.cache.size=integer
com.sun.identity.enableUniqueSSOTokenCookie=true,false
com.sun.identity.idm.cache.enabled=true,false
com.sun.identity.idm.cache.entry.default.expire.time=integer
com.sun.identity.idm.cache.entry.expire.enabled=true,false
com.sun.identity.idm.cache.entry.user.expire.time=integer
com.sun.identity.jsr196.authenticated.user=
com.sun.identity.jss.donotInstallAtHighestPriority=true,false
com.sun.identity.liberty.ws.util.providerManagerClass=
com.sun.identity.log.logSubdir=
com.sun.identity.loginurl=
com.sun.identity.overrideAMC=true,false
com.sun.identity.plugin.datastore.class.*=
com.sun.identity.security.checkcaller=true,false
com.sun.identity.security.x509.pkg=
com.sun.identity.server.fqdnMap=map
com.sun.identity.session.application.maxCacheTime=integer
com.sun.identity.session.connectionfactory.provider=
com.sun.identity.session.failover.connectionPoolClass=
com.sun.identity.session.httpClientIPHeader=
com.sun.identity.session.polling.threadpool.size=integer
com.sun.identity.session.polling.threadpool.threshold=integer
com.sun.identity.session.repository.cleanupGracePeriod=integer
com.sun.identity.session.repository.cleanupRunPeriod=integer
com.sun.identity.session.repository.dataSourceName=
com.sun.identity.session.repository.enableEncryption=true,false
com.sun.identity.session.repository.healthCheckRunPeriod=integer
com.sun.identity.session.resetLBCookie=true,false
com.sun.identity.session.returnAppSession=true,false
com.sun.identity.sitemonitor.SiteStatusCheck.class=
com.sun.identity.sitemonitor.interval=integer
com.sun.identity.sitemonitor.timeout=integer
com.sun.identity.sm.authservicename.provider=
com.sun.identity.sm.cache.enabled=true,false
com.sun.identity.sm.cacheTime=integer
com.sun.identity.sm.enableDataStoreNotification=true,false
com.sun.identity.sm.flatfile.root_dir=
com.sun.identity.sm.ldap.enableProxy=true,false
com.sun.identity.sm.notification.threadpool.size=integer
com.sun.identity.sm.sms_object_class_name=
com.sun.identity.url.readTimeout=integer
com.sun.identity.url.redirect=
com.sun.identity.urlchecker.invalidate.interval=integer
com.sun.identity.urlchecker.sleep.interval=integer
com.sun.identity.urlchecker.targeturl=
com.sun.identity.util.debug.provider=
com.sun.identity.webcontainer=
com.sun.identity.wss.discovery.config.plugin=
com.sun.identity.wss.provider.config.plugin=
com.sun.identity.wss.security.authenticator=
com.sun.identity.xmlenc.EncryptionProviderImpl=
s1is.java.util.logging.config.class=
s1is.java.util.logging.config.file=
com.sun.identity.authentication.special.users=
com.sun.identity.auth.cookieName=
com.iplanet.am.naming.failover.url=
com.sun.identity.authentication.uniqueCookieName=
securidHelper.ports=integer
com.iplanet.am.daemons=
bootstrap.file=
com.sun.identity.crl.cache.directory.host=
com.sun.identity.crl.cache.directory.port=integer
com.sun.identity.crl.cache.directory.ssl=true,false
com.sun.identity.crl.cache.directory.user=
com.sun.identity.crl.cache.directory.password=
com.sun.identity.crl.cache.directory.searchlocs=
com.sun.identity.crl.cache.directory.searchattr=
com.sun.identity.authentication.ocspCheck=true,false
com.sun.identity.authentication.ocsp.responder.url=
com.sun.identity.authentication.ocsp.responder.nickname=
com.sun.identity.security.fipsmode=true,false
com.sun.identity.urlconnection.useCache=true,false
com.sun.identity.sm.cache.ttl.enable=true,false
com.sun.identity.sm.cache.ttl=integer
com.sun.identity.common.systemtimerpool.size=integer
com.iplanet.services.cdc.invalidGotoStrings=

Procedure: To Create a New Site Instance

  1. Click New in the Site list.

  2. Enter the Site Name.

    This value uniquely identifies the site and makes it possible to specify a second entry point (in addition to the primary URL) to the site. It is also used to shorten the session cookie: the server URL is mapped to a short server ID that is carried in the cookie instead of the full URL.

  3. Enter the Primary URL for the site instance, including the site URI.

  4. Click Save.

    The created site will appear in the site list in the correct format.

Procedure: To Edit a Site Instance

  1. Click on the name of the site you wish to edit from the Site list.

  2. The primary URL for the site is listed in the Primary URL attribute.

  3. If you wish, add a Secondary URL.

    The secondary URL provides the connection information for the session repository used for the session failover functionality in OpenSSO Enterprise. The URL of the load balancer should be given as the identifier to this secondary configuration. If the secondary configuration is defined in this case, the session failover feature will be automatically enabled and become effective after the server restart.

  4. Click Save.

Servers and Sites Console Attribute Maps

The following table lists the Servers and Sites properties that were included in AMConfig.properties in previous releases, but are now managed as attributes through the OpenSSO Enterprise console. The properties are listed alphabetically. To search for a particular property, use your browser's Search or Find function.

Property Name

The name of the property located in the AMConfig.properties file.

Attribute Name in Console

The name of the attribute as it appears in the OpenSSO Enterprise console.

Location in Console

Lists the console location where the attribute is located.

Table 7–1 Servers and Sites Attribute Map

Property Name | Attribute Name in Console | Location in Console

am.encryption.pwd | Password Encryption Key | Servers and Sites > Security
com.iplanet.am.clientIPCheckEnabled | Client IP Address Check | Servers and Sites > Security
com.iplanet.am.cookie.encode | Encode Cookie Value | Servers and Sites > Security
com.iplanet.am.cookie.name | Cookie Name | Servers and Sites > Security
com.iplanet.am.cookie.secure | Secure Cookie | Servers and Sites > Security
com.iplanet.am.event.connection.delay.between.retries | Delay Between Event Service Connection Retries | Servers and Sites > SDK
com.iplanet.am.event.connection.ldap.error.codes.retries | Error Codes for Event Service Connection Retries | Servers and Sites > SDK
com.iplanet.am.event.connection.num.retries | Number of Retries for Event Service Notification | Servers and Sites > SDK
com.iplanet.am.ldap.connection.delay.between.retries | Delay Between LDAP Connection Retries | Servers and Sites > SDK
com.iplanet.am.ldap.connection.ldap.error.codes.retries | Error Codes for LDAP Connection Retries | Servers and Sites > SDK
com.iplanet.am.ldap.connection.num.retries | Number of Retries for LDAP Connection | Servers and Sites > SDK
com.iplanet.am.locale | Default Locale | Servers and Sites > General
com.iplanet.am.notification.threadpool.size | Notification Pool Size | Servers and Sites > Session
com.iplanet.am.notification.threadpool.threshold | Notification Thread Pool Threshold | Servers and Sites > Session
com.iplanet.am.replica.delay.between.retries | Delay Between SDK Replica Retries | Servers and Sites > SDK
com.iplanet.am.replica.num.retries | SDK Replica Retries | Servers and Sites > SDK
com.iplanet.am.rootsuffix | |
com.iplanet.am.sdk.cache.entry.default.expire.time | Default Entry Expiration Time | Servers and Sites > SDK
com.iplanet.am.sdk.cache.entry.expire.enabled | Cache Entry Expiration Enabled | Servers and Sites > SDK
com.iplanet.am.sdk.cache.entry.user.expire.time | User Entry Expiration Time | Servers and Sites > SDK
com.iplanet.am.sdk.cache.maxSize | SDK Caching Max. Size | Servers and Sites > SDK
com.iplanet.am.service.secret | Authentication Service Shared Secret | Servers and Sites > Security
com.iplanet.am.session.invalidsessionmaxtime | Invalidate Session Max Time | Servers and Sites > Session
com.iplanet.am.session.maxSessions | Maximum Sessions | Servers and Sites > Session
com.iplanet.am.session.purgedelay | Sessions Purge Delay | Servers and Sites > Session
com.iplanet.am.smtphost | Mail Server Host Name | Servers and Sites > General
com.iplanet.am.smtpport | Mail Server Port Number | Servers and Sites > General
com.iplanet.am.stats.interval | Logging Interval | Servers and Sites > Session
com.iplanet.security.encryptor | Encryption Class | Servers and Sites > Security
com.iplanet.services.comm.server.pllrequest.maxContentLength | Platform Low Level. Comm. Max. Content Length | Servers and Sites > Security
com.iplanet.services.configpath | Base Installation Directory | Servers and Sites > General
com.iplanet.services.debug.directory | Debug Directory | Servers and Sites > General
com.iplanet.services.debug.level | Debug Level | Servers and Sites > General
com.iplanet.services.stats.directory | Directory | Servers and Sites > General
com.iplanet.services.stats.state | State | Servers and Sites > Session
com.sun.am.event.connection.disable.list | Disabled Event Service Connection | Servers and Sites > SDK
com.sun.am.session.caseInsensitiveDN | Case Insensitive Client DN Comparison | Servers and Sites > Session
com.sun.am.session.enableHostLookUp | Enable Host Lookup | Servers and Sites > Session
com.sun.identity.saml.xmlsig.certalias | Certificate Alias | Servers and Sites > Security
com.sun.identity.saml.xmlsig.keypass | Private Key Password File | Servers and Sites > Security
com.sun.identity.saml.xmlsig.keystore | Keystore File | Servers and Sites > Security
com.sun.identity.saml.xmlsig.storepass | Keystore Password File | Servers and Sites > Security
com.sun.identity.sm.ldap.enableProxy | Enable Directory Proxy | Servers and Sites > SDK

Chapter 8 Data Store Attributes

This chapter contains definitions of the attributes for configuring the OpenSSO Enterprise data store types. The Active Directory, Generic LDAPv3, and Sun Directory Server with OpenSSO Enterprise Schema data store types share the same underlying plug-in, so the configuration attributes are the same. (The default values for some of the attributes are different for each datastore type and are displayed accordingly in the OpenSSO Enterprise console.) This chapter contains the following sections:

Active Directory Attributes

When configuring Microsoft Active Directory to work with OpenSSO Enterprise, you have to map the predefined properties to properties defined in your instance of Active Directory; this is called attribute mapping. Following are the attributes that need to be defined when adding Active Directory as a data store to a realm.

LDAP Server

Enter the name of the LDAP server to which OpenSSO will be connected in the format host.domain:portnumber. If more than one entry is entered, an attempt is made to connect to the first host in the list. The next entry in the list is tried only if the attempt to connect to the current host fails.

Optionally, a server identifier and site identifier can be appended to the value of the LDAP Server attribute for redundancy. In this case, the format is host.domain:portnumber|serverID|siteID. These identifiers are assigned to the server when they are configured globally.


Caution –

This configuration should not be changed for the OpenSSO embedded data store as it may cause inconsistent behavior.


LDAP Bind DN

Specifies the DN that OpenSSO Enterprise uses to authenticate to this LDAP server. The bind DN should hold exactly the add, modify, and delete privileges required for the operations you enable in the LDAPv3 Plugin Supported Types and Operations attribute, and no more; a read-only data store needs only a read-only bind identity.

LDAP Bind Password

Specifies the password for the bind DN that OpenSSO Enterprise uses to authenticate to this LDAP server.

LDAP Bind Password (confirm)

Confirm the password.

LDAP Organization DN

The DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.

LDAP SSL

When enabled, OpenSSO Enterprise connects to the primary server using LDAP over SSL/TLS (LDAPS) instead of plain LDAP, so the bind credentials and directory traffic are encrypted in transit. Use the directory server's LDAPS port (636 by convention) in the LDAP Server attribute, and make sure the server's certificate chain is trusted by the JVM running OpenSSO Enterprise.

LDAP Connection Pool Minimum Size

Specifies the initial number of connections in the connection pool. The use of connection pool avoids having to create a new connection each time.

LDAP Connection Pool Maximum Size

Specifies the maximum number of connections allowed in the pool.

Maximum Results Returned from Search

Specifies the maximum number of entries returned from a search operation. If this limit is reached, Active Directory returns the entries matched up to that point together with a size limit exceeded result.

Search Timeout

Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Active Directory returns the entries matched up to that point together with a time limit exceeded result.

LDAP Follows Referral

If enabled, this option specifies that referrals to other LDAP servers are followed automatically.

LDAPv3 Repository Plugin Class Name

Specifies the location of the class file which implements the LDAPv3 repository.

Attribute Name Mapping

Enables common attributes known to the framework to be mapped to the native data store. For example, if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive. The defaults are:

LDAPv3 Plugin Supported Types and Operations

Specifies the identity types and the operations that may be performed on them through this data store. The defaults are the only operations the LDAPv3 repository plug-in supports. The following operations are supported by the LDAPv3 Repository Plugin:

You can remove permissions from the above list (except role) based on your LDAP server settings and the tasks, but you can not add more permissions. If the configured LDAPv3 Repository plug-in is pointing to an instance of Sun Directory Server, permissions for the type role can be added. Otherwise, this permission may not be added because other data stores may not support roles.

If you have user as a supported type for the LDAPv3 repository, the read, create, edit, and delete service operations are possible for that user. In other words, if user is a supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries from the identity repository. The user=service operation lets OpenSSO Enterprise services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.

The user is also allowed to manage the user attributes for any assigned service. If the user has service as the operation (user=service), then it specifies that all service-related operations are supported. These operations are assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes and modifyService.

LDAPv3 Plug-in Search Scope

Defines the scope to be used to find LDAPv3 plug-in entries. The scope must be one of the following:

LDAP Users Search Attribute

This field defines the attribute type to conduct a search for a user. For example, if the user's DN is uid=user1, ou=people, dc=example, dc=com, then you would specify uid in this field.

LDAP Users Search Filter

Specifies the search filter to be used to find user entries.

LDAP User Object Class

Specifies the object classes for a user. When a user is created, this list of user object classes will be added to the user's attributes list.

LDAP User Attributes

Defines the list of attributes associated with a user. Any attempt to read or write a user attribute that is not on this list is rejected. The attribute names are case-sensitive. The object classes and attribute types must already exist in the directory server's schema before you list them here.

Create User Attribute Mapping

Specifies which attributes are required when a user is created. This attribute uses the following syntax:

DestinationAttributeName=SourceAttributeName

If the source attribute name is missing, the default is the user ID (uid). For example:

cn
sn=givenName

Both cn and sn are required in order to create a user profile. cn gets the value of the attribute named uid, and sn gets the value of the attribute named givenName.

Attribute Name of User Status

Specifies the attribute name to indicate if the user is active or inactive.

User Status Active Value

This value is assigned to the user's status attribute when the user is created. For Active Directory the active value is 544 and the inactive value is 546. Note that 544 is userAccountControl NORMAL_ACCOUNT (512) plus PASSWD_NOTREQD (32), so an account created with it does not require a password; use 512 (and 514 for inactive) if accounts must have a password.

User Status Inactive Value

For Active Directory, this field is not used.
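The following is an added example, not part of the OpenSSO documentation, that decodes and builds the Active Directory userAccountControl values referred to above. The flag bits are Microsoft's documented userAccountControl constants; the sample account list at the bottom is constructed for illustration.

```python
# Added example (not from the OpenSSO documentation): decode and build the Active
# Directory userAccountControl values (544 active, 546 inactive) that the
# "User Status Active Value" attribute refers to. The bits are the documented
# Microsoft userAccountControl flags.

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",        # account is disabled
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",        # no password is required
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",        # default account type for a user
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}

ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200


def decode_uac(value):
    """Return the sorted list of flag names set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)


def is_disabled(value):
    """Active/inactive is a single bit, so test the bit instead of comparing the
    whole value against 544/546: 512 and 66048 are active accounts too."""
    return bool(value & ACCOUNTDISABLE)


def uac_for_status(active, password_required=True):
    """Build the value to store when creating a user. The manual's 544/546 are
    NORMAL_ACCOUNT | PASSWD_NOTREQD (| ACCOUNTDISABLE); with password_required
    left True you get 512/514, which keep the password requirement."""
    value = NORMAL_ACCOUNT
    if not password_required:
        value |= PASSWD_NOTREQD
    if not active:
        value |= ACCOUNTDISABLE
    return value


def audit_accounts(entries):
    """Given (name, userAccountControl) pairs, report enabled accounts that do
    not require a password."""
    return [name for name, uac in entries
            if not is_disabled(uac) and uac & PASSWD_NOTREQD]


if __name__ == "__main__":
    for v in (512, 514, 544, 546):
        print(v, decode_uac(v), "disabled" if is_disabled(v) else "active")
    # Constructed sample directory entries:
    sample = [("alice", 512), ("bob", 544), ("carol", 546), ("dave", 66048)]
    print("enabled without password requirement:", audit_accounts(sample))
```

Whatever values you configure in the console, audit the directory by testing the ACCOUNTDISABLE bit rather than comparing for exact equality with 544 or 546, since accounts created by other tools carry other flag combinations.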

LDAP Groups Search Attribute

This field defines the attribute type for which to conduct a search on a group. The default is cn.

LDAP Group Search Filter

Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).

LDAP Groups Container Naming Attribute

Specifies the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty. For example, if the group DN cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.

LDAP Groups Container Value

Specifies the value for the group container. For example, if the group DN cn=group1,ou=groups,dc=iplanet,dc=com resides in the container ou=groups, then the group container value is groups.

LDAP Groups Object Classes

Specifies the object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.

LDAP Groups Attributes

Defines the list of attributes associated with a group. Any attempt to read/write group attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined before you define the object classes and attribute schema here.

Attribute Name for Group Membership

Specifies the name of the attribute whose values are the DNs of all the groups to which the user's DN belongs. The default is memberOf.

Attribute Name of Unique Member

Specifies the attribute whose values are the DNs of the members of this group. The default is uniqueMember.

Attribute Name of Group Member URL

Specifies the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.

LDAP People Container Naming Attribute

Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container.

LDAP People Container Value

Specifies the value of the people container. The default is people.


Caution –

The entire tree under the baseDN will be searched if the value of this attribute is set to null (empty).


Identity Types That Can be Authenticated

Specifies that this data store can authenticate user and/or agent identity types when the authentication module mode for the realm is set to Data Store.

Authentication Naming Attribute

This value is currently not used.

Persistent Search Base DN

Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.

Persistent Search Filter

Defines the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter.

Persistent Search Scope

Defines the scope to be used in a persistent search. The scope must be one of the following:

Persistent Search Maximum Idle Time Before Restart

Defines the maximum idle time before the persistent search connection is restarted. The value must be greater than 1. Values less than or equal to 1 restart the search regardless of how long the connection has been idle.

If OpenSSO Enterprise is deployed behind a load balancer, some load balancers drop a connection that has been idle for a configured period. In that case, set Persistent Search Maximum Idle Time Before Restart to a value lower than the load balancer's idle timeout, so the search is re-established before the load balancer silently drops it and change notifications stop arriving.

Maximum Number of Retries After Error Code

Defines the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAPException Error Codes to Retry On.

The Delay Time Between Retries

Specifies the time to wait before each retry. This only applies to persistent search connection.

LDAPException Error Codes to Retry

Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.

Caching

If enabled, this allows OpenSSO Enterprise to cache data retrieved from the data store.

Maximum Age of Cached Items

Specifies the maximum time data is stored in the cache before it is removed. The values are defined in seconds.

Maximum Size of the Cache

Specifies the maximum size of the cache. The larger the value, the more data can be stored, but it will require more memory. The values are defined in bytes.

Generic LDAPv3 Attributes

The following attributes are used to configure a LDAPv3 repository plug-in:

LDAP Server

Enter the name of the LDAP server to which OpenSSO will be connected in the format host.domain:portnumber. If more than one entry is entered, an attempt is made to connect to the first host in the list. The next entry in the list is tried only if the attempt to connect to the current host fails.

Optionally, a server identifier and site identifier can be appended to the value of the LDAP Server attribute for redundancy. In this case, the format is host.domain:portnumber|serverID|siteID. These identifiers are assigned to the server when they are configured globally.


Caution –

This configuration should not be changed for the OpenSSO embedded configuration data store as it may cause inconsistent behavior.


LDAP Bind DN

Specifies the DN that OpenSSO Enterprise uses to authenticate to this LDAP server. The bind DN should hold exactly the add, modify, and delete privileges required for the operations you enable in the LDAPv3 Plugin Supported Types and Operations attribute, and no more; a read-only data store needs only a read-only bind identity.

LDAP Bind Password

Specifies the password for the bind DN that OpenSSO Enterprise uses to authenticate to this LDAP server.

LDAP Bind Password (confirm)

Confirm the password.

LDAP Organization DN

The DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.

LDAP SSL

When enabled, OpenSSO Enterprise connects to the primary server using LDAP over SSL/TLS (LDAPS) instead of plain LDAP, so the bind credentials and directory traffic are encrypted in transit. Use the directory server's LDAPS port (636 by convention) in the LDAP Server attribute, and make sure the server's certificate chain is trusted by the JVM running OpenSSO Enterprise.

LDAP Connection Pool Minimum Size

Specifies the initial number of connections in the connection pool. The use of connection pool avoids having to create a new connection each time.

LDAP Connection Pool Maximum Size

Specifies the maximum number of connections allowed in the pool.

Maximum Results Returned from Search

Specifies the maximum number of entries returned from a search operation. If this limit is reached, the data store returns the entries matched up to that point together with a size limit exceeded result.

Search Timeout

Specifies the maximum number of seconds allocated for a search request. If this limit is reached, the data store returns the entries matched up to that point together with a time limit exceeded result.

LDAP Follows Referral

If enabled, this option specifies that referrals to other LDAP servers are followed automatically.

LDAPv3 Repository Plugin Class Name

Specifies the location of the class file which implements the LDAPv3 repository.

Attribute Name Mapping

Enables common attributes known to the framework to be mapped to the native data store. For example, if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive.

LDAPv3 Plugin Supported Types and Operations

Specifies the identity types and the operations that may be performed on them through this data store. The defaults are the only operations the LDAPv3 repository plug-in supports. The following operations are supported by the LDAPv3 Repository Plugin:

You can remove permissions from the above list based on your LDAP server settings and the tasks, but you can not add more permissions.

If you have user as a supported type for the LDAPv3 repository, the read, create, edit, and delete service operations are possible for that user. In other words, if user is a supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries from the identity repository. The user=service operation lets OpenSSO Enterprise services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.

The user is also allowed to manage the user attributes for any assigned service. If the user has service as the operation (user=service), then it specifies that all service-related operations are supported. These operations are assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes and modifyService.

LDAPv3 Plug-in Search Scope

Defines the scope to be used to find LDAPv3 plug-in entries. The scope must be one of the following:

LDAP Users Search Attribute

This field defines the attribute type to conduct a search for a user. For example, if the user's DN is uid=user1, ou=people, dc=example, dc=com, then you would specify uid in this field.

LDAP Users Search Filter

Specifies the search filter to be used to find user entries.
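The following is an added example, not part of the OpenSSO documentation, showing how the LDAP Users Search Attribute and LDAP Users Search Filter settings (in this section and in the Active Directory section above) combine into the filter used to look a user up, and why the user-supplied ID must be escaped. How the product itself composes the lookup filter is an assumption of this example; the RFC 4515 escaping rules are not.

```python
# Added example (not from the OpenSSO documentation): compose the user lookup
# filter from the "LDAP Users Search Attribute" and "LDAP Users Search Filter"
# settings, escaping the caller-supplied user ID per RFC 4515. That the lookup
# is an AND of the configured filter and an equality match on the search
# attribute is an assumption of this example.
import re

# An LDAP attribute type name: letter followed by letters, digits or hyphens.
_ATTR_TYPE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX; any non-ASCII
    character is emitted as its escaped UTF-8 bytes."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_user_filter_unsafe(search_attr, users_filter, user_id):
    """The naive composition: the user ID is pasted into the filter verbatim."""
    return "(&%s(%s=%s))" % (users_filter, search_attr, user_id)


def build_user_filter(search_attr, users_filter, user_id):
    """Hardened composition: validate the administrator-supplied attribute type
    and escape the end-user-supplied value so it can only ever match a value."""
    if not _ATTR_TYPE.match(search_attr):
        raise ValueError("invalid attribute type: %r" % search_attr)
    if not user_id:
        raise ValueError("empty user ID")
    return "(&%s(%s=%s))" % (users_filter, search_attr,
                              escape_filter_value(user_id))


if __name__ == "__main__":
    attr, base = "uid", "(objectclass=inetorgperson)"
    print(build_user_filter(attr, base, "user1"))
    # A crafted ID that widens the naive filter to every person in the container:
    crafted = "*)(uid=*"
    print(build_user_filter_unsafe(attr, base, crafted))
    print(build_user_filter(attr, base, crafted))
```

With the crafted ID the naive filter becomes `(&(objectclass=inetorgperson)(uid=*)(uid=*))`, which matches every user; the escaped form matches only a literal `*)(uid=*` value, which no entry has.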

LDAP User Object Class

Specifies the object classes for a user. When a user is created, this list of user object classes will be added to the user's attributes list.

LDAP User Attributes

Defines the list of attributes associated with a user. Any attempt to read or write a user attribute that is not on this list is rejected. The attribute names are case-sensitive. The object classes and attribute types must already exist in the directory server's schema before you list them here.

Create User Attribute Mapping

Specifies which attributes are required when a user is created. This attribute uses the following syntax:

DestinationAttributeName=SourceAttributeName

If the source attribute name is missing, the default is the user ID (uid). For example:

cn
sn=givenName

Both cn and sn are required in order to create a user profile. cn gets the value of the attribute named uid, and sn gets the value of the attribute named givenName.
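The following is an added example, not part of the OpenSSO documentation, that parses Create User Attribute Mapping entries in the syntax described above (for this section and the identical attribute in the Active Directory section) and applies them to the attributes supplied for a new user. Treating a bare `sn=` like a missing source is an assumption of this example.

```python
# Added example (not from the OpenSSO documentation): parse "Create User
# Attribute Mapping" entries (DestinationAttributeName=SourceAttributeName,
# source defaulting to uid) and apply them to a new user's attributes. That a
# bare "sn=" is treated like a missing source is an assumption of this example.

DEFAULT_SOURCE = "uid"


def parse_create_mapping(entries):
    """Return {destination: source} from entries such as ["cn", "sn=givenName"]."""
    mapping = {}
    for raw in entries:
        line = raw.strip()
        if not line:
            continue
        dest, _sep, src = line.partition("=")
        dest, src = dest.strip(), src.strip()
        if not dest:
            raise ValueError("mapping entry without destination: %r" % raw)
        mapping[dest] = src if src else DEFAULT_SOURCE
    return mapping


def apply_create_mapping(mapping, supplied):
    """Fill each required destination attribute from its source and return the
    attribute set to write. Raises if a required source is absent, so a user is
    never created with a required attribute silently left empty."""
    attrs = dict(supplied)
    missing = []
    for dest, src in mapping.items():
        if attrs.get(dest):
            continue  # the caller supplied the destination directly
        value = supplied.get(src)
        if value:
            attrs[dest] = value
        else:
            missing.append("%s (from %s)" % (dest, src))
    if missing:
        raise ValueError("cannot create user, missing: " + ", ".join(missing))
    return attrs


if __name__ == "__main__":
    mapping = parse_create_mapping(["cn", "sn=givenName"])
    print(mapping)
    # Constructed input for a new user:
    print(apply_create_mapping(mapping, {"uid": "user1", "givenName": "Alice"}))
```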

Attribute Name of User Status

Specifies the attribute name to indicate the user's status.

User Status Active Value

Specifies the value of the user status attribute that marks a user as active. The default is active.

User Status Inactive Value

Specifies the value of the user status attribute that marks a user as inactive. The default is inactive.

LDAP Groups Search Attribute

This field defines the attribute type for which to conduct a search on a group. The default is cn.

LDAP Group Search Filter

Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).

LDAP Groups Container Naming Attribute

Specifies the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty. For example, if the group DN cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.

LDAP Groups Container Value

Specifies the value for the group container. For example, if the group DN cn=group1,ou=groups,dc=iplanet,dc=com resides in the container ou=groups, then the group container value is groups.

LDAP Groups Object Classes

Specifies the object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.

LDAP Groups Attributes

Defines the list of attributes associated with a group. Any attempt to read/write group attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined before you define the object classes and attribute schema here.

Attribute Name for Group Membership

Specifies the name of the attribute whose values are the DNs of all the groups to which the user's DN belongs. The default is memberOf.

Attribute Name of Unique Member

Specifies the attribute whose values are the DNs of the members of this group. The default is uniqueMember.

Attribute Name of Group Member URL

Specifies the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.

Default Group Member's User DN

Specifies the DN of a user that is automatically added as a member of every group when the group is created.

LDAP People Container Naming Attribute

Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container.

LDAP People Container Value

Specifies the value of the people container. The default is people.


Caution –

The entire tree under the baseDN will be searched if the value of this attribute is set to null (empty).


Identity Types That Can Be Authenticated

Specifies that this data store can authenticate user and/or agent identity types when the authentication module mode for the realm is set to Data Store.

Persistent Search Base DN

Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.

Persistent Search Filter

Defines the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter.

Persistent Search Scope

Defines the scope to be used in a persistent search. The scope must be one of the following:

Persistent Search Maximum Idle Time Before Restart

Defines the maximum idle time before the persistent search connection is restarted. The value must be greater than 1. Values less than or equal to 1 restart the search regardless of how long the connection has been idle.

If OpenSSO Enterprise is deployed behind a load balancer, some load balancers drop a connection that has been idle for a configured period. In that case, set Persistent Search Maximum Idle Time Before Restart to a value lower than the load balancer's idle timeout, so the search is re-established before the load balancer silently drops it and change notifications stop arriving.

Maximum Number of Retries After Error Code

Defines the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAPException Error Codes to Retry On.

The Delay Time Between Retries

Specifies the time to wait before each retry. This only applies to persistent search connection.

LDAPException Error Codes to Retry

Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.

Caching

If enabled, this allows OpenSSO Enterprise to cache data retrieved from the data store.

Maximum Age of Cached Items

Specifies the maximum time data is stored in the cache before it is removed. The values are defined in seconds.

Maximum Size of the Cache

Specifies the maximum size of the cache. The larger the value, the more data can be stored, but it will require more memory. The values are defined in bytes.

Sun Directory Server with OpenSSO Enterprise Schema Attributes

The following attributes are used to configure Directory Server with OpenSSO Enterprise schema:

LDAP Server

Enter the name of the LDAP server to which OpenSSO will be connected in the format host.domain:portnumber. If more than one entry is entered, an attempt is made to connect to the first host in the list. The next entry in the list is tried only if the attempt to connect to the current host fails.

Optionally, a server identifier and site identifier can be appended to the value of the LDAP Server attribute for redundancy. In this case, the format is host.domain:portnumber|serverID|siteID. These identifiers are assigned to the server when they are configured globally.


Caution –

This configuration should not be changed for the embedded data store as it may cause inconsistent behavior.
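The following is an added example, not part of the OpenSSO documentation, for the LDAP Server attribute as described in this section and in the Active Directory and Generic LDAPv3 sections above. It parses entries in the host.domain:portnumber and host.domain:portnumber|serverID|siteID forms, orders them for one OpenSSO instance, and tries them in turn with the documented try-the-next-only-on-failure behaviour. The preference order (entries tagged with this server's ID, then this site's ID, then untagged entries, then the rest) and the host names are assumptions of this example, not a description of the product's own algorithm.

```python
# Added example (not from the OpenSSO documentation): parse "LDAP Server" entries
# of the form host.domain:port or host.domain:port|serverID|siteID, order them
# for one OpenSSO instance and try them in turn. The tier order below is an
# assumption of this example, not a statement about the product's algorithm.
from typing import NamedTuple, Optional


class LdapHost(NamedTuple):
    host: str
    port: int
    server_id: Optional[str]
    site_id: Optional[str]


def parse_ldap_server_entry(entry):
    """host.domain:port[|serverID[|siteID]] -> LdapHost; rejects malformed input."""
    parts = entry.strip().split("|")
    if len(parts) > 3:
        raise ValueError("too many fields: %r" % entry)
    host, sep, port = parts[0].rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("expected host.domain:port, got %r" % parts[0])
    server_id = parts[1] if len(parts) > 1 and parts[1] else None
    site_id = parts[2] if len(parts) > 2 and parts[2] else None
    return LdapHost(host, int(port), server_id, site_id)


def order_for_instance(entries, local_server_id, local_site_id):
    """Stable sort into tiers: same server ID, same site ID, untagged, other.
    Within a tier the configured order is kept."""
    def tier(h):
        if h.server_id is not None and h.server_id == local_server_id:
            return 0
        if h.site_id is not None and h.site_id == local_site_id:
            return 1
        if h.server_id is None and h.site_id is None:
            return 2
        return 3
    return sorted((parse_ldap_server_entry(e) for e in entries), key=tier)


def connect_with_failover(hosts, try_connect):
    """Attempt hosts in order; the next is tried only if the current one fails.
    try_connect(host) returns a connection object or raises OSError."""
    failures = []
    for h in hosts:
        try:
            return h, try_connect(h)
        except OSError as exc:
            failures.append("%s:%d: %s" % (h.host, h.port, exc))
    raise ConnectionError("no LDAP server reachable: " + "; ".join(failures))


if __name__ == "__main__":
    # Constructed configuration for a deployment with two tagged replicas:
    entries = ["ds1.example.com:389|01|02", "ds2.example.com:389|03|02",
               "ds3.example.com:389"]
    ordered = order_for_instance(entries, local_server_id="03", local_site_id="02")
    print([h.host for h in ordered])

    def fake_connect(h):  # ds2 is "down" in this run
        if h.host == "ds2.example.com":
            raise OSError("connection refused")
        return "conn-to-" + h.host

    print(connect_with_failover(ordered, fake_connect))
```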


LDAP Bind DN

Specifies the DN that OpenSSO Enterprise uses to authenticate to this LDAP server. The bind DN should hold exactly the add, modify, and delete privileges required for the operations you enable in the LDAPv3 Plugin Supported Types and Operations attribute, and no more; a read-only data store needs only a read-only bind identity.

LDAP Bind Password

Specifies the password for the bind DN that OpenSSO Enterprise uses to authenticate to this LDAP server.

LDAP Bind Password (confirm)

Confirm the password.

LDAP Organization DN

The DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.

LDAP SSL

When enabled, OpenSSO Enterprise connects to the primary server using LDAP over SSL/TLS (LDAPS) instead of plain LDAP, so the bind credentials and directory traffic are encrypted in transit. Use the directory server's LDAPS port (636 by convention) in the LDAP Server attribute, and make sure the server's certificate chain is trusted by the JVM running OpenSSO Enterprise.

LDAP Connection Pool Minimum Size

Specifies the initial number of connections in the connection pool. The use of connection pool avoids having to create a new connection each time.

LDAP Connection Pool Maximum Size

Specifies the maximum number of connections allowed in the pool.

Maximum Results Returned from Search

Specifies the maximum number of entries returned from a search operation. If this limit is reached, Directory Server returns the entries matched up to that point together with a size limit exceeded result.

Search Timeout

Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns the entries matched up to that point together with a time limit exceeded result.

LDAP Follows Referral

If enabled, this option specifies that referrals to other LDAP servers are followed automatically.

LDAPv3 Repository Plugin Class Name

Specifies the fully qualified name of the class that implements the LDAPv3 repository plug-in.

Attribute Name Mapping

Enables common attributes known to the framework to be mapped to the native data store. For example, if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive.

LDAPv3 Plugin Supported Types and Operations

Specifies the identity types and the operations that can be performed on them in this LDAP server. The defaults are the only operations supported by this LDAPv3 repository plug-in. The following operations are supported by the LDAPv3 Repository Plugin:

You can remove permissions from the above list (except role) based on your LDAP server settings and the tasks you need to perform, but you cannot add more permissions. If the configured LDAPv3 Repository plug-in points to an instance of Sun Directory Server, permissions for the type role can be added. Otherwise, this permission must not be added, because other data stores may not support roles.

If user is a supported type for the LDAPv3 repository, the read, create, edit, and delete operations allow you to read, create, edit, and delete user entries in the identity repository. The service operation (user=service) lets OpenSSO Enterprise services access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.

The user is also allowed to manage the user attributes for any assigned service. If service is listed as an operation for user (user=service), all service-related operations are supported: assignService, unassignService, getAssignedServices, getServiceAttributes, removeServiceAttributes, and modifyService.
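The following Python example (added here; not OpenSSO Enterprise code) shows how a permission check against this attribute behaves: operations can be removed but never added, role types are rejected unless the backend is Sun Directory Server, and the service-related calls listed above all fall under the single service operation. The entry syntax type=operation,operation is inferred from the user=service notation above, and the table of plug-in-supported operations and the sample configuration are constructed for the example rather than copied from the product's default list.

```python
from typing import Dict, FrozenSet, Iterable

# The complete set of operations the plug-in supports for each identity type.
# Operations may be removed from these sets in the configuration, never added.
# ASSUMPTION: this table is reconstructed for the example; it is not the
# product's default list.
PLUGIN_SUPPORTED_OPS: Dict[str, FrozenSet[str]] = {
    "user": frozenset({"read", "create", "edit", "delete", "service"}),
    "group": frozenset({"read", "create", "edit", "delete"}),
    "agent": frozenset({"read", "create", "edit", "delete"}),
    "role": frozenset({"read", "create", "edit", "delete"}),
    "filteredrole": frozenset({"read", "create", "edit", "delete"}),
}

# Only Sun Directory Server supports roles, so these types may appear in the
# configuration only for that backend.
SUN_DS_ONLY_TYPES = frozenset({"role", "filteredrole"})

# Service-related calls that are all covered by the single "service" operation.
SERVICE_CALLS = frozenset({
    "assignService", "unassignService", "getAssignedServices",
    "getServiceAttributes", "removeServiceAttributes", "modifyService",
})


def parse_supported_types(entries: Iterable[str],
                          sun_directory_server: bool) -> Dict[str, FrozenSet[str]]:
    """Parse entries of the form type=operation[,operation...] and reject
    anything the plug-in cannot honour."""
    config: Dict[str, FrozenSet[str]] = {}
    for raw in entries:
        if "=" not in raw:
            raise ValueError(f"expected type=operations, got {raw!r}")
        typ, ops = raw.split("=", 1)
        typ = typ.strip().lower()
        if typ not in PLUGIN_SUPPORTED_OPS:
            raise ValueError(f"unknown identity type {typ!r}")
        if typ in SUN_DS_ONLY_TYPES and not sun_directory_server:
            raise ValueError(f"{typ}: only supported against Sun Directory Server")
        requested = frozenset(o.strip().lower() for o in ops.split(",") if o.strip())
        unsupported = requested - PLUGIN_SUPPORTED_OPS[typ]
        if unsupported:
            raise ValueError(f"{typ}: operations cannot be added: {sorted(unsupported)}")
        config[typ] = requested
    return config


def is_allowed(config: Dict[str, FrozenSet[str]], identity_type: str, operation: str) -> bool:
    """Check one operation. Service calls map to the 'service' operation; an
    identity type absent from the configuration permits nothing."""
    needed = "service" if operation in SERVICE_CALLS else operation.strip().lower()
    return needed in config.get(identity_type.strip().lower(), frozenset())


# Constructed configuration: users fully managed, groups and agents read-only.
SAMPLE_CONFIG = parse_supported_types(
    ["user=read,create,edit,delete,service", "group=read", "agent=read"],
    sun_directory_server=False,
)


if __name__ == "__main__":
    for typ, op in [("user", "assignService"), ("group", "delete"), ("role", "read")]:
        print(typ, op, "->", "allowed" if is_allowed(SAMPLE_CONFIG, typ, op) else "denied")
```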

LDAPv3 Plug-in Search Scope

Defines the scope to be used to find LDAPv3 plug-in entries. The scope must be one of the following:

LDAP Users Search Attribute

This field defines the attribute type used to search for a user. For example, if the user's DN is uid=user1,ou=people,dc=example,dc=com, you would specify uid in this field.

LDAP Users Search Filter

Specifies the search filter to be used to find user entries.

LDAP User Object Class

Specifies the object classes for a user. When a user is created, this list of user object classes will be added to the user's attributes list.

LDAP User Attributes

Defines the list of attributes associated with a user. Any attempt to read/write user attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

Create User Attribute Mappings

Specifies which attributes are required when a user is created. This attribute uses the following syntax:

DestinationAttributeName=SourceAttributeName

If the source attribute name is missing, the default is the user ID (uid). For example:

cn
 sn=givenName

Both cn and sn are required in order to create a user profile. cn gets the value of the attribute named uid, and sn gets the value of the attribute named givenName.
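The following Python example (added here; not OpenSSO Enterprise code) parses mappings in the DestinationAttributeName=SourceAttributeName syntax, applies the uid default for a bare destination, and refuses to build a user entry when a required source attribute is absent from the create request. The sample mappings are the two lines above; the request attributes are constructed, and keeping a destination the caller already supplied is an assumption of this example.

```python
from typing import Dict, Iterable, List, Tuple

DEFAULT_SOURCE = "uid"  # used when an entry has no '=SourceAttributeName' part


def parse_create_mappings(entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse DestinationAttributeName[=SourceAttributeName] entries into
    (destination, source) pairs; a bare destination takes its value from uid."""
    mappings = []
    for raw in entries:
        line = raw.strip()
        if not line:
            continue
        dest, sep, src = line.partition("=")
        dest, src = dest.strip(), src.strip()
        if not dest:
            raise ValueError(f"missing destination attribute in {raw!r}")
        mappings.append((dest, src if sep and src else DEFAULT_SOURCE))
    return mappings


def build_create_attributes(mappings: List[Tuple[str, str]],
                            requested: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return the attribute set for the LDAP add. Every mapped destination is
    required: if its source is absent from the request, the create is refused
    rather than writing a partial entry. ASSUMPTION: a destination the caller
    already supplied is kept rather than overwritten."""
    entry = {name: list(values) for name, values in requested.items()}
    missing = []
    for dest, src in mappings:
        if entry.get(dest):
            continue
        values = requested.get(src)
        if not values:
            missing.append(f"{dest} (from {src})")
            continue
        entry[dest] = list(values)
    if missing:
        raise ValueError("cannot create user, required attributes missing: " + ", ".join(missing))
    return entry


# The two mapping lines from the text above.
SAMPLE_MAPPINGS = parse_create_mappings(["cn", " sn=givenName"])


if __name__ == "__main__":
    # Constructed create request.
    print(build_create_attributes(SAMPLE_MAPPINGS, {"uid": ["user1"], "givenName": ["Ann"]}))
```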

Attribute Name of User Status

Specifies the attribute name to indicate the user's status.

LDAP Groups Search Attribute

This field defines the attribute type used to search for a group. The default is cn.

LDAP Group Search Filter

Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).

LDAP Groups Container Naming Attribute

Specifies the naming attribute of the group container, if groups reside in a container. Otherwise, this attribute is left empty. For example, if a group with DN cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.

LDAP Groups Container Value

Specifies the value of the group container. For example, if a group with DN cn=group1,ou=groups,dc=iplanet,dc=com resides in the container ou=groups, then the group container value is groups.

LDAP Groups Object Classes

Specifies the object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.

LDAP Groups Attributes

Defines the list of attributes associated with a group. Any attempt to read/write group attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

Attribute Name for Group Memberships

Specifies the name of the attribute whose values are the DNs of all the groups to which an entry belongs. The default is memberOf.

Attribute Name of Unique Member

Specifies the name of the attribute whose values are the DNs of the members of this group. The default is uniqueMember.

Attribute Name of Group Member URL

Specifies the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.

LDAP Roles Search Attribute

This field defines the attribute type used to search for a role. The default is cn.

LDAP Role Search Filter

Defines the filter used to search for a role. The LDAP Roles Search Attribute, with a wildcard value, is combined (ANDed) with this field to form the actual role search filter.

For example, if the LDAP Roles Search Attribute is cn and the LDAP Role Search Filter is (objectClass=sunIdentityServerDevice), then the actual role search filter is (&(cn=*)(objectClass=sunIdentityServerDevice)).

LDAP Role Object Class

Defines the object classes for roles. When a role is created, this list of role object classes will be added to the role's attributes list.

LDAP Roles Attributes

Defines the list of attributes associated with a role. Any attempt to read/write role attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

LDAP Filter Roles Search Attribute

This field defines the attribute type used to search for a filtered role. The default is cn.

LDAP Filter Role Search Filter

Defines the filter used to search for a filtered role. The LDAP Filter Roles Search Attribute, with a wildcard value, is combined (ANDed) with this field to form the actual filtered role search filter.

For example, if the LDAP Filter Roles Search Attribute is cn and the LDAP Filter Role Search Filter is (objectClass=sunIdentityServerDevice), then the actual filtered role search filter is (&(cn=*)(objectClass=sunIdentityServerDevice)).

LDAP Filter Role Object Class

Defines the object classes for filtered roles. When a filtered role is created, this list of filtered role object classes will be added to the filtered role's attributes list.

LDAP Filter Roles Attributes

Defines the list of attributes associated with a filtered role. Any attempt to read/write filtered role attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

LDAP People Container Naming Attribute

Specifies the naming attribute of the people container if a user resides in a people container. This field is left blank if the user does not reside in a people container.

LDAP People Container Value

Specifies the value of the people container. The default is people.


Caution –

The entire tree under the baseDN will be searched if the value of this attribute is set to null (empty).
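The following Python example (added here; not OpenSSO Enterprise code) shows how the search attributes described in this section fit together: the user, role, and filtered role search filters are the search attribute ANDed with the configured entry filter, and the people or group container naming attribute and value form the search base, with an empty value meaning the whole tree under the base DN. The value placed in the filter is escaped per RFC 4515 and the container value per RFC 4514, so a caller-supplied login name cannot widen the filter. The base DN, the user entry filter (objectclass=inetorgperson), and the injection-style login name are constructed for the example.

```python
from typing import Optional, Tuple


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515), so
    that '*', '(', ')', backslash and NUL cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def search_base(base_dn: str, container_attr: str, container_value: str) -> Tuple[str, bool]:
    """Search base for a people or group container. Returns (base, whole_tree):
    an empty container value means the entire tree under base_dn is searched,
    which is what the caution above warns about."""
    if not container_value:
        return base_dn, True
    if not container_attr:
        raise ValueError("container naming attribute required when a container value is set")
    return f"{container_attr}={escape_dn_value(container_value)},{base_dn}", False


def search_filter(search_attr: str, object_filter: str, value: Optional[str] = None) -> str:
    """Combine the search attribute with the configured entry filter, giving
    (&(attr=value)(object_filter)). value=None yields the wildcard form used
    for role lookups; a caller-supplied value (for example a login name) is
    escaped first so it cannot widen the filter."""
    object_filter = object_filter.strip()
    if not (object_filter.startswith("(") and object_filter.endswith(")")):
        object_filter = f"({object_filter})"
    term = "*" if value is None else escape_filter_value(value)
    return f"(&({search_attr}={term}){object_filter})"


if __name__ == "__main__":
    base, whole_tree = search_base("dc=example,dc=com", "ou", "people")
    print(base, "(entire tree)" if whole_tree else "")
    print(search_filter("cn", "(objectClass=sunIdentityServerDevice)"))
    # Constructed user lookup with a hostile login name; the page gives no
    # default user search filter, so (objectclass=inetorgperson) is assumed.
    print(search_filter("uid", "(objectclass=inetorgperson)", "user1)(uid=*"))
```

The hostile login name comes out as (&(uid=user1\29\28uid=\2a)(objectclass=inetorgperson)), a filter that matches nothing, instead of one that matches every user.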


Identity Types that can be Authenticated

Specifies that this data store can authenticate user and/or agent identity types when the authentication module mode for the realm is set to Data Store.

Persistent Search Base DN

Defines the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.

Persistent Search Filter

Defines the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter.

Persistent Search Scope

Defines the scope to be used in a persistent search. The scope must be one of the following:

Persistent Search Maximum Idle Time Before Restart

Defines the maximum idle time before the persistent search is restarted. The value must be greater than 1. Values less than or equal to 1 restart the search irrespective of the idle time of the connection.

If OpenSSO Enterprise is deployed behind a load balancer, some load balancers drop a connection that has been idle for a specified amount of time. In this case, set the Persistent Search Maximum Idle Time Before Restart to a value less than the load balancer's idle timeout.

Maximum Number of Retries After Error Code

Defines the maximum number of retries for the persistent search operation if it encounters one of the error codes specified in LDAPException Error Codes to Retry.

The Delay Time Between Retries

Specifies the time to wait before each retry. This applies only to the persistent search connection.

LDAPException Error Codes to Retry

Specifies the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.
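The following Python example (added here; not OpenSSO Enterprise code) simulates how the five persistent search settings above interact: the search is reopened when the connection has been idle for the maximum idle time (or unconditionally when that value is 1 or less), an error whose code is on the retry list is retried after the configured delay up to the maximum number of times, and any other error, or one retry too many, is passed to the caller. The directory, its scripted events, and the clock are constructed stand-ins; the result codes 81 (server down) and 91 (connect error) are standard LDAP SDK codes chosen for the example, not the product's defaults.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


class LdapError(Exception):
    """Stand-in for the SDK's LDAPException carrying the LDAP result code."""
    def __init__(self, code: int):
        super().__init__(f"LDAP result code {code}")
        self.code = code


@dataclass
class PersistentSearchConfig:
    max_idle_seconds: int = 30          # Persistent Search Maximum Idle Time Before Restart
    max_retries: int = 3                # Maximum Number of Retries After Error Code
    retry_delay_seconds: float = 1.0    # The Delay Time Between Retries
    retry_on_codes: Set[int] = field(default_factory=lambda: {81, 91})  # Error Codes to Retry


def idle_restart_due(cfg: PersistentSearchConfig, idle_seconds: float) -> bool:
    """A value of 1 or less restarts regardless of idle time, as the text says."""
    return cfg.max_idle_seconds <= 1 or idle_seconds >= cfg.max_idle_seconds


def should_retry(cfg: PersistentSearchConfig, err: LdapError, failures_so_far: int) -> bool:
    return err.code in cfg.retry_on_codes and failures_so_far < cfg.max_retries


def run_persistent_search(cfg, open_search, clock, sleep, stop_after: int) -> Dict:
    """Drive a persistent search until stop_after changes were seen. open_search()
    returns an object whose poll() yields one change, or None when the connection
    stayed idle, or raises LdapError. Errors outside the retry list, or more
    consecutive failures than max_retries, propagate to the caller."""
    changes: List[str] = []
    restarts = retries = consecutive_failures = 0
    while len(changes) < stop_after:
        try:
            conn = open_search()
            last_activity = clock()
            while len(changes) < stop_after:
                change = conn.poll()
                if change is not None:
                    changes.append(change)
                    last_activity = clock()
                    consecutive_failures = 0
                elif idle_restart_due(cfg, clock() - last_activity):
                    restarts += 1
                    break       # drop this connection and open a new search
        except LdapError as err:
            if not should_retry(cfg, err, consecutive_failures):
                raise
            consecutive_failures += 1
            retries += 1
            sleep(cfg.retry_delay_seconds)
    return {"changes": changes, "restarts": restarts, "retries": retries}


class FakeClock:
    """Constructed clock so idle time can be simulated without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class FakeDirectory:
    """Constructed stand-in for the directory: a script of poll() outcomes.
    'idle' advances the clock by 10 s and returns nothing, an LdapError is
    raised, and any other string is a change notification."""
    def __init__(self, script: List, clock: FakeClock):
        self.script, self.clock, self.opens = list(script), clock, 0

    def open_search(self):
        self.opens += 1
        return self

    def poll(self):
        item = self.script.pop(0)
        if isinstance(item, LdapError):
            raise item
        if item == "idle":
            self.clock.now += 10
            return None
        return item


def demo() -> Dict:
    cfg = PersistentSearchConfig(max_idle_seconds=30, max_retries=3, retry_delay_seconds=1)
    clock = FakeClock()
    script = ["idle", "idle", "idle", "uid=user1 modified", LdapError(81), "uid=user2 added"]
    directory = FakeDirectory(script, clock)
    slept: List[float] = []
    result = run_persistent_search(cfg, directory.open_search, clock, slept.append, stop_after=2)
    result["opens"], result["slept"] = directory.opens, slept
    return result


if __name__ == "__main__":
    print(demo())
```

In the scripted run the search is opened three times: once initially, once after 30 seconds of idle time, and once after the retried server-down error.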

Caching

If enabled, this allows OpenSSO Enterprise to cache data retrieved from the data store.

Maximum Age of Cached Items

Specifies the maximum time data is stored in the cache before it is removed. The values are defined in seconds.

Maximum Size of the Cache

Specifies the maximum size of the cache. The larger the value, the more data can be stored, but it will require more memory. The values are defined in bytes.
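The following Python example (added here; not OpenSSO Enterprise code) implements a data store cache with the three controls described above: an on/off switch, a maximum age per item in seconds, and a maximum total size in bytes. When the size limit is exceeded the least recently used items are evicted, an item larger than the whole cache is not stored, and an expired item is dropped on read so the next request goes back to the data store. The size estimate (UTF-8 length of the key and of every attribute name and value) and the sample entries are constructed; the product's own accounting is not documented on this page.

```python
import time
from collections import OrderedDict
from typing import Callable, Dict, List, Optional


class DataStoreCache:
    """Cache for entries read from the data store: on/off, a maximum age per
    item, and a maximum total size in bytes with least-recently-used eviction."""

    def __init__(self, enabled: bool = True, max_age_seconds: float = 600,
                 max_size_bytes: int = 10240, clock: Callable[[], float] = time.monotonic):
        self.enabled = enabled
        self.max_age_seconds = max_age_seconds
        self.max_size_bytes = max_size_bytes
        self.clock = clock
        self._items: "OrderedDict[str, tuple]" = OrderedDict()  # key -> (stored_at, size, value)
        self.total_bytes = 0

    @staticmethod
    def size_of(key: str, value: Dict[str, List[str]]) -> int:
        """Approximate footprint: UTF-8 length of the key, attribute names and values
        (an assumption of this example)."""
        return len(key.encode()) + sum(
            len(name.encode()) + sum(len(v.encode()) for v in values)
            for name, values in value.items())

    def get(self, key: str) -> Optional[Dict[str, List[str]]]:
        if not self.enabled or key not in self._items:
            return None
        stored_at, _, value = self._items[key]
        if self.clock() - stored_at >= self.max_age_seconds:
            self._remove(key)             # expired: read from the data store again
            return None
        self._items.move_to_end(key)      # mark as most recently used
        return value

    def put(self, key: str, value: Dict[str, List[str]]) -> bool:
        """Store value; returns False when caching is off or the item alone
        exceeds the maximum cache size."""
        if not self.enabled:
            return False
        size = self.size_of(key, value)
        if size > self.max_size_bytes:
            return False
        if key in self._items:
            self._remove(key)
        self._items[key] = (self.clock(), size, value)
        self.total_bytes += size
        while self.total_bytes > self.max_size_bytes:
            self._remove(next(iter(self._items)))   # evict least recently used
        return True

    def invalidate(self, key: str) -> None:
        """Call when a persistent search reports that the entry changed."""
        if key in self._items:
            self._remove(key)

    def _remove(self, key: str) -> None:
        _, size, _ = self._items.pop(key)
        self.total_bytes -= size


class FakeClock:
    """Constructed clock so that expiry can be shown without waiting."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


if __name__ == "__main__":
    clock = FakeClock()
    cache = DataStoreCache(max_age_seconds=600, max_size_bytes=12, clock=clock)
    cache.put("u1", {"cn": ["a"]})   # 5 bytes
    cache.put("u2", {"cn": ["b"]})   # 5 bytes, total 10
    cache.get("u1")                  # u1 is now the most recently used item
    cache.put("u3", {"cn": ["c"]})   # total would be 15 > 12, so u2 is evicted
    print(sorted(cache._items))      # ['u1', 'u3']
    clock.now += 600
    print(cache.get("u1"))           # None: older than the maximum age
```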