
Sun Java System Access Manager 6 2005Q1 Administration Guide 

Chapter 34  
Authentication Configuration Service Attributes

The Authentication Configuration Service attributes are dynamic and organization attributes. These attributes can be defined for an organization, service, or role. The organization attributes are defined in the Core Authentication module.

If the role is assigned to a user or a user is assigned to the organization, these attributes, by default, are inherited by the user. The Authentication Configuration Attributes are:

Authentication Configuration

Clicking on the Edit link will display the Authentication Configuration interface. It allows you to configure the authentication modules for role-based or organization-based authentication.

The following table lists the authentication module configuration options:

 

 

Module Name

Allows you to select from the list of default authentication modules available to Access Manager.

Flag

This pull-down menu allows you to specify the authentication module requirements. It can be one of:

  • REQUIRED - The authentication module is required to succeed. If it succeeds or fails, authentication continues to proceed down the authentication module list.
  • REQUISITE - The authentication module is required to succeed. If it succeeds, authentication continues down the authentication module list. If it fails, control returns to the application (authentication does not proceed down the authentication module list.)
  • SUFFICIENT - The authentication module is not required to succeed. If it does succeed, control immediately returns to the application (authentication does not proceed down the authentication module list). If it fails, authentication continues down the list.
  • OPTIONAL - The authentication module is not required to succeed. If it succeeds or fails, authentication still continues to proceed down the list.

These flags establish the enforcement criteria for the authentication module for which they are defined. There is a hierarchy for enforcement, with REQUIRED being the highest and OPTIONAL being the lowest.

For example, if an administrator defines an LDAP module with the REQUIRED flag, then the user’s credential must pass the LDAP authentication requirements to access a given resource.

If you add multiple authentication modules and for each module the Flag is set to REQUIRED, the user must pass all authentication requirements before being granted access.

For more information on the flag definitions, refer to the JAAS (Java Authentication and Authorization Service) documentation located at:

http://java.sun.com/security/jaas/doc/module.html
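The following model of the four flags is an added example, not code from Access Manager or from this guide. It walks a module list using the continue/return rules listed above; the rule for the overall result (every REQUIRED and REQUISITE module that runs must succeed, and a list with none of them needs at least one success) is an assumption taken from the JAAS documentation, and the module name "Cert" and the sample chains are constructed.

```python
# Added example: models the flag rules from the list above.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"
FLAGS = {REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL}

def evaluate_chain(chain):
    """Walk a module list of (name, flag, module_succeeds) tuples.

    Returns (overall_success, invoked_module_names).
    """
    invoked = []
    mandatory_seen = False    # a REQUIRED/REQUISITE module was invoked
    mandatory_failed = False  # ...and at least one of them failed
    any_success = False
    for name, flag, ok in chain:
        if flag not in FLAGS:
            raise ValueError(f"unknown flag {flag!r} on module {name!r}")
        invoked.append(name)
        any_success = any_success or ok
        if flag in (REQUIRED, REQUISITE):
            mandatory_seen = True
            mandatory_failed = mandatory_failed or not ok
        if flag == REQUISITE and not ok:
            break  # failure returns control to the application
        if flag == SUFFICIENT and ok:
            break  # success returns control to the application
    # Overall result (assumption: rule from the JAAS documentation, not this page).
    if mandatory_failed:
        return False, invoked
    if mandatory_seen:
        return True, invoked
    return any_success, invoked

# Constructed chains; "Cert" is a hypothetical second module name.
SAMPLES = {
    "required fails, list still runs": [("LDAP", REQUIRED, False), ("Cert", OPTIONAL, True)],
    "requisite fails, list stops": [("LDAP", REQUISITE, False), ("Cert", REQUIRED, True)],
    "sufficient first skips required": [("Cert", SUFFICIENT, True), ("LDAP", REQUIRED, False)],
    "required passes, sufficient fails": [("LDAP", REQUIRED, True), ("Cert", SUFFICIENT, False)],
    "only optional, all fail": [("Cert", OPTIONAL, False)],
}

if __name__ == "__main__":
    for label, chain in SAMPLES.items():
        print(f"{label}: {evaluate_chain(chain)}")
```

The third chain shows why module order deserves review: a SUFFICIENT module listed ahead of a REQUIRED one ends the login successfully before the REQUIRED module is ever invoked.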

 

Option

Allows for additional options for the module as a key=value pair. Multiple options are separated by a space.

Login Success URL

This attribute specifies the URL that the user will be redirected to upon successful authentication.

Login Failure URL

This attribute specifies the URL that the user will be redirected to upon unsuccessful authentication.

Authentication Post Processing Class

This attribute defines the name of the Java class used to customize the post authentication process after a login success or failure.

Conflict Resolution Level

This attribute applies to roles only. The Conflict Resolution Level sets a priority level for the Authentication Configuration attributes for roles that may contain the same user. For example, if User1 is assigned to both Role1 and Role2, you can define a higher priority level for Role1 so that, when the user attempts authentication, Role1 will have the highest priority for success or failure redirects and for post authentication processes.





Part No: 817-7647-11.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.