Sun Java System Federation Manager 7.0 User's Guide

Customizing Authentication

This section contains tasks describing how you can reconfigure the default authentication method in certain situations. For example, you can enable your organization to get user authentication data from an LDAPv3 directory instead of the default flat file. The procedures include:

  • Configuring an Authentication Module for an Organization

  • Changing the Default Authentication Module from Flat File to LDAP

  • Changing the Default Authentication Module from Flat File to Active Directory

  • Changing the Default Administrator Authentication Module from a Flat File to LDAP

Configuring an Authentication Module for an Organization

This procedure describes how to configure an authentication module for the organization using the Federation Manager Console.

Procedure: To Configure an Authentication Module for an Organization

  1. In the Federation Manager Console, select the Organization tab.

  2. Under Organization, select the Authentication tab.

  3. Click Add.

    A list of Authentication Modules is displayed.

    • Active Directory

    • Anonymous

    • Certificate

    • HTTP Basic

    • JDBC

    • LDAP

    • Membership

    • MSISDN

    • Password Playback

    • RADIUS

    • SafeWord

    • SecurID

    • Windows Desktop SSO

    • Windows NT

  4. Select a module from the list and click Next.

  5. Configure the attributes for the authentication module.

  6. Click Assign.

Changing the Default Authentication Module from Flat File to LDAP

By default, Federation Manager authenticates users against the flat file with which it is deployed. The authentication component can be reconfigured to retrieve data from most LDAPv3-compliant directories (including Sun Java System Directory Server) rather than the default flat file.


Note –

Although Microsoft Active Directory is an LDAPv3-compliant directory, the procedure has some differences. For more information, see Changing the Default Authentication Module from Flat File to Active Directory.


This section includes the following procedures:

  • To Set LDAP as the Default Authentication Module for an Organization

  • To Enable an Organization to Use the LDAP Authentication Module

Procedure: To Set LDAP as the Default Authentication Module for an Organization

  1. Use the following template, modifying ROOT SUFFIX to reflect the root suffix of the organization.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!--
        Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
        Use is subject to license terms.
    -->
    
    <!DOCTYPE Requests
        PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
        "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
    
    <!--  CREATE REQUESTS -->
    
    <Requests>
    <OrganizationRequests DN="ROOT SUFFIX">
       <ModifyServiceTemplate serviceName="iPlanetAMAuthService"
        schemaType="Organization">
         <AttributeValuePair>
           <Attribute name="iplanet-am-auth-org-config" />
             <Value>&lt;AttributeValuePair&gt;&lt;Value&gt;com.sun.identity.authentication.modules.ldap.LDAP REQUIRED&lt;/Value&gt;&lt;/AttributeValuePair&gt;</Value>
         </AttributeValuePair>
       </ModifyServiceTemplate>
    </OrganizationRequests>
    </Requests>
  2. Modify the following template to change the administrator's default authentication module to LDAP.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!--
        Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
        Use is subject to license terms.
    -->
    
    <!DOCTYPE Requests
        PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
        "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
    
    <!--  CREATE REQUESTS -->
    
    <Requests>
    <OrganizationRequests DN="ROOT SUFFIX">
       <ModifyServiceTemplate serviceName="iPlanetAMAuthService"
        schemaType="Organization">
         <AttributeValuePair>
           <Attribute name="iplanet-am-auth-admin-auth-module" />
             <Value>&lt;AttributeValuePair&gt;&lt;Value&gt;com.sun.identity.authentication.modules.ldap.LDAP REQUIRED&lt;/Value&gt;&lt;/AttributeValuePair&gt;</Value>
         </AttributeValuePair>
       </ModifyServiceTemplate>
    </OrganizationRequests>
    </Requests>
  3. Load each modified XML file using amadmin, in the format /FederationManager-base/fm/bin/amadmin -u amadmin -w password -i war-staging-directory -t name-of-XML-file.
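The two templates above, and the iplanet-am-auth-admin-auth-module template in "To Change the Default Administrator Authentication Module from Flat File to Sun Java System Directory Server" later in this section, carry the module chain as an escaped XML document nested inside a Value element. Editing that by hand is error-prone: a dropped slash in an escaped closing tag or a line break inside the class name silently produces a value amadmin will not interpret as intended. The following Python script is an added example, not part of Sun's documentation or product: it builds such a request with an XML library so the nesting is escaped mechanically, and parses a request back to verify the attribute name and module chain. It assumes only the request layout shown in the templates; the root suffix and module in its main block are constructed sample values.

```python
"""Build and verify amadmin ModifyServiceTemplate requests for iPlanetAMAuthService.

Added example, not Sun's code. Assumes the request layout of the templates in this section.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# JAAS control flags an entry in an authentication-module chain may carry.
VALID_FLAGS = {"REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"}

XML_DECL = '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
DOCTYPE = ('<!DOCTYPE Requests\n'
           '    PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"\n'
           '    "jar://com/iplanet/am/admin/cli/amAdmin.dtd">\n')


def module_chain(modules):
    """Inner document stored in the Value element: one <Value>class FLAG</Value> per module."""
    entries = []
    for cls, flag in modules:
        if flag not in VALID_FLAGS:
            raise ValueError(f"unknown control flag {flag!r}")
        entries.append(f"<Value>{escape(cls)} {flag}</Value>")
    return "<AttributeValuePair>" + "".join(entries) + "</AttributeValuePair>"


def build_request(root_suffix, attribute, modules):
    """Return the complete amadmin request document as a string."""
    requests = ET.Element("Requests")
    org = ET.SubElement(requests, "OrganizationRequests", DN=root_suffix)
    tmpl = ET.SubElement(org, "ModifyServiceTemplate",
                         serviceName="iPlanetAMAuthService", schemaType="Organization")
    avp = ET.SubElement(tmpl, "AttributeValuePair")
    ET.SubElement(avp, "Attribute", name=attribute)
    # ElementTree escapes <, > and & when serializing text, so the inner
    # AttributeValuePair document is emitted as character data, not as child elements.
    ET.SubElement(avp, "Value").text = module_chain(modules)
    return XML_DECL + DOCTYPE + ET.tostring(requests, encoding="unicode") + "\n"


def parse_request(xml_text):
    """Round-trip check: return (attribute name, [(class, flag), ...]) from a request file.

    Raises xml.etree.ElementTree.ParseError if either the outer document or the escaped
    inner document is malformed, for example a closing tag missing its slash.
    """
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    avp = root.find("./OrganizationRequests/ModifyServiceTemplate/AttributeValuePair")
    attribute = avp.find("Attribute").get("name")
    inner = ET.fromstring(avp.find("Value").text)  # the parser already unescaped &lt; and &gt;
    if inner.tag != "AttributeValuePair":
        raise ValueError("Value does not hold an AttributeValuePair document")
    modules = []
    for entry in inner.findall("Value"):
        cls, flag = entry.text.strip().rsplit(" ", 1)
        if flag not in VALID_FLAGS:
            raise ValueError(f"unknown control flag {flag!r}")
        modules.append((cls, flag))
    return attribute, modules


if __name__ == "__main__":
    # Constructed sample values; replace with the organization's real root suffix.
    doc = build_request("dc=example,dc=com", "iplanet-am-auth-org-config",
                        [("com.sun.identity.authentication.modules.ldap.LDAP", "REQUIRED")])
    print(doc)
    print(parse_request(doc))
```

Writing the output of build_request to a file and loading it with the amadmin command in step 3 replaces the hand edit; running parse_request over a file that was edited by hand catches a malformed escaped value before amadmin sees it.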

Procedure: To Enable an Organization to Use the LDAP Authentication Module

  1. In the Federation Manager Console, select the Organization tab.

  2. Under Organization, select the Authentication tab.

  3. Click Add.

    A list of Authentication Modules is displayed.

  4. Select LDAP from the list and click Next.

  5. Configure the attributes for the LDAP authentication module and click Assign.

  6. Under Organization, select the Authentication tab.

  7. Click the Edit button next to the Core authentication service.

    The Core attributes are displayed.

  8. Add LDAP to the Organization Authentication Modules attribute by holding down the Control key and selecting LDAP.

  9. Click Save.

    LDAP is now enabled as an authentication module for the organization. To authenticate to Federation Manager through the LDAP module, use a URL in the format protocol://host:port/deploy_URI/something?module=LDAP.

Changing the Default Authentication Module from Flat File to Active Directory

Although Microsoft Active Directory is an LDAPv3-compliant directory, the procedure to change the default authentication module from Flat File to Active Directory is different from the procedure described in Changing the Default Authentication Module from Flat File to LDAP. The following sections describe the procedures:

  • To Set Active Directory as the Default Authentication Module for an Organization

  • To Enable an Organization to Use the Active Directory Authentication Module

Procedure: To Set Active Directory as the Default Authentication Module for an Organization

  1. Use ldapsearch in the following format to find values that begin with iplanet-am-auth-org-config.


    /usr/bin/ldapsearch \
      -b "OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX" \
      -D admin-dn -w admin-password \
      -s base -h AD-host -p AD-port \
      "(objectclass=*)" sunkeyvalue

    The search result would look like this (the module class name and the control flag are separated by a space):

    sunkeyvalue=iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>

    Save the search result as it will be used in the following step as the value for the Delete entry.

  2. Save the following text as a Lightweight Directory Interchange Format (LDIF) file. Lines that begin with a single space continue the previous line.

    dn: OU=default,OU=OrganizationConfig,OU=1.0,
     OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
    changetype: modify
    delete: sunkeyvalue
    sunkeyvalue: iplanet-am-auth-org-config=<AttributeValuePair>
     <Value>com.sun.identity.authentication.modules.
     flatfile.FlatFile REQUIRED</Value>
     </AttributeValuePair>
    
    dn: OU=default,OU=OrganizationConfig,OU=1.0,
     OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
    changetype: modify
    add: sunkeyvalue
    sunkeyvalue: iplanet-am-auth-org-config=<AttributeValuePair>
     <Value>com.sun.identity.authentication.modules.
     ldap.LDAP REQUIRED</Value></AttributeValuePair>
  3. Type the found values from the previous step into the Delete section of the saved LDIF file.

  4. Type the new values into the Add section of the saved LDIF file.

  5. Run ldapmodify using the LDIF file as input.

    /usr/bin/ldapmodify -h AD-host -p AD-port -D admin-dn -w admin-password -f name-of-LDIF-file
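Steps 1 through 5 above, and the same steps for iplanet-am-auth-admin-auth-module in "To Change the Default Administrator Authentication Module from Flat File to Microsoft Active Directory" later in this section, copy a sunkeyvalue out of ldapsearch output and back into a Delete entry by hand. The following Python script is an added example, not Sun's code, that automates that transcription: it unfolds wrapped ldapsearch output, extracts the stored values for the requested key, and emits one RFC 2849 modify record whose long values are folded with a leading-space continuation line, which is the detail hand-written LDIF most often gets wrong. The search output embedded in it is constructed sample data; the entry DN layout is the one shown in step 1, and the Active Directory host, port and credentials are still supplied on the ldapmodify command line.

```python
"""Generate ldapmodify input that swaps an authentication-module chain value.

Added example, not Sun's code. Assumes the sunkeyvalue layout shown in step 1.
"""
import base64
import re

# DN of the organization-level auth service configuration entry; root suffix is appended.
CONFIG_DN_PREFIX = ("OU=default,OU=OrganizationConfig,OU=1.0,"
                    "OU=iPlanetAMAuthService,OU=services,")

# Constructed sample ldapsearch output (not captured from a real server). Long lines are
# wrapped the way the tool wraps them: a continuation line starts with a single space.
SAMPLE_SEARCH_OUTPUT = (
    "dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services\n"
    " ,DC=example,DC=com\n"
    "sunkeyvalue=iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identit\n"
    " y.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>\n"
    "sunkeyvalue=iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>com.sun.i\n"
    " dentity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>\n"
)


def unfold(text):
    """Join continuation lines: a line starting with one space continues the previous line."""
    return re.sub(r"\n ", "", text)


def find_values(search_output, attribute):
    """Return every sunkeyvalue whose key is `attribute`, exactly as stored in the directory."""
    found = []
    for line in unfold(search_output).splitlines():
        for sep in ("=", ": "):  # Sun ldapsearch prints attr=value; LDIF output prints attr: value
            prefix = f"sunkeyvalue{sep}"
            if line.startswith(prefix + attribute + "="):
                found.append(line[len(prefix):])
    return found


def chain_value(attribute, modules):
    """Stored form: key=<AttributeValuePair><Value>class FLAG</Value>...</AttributeValuePair>."""
    inner = "".join(f"<Value>{cls} {flag}</Value>" for cls, flag in modules)
    return f"{attribute}=<AttributeValuePair>{inner}</AttributeValuePair>"


def ldif_line(attr, value, width=76):
    """Encode one attribute value per RFC 2849: base64 (::) when the value is not a
    SAFE-STRING, then fold so no physical line exceeds `width` characters."""
    safe = (value.isascii() and not any(c in value for c in "\r\n\0")
            and value[:1] not in (" ", ":", "<"))
    if safe:
        line = f"{attr}: {value}"
    else:
        line = f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    folded = [line[:width]]
    rest = line[width:]
    while rest:
        folded.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(folded)


def build_modify_ldif(root_suffix, attribute, old_values, new_modules):
    """One modify record that deletes the old value(s) and adds the new chain in one operation."""
    lines = [ldif_line("dn", CONFIG_DN_PREFIX + root_suffix), "changetype: modify"]
    for old in old_values:
        lines += ["delete: sunkeyvalue", ldif_line("sunkeyvalue", old), "-"]
    lines += ["add: sunkeyvalue",
              ldif_line("sunkeyvalue", chain_value(attribute, new_modules)), "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    old = find_values(SAMPLE_SEARCH_OUTPUT, "iplanet-am-auth-org-config")
    print(build_modify_ldif("DC=example,DC=com", "iplanet-am-auth-org-config", old,
                            [("com.sun.identity.authentication.modules.ldap.LDAP", "REQUIRED")]))
```

The generated record is fed to the ldapmodify command in step 5. Unlike the two separate records in step 2, the delete and add are sent as a single modify operation, so the entry is never left without a module chain between the two changes; passing "iplanet-am-auth-admin-auth-module" as the attribute produces the record for the administrator procedure.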

Procedure: To Enable an Organization to Use the Active Directory Authentication Module

  1. In the Federation Manager Console, select the Organization tab.

  2. Under Organization, select the Authentication tab.

  3. Click Add.

    A list of Authentication Modules is displayed.

  4. Select Active Directory from the list and click Next.

  5. Configure the attributes for the Active Directory authentication module and click Assign.

  6. Under Organization, select the Authentication tab.

  7. Click the Edit button next to the Core authentication service.

    The Core attributes are displayed.

  8. Add Active Directory to the Organization Authentication Modules attribute by holding down the Control key and selecting Active Directory.

  9. Click Save.

    Active Directory is now enabled as an authentication module for the organization. To authenticate to Federation Manager through the Active Directory module, use a URL in the format protocol://host:port/deploy_URI/something?module=AD.

Changing the Default Administrator Authentication Module from a Flat File to LDAP

After you have configured and enabled Federation Manager to retrieve data from an LDAPv3-compliant data store, you must also change the default method of authentication for the Federation Manager administrator from the flat file to the LDAPv3-compliant directory. This section contains the following procedures:

  • To Change the Default Administrator Authentication Module from Flat File to Sun Java System Directory Server

  • To Change the Default Administrator Authentication Module from Flat File to Microsoft Active Directory


Note –

Make sure the super user (by default, amadmin) has read, write and search permission to the ou=services branch of the directory information tree (DIT).


Procedure: To Change the Default Administrator Authentication Module from Flat File to Sun Java System Directory Server

  1. Use the following template, modifying ROOT SUFFIX to reflect the root suffix of the organization.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!--
        Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
        Use is subject to license terms.
    -->
    
    <!DOCTYPE Requests
        PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
        "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
    
    <!--  CREATE REQUESTS -->
    
    <Requests>
    <OrganizationRequests DN="ROOT SUFFIX">
       <ModifyServiceTemplate serviceName="iPlanetAMAuthService"
        schemaType="Organization">
         <AttributeValuePair>
           <Attribute name="iplanet-am-auth-admin-auth-module" />
             <Value>&lt;AttributeValuePair&gt;&lt;Value&gt;com.sun.identity.authentication.modules.ldap.LDAP REQUIRED&lt;/Value&gt;&lt;/AttributeValuePair&gt;</Value>
         </AttributeValuePair>
       </ModifyServiceTemplate>
    </OrganizationRequests>
    </Requests>
  2. Load the modified XML file using amadmin, in the format FederationManager-base/fm/bin/amadmin -u amadmin -w password -i war-staging-directory -t name-of-XML-file.

  3. Make the following changes in the AMConfig.properties file.

    AMConfig.properties is located in /FederationManager-base/web-src/WEB-INF/. Multiple entries are pipe-separated.

    1. Add the distinguished name (DN) of the administrator to the com.sun.identity.authentication.special.users property.

    2. (Optional) Change the DN of the administrator in the com.sun.identity.authentication.super.user property.

      This step is included if you want to use an administrator who already exists in your directory and not the default Federation Manager administrator amadmin. To use the default amadmin, create the user in Directory Server and make sure the user is given read, write and search permissions to the ou=services branch of the directory information tree (DIT).

    3. Change the value of the admin.auth.classname property to com.sun.identity.authentication.internal.server.LocalLdapAuthModule.

  4. In the serverconfig.xml file, change the value of the server group internalauthentication property to reflect the administrator DN, password and correct base DN.

    serverconfig.xml is located in /FederationManager-base/web-src/WEB-INF/.

  5. Regenerate and redeploy the WAR.

  6. Restart the web container, if applicable.

Procedure: To Change the Default Administrator Authentication Module from Flat File to Microsoft Active Directory

  1. Use ldapsearch in the following format to find values in Active Directory that begin with iplanet-am-auth-admin-auth-module.


    /usr/bin/ldapsearch \
      -b "OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX" \
      -D admin-dn -w admin-password \
      -s base -h AD-host -p AD-port \
      "(objectclass=*)" sunkeyvalue

    The search result would look like this (the module class name and the control flag are separated by a space):

    sunkeyvalue=iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>

    Save the search result as it will be used in the following step as the value for the Delete entry.

  2. Save the following text as a Lightweight Directory Interchange Format (LDIF) file. Lines that begin with a single space continue the previous line.

    dn: OU=default,OU=OrganizationConfig,OU=1.0,
     OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
    changetype: modify
    delete: sunkeyvalue
    sunkeyvalue: iplanet-am-auth-admin-auth-module=<AttributeValuePair>
     <Value>com.sun.identity.authentication.modules.
     flatfile.FlatFile REQUIRED</Value>
     </AttributeValuePair>
    
    dn: OU=default,OU=OrganizationConfig,OU=1.0,
     OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
    changetype: modify
    add: sunkeyvalue
    sunkeyvalue: iplanet-am-auth-admin-auth-module=<AttributeValuePair>
     <Value>com.sun.identity.authentication.modules.
     ldap.LDAP REQUIRED</Value></AttributeValuePair>
  3. Type the found values from the previous step into the Delete section of the saved LDIF file.

  4. Type the new values into the Add section of the saved LDIF file.

  5. Run ldapmodify using the LDIF file as input.

    /usr/bin/ldapmodify -h AD-host -p AD-port -D admin-dn -w admin-password -f name-of-LDIF-file

  6. Make the following changes in the AMConfig.properties file.

    AMConfig.properties is located in /FederationManager-base/web-src/WEB-INF/. Multiple entries are pipe-separated.

    1. Add the distinguished name (DN) of the administrator to the com.sun.identity.authentication.special.users property.

    2. (Optional) Change the DN of the administrator in the com.sun.identity.authentication.super.user property.

      This step is included if you want to use an administrator who already exists in your directory and not the default Federation Manager administrator amadmin. To use the default amadmin, create the user in Directory Server and make sure the user is given read, write and search permissions to the ou=services branch of the directory information tree (DIT).

    3. Change the value of the admin.auth.classname property to com.sun.identity.authentication.internal.server.LocalLdapAuthModule.

  7. In the serverconfig.xml file, change the value of the server group internalauthentication property to reflect the administrator DN, password and correct base DN.

    serverconfig.xml is located in /FederationManager-base/web-src/WEB-INF/.

  8. Regenerate and redeploy the WAR.

  9. Restart the web container, if applicable.
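Step 6 above, and step 3 of the Directory Server procedure earlier in this section, describe three edits to AMConfig.properties: appending the administrator DN to the pipe-separated com.sun.identity.authentication.special.users value, optionally replacing com.sun.identity.authentication.super.user, and setting admin.auth.classname. The following Python script is an added example, not part of Sun's product, that applies those edits idempotently so that running it twice, or running it on a file that already lists the administrator, does not duplicate the entry; every other line is written back unchanged. It assumes simple key=value lines without backslash continuations or Unicode escapes, and the properties excerpt it operates on is constructed sample data, not a real AMConfig.properties.

```python
"""Apply the administrator-authentication property changes to an AMConfig.properties text.

Added example, not Sun's code. Handles plain key=value lines only (no continuations).
"""
import re

SPECIAL_USERS = "com.sun.identity.authentication.special.users"
SUPER_USER = "com.sun.identity.authentication.super.user"
ADMIN_AUTH_CLASS = "admin.auth.classname"
LOCAL_LDAP_MODULE = "com.sun.identity.authentication.internal.server.LocalLdapAuthModule"

# Constructed excerpt for this example; the naming URL and DNs are sample values and
# the admin.auth.classname value is a placeholder for whatever the deployment names there.
SAMPLE_PROPERTIES = """\
# constructed excerpt, not a real AMConfig.properties
com.iplanet.am.naming.url=http://fm.example.com:8080/federation/namingservice
com.sun.identity.authentication.special.users=cn=dsameuser,ou=DSAME Users,dc=example,dc=com
com.sun.identity.authentication.super.user=uid=amadmin,ou=People,dc=example,dc=com
admin.auth.classname=PLACEHOLDER_CURRENT_ADMIN_AUTH_MODULE
"""

# key=value or key: value; the key is everything before the first separator.
_PROPERTY_RE = re.compile(r"^([^=:]+?)\s*[=:]\s*(.*)$")


def parse_line(line):
    """Return (key, value) for a property line, or None for blank, comment or malformed lines."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return None
    match = _PROPERTY_RE.match(stripped)
    return (match.group(1), match.group(2)) if match else None


def get_property(text, key):
    """Return the value of `key` in the properties text, or None when it is absent."""
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == key:
            return parsed[1]
    return None


def update_admin_auth(text, admin_dn, super_user=None):
    """Return the properties text with the three administrator-authentication changes applied."""
    seen = set()
    out = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            out.append(line)            # comments, blank and unrecognised lines pass through
            continue
        key, value = parsed
        if key == SPECIAL_USERS:
            users = [u for u in value.split("|") if u]
            # DNs compare case-insensitively; a full RFC 4514 normalisation is not attempted.
            if admin_dn.casefold() not in {u.casefold() for u in users}:
                users.append(admin_dn)
            line = f"{key}={'|'.join(users)}"
        elif key == SUPER_USER and super_user is not None:
            line = f"{key}={super_user}"
        elif key == ADMIN_AUTH_CLASS:
            line = f"{key}={LOCAL_LDAP_MODULE}"
        seen.add(key)
        out.append(line)
    # Properties the file did not contain are appended rather than silently skipped.
    if SPECIAL_USERS not in seen:
        out.append(f"{SPECIAL_USERS}={admin_dn}")
    if super_user is not None and SUPER_USER not in seen:
        out.append(f"{SUPER_USER}={super_user}")
    if ADMIN_AUTH_CLASS not in seen:
        out.append(f"{ADMIN_AUTH_CLASS}={LOCAL_LDAP_MODULE}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(update_admin_auth(SAMPLE_PROPERTIES, "uid=amadmin,ou=People,dc=example,dc=com"))
```

Because the function returns the new text rather than writing it, the result can be diffed against the original before it replaces /FederationManager-base/web-src/WEB-INF/AMConfig.properties and the WAR is regenerated.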