Sun Java System Federation Manager 7.0 User's Guide

Default Authentication Services

Default services are configured during installation of Federation Manager. They include:

Access Control

Access Control properties define whether a particular user has read or write permission for the service configuration. The Access Control attributes are:

Users with Write Permission

Specifies a list of user IDs who have write permission on the service configuration. Write permission implies read permission. Typing * as a value means all users have write permission. amadmin has write permission, by default.

Users with Read Permission

Specifies a list of user IDs who have read permission on the service configuration. Typing * as a value means all users have read permission.

Core

This module is the general configuration base for the Federation Manager authentication services. It must be registered and configured to use any of the specific authentication module instances. It enables the administrator to define default values that will be picked up for the values that are not specifically set in the Federation Manager default authentication modules. The attributes are:

Pluggable Authentication Module Classes

Specifies the Java classes of the authentication modules available to the organization configured within the Federation Manager platform. You can write custom authentication modules by implementing the AMLoginModule SPI or the JAAS LoginModule SPI. To define new services, this field must take a text string specifying the full class name (including package name) of each new authentication service.

Supported Authentication Module for Clients

Specifies a list of supported authentication modules for a specific client. Use the format clientType | module1,module2,module3. This attribute is in effect when Client Detection is enabled.


Note –

This attribute is not currently supported.


LDAP Connection Pool Size

Specifies the minimum and maximum connection pool to be used on a specific LDAP server and port. This attribute is for LDAP and Membership authentication services only. Use the format host:port:min:max.


Note –

This connection pool is different from the SDK connection pool configured in serverconfig.xml.


Default LDAP Connection Pool Size

Sets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. If an entry for the host and port exists in the LDAP Connection Pool Size attribute, that entry takes precedence and the minimum and maximum settings from Default LDAP Connection Pool Size are not used.

Administrator Authentication Configuration

Defines the authentication service for administrators only. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The modules configured in this attribute are picked up when the Federation Manager console is accessed, for example, http://host:port/console_deploy_uri.

User Profile Dynamic Creation Default Roles

This field specifies the roles assigned to a new user whose profile is created when Dynamic Creation is selected through User Profile. There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user. The role specified must be under the organization for which authentication is being configured. It cannot be a filtered role. Also, if you wish to automatically assign specific services to a user, you have to configure a Required Services type attribute in the user's profile.


Note –

This attribute is not currently supported.


Enable Persistent Cookie Mode

This option determines whether users can restart the browser and still return to their authenticated session. Enabling Persistent Cookie Mode retains the user session across browser restarts: the session does not expire until its persistent cookie expires or the user explicitly logs out. The expiration time is specified in Persistent Cookie Maximum Time. By default, Persistent Cookie Mode is not enabled and the authentication service uses only memory cookies.


Note –

A persistent cookie must be explicitly requested by the client using the iPSPCookie=yes parameter in the login URL.


Persistent Cookie Maximum Time

Specifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The default value is 2147483 (time in seconds). The field will accept any integer value less than the default.

Alias Search Attribute Name

After successful authentication by a user, the user's profile is retrieved. This field specifies a second LDAP attribute to search on if a search on the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute is used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 while the user name is abc. There is no default value for this attribute. The field will take any valid LDAP attribute (for example, cn).


Note –

This attribute is not currently supported.


Default Authentication Locale

Specifies the default language subtype to be used by the authentication service. The default value is en_US. The following table contains a listing of the supported language locales.

Table 6–1 Supported Language Locales

Language Tag    Language Name
af              Afrikaans
be              Byelorussian
bg              Bulgarian
ca              Catalan
cs              Czechoslovakian
da              Danish
de              German
el              Greek
en              English
es              Spanish
eu              Basque
fi              Finnish
fo              Faroese
fr              French
ga              Irish
gl              Galician
hr              Croatian
hu              Hungarian
id              Indonesian
is              Icelandic
it              Italian
ja              Japanese
ko              Korean
nl              Dutch
no              Norwegian
pl              Polish
pt              Portuguese
ro              Romanian
ru              Russian
sk              Slovakian
sl              Slovenian
sq              Albanian
sr              Serbian
sv              Swedish
tr              Turkish
uk              Ukrainian
zh              Chinese

In order to use a different locale, all authentication templates for that locale must first be created. A new directory must then be created for these templates.

Organization Authentication Configuration

Sets the authentication module for the organization. The default authentication module is LDAP.

Enable Login Failure Lockout Mode

Specifies whether a user can attempt a second authentication if the first attempt failed. Selecting this attribute enables a lockout and the user will have only one chance at authentication. By default, the lockout feature is not enabled. This attribute works in conjunction with Lockout-related and notification attributes.

Login Failure Lockout Count

Defines the number of attempts that a user may try to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out.

Login Failure Lockout Interval

Defines (in minutes) the time between two failed login attempts. If a login fails and is followed by another failed login that occurs within the lockout interval, then the lockout count is incremented. Otherwise, the lockout count is reset.

Email Address to Send Lockout Notification

Specifies an email address that will receive notification if a user lockout occurs. To send email notification to multiple addresses, separate each email address with a space. For non-English locales, the format is email_address|locale|charset.

Warn User After N Failures

Specifies the number of authentication failures that can occur before a warning message is sent that the user will be locked out.

Login Failure Lockout Duration

Enables memory locking. By default, the lockout mechanism inactivates the User Profile (after a login failure) by setting the attribute defined in Lockout Attribute Name. If the value of Login Failure Lockout Duration is greater than 0, memory locking is used instead and the user account is locked for the number of minutes specified.

Lockout Attribute Name

Designates any LDAP attribute that is to be set for lockout. The value in Lockout Attribute Value must also be changed to enable lockout for this attribute name. By default, Lockout Attribute Name is empty. When Login Failure Lockout Duration is set to 0, the default implementation sets the LDAP attribute inetuserstatus to inactive when the user is locked out.

Lockout Attribute Value

This attribute specifies whether lockout is enabled or disabled for the attribute defined in Lockout Attribute Name. By default, the value is set to inactive for inetuserstatus.
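The lockout attributes above interact in a way that is easier to see in code. The following model is an added example, not Federation Manager's own implementation: it applies the count, interval, warning threshold and duration rules as described, with an in-memory dict standing in for the user's LDAP profile; the attribute defaults and the minute-based clock are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LockoutConfig:
    count: int = 5            # Login Failure Lockout Count
    interval_min: int = 5     # Login Failure Lockout Interval (minutes)
    warn_after: int = 3       # Warn User After N Failures
    duration_min: int = 0     # Login Failure Lockout Duration (0 = set the LDAP attribute)
    attr_name: str = "inetuserstatus"   # Lockout Attribute Name
    attr_value: str = "inactive"        # Lockout Attribute Value

@dataclass
class UserState:
    failures: int = 0
    last_failure: Optional[float] = None   # minutes, on the caller's clock
    locked_until: Optional[float] = None   # memory-lock expiry (Duration > 0)
    attrs: dict = field(default_factory=dict)   # stands in for the LDAP profile

def is_locked(user, cfg, now):
    """True while a memory lock is in force or the lockout attribute is set."""
    if user.locked_until is not None and now < user.locked_until:
        return True
    return user.attrs.get(cfg.attr_name) == cfg.attr_value

def record_failure(user, cfg, now):
    """Apply one failed login at time `now` (minutes); return the resulting event."""
    if is_locked(user, cfg, now):
        return "locked"
    # A failure within the interval of the previous failure increments the
    # count; otherwise the count restarts from this failure.
    if user.last_failure is not None and now - user.last_failure <= cfg.interval_min:
        user.failures += 1
    else:
        user.failures = 1
    user.last_failure = now
    if user.failures >= cfg.count:
        user.failures = 0
        if cfg.duration_min > 0:
            user.locked_until = now + cfg.duration_min   # memory locking
        else:
            user.attrs[cfg.attr_name] = cfg.attr_value   # persistent: profile inactivated
        return "lockout"   # the notification email would be sent here
    if user.failures >= cfg.warn_after:
        return "warn"
    return "failed"
```

Note that with a duration of 0 the lock survives in the profile until an administrator resets the attribute, whereas a positive duration expires on its own.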

Default Success URL

This field accepts a list of multiple values that specify the URL to which users are redirected after successful authentication. The format of this attribute is clientType|URL; if you specify only the URL, the client type defaults to HTML. The default value is /amserver/console.

Default Failure Login URL

This field accepts a list of multiple values that specify the URL to which users are redirected after an unsuccessful authentication. The format of this attribute is clientType|URL; if you specify only the URL, the client type defaults to HTML.

Authentication Post Processing Class

Specifies the name of the Java class used to customize post authentication processes for successful or unsuccessful logins. The Java class must implement the com.sun.identity.authentication.spi.AMPostAuthProcessInterface interface.


Note –

Additionally, you must add the path to the class in your web server's Java classpath attribute.


Enable Generate UserID Mode

This attribute is used by the Membership authentication module. If this attribute is enabled, the Membership module generates user IDs during the Self Registration process when the user ID requested by a user already exists. The user IDs are generated by the Java class specified in Pluggable User Name Generator Class.

Pluggable User Name Generator Class

Specifies the name of the Java class that is used to generate user IDs when Enable Generate UserID Mode is enabled.

Default Authentication Level

The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level.

The authentication level should be set within the organization's specific authentication template. The Default Authentication Level value described here applies only when no authentication level has been specified in the Authentication Level field for a specific organization's authentication template. The Default Authentication Level default value is 0. (The value in this attribute is not used by Federation Manager itself but by any external application that may choose to use it.)

Flat File

The Flat File authentication module enables authentication against a flat file. The default flat file repository stores user profile attributes as a properties file using the format attributename=attributevalue. The attributes are:


Caution –

The comma (,) is used as the delimiter for multiple values of the same attribute. When a comma is needed for another purpose, it must be encoded as %2C so that the flat file implementation does not interpret the value as two values.


Directory Location

Specifies the absolute path to the directory where all flat file users are located. The directory is used as a database of user IDs and passwords against which users can authenticate.
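The attributename=attributevalue format and the comma caution above can be exercised with a small reader and writer. This is an added example, not the product's flat file code: it splits on the comma delimiter before decoding %2C, so an encoded comma never produces a spurious extra value, and the comment and blank-line handling, and the sample profile, are assumptions constructed for illustration.

```python
def parse_profile(text):
    """Return {attribute: [values]} from a properties-style flat file profile."""
    profile = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue   # assumed: blank lines and '#' comments are ignored
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected attributename=attributevalue")
        name, value = line.split("=", 1)
        # Split on the delimiter first, then decode %2C back to a literal comma.
        values = [v.replace("%2C", ",").replace("%2c", ",") for v in value.split(",")]
        profile.setdefault(name.strip(), []).extend(v.strip() for v in values)
    return profile

def encode_value(value):
    """Escape a literal comma before writing a single value to the flat file."""
    return value.replace(",", "%2C")

def format_profile(profile):
    """Serialize {attribute: [values]} back into attributename=value1,value2 lines."""
    return "\n".join(
        f"{name}={','.join(encode_value(v) for v in values)}"
        for name, values in profile.items()
    )

# Constructed sample: a multi-valued mail attribute and a description that
# itself contains a comma, stored encoded as %2C.
SAMPLE = """\
uid=alice
cn=Alice Example
mail=alice@example.com,a.example@example.org
description=Contractor%2C Platform Team
"""

if __name__ == "__main__":
    print(parse_profile(SAMPLE))
```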

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.


SAML

The Security Assertion Markup Language (SAML) authentication module receives and validates SAML Assertions on a target server.

Authentication Level

The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.


Note –

If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.