iPlanet Portal Server: Mobile Access Pack Administration Guide



Chapter 3   Configuring Authentication


The iPlanet Portal Server: Mobile Access Pack authentication service verifies the user's identity. A specific authentication module controls the authentication process.

This chapter describes the authentication service and explains the following administrative tasks for setting up and maintaining authentication:

  • Enabling Client Detection

  • Adding an Authentication Module

  • Configuring NoPassword Authentication

  • Configuring Authentication Pages

  • Configuring Single Sign-on

  • Disabling an Authentication Module



Understanding the Authentication Service

The Mobile Access Pack authentication service:

  • Invokes a client detection module, which identifies the client type of the user's mobile device

  • Saves the client type information in the Portal Server session

  • Determines the appropriate authentication module to invoke for that client type

The authentication service uses the client type information stored in the session to generate the appropriate content for the user's mobile device.

Depending upon the client type, the end user sees a login page with:

  • A menu of authentication modules available for the client type of the user's mobile device

  • A specific login module



Enabling Client Detection

The Mobile Access Pack client detection module determines the client type and makes it accessible to other Portal Server software.

To set up client detection, complete the following steps:

  1. As root, log in to the Administration Console and select the Manage Platform Settings link from the left frame to display the Portal Server Platform Settings page.

  2. Select the Authentication link to display the component profile page.

  3. Select Show Advanced Options to display the component attributes.

  4. Select the Client Detection Enabled check box.



    Tip

    By default, this attribute is enabled so that the authentication service can attempt to detect client type values for mobile devices.



  5. In the Client Detector Class text field, specify the client detector class.

  6. Select Submit and then Continue.



    Note

    For more information about the client detection module, see the "Client Detection Module Attributes" section in Chapter 8, "Attributes and Schemas," of the iPlanet Portal Server: Mobile Access Pack Programmer's Guide.





Adding an Authentication Module

The Mobile Access Pack software is configured to support LDAP authentication. You can add other authentication modules, such as RADIUS and UNIX, that Portal Server supports.

The authentication service identifies which authentication modules are configured for the client type of the user's mobile device, and it presents to the user a menu of those authentication modules.



Note

If you support only one authentication module, the menu is bypassed. The user is sent directly to the authentication page.



To permit the use of an authentication module with a particular device, complete the following steps:

  1. As root, log in to the Administration Console and select the Manage Platform Settings link from the left frame to display the Portal Server Platform Settings page.

  2. Select the Authentication link to display the component profile page.

  3. Select Show Advanced Options.

  4. From the Supported Auth Modules for Clients list, select the client you want to add an authentication module to.

    The selected entry appears in the Supported Auth Modules for Clients text field.

  5. In the Supported Auth Modules for Clients text field, add the authentication module to the desired entry.



    Tip

    To add NoPassword to a WML client, for example, complete these steps:

    1. From the Supported Auth Modules for Clients list, select the entry that begins with WML|.

    2. Add NoPassword to the authentication methods listed.

    For example:

    WML|Ldap;NoPassword



  6. Select Add to include the modified entry in the Supported Auth Modules for Clients list.

  7. Select Delete to remove the original version of the method from the Supported Auth Modules for Clients list.

  8. Scroll to the bottom of the page and select Submit and then Continue.

  9. Restart Portal Server by entering the following command in a terminal window:

    /opt/SUNWips/bin/ipsserver start

  10. Create a template file to display the appropriate menu to the mobile device.



    Note

    See Chapter 2, "Authentication Template Files," in the iPlanet Portal Server: Mobile Access Pack Programmer's Guide for information.





Configuring NoPassword Authentication

If your site specifications require it, you can allow the user to log in without being prompted for userID and password.



Note

If you bypass authentication, the login page is not displayed. The user is sent directly to the home page.



To allow users to establish a Portal Server session without supplying a userID and password, complete the following steps:

  1. As root, log in to the Administration Console and select the Manage Domains link from the left frame.

  2. Select the link for your server's domain name.

  3. Select the Authentication link to display the domain profile.

  4. From the authentication menu, select the NoPassword option.

  5. Scroll to the bottom of the page and select Submit and then Continue.

NoPassword authentication is most useful in conjunction with non-interactive authentication. Use this URL to make the authentication service non-interactive:

http://server:port/login/NoPassword?domain=/domain&page=1&TOKEN0=userid



Tip

Replace server with the name of your Mobile Access Pack server, port with this server's port number, domain with the name of the user's domain, and userid with the user's user ID.





Configuring Authentication Pages



You can deliver a login page that is specific to each mobile device you have configured for the user. The WirelessLoginWorker class uses properties files and template files to produce login pages.



Tip

For information about these files, see Chapter 2, "Authentication Template Files" in the iPlanet Portal Server: Mobile Access Pack Programmer's Guide.



To set up an authentication page for a client, complete the following steps:

  1. From the left frame, select the Manage Platform Settings link to display the Portal Server platform settings.

  2. Select Authentication to display the authentication profile.

  3. Select the Show Advanced Options button to display the attributes for configuring authentication.

  4. In the Pluggable Authentication page generator classes for clients text field, specify the pluggable authentication page generator class.

  5. In the Pluggable Authentication page generator classes for clients text field, specify the client type and the class.

  6. Select Add.

  7. Select Submit and Continue.



Configuring Single Sign-on

By default, the Mobile Access Pack software allows you to set up single sign-on for these providers:

  • Mail

  • Calendar

  • Address book

To reach backend services, these applications query the Portal Server profile service for the required credentials. For backend authentication, the profile service uses information such as passwords and server names, which you provide when you set up single sign-on for these applications.

The user must provide a user ID and a password for these applications.

Single sign-on is most useful in conjunction with an external LDAP server. The following Mail Provider attributes can be mapped in a Mobile Access Pack installation:

  • iwtMailProvider-IMAPServerName

  • iwtMailProvider-IMAPPassword

  • iwtMailProvider-IMAPUserId

These Address Book Provider attributes can be mapped in a Mobile Access Pack installation:

  • iwtAddressBookProvider-IMAPServerName

  • iwtAddressBookProvider-IMAPUserId

  • iwtAddressBookProvider-IMAPPassword

These Calendar Provider attributes can be mapped in a Mobile Access Pack installation:

  • iwtCalendar-calendarServerName

  • iwtCalendar-calendarUserName

  • iwtCalendar-calendarUserPassword



    Tip

    See the iPlanet Portal Server 3.0 Release Notes for information about external LDAP server configuration.




Setting Up Single Sign-on for Mail

To set up single sign-on for mail, complete the following steps:

  1. As root, log in to the Administration Console and select Manage Domains from the left frame.

  2. Select the link for your server's domain.

  3. Select the icon next to the Applications heading to display the applications list.

  4. Select the Desktop link to display the domain attributes.

  5. From the Available Channels list, select iwtMailProvider.

  6. Select Edit Channel to display the mail provider attribute values.

  7. Select Show Advanced Options to display additional attributes.

  8. In the Client URL text field, type in the URL of the mail server.



    Tip

    This field is optional. If you do not specify a client URL, Mobile Access Pack creates one from the IMAP Server name and Client Port number that you provide.

    To specify the URL, use this format:

    genericHTML|server:port

    Replace server with the complete URL of your mail server and port with the port number of your mail server.

    For example:

    genericHTML|http://siroe.iplanet.com:80

    Include all of the parameters in the URL.



  9. Select Add to include the URL in the Client URL list.

  10. In the Client Port text field, type in the port number of the mail server.



    Tip

    This field is optional if you specify a URL in the Client URL text field.



  11. Select Submit and then select Continue.

  12. Select the Manage Domains link from the left frame.

  13. Select the link for your server's domain.

  14. Under the Profiles heading, select the User link to display the user's profile.

  15. In the IMAP Server text field, type in the name of the user's IMAP server.

  16. In the SMTP Server text field, type in the name of the user's SMTP server.

  17. Select Submit and then Continue.

  18. Instruct the user to specify a user name and password for the mail server in the Edit Mail page from the desktop's Mail channel.


Setting Up Single Sign-on for the Address Book

To set up single sign-on for the address book, complete the following steps:

  1. As root, log in to the Administration Console and select Manage Domains from the left frame.

  2. Select the link for your server's domain.

  3. Select the icon next to the Applications heading to display the Applications list.

  4. Select the Desktop link to display the profile for the desktop with all the attributes.

  5. From the Available Channels list, select the iwtAddressBookProvider.

  6. Select Edit Channel to display the address book provider attributes.

  7. In the IMAP ServerName To Authenticate Against text field, specify the name of the IMAP server that is to be used to authenticate the user.

  8. In the Address Book LDAP Server text field, specify the name of the address book's LDAP server.

  9. In the Address Book LDAP Server Port text field, specify the port number of the address book's LDAP server.

  10. In the Client URL text field, type in the URL of the address book server.



    Tip

    This field is optional. If you do not specify a client URL, Mobile Access Pack creates one from the IMAP Server Name To Authenticate Against that you specify and from the mail channel's Client Port attribute.

    To specify the URL, use this format:

    genericHTML|server:port

    Replace server with the complete URL of your address book server and port with the port number of your address book server.

    For example:

    genericHTML|http://siroe.iplanet.com:80

    Include all of the parameters in the URL.



  11. Select Add to include the URL in the Client URL list.

  12. In the Address Book Admin User DN field, specify the address book administrator's name.

    This user name is used to bind to the server.

  13. In the Address Book Admin User Password text field, specify the address book administrator's password.

    This password is used to bind to the server.

  14. Select Add.

  15. Select Submit and then select Continue.

  16. Instruct the user to specify one of the following:

    1. An IMAP user name and password for the address book in the Edit Address Book page from the desktop's address book channel, if the address book is set up to share the server with the mail server.

    2. An address book user name and password for the address book in the Edit Address Book page from the desktop's address book channel, if the address book is set up as a separate server.


Setting Up Single Sign-on for the Calendar

To set up single sign-on for the calendar:

  1. As root, log in to the Administration Console and select Manage Domains from the left frame.

  2. Select the link for your server's domain.

  3. Select the icon next to the Applications heading to display the Applications list.

  4. Select the Desktop link to display the desktop attributes.

  5. From the Available Channels list, select the iwtCalendarProvider.

  6. Select the Edit Channel button to display the calendar provider attributes.

  7. In the Calendar Server Name text field, specify the name of the calendar server.

  8. In the Calendar Server Port text field, specify the port number of the calendar server.

  9. Select Show Advanced Options to display additional attributes.

  10. Select Submit and then select Continue.

  11. Instruct the user to specify a user name and password for the calendar server in the Edit Calendar page from the desktop's calendar channel.



Disabling an Authentication Module

You can remove an authentication module for a mobile device by disabling it.

To disable an authentication module, complete the following steps:

  1. As root, log in to the Administration Console and select the Manage Platform Settings link from the left frame.

  2. Select the Authentication link to display the component profile page.

  3. Select Show Advanced Options to display the component attributes.

  4. From the Authentication Modules list, select the client type you want to change.

  5. Remove the authentication method from the definition.



    Tip

    For example, to disable NoPassword authentication in this definition:

    nokia_7110|Ldap;NoPassword;Radius

    Revise the definition by removing NoPassword:

    nokia_7110|Ldap;Radius



  6. Select Add to include the revised definition in the Authentication Modules list.

  7. From the Authentication Modules list, select the original item.

  8. Select Delete to remove it from the Authentication Modules list.

  9. Select Submit and then select Continue.
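The clientType|Module;Module entries that "Adding an Authentication Module" and "Disabling an Authentication Module" have you edit by hand (adding NoPassword to a WML entry, removing it from a nokia_7110 entry) are easy to mistype in a text field. The following Python script is an added example and is not part of this guide or of the Portal Server product. It parses a constructed list of such entries, produces the revised entry string for an add or a remove, refuses to leave a client type with no authentication module, and lists which client types currently allow NoPassword so an administrator can review them before selecting Submit. The entry format is the one shown in this chapter; the function names and the sample entries are assumptions of this example.

```python
from typing import Dict, List

# Constructed sample of "Supported Auth Modules for Clients" entries, in the
# clientType|Module;Module form used in this chapter (not a real configuration).
SAMPLE_ENTRIES = [
    "WML|Ldap",
    "nokia_7110|Ldap;NoPassword;Radius",
    "genericHTML|Ldap;Radius",
]


def parse_entries(entries: List[str]) -> Dict[str, List[str]]:
    """Turn the list of clientType|Module;Module lines into a mapping.

    Each client type may appear only once, and every entry must name at
    least one module; malformed lines raise ValueError instead of being
    silently ignored, which is the behaviour you want before pasting a
    revised entry back into the console.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in entries:
        line = raw.strip()
        if not line:
            continue
        if "|" not in line:
            raise ValueError(f"missing '|' separator: {line!r}")
        client, modules = line.split("|", 1)
        client = client.strip()
        mods = [m.strip() for m in modules.split(";") if m.strip()]
        if not client or not mods:
            raise ValueError(f"empty client type or module list: {line!r}")
        if client in mapping:
            raise ValueError(f"duplicate entry for client type {client!r}")
        mapping[client] = mods
    return mapping


def format_entry(client: str, modules: List[str]) -> str:
    """Render one entry exactly as it is typed into the console text field."""
    return f"{client}|{';'.join(modules)}"


def add_module(mapping: Dict[str, List[str]], client: str, module: str) -> str:
    """Append a module to a client type's entry and return the revised line."""
    mods = mapping.get(client)
    if mods is None:
        raise KeyError(f"no entry for client type {client!r}")
    if module not in mods:          # adding twice would produce Ldap;X;X
        mods.append(module)
    return format_entry(client, mods)


def remove_module(mapping: Dict[str, List[str]], client: str, module: str) -> str:
    """Drop a module from a client type's entry and return the revised line."""
    mods = mapping.get(client)
    if mods is None:
        raise KeyError(f"no entry for client type {client!r}")
    remaining = [m for m in mods if m != module]
    if not remaining:
        # A client type with no module could not authenticate at all.
        raise ValueError(f"{client!r} would be left with no authentication module")
    mapping[client] = remaining
    return format_entry(client, remaining)


def clients_allowing(mapping: Dict[str, List[str]], module: str = "NoPassword") -> List[str]:
    """List client types whose entry includes the given module.

    Useful as a review step: every client type returned for NoPassword can
    establish a session without a password prompt.
    """
    return sorted(c for c, mods in mapping.items() if module in mods)


if __name__ == "__main__":
    mapping = parse_entries(SAMPLE_ENTRIES)
    print("allow NoPassword:", clients_allowing(mapping))
    print("revised:", add_module(mapping, "WML", "NoPassword"))
    print("revised:", remove_module(mapping, "nokia_7110", "NoPassword"))
    print("allow NoPassword:", clients_allowing(mapping))
```

The revised line each function returns is the text to put in the Supported Auth Modules for Clients field before selecting Add and then deleting the original entry; running clients_allowing(mapping) after the edits shows the net effect on which devices bypass the password prompt.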


Copyright © 2001 Sun Microsystems, Inc. All rights reserved.

Last Updated November 20, 2001