iPlanet Portal Server: Mobile Access Pack Administration Guide
Chapter 3 Configuring Authentication
The iPlanet Portal Server: Mobile Access Pack authentication service verifies the user's identity. A specific authentication module controls the authentication process. This chapter describes the authentication service and explains the following administrative tasks for setting up and maintaining authentication:
Enabling Client Detection
Adding an Authentication Module
Configuring NoPassword Authentication
Understanding the Authentication Service
The Mobile Access Pack authentication service:
Invokes a client detection module, which identifies the client type of the user's mobile device
Saves the client type information in the Portal Server session
Determines the appropriate authentication module to invoke for that client type
The authentication service uses the client type information stored in the session to generate the appropriate content for the user's mobile device.
Depending upon the client type, the end user sees a login page with:
A menu of authentication modules available for the client type of the user's mobile device
Enabling Client Detection
The Mobile Access Pack client detection module determines the client type and makes it accessible to other Portal Server software. To set up client detection, complete the following steps:
As root, log in to the Administration Console and select the Manage Platform Settings link from the left frame to display the Portal Server Platform Settings page.
Select the Authentication link to display the component profile page.
Select Show Advanced Options to display the component attributes.
Select the Client Detection Enabled check box.
Tip By default, this attribute is enabled so that the authentication service can attempt to detect client type values for mobile devices.
In the Client Detector Class text field, specify the client detector class.
Select Submit and then Continue.
Adding an Authentication Module
The Mobile Access Pack software is configured to support LDAP authentication. You can add other authentication modules, such as RADIUS and UNIX, that Portal Server supports. The authentication service identifies which authentication modules are configured for the client type of the user's mobile device, and it presents to the user a menu of those authentication modules.
Note If you support only one authentication module, the menu is bypassed. The user is sent directly to the authentication page.
To permit the use of an authentication module with a particular device, complete the following steps:
As root, log in to the Administration Console and select the Manage Platform Settings link from the left frame to display the Portal Server Platform Settings page.
Select the Authentication link to display the component profile page.
From the Supported Auth Modules for Clients list, select the client you want to add an authentication module to.
- The selected entry appears in the Supported Auth Modules for Clients text field.
In the Supported Auth Modules for Clients text field, add the authentication module to the desired entry.
Tip To add NoPassword to a WML client, for example, complete these steps:
Select Add to include the modified entry in the Supported Auth Modules for Clients list.
Select Delete to remove the original version of the method from the Supported Auth Modules for Clients list.
Scroll to the bottom of the page and select Submit and then Continue.
Restart Portal Server by entering the following command in a terminal window:
- /opt/SUNWips/bin/ipsserver start
Create a template file to display the appropriate menu to the mobile device.
Note See Chapter 2, "Authentication Template Files," in the iPlanet Portal Server: Mobile Access Pack Programmer's Guide for information.
Configuring NoPassword Authentication
If your site specifications require it, you can allow the user to log in without being prompted for userID and password.
Note If you bypass authentication, the login page is not displayed. The user is sent directly to the home page.
To allow users to establish a Portal Server session without supplying a userID and password, complete the following steps:
As root, log in to the Administration Console and select the Manage Domains link from the left frame.
Select the link for your server's domain name.
Select the Authentication link to display the domain profile.
From the authentication menu, select the NoPassword option.
Scroll to the bottom of the page and select Submit and then Continue.
NoPassword authentication is most useful in conjunction with non-interactive authentication. Use this URL to make the authentication service non-interactive:
http://server:port/login/NoPassword?domain=/domain&page=1&TOKEN0=userid
Tip Replace server with the name of your Mobile Access Pack server, port with this server's port number, domain with the name of the user's domain, and userid with the user's user ID.
Configuring Authentication Pages
You can deliver a login page that is specific to each mobile device you have configured for the user. The WirelessLoginWorker class uses properties files and template files to produce login pages.
Tip For information about these files, see Chapter 2, "Authentication Template Files" in the iPlanet Portal Server: Mobile Access Pack Programmer's Guide.
To set up an authentication page for a client, complete the following steps:
From the left frame, select Manage Platform Settings link to display the Portal Server platform settings.
Select Authentication to display the authentication profile.
Select the Show Advanced Options button to display the attributes for configuring authentication.
In the Pluggable Authentication page generator classes for clients text field, specify the client type and the pluggable authentication page generator class to use for it.
Configuring Single Sign-on
By default, the Mobile Access Pack software allows you to set up single sign-on for these providers: Mail, Address Book, and Calendar.
To access backend services, these applications access the Portal Server profile service for required credentials. To accomplish backend authentication, the Portal Server profile service uses information such as passwords and server names, which you provide when you set up single sign-on for these applications.
The user must provide a user ID and a password for these applications.
Single sign-on is most useful in conjunction with an external LDAP server. The following Mail Provider attributes can be mapped in a Mobile Access Pack installation:
These Address Book Provider attributes can be mapped in a Mobile Access Pack installation:
These Calendar Provider attributes can be mapped in a Mobile Access Pack installation:
iwtCalendar-calendarServerName
iwtCalendar-calendarUserPassword
Tip See the iPlanet Portal Server 3.0 Release Notes for information about external LDAP server configuration.
Setting Up Single Sign-on for Mail
To set up single sign-on for mail, complete the following steps:
As root, log in to the Administration Console and select Manage Domains from the left frame.
Select the link for your server's domain.
Select the icon next to the Applications heading to display the applications list.
Select the Desktop link to display the domain attributes.
From the Available Channels list, select iwtMailProvider.
Select Edit Channel to display the mail provider attribute values.
Select Show Advanced Options to display additional attributes.
In the Client URL text field, type in the URL of the mail server.
Select Add to include the URL in the Client URL list.
In the Client Port text field, type in the port number of the mail server.
Tip This field is optional if you specify a URL in the Client URL text field.
Select Submit and then select Continue.
Select the Manage Domains link from the left frame.
Select the link for your server's domain.
Under the Profiles heading, select the User link to display the user's profile.
In the IMAP Server text field, type in the name of the user's IMAP server.
In the SMTP Server text field, type in the name of the user's SMTP server.
Select Submit and then Continue.
Instruct the user to specify a user name and password for the mail server in the Edit Mail page from the desktop's Mail channel.
Setting Up Single Sign-on for the Address Book
To set up single sign-on for the address book, complete the following steps:
As root, log in to the Administration Console and select Manage Domains from the left frame.
Select the link for your server's domain.
Select the icon next to the Applications heading to display the Applications list.
Select the Desktop link to display the profile for the desktop with all the attributes.
From the Available Channels list, select the iwtAddressBookProvider.
Select Edit Channel to display the address book provider attributes.
In the IMAP ServerName To Authenticate Against text field, specify the name of the IMAP server that is to be used to authenticate the user.
In the Address Book LDAP Server text field, specify the name of the address book's LDAP server.
In the Address Book LDAP Server Port text field, specify the port number of the address book's LDAP server.
In the Client URL text field, type in the URL of the address book server.
Select Add to include the URL in the Client URL list.
In the Address Book Admin User DN field, specify the address book administrator's name.
- This user name is used to bind to the server.
Select Add.
In the Address Book Admin User Password text field, specify the address book administrator's password.
- This password is used to bind to the server.
Select Submit and then select Continue.
Instruct the user to specify one of the following:
An IMAP user name and password for the address book in the Edit Address Book page from the desktop's address book channel, if the address book is set up to share the server with the mail server.
An address book user name and password for the address book in the Edit Address Book page from the desktop's address book channel, if the address book is set up as a separate server.
Setting Up Single Sign-on for the Calendar
To set up single sign-on for the calendar:
As root, log in to the Administration Console and select Manage Domains from the left frame.
Select the link for your server's domain.
Select the icon next to the Applications heading to display the Applications list.
Select the Desktop link to display the desktop attributes.
From the Available Channels list, select the iwtCalendarProvider.
Select the Edit Channel button to display the calendar provider attributes.
In the Calendar Server Name text field, specify the name of the calendar server.
In the Calendar Server Port text field, specify the port number of the calendar server.
Select Show Advanced Options to display additional attributes.
Select Submit and then select Continue.
Instruct the user to specify a user name and password for the calendar server in the Edit Calendar page from the desktop's calendar channel.
Disabling an Authentication Module
You can remove an authentication module for a mobile device by disabling it. To disable an authentication module, complete the following steps:
As root, log in to the Administration Console and select the Manage Platforms link from the left frame.
Select the Authentication link to display the component profile page.
Select Show Advanced Options to display the component attributes.
From the Authentication Modules list, select the client type you want to change.
Remove the authentication method from the definition.
Tip For example, to disable NoPassword authentication in this definition:
nokia_7110|Ldap;NoPassword;Radius
Select Add to include the revised definition in the Authentication Modules list.
From the Authentication Modules list, select the original item.
Select Delete to remove it from the Authentication Modules list.
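The procedures in "Adding an Authentication Module" and "Disabling an Authentication Module" both edit one client-type entry, then Add the revised entry and Delete the original. The following is an added example, not code from the iPlanet documentation or product: it assumes every entry in the Supported Auth Modules for Clients list has the shape shown in the tip above (client type, a vertical bar, then module names separated by semicolons) and applies that Add/Delete edit to a list of entries. The sample entries, client type names other than nokia_7110, and function names are constructed for the example. It also includes a small audit helper that reports which client types currently accept a given module, which is the question an administrator reviewing NoPassword exposure would want answered before and after the change.

```python
"""Edit and audit "Supported Auth Modules for Clients" entries.

Added example; not part of the iPlanet Portal Server documentation or code.
Assumed entry format, generalised from the guide's one example:
    <client type>|<Module>;<Module>;...
    e.g. nokia_7110|Ldap;NoPassword;Radius
"""
from typing import List, Tuple


def parse_entry(entry: str) -> Tuple[str, List[str]]:
    """Split an entry into (client type, list of module names)."""
    client, sep, modules = entry.partition("|")
    if not sep or not client.strip():
        raise ValueError(f"malformed entry: {entry!r}")
    mods = [m.strip() for m in modules.split(";") if m.strip()]
    return client.strip(), mods


def format_entry(client: str, modules: List[str]) -> str:
    """Rebuild an entry in the assumed on-page format."""
    return f"{client}|{';'.join(modules)}"


def add_module(entry: str, module: str) -> str:
    """Return the entry with `module` appended (no duplicates)."""
    client, mods = parse_entry(entry)
    if module not in mods:
        mods.append(module)
    return format_entry(client, mods)


def remove_module(entry: str, module: str) -> str:
    """Return the entry with `module` removed.

    Refuses to leave a client type with no module at all, since that
    client would then have no way to authenticate.
    """
    client, mods = parse_entry(entry)
    remaining = [m for m in mods if m != module]
    if not remaining:
        raise ValueError(f"{client}: removing {module} would leave no module")
    return format_entry(client, remaining)


def replace_entry(entries: List[str], revised: str) -> List[str]:
    """Mirror the console's Add-then-Delete: the revised entry replaces the
    original entry for the same client type; a new client type is appended."""
    client, _ = parse_entry(revised)
    out = [e for e in entries if parse_entry(e)[0] != client]
    # keep the revised entry in the original's position when one existed
    for i, e in enumerate(entries):
        if parse_entry(e)[0] == client:
            out.insert(i, revised)
            return out
    out.append(revised)
    return out


def clients_allowing(entries: List[str], module: str) -> List[str]:
    """Audit helper: client types whose entry lists `module`."""
    return [parse_entry(e)[0] for e in entries if module in parse_entry(e)[1]]


# Constructed sample list. Only the nokia_7110 entry appears in the guide;
# "wml" is a made-up client type name for the WML client mentioned in the tip.
SAMPLE_ENTRIES = [
    "nokia_7110|Ldap;NoPassword;Radius",
    "wml|Ldap",
]

if __name__ == "__main__":
    print("before:", clients_allowing(SAMPLE_ENTRIES, "NoPassword"))
    revised = replace_entry(
        SAMPLE_ENTRIES, remove_module(SAMPLE_ENTRIES[0], "NoPassword"))
    revised = replace_entry(revised, add_module("wml|Ldap", "NoPassword"))
    for e in revised:
        print(e)
    print("after:", clients_allowing(revised, "NoPassword"))
```

Run the edit against an export of your own list before retyping entries in the console; the audit helper makes it easy to confirm that NoPassword ended up on exactly the client types your site specifications call for.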
Copyright © 2001 Sun Microsystems, Inc. All rights reserved.
Last Updated November 20, 2001