Oracle® OpenSSO STS Administrator's Guide Release 11gR1. Version 11.1.1.3.0 Part Number E17844-01 |
When you first install the Oracle OpenSSO Security Token Service (OpenSSO STS) server, by default the server is configured to secure all communication between the web service client and the OpenSSO STS. No entity can access the Security Token Service or the server itself until you configure the OpenSSO STS system properties. OpenSSO STS system properties define user access criteria, and also specify the various security mechanisms and other processes OpenSSO STS uses. The following topics are contained in this chapter:
Whenever you install an OpenSSO STS server, you must edit the default server settings to suit your enterprise needs. When you install multiple servers, you must configure the servers to communicate with each other and to function as a single site or cluster.
On the Configuration tab, click the Servers and Sites Subtab.
Click the Default Server Settings.
On the Edit server-default page, the Advanced Properties section lists all properties and default values that apply to the default OpenSSO STS server.
To add a new property, click Add.
A new row is added to the bottom of the list. In the appropriate columns, type a Property Name and Property Value.
To delete a property from the Advanced Properties list, click to check the box corresponding to the property, and then click Delete.
Click Save.
Click "Back to Servers and Sites."
On the Configuration tab, click the Servers and Sites subtab.
Click New.
Configure the OpenSSO STS server. See Section 5.1.3, "To Configure an OpenSSO STS Server."
On the Configuration tab, click the Servers and Sites subtab.
The Servers list displays the Server Name and Site Name of
Click the name URL of the server you want to configure.
Click the General tab to configure centralized server management properties.
See Section 5.1.3.1, "To Configure OpenSSO STS Server General Properties."
Click the Security tab to configure encryption, validation, and cookie properties that control the level of security for the OpenSSO STS server.
See Section 5.1.3.2, "To Configure OpenSSO STS Server Security Properties."
Click the Session tab to configure OpenSSO STS server sessions.
See Section 5.1.3.3, "To Configure OpenSSO STS Server Session Properties."
Click the SDK tab to configure the back-end data store settings.
See Section 5.1.3.4, "To Configure OpenSSO STS Server SDK Properties."
Click the Directory Configuration tab to edit the embedded Directory Server settings.
See Section 5.1.3.5, "To Configure OpenSSO STS Server Directory Configuration Properties."
Click the Advanced tab to select and add values to server properties that are not present in the OpenSSO STS Console.
See Section 5.1.3.6, "To Configure OpenSSO STS Server Advanced Properties."
Click "Back to Servers and Sites."
On the Configuration tab, click the Servers and Sites tab.
In the Servers section, click the URL of the OpenSSO STS server you want to configure.
Click the General tab.
Provide values for Site, System, Debugging, and Mail Server properties.
The following table provides a listing and descriptions of the properties you can configure.
Table 5-1 OpenSSO STS Server General Properties
Property | Description |
---|---|
Site | |
Parent Site | Choose the load balancer Site Name (site ID) that maps to the OpenSSO STS server. The site must already exist before you can add the site. |
Base installation directory | Specify the base directory where product data resides. This information is specified in the property |
Default Locale | Specify the default language subtype that OpenSSO STS was installed with. The default is en_us and is specified in the property c |
Notification URL | Specify the location of the Notification service end point. This value is usually the product deployment and uses the form URI/notificationservice. This information is specified in the property c |
XML Validation | When enabled, this property is set to On, and validation is required when parsing XML documents. This information is set in the property |
Debug Level | Specify a debug level for all components in the product. Choose one of the following levels: Off - No debug information is recorded. Error - Used for production. During production, there should be no errors in the debug files. Warning - Enables Error and Warning debug messages to be written. Message - Enables detailed code tracing. Note: Warning and Message levels should not be used in production. They cause severe performance degradation and an abundance of debug messages. This value is set in the property |
Merge Debug Files | When enabled, this property is set to On, and all debug data is directed to a single file named debug.out. When disabled, this property is set to Off, and OpenSSO STS creates a separate debug file per component. This value is set in the property |
Debug Directory | Specify the directory where debug files reside. Use the form BASE_DIR/SERVER_URI/ This value is set in the property |
Mail Server Host Name | Specify the mail server host name to use for sending email notifications. Example: This value is set in the property |
Mail Server Port Number | Specify the mail server port number. The default is 25. This value is set in the property |
Click Save.
(Optional) Click Inheritance Settings.
The Inheritance Settings section lists server properties containing default values. A checked box indicates a property that can inherit default server properties. Checked properties will be overwritten for each server instance.
To select a property to be overwritten with default values, click its corresponding box until a check appears in the box.
To deselect a property and retain any custom configuration, click the property's corresponding box until the box contains no check mark.
(Optional) Click Export Configuration.
The OpenSSO STS console displays your settings so that you can inspect the settings for accuracy.
Click Save.
Click "Back to Server Profile."
Click "Back to Servers and Sites."
On the Configuration tab, click the Servers and Sites tab.
In the Servers section, click the URL of the OpenSSO STS server you want to configure.
Click the Security tab.
Provide values for Encryption, Validation, Cookie, Key Store, Certificate Revocation List Caching, Online Certificate Status Protocol Check, and Federal Information Processing Standards properties.
The following table provides a listing and descriptions of the properties you can configure.
Table 5-2 OpenSSO STS Server Security Properties
Property | Description |
---|---|
Encryption | |
Password Encryption Key | Specify the key to be used to encrypt and decrypt passwords. This key is stored in the Service Management System configuration and its value is set during installation. Example: This value is set in the property |
Authentication Service Shared Secret | Specify the shared secret for the application authentication module. The value is set during installation. Example: This value is set in the property |
Encryption class | Specifies the encrypting class implementation. Available classes are: The default value is |
Secure Random Factory Class | Specifies the factory class name for Available implementation classes are: This value is set in the property |
Platform Low Level Comm. Max. Content Length | Specifies the maximum number of bytes allowable for content in an The default value is 1638. This value is set in the property |
Client IP Address Check | When enabled, the property is set to Yes, and the IP address of the client is checked in all single sign-on token creations or validations. The default value is No. This value is set in the property |
Cookie Name | Specifies the cookie name to be used by the Authentication service to set the valid session handler ID. The value of this cookie name is used to retrieve the valid session information. The default value is iPlanetDirectoryPro. This value is set in the property |
Secure Cookie | When enabled, this property is set to Yes, and the cookie is set in secure mode. In secure mode, the browser returns the cookie only when a secure protocol such as HTTPS is used. The default is No. This value is set in the property |
Encode Cookie Value | When enabled, this property is set to Yes, and OpenSSO STS URL-encodes the cookie value, which converts characters so they are understandable by HTTP. The default value is No. This value is set in the |
Keystore File | Specifies the path to the SAML XML keystore password file. Example: OpenSSO-deploy-base/URI/ This value is set during installation in the property com.sun.identity.saml.xmlsig.keystore. |
Keystore Password File | Specifies the path to the SAML XML keystore password (storepass) file. Example: OpenSSO-deploy-base/URI/. This value is set during installation in the property |
Private Key Password File | Specifies the path to the SAML XML key password file. Example: OpenSSO-deploy-base/URI/ The key password file contains the password that protects the private key of a generated key pair. This value is set during installation in the property |
Certificate Alias | This is the private key alias that is used to sign SOAP responses. The default value is test. This value is set in the property |
LDAP server port number | Specifies the port number of the LDAP server where the certificates are stored. The default value is the port specified when OpenSSO STS was installed. You can use the port number of any LDAP server where the certificates are stored. |
SSL/TLS Enabled | When enabled, the value is set to Yes, and the Certificate authentication service uses SSL to access the LDAP server. The default value is No. |
LDAP server bind user name | Specifies the bind DN in the LDAP server. |
LDAP server bind password | Specifies the password for the bind DN. By default, the amldapuser password that was specified during installation is used as the bind user. |
LDAP search base DN | Specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, the value is the top-level realm of the OpenSSO STS installation base. |
Search Attributes | Specifies any DN component of the issuer's subjectDN to be used to retrieve a CRL from a local LDAP server. All Root CAs must use the same search attribute. |
Check Enabled | When enabled, the value is set to Yes, and OCSP checking occurs. The default value is No. |
Responder URL | Specifies a URL that identifies the location of the OCSP responder. Example: By default, the location of the OCSP responder is determined implicitly from the certificate being validated. This property is used when the Authority Information Access extension defined in RFC 3280 is absent from the certificate, or when the Authority Information Access extension must be overridden. |
Certificate Nickname | Specifies the CA certificate nickname for the OCSP responder. Example: Certificate Manager - MyCompany. |
FIPS Mode | When enabled, this value is set to True, and all cryptography operations run in FIPS-compliant mode. Federal Information Processing Standards: Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions. |
Click Save.
(Optional) Click Inheritance Settings.
The Inheritance Settings section lists server properties containing default values. A checked box indicates a property that can inherit default server properties. Unchecked properties can be overwritten for each server instance.
To select a property to be overwritten with default values, click its corresponding box until a check appears in the box.
To deselect a property and retain any custom configuration, click the property's corresponding box until the box contains no checkmark.
(Optional) Click Export Configuration.
The OpenSSO STS console displays your settings so that you can inspect the settings for accuracy.
Click Save.
Click "Back to Server Profile."
Click "Back to Servers and Sites."
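The Export Configuration view lets you inspect a server's settings by hand; the following added example (not part of the product or this guide) does the same check mechanically for the settings Tables 5-1 and 5-2 single out: Secure Cookie, Client IP Address Check, OCSP Check Enabled, the Warning/Message debug levels, and the installation-default Certificate Alias. The property keys it looks up are assumed AMConfig.properties names for those console labels and must be confirmed against your own export; the two configurations it audits are constructed samples.

```python
"""Audit an exported OpenSSO STS server configuration (Java .properties
text) against the guidance in Tables 5-1 and 5-2.
Added example; not OpenSSO STS code."""
import re
from typing import Dict, List, Tuple

# ASSUMED AMConfig.properties keys for the console labels in the tables.
# Verify each one against the Export Configuration output of your server.
DEBUG_LEVEL_KEY = "com.iplanet.services.debug.level"
CERT_ALIAS_KEY = "com.sun.identity.saml.xmlsig.certalias"

# console label -> (assumed key, hardened value, severity, reason from the tables)
CHECKS: Dict[str, Tuple[str, str, str, str]] = {
    "Secure Cookie": (
        "com.iplanet.am.cookie.secure", "true", "high",
        "default is No: the session cookie is also returned over plain HTTP"),
    "Client IP Address Check": (
        "com.iplanet.am.clientIPCheckEnabled", "true", "medium",
        "default is No: SSO tokens are not checked against the client IP"),
    "OCSP Check Enabled": (
        "com.sun.identity.authentication.ocspCheck", "true", "medium",
        "default is No: certificate revocation is not checked via OCSP"),
}

Finding = Tuple[str, str, str]  # (severity, console label, reason)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':'
    separators and backslash line continuations."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props: Dict[str, str]) -> List[Finding]:
    """Return every setting that is still at its weak or default value."""
    findings: List[Finding] = []
    for label, (key, want, severity, reason) in CHECKS.items():
        if props.get(key, "").lower() != want:   # absent key == default No
            findings.append((severity, label, reason))
    level = props.get(DEBUG_LEVEL_KEY, "").lower()
    if level in ("warning", "message"):
        findings.append(("high", "Debug Level",
                         f"'{level}' is not for production: severe performance "
                         "degradation and an abundance of debug messages"))
    if props.get(CERT_ALIAS_KEY, "") == "test":
        findings.append(("medium", "Certificate Alias",
                         "SOAP responses are signed with the installation-default alias 'test'"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


def audit_text(text: str) -> List[Finding]:
    return audit(parse_properties(text))


# Constructed sample: a server left at the defaults described in the tables.
WEAK_CONFIG = """\
# server-default export (constructed sample)
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.cookie.secure=false
com.iplanet.am.clientIPCheckEnabled=false
com.iplanet.services.debug.level=message
com.sun.identity.saml.xmlsig.certalias=test
"""

# The same server with the weak settings corrected (constructed sample).
HARDENED_CONFIG = """\
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.cookie.secure=true
com.iplanet.am.clientIPCheckEnabled=true
com.sun.identity.authentication.ocspCheck=true
com.iplanet.services.debug.level=error
com.sun.identity.saml.xmlsig.certalias=sts-signing-key
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_text(cfg)
        print(f"== {name}: {len(results)} finding(s)")
        for severity, label, reason in results:
            print(f"  [{severity:>6}] {label}: {reason}")
```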
On the Configuration tab, click the Servers and Sites tab.
In the Servers section, click the URL of the OpenSSO STS server you want to configure.
Click the Session tab.
Provide values for Session Limits, Statistics, Notification, and Validation properties.
The following table provides a listing and descriptions of the properties you can configure.
Table 5-3 OpenSSO STS Server Session Properties
Property | Description |
---|---|
Session Limits | |
Maximum Sessions | Specifies the maximum number of concurrent sessions allowed. This value is set in the property |
Invalidate Session Max Time | Specifies the number of minutes after which an invalid session is removed from the session table when a session is created but the user does not log in. Use a value greater than the timeout value set in the Authentication module properties file. The Invalidate Session Max Time value is set in the property |
Sessions Purge Delay | Specifies the number of minutes to delay before purging sessions. This value is set in the property |
Logging Interval | Specifies the number of seconds to elapse between statistics logging. The interval should be at least 5 seconds to avoid CPU saturation. An interval value less than 5 seconds will be interpreted as 5 seconds. This value is set in the property |
State | Specifies the location of the statistics log. The following are possible settings: This value is set in the property |
Directory | Specifies the directory where the statistics files will be created. Example: OpenSSO STS-base/server-URI/ Use forward slashes "/" to separate directories. Spaces in the file name are allowed only on the Windows platform. This value is set in the property |
Enable Host Lookup | When enabled, this value is set to Yes, and host lookup occurs during session logging. This value is set in the property |
Notification Pool Size | Specifies the total number of threads allowed in the notification thread pool. This value is set in the property |
Notification Thread Pool Threshold | Specifies the maximum task queue length for serving notification threads. This value is set in the property |
Case Insensitive client DN comparison | When enabled, the value is set to Yes, and the client distinguished name comparison is case-insensitive. This value is set in the property |
Click Save.
(Optional) Click Inheritance Settings.
The Inheritance Settings section lists server properties containing default values. A checked box indicates a property that can inherit default server properties. Unchecked properties can be overwritten for each server instance.
To select a property to be overwritten with default values, click its corresponding box until a check appears in the box.
To deselect a property and retain any custom configuration, click the property's corresponding box until the box contains no checkmark.
(Optional) Click Export Configuration.
The OpenSSO STS console displays your settings so that you can inspect the settings for accuracy.
Click Save.
Click "Back to Server Profile."
Click "Back to Servers and Sites."
On the Configuration tab, click the Servers and Sites tab.
In the Servers section, click the URL of the OpenSSO STS server you want to configure.
Click the SDK tab.
Provide values for Data Store, Event Service, LDAP Connection, Caching and Replica, and Time to Live Configuration properties.
The following table provides a listing and descriptions of the properties you can configure.
Table 5-4 OpenSSO STS Server SDK Properties
Property | Description |
---|---|
Data Store | |
Enable Datastore Notification | When enabled, the value is set to Yes, and back-end datastore notification occurs. If this value is set to No, then in-memory notification is enabled. This value is set in the property |
Enable Directory Proxy | When enabled, this value is set to Yes, and the Directory Proxy must be used for read, write, and/or modify operations to the Directory Server. This flag also determines whether ACIs or delegation privileges are to be used. This value is set in the property |
Notification Pool Size | Specifies the size of the sm notification thread pool (total number of threads). This value is set in the property |
Number of retries for Event Service connections | Specifies the number of attempts to be made to successfully re-establish the Event Service connections. This value is set in the property |
Delay between Event Service connection retries | Specifies the number of milliseconds to delay between retries at re-establishing Event Service connections. This value is set in the property |
Error codes for Event Service connection retries | Specifies the LDAP exception error codes that trigger retries at re-establishing Event Service connections. This value is set in the property |
Idle Time Out | Specifies the number of minutes after which persistent searches will be restarted. This value is set in the property |
Disabled Event Service Connection | Specify which event connection (persistent search) is to be disabled. There are three valid values. Entries are case-sensitive: Multiple values are comma-separated. This value is set in the property |
Number of retries for LDAP Connection | Specifies the number of attempts to be made to successfully re-establish an LDAP connection. This value is set in the property |
Delay between LDAP connection retries | Specifies the number of milliseconds to delay between retries at re-establishing LDAP connections. This value is set in the property |
Error codes for LDAP connection retries | Specify the LDAP exception error codes that trigger retries at re-establishing LDAP connections. This value is set in the property |
SDK Caching Max. Size | Specifies the maximum size of the cache when SDK caching is enabled. The size should be an integer greater than 0, or the default size (10000) will be used. This value is set in the property |
SDK Replica Retries | Specifies the number of times to retry when an Entry Not Found error is returned to the SDK. This value is set in the property |
Delay between SDK Replica Retries | Specifies the number of milliseconds to delay between the retries. This value is set in the property |
Cache Entry Expiration Enabled | When enabled, this value is set to Yes, and the cache entries expire based on the time specified in the User Entry Expiration Time property. The default value is No. This value is set in the property |
User Entry Expiration Time | Specifies the number of minutes entries remain valid in the cache after their last modification. After the time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant, new requests for data for these user entries will be read from the Directory. This value is set in the property |
Default Entry Expiration Time | Specifies the number of minutes that non-user entries remain valid in the cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant, new requests for data for these non-user entries will be read from the Directory. This value is set in the property |
Click Save.
(Optional) Click Inheritance Settings.
The Inheritance Settings section lists server properties containing default values. A checked box indicates a property that can inherit default server properties. Unchecked properties can be overwritten for each server instance.
To select a property to be overwritten with default values, click its corresponding box until a check appears in the box.
To deselect a property and retain any custom configuration, click the property's corresponding box until the box contains no checkmark.
(Optional) Click Export Configuration.
The OpenSSO STS console displays your settings so that you can inspect the settings for accuracy.
Click Save.
Click "Back to Server Profile."
Click "Back to Servers and Sites."
On the Configuration tab, click the Servers and Sites tab.
In the Servers section, click the URL of the OpenSSO STS server you want to configure.
Click the Directory Configuration tab.
Provide values for the OpenSSO STS Server Directory Configuration properties. The following table provides a listing and descriptions of the properties you can configure.
Table 5-5 OpenSSO STS Server Directory Configuration Properties
Property | Description |
---|---|
Minimum Connection Pool | Specify the minimum size of the connection pool to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default value is 1. |
Maximum Connection Pool | Specify the maximum size of the connection pool to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default value is 10. |
Bind DN | Specify the bind DN in the LDAP server. |
Bind Password | Specify the password to be used for binding to the LDAP server. By default, the amldapuser password that was entered during installation is used as the bind user. |
To add a configuration directory server to the Server list, click Add.
In the New Server page, provide the values for the New Directory Server properties, and then click OK. The following table provides a listing and descriptions of the properties you can configure.
Table 5-6 New Directory Server Properties
Property | Description |
---|---|
Name | Specify an identifier for this server. |
Host Name | Specify the fully qualified host name of the Directory Server. Example: DirectoryServerHost.domainName.com |
Port Number | Specify the Directory Server port number. |
Connection Type | Choose one of the following connection types for the Directory Server: Simple or SSL/TLS. The default value is Simple. |
To delete a Directory Server from the Server list, click to check the box corresponding to the Directory Server name, then click Delete.
Click Save.
Click "Back to Servers and Sites."
On the Configuration tab, click the Servers and Sites tab.
In the Servers section, click the URL of the OpenSSO STS server you want to configure.
Click the Advanced tab.
The Advanced Properties section lists server properties containing default values.
To add a custom property to the list, click Add.
A new row is added at the bottom of the list. In the appropriate columns, type a Property Name and Property Value.
To remove a property from the list, click to check the box corresponding to the property and then click Delete.
Click Save.
Click "Back to Servers and Sites."
On the Configuration tab, click the Servers and Sites subtab.
Click to mark the box corresponding to the server you want to clone.
Click Clone.
In the New Server page, in the Server URL field type the URL for the cloned server, and then click OK.
Configure the OpenSSO STS server. See Section 5.1.3, "To Configure an OpenSSO STS Server."
The Servers and Sites configuration enables an administrator to manage multiple OpenSSO STS site and server configurations from a single console.
Multiple OpenSSO STS instances can be deployed on at least two different host servers. For example, you might deploy two instances on one server and a third instance on another server. Or you might deploy all instances on different servers. You can also configure the OpenSSO STS instances in session failover mode if required for your deployment.
One or more load balancers route client requests to the various OpenSSO STS instances in the environment. You configure each load balancer according to your deployment requirements. For example, you could use round-robin or load average load-balancing to distribute the load between the OpenSSO STS instances. A load balancer simplifies the deployment, as well as resolves issues caused by having a firewall between the client and the back-end OpenSSO STS servers. You can use a hardware or software load balancer with your OpenSSO STS deployment. All OpenSSO STS instances access the same Directory Server.
Important: If you make any changes to the configuration attributes for Servers and Sites, either through the console or the command line interface, you must restart the web container on which OpenSSO STS is deployed for the changes to take effect.
On the Configuration tab, click the Servers and Sites subtab.
In the Sites section, click New.
In the New Site page, in the Name field type a name for the new site.
In the Primary URL field, specify the Primary URL for the site instance, including the site URI.
Use the form protocol://hostname.domain:port/URI.
Configure the new OpenSSO STS Site.
On the Configuration tab, click the Servers and Sites subtab.
In the Sites section, click the name of the site you want to configure.
Provide values for the OpenSSO STS Site properties. The following table provides a listing and descriptions of the properties you can configure.
Table 5-7 OpenSSO STS Site Properties
Property | Description |
---|---|
Primary URL | Specify the primary URL used to access the site. |
Secondary URLs | The Current Values list displays session repositories used for session failover in an OpenSSO STS deployment. Use the URL of the load balancer as the identifier for this secondary configuration. If the secondary configuration is defined in this case, session failover is automatically enabled and becomes effective after the server restart. |
Assigned Server | Servers assigned to the site. |
Click Save.
Click "Back to Servers and Sites."
A user data store, also called an identity repository, is a database where OpenSSO STS stores user attributes and user configuration data. Example: a user data store might contain a user's identifier and password, email address, application preferences and other forms of identity data. The OpenSSO STS interface enables a realm administrator to plug in one or more user data stores into the OpenSSO STS realm. OpenSSO STS provides identity repository plug-ins that in turn connect to a single LDAPv3 identity repository framework. The user data store plug-ins enable you to view and retrieve OpenSSO STS user information without having to make changes in your existing user database.
OpenSSO STS integrates data from the identity repository plug-in with data from other OpenSSO STS plug-ins to form a virtual identity for each user in the repository. OpenSSO STS can then use the universal identity in authentication and authorization processes among more than one identity repository. The virtual user identity is destroyed when the user's session ends.
All OpenSSO STS user data stores share the same underlying plug-in. Although most of the configuration attributes are the same for each of user data stores, the default attribute values vary depending upon the user data store type.
OpenSSO STS supports the following types of user data stores.
An Active Directory user data store uses the LDAP version 3 specification to write identity data to an instance of Microsoft Active Directory.
A generic LDAPv3 user data store allows identity data to be written to any LDAPv3-compliant database. Note - If the LDAPv3 database you are using does not support Persistent Search, then you cannot use the OpenSSO STS caching feature.
A Sun Directory Server containing OpenSSO STS Schema resides in a Sun Directory Server instance itself and holds the OpenSSO STS information tree. It is different from the OpenSSO STS Repository Plug-in. A Directory Server with OpenSSO STS Schema contains more configuration attributes and enables you to better customize the user data store.
On the Access Control tab, click the Data Stores subtab.
In the Data Stores section, click New.
In the Name field, type the new Data Store name.
The Data Store name cannot contain spaces.
Choose one of the following:
Active Directory
Generic LDAPv3
Sun DS with OpenSSO schema
Click Next.
Provide values for the User Data Store properties. The following table provides a listing and descriptions of the properties you can configure.
Table 5-8 User Data Store Properties
Property | Description |
---|---|
LDAP Server |
The Current Values list displays the name of the LDAP server or servers to which OpenSSO STS will be connected. If more than one LDAP server is listed, OpenSSO STS attempts to connect to the first host in the list. If a connection cannot be made to the first host in the list, then OpenSSO STS tries to access the next host in the list.
|
LDAP Bind DN |
Specify the DN that OpenSSO STS will use to authenticate to the LDAP server to which you are currently connected. The user with the DN used to bind to the LDAP server must have the appropriate privileges for adding, modifying, and deleting operations. These privileges are configured in the LDAPv3 Plugin Supported Types and Operations properties. |
LDAP Bind Password |
Specify the DN password that OpenSSO STS will use to authenticate to the LDAP server to which you are currently connected. |
LDAP Bind Password (confirm) |
Type the password again to confirm it. |
LDAP Organization DN |
Specify the DN to which this data store repository will map. This will be the base DN of all operations performed in this data store. |
LDAP SSL |
When enabled, OpenSSO STS will connect to the primary server using the HTTPS protocol. |
LDAP Connection Pool Minimum Size |
Specify the initial number of connections in the connection pool. Using a connection pool avoids having to create a new connection each time. |
LDAP Connection Pool Maximum Size |
Specify the maximum number of connections to allow. |
Maximum Results Returned from Search |
Specify the maximum number of entries returned from a search operation. If this limit is reached, Active Directory returns any entries that match the search request. |
Search Timeout |
Specify the maximum number of seconds allocated for a search request. If this limit is reached, Active Directory returns any search entries that match the search request. |
LDAP Follows Referral |
When enabled, referrals to other LDAP servers are followed automatically. |
LDAPv3 Repository Plugin Class Name |
Specify the location of the class file which implements the LDAPv3 repository. |
Attribute Name Mapping |
The Current Values list displays common attributes known to the OpenSSO STS framework to be mapped to the native data store. Example: if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive. The defaults are: e mployeeNumber=distinguishedName portalAddress=sAMAccountName uid=sAMAccountName mail=userPrincipalName telephonenumber=displayName iplanet-am-user-alias-list=objectGUID userPassword=unicodePwd
|
LDAPv3 Plug-in Supported Types and Operations |
The Current Values list displays operations that are permitted or can be performed on this LDAP server. The default operations are the only operations that are supported by this LDAPv3 repository plug-in. The following are operations supported by LDAPv3 Repository Plugin: a gent: read, create, edit, delete role: read, create, edit, delete group: read, create, edit, delete realm: read, create, edit, delete, service user: read, create, edit, delete, service
You can remove permissions from all operations except for role operations based on your LDAP server settings and the tasks. You cannot add more permissions to any operation. If the configured LDAPv3 Repository plug-in is pointing to an instance of Sun Directory Server, permissions for the type role can be added. Otherwise, this permission may not be added because other data stores may not support roles. If a user is of supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries from the identity repository. The The user is also allowed to manage user attributes for any assigned service. If the user has service as the operation (user=service), then the following service-related operations are supported: assignService unassignService getAssignedServices getServiceAttributes removeServiceAttributes modifyService |
LDAPv3 Plug-in Search Scope |
Choose the scope to be used to find LDAPv3 plug-in entries. |
LDAP Users Search Attribute |
Specify the attribute type to use when searching for a user. Example: if the user DN is |
LDAP Users Search Filter |
Specify the search filter to be used to find user entries. |
LDAP User Object Class |
The Current Values list displays the object classes for a user. When a user is created, this list of user object classes is added to the user's attributes list. |
LDAP User Attributes |
The Current Values list displays the attributes associated with a user. You cannot read or write user attributes not on this list. The attributes are case-sensitive. The object classes and attribute schema must already be defined before you define the object classes and attribute schema here. |
Create User Attribute Mapping |
The Current Values list displays the attributes that are required when a user is created. Attributes use the following syntax: |
Attribute Name of User Status |
Specify an attribute name that indicates if the user is active or inactive. |
User Status Active Value |
This field is not displayed for the OpenSSO with Schema Data Store. This attribute value is assigned to the user when the user is created. The LDAPv3 data store uses Active. Not used by the Schema data store. |
User Status Inactive Value |
This field is not displayed for the OpenSSO with Schema Data Store. For Active Directory, this field is not used. The LDAPv3 data store uses Inactive. |
LDAP Groups Search Attribute |
The Current Values list displays the attribute types to use for conducting a search on a group. The default is cn. |
LDAP Group Search Filter |
Specify the search filter to be used to find group entries. The default is ( |
LDAP Groups Container Naming Attribute |
Specify the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty. Example: if a group DN of |
LDAP Groups Container Value |
Specify the value for the group container. Example: if a group DN of |
LDAP Groups Object Classes |
The Current Values list displays object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list. |
LDAP Groups Attributes |
The Current Values list displays attributes associated with a group. You cannot read or write group attributes that are not on this list. The attributes are case-sensitive. The object classes and attribute schema must be defined before you define the object classes and attribute schema here. |
Attribute Name for Group Membership |
Specify the name of the attribute whose values are the names of all the groups to which the DN belongs. The default is |
Attribute Name of Unique Member |
Specify the attribute name whose values are the DNs belonging to this group. The default is |
Attribute Name of Group Member URL |
Specify the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is |
Default Group Member's User DN |
This field is not displayed for the OpenSSO with Schema Data Store. |
LDAP Roles Search Attribute |
This field is not displayed for Active Directory or LDAPv3 Data Stores. This field defines the attribute type for which to conduct a search on a role. The default is |
LDAP Roles Search Filter |
This field is not displayed for Active Directory or LDAPv3 Data Stores. Specify the filter used to search for a role. The LDAP Role Search attribute is prepended to this value to form the actual role search filter. Example: if the LDAP Role Search Attribute is |
LDAP Roles Object Class |
This field is not displayed for Active Directory or LDAPv3 Data Stores. Specify the object classes for roles. When a role is created, the list of user object classes will be added to the role's attributes list. |
LDAP Roles Attributes |
This field is not displayed for Active Directory or LDAPv3 Data Stores. The Current Values list displays attributes associated with a role. Reading or writing agent attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here. |
LDAP Filter Roles Search Attribute |
This field is not displayed for Active Directory or LDAPv3 Data Stores. Specify the attribute type for which to conduct a search on a filter role. The default is |
LDAP Filter Roles Search Filter |
This field is not displayed for Active Directory or LDAPv3 Data Stores. The Current Values list displays the filter used to search for a filtered role. The LDAP Filter Role Search attribute is prepended to this field to form the actual filtered role search filter. Example: if the LDAP Filter Role Search Attribute is CN and LDAP Filter Role Search Filter is |
LDAP Filter Roles Object Class |
This field is not displayed for Active Directory or LDAPv3 Data Stores. The Current Values list displays the object classes for filtered roles. When a filtered role is created, the list of user object classes will be added to the filtered role's attributes list. |
LDAP Filter Roles Attributes |
This field is not displayed for Active Directory or LDAPv3 Data Stores. The Current Values list displays attributes associated with a filtered role. Reading or writing agent attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here. |
Attribute Name for Filtered Role Membership |
This field is not displayed for Active Directory or LDAPv3 Data Stores. |
Attribute Name of Role Membership |
This field is not displayed for Active Directory or LDAPv3 Data Stores. |
Attribute Name of Filtered Role Filter |
This field is not displayed for Active Directory or LDAPv3 Data Stores. |
LDAP People Container Naming Attribute |
|
LDAP People Container Value |
Specify the value of the people container. The default is people. Caution – The entire tree under the baseDN will be searched if the value of this attribute is set to null (empty). |
Identity Types That Can be Authenticated |
Specify that this data store can authenticate user and/or agent identity types when the authentication module mode for the realm is set to Data Store. |
Authentication Naming Attribute |
This value is currently not used. |
Persistent Search Base DN |
Specify the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level. |
Persistent Search Filter |
Specify the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter. |
Persistent Search Scope |
Specify the scope to be used in a persistent search. The scope must be one of the following: |
Persistent Search Maximum Idle Time Before Restart |
Specify the maximum idle time before restarting the persistent search. The value must be greater than 1. Values less than or equal to 1 will restart the search regardless of the idle time of the connection. If OpenSSO STS is deployed behind a load balancer, some load balancers will time out a connection that has been idle for a specified amount of time. In this case, set the Persistent Search Maximum Idle Time Before Restart to a value less than the load balancer's idle timeout. |
Maximum Number of Retries After Error Code |
Specify the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAP Exception Error Codes to Retry On. |
The Delay Time Between Retries |
Specify the time to wait before each retry. This only applies to the persistent search connection. |
LDAP Exception Error Codes to Retry |
Specify the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations. |
Caching |
When enabled, OpenSSO STS caches data retrieved from the data store. |
Maximum Age of Cached Items |
Specify the maximum number of seconds data is stored in the cache before it is removed. |
Maximum Size of the Cache |
Specify the maximum size of the cache in bytes. The larger the value, the more data can be stored, but more memory is required. |
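The Attribute Name Mapping, LDAP Users Search Attribute, LDAP Users Search Filter and the role search filter entries above all describe how the data store turns a framework attribute name and a configured filter into the actual LDAP search filter ("the search attribute is prepended to this value"). The following is an added example, not OpenSSO STS code: it parses the console's framework=native mapping syntax using the defaults listed on the page, translates the search attribute to its native name, and composes the filter. The RFC 4515 escaping of the caller-supplied value is my addition, the check a practitioner wants so that an identifier taken from a request cannot change the shape of the filter; the page does not describe how OpenSSO performs escaping internally.

```python
"""Added example (not OpenSSO STS code): framework-to-native attribute
mapping and LDAP search-filter construction for the data store settings
described on the page. The mapping defaults are the ones the page lists;
RFC 4515 escaping is an assumption about how the value should be
protected, not a description of OpenSSO internals."""

# Default Attribute Name Mapping from the page (framework name -> native name)
DEFAULT_ATTRIBUTE_MAP = {
    "employeeNumber": "distinguishedName",
    "portalAddress": "sAMAccountName",
    "uid": "sAMAccountName",
    "mail": "userPrincipalName",
    "telephonenumber": "displayName",
    "iplanet-am-user-alias-list": "objectGUID",
    "userPassword": "unicodePwd",
}


def parse_attribute_map(lines):
    """Parse 'framework=native' lines (the console's Current Values syntax).
    Names are kept case-sensitive, as the page states."""
    mapping = {}
    for line in lines:
        line = line.strip()
        if not line or "=" not in line:
            continue
        framework, native = line.split("=", 1)
        mapping[framework.strip()] = native.strip()
    return mapping


def to_native(attr, mapping):
    """Translate a framework attribute name; unmapped names pass through."""
    return mapping.get(attr, attr)


# RFC 4515 escapes for the characters that have meaning inside a filter value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally rather than parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(search_attr, value, extra_filter=None, mapping=None):
    """Form (&(<attr>=<value>)<extra_filter>), where search_attr is the
    configured Search Attribute and extra_filter the configured Search
    Filter, mirroring the 'attribute is prepended' rule on the page."""
    native_attr = to_native(search_attr, mapping or {})
    base = "(%s=%s)" % (native_attr, escape_filter_value(value))
    if extra_filter:
        return "(&%s%s)" % (base, extra_filter)
    return base


if __name__ == "__main__":
    # Constructed sample input: a user id that contains filter syntax
    print(build_search_filter("uid", "jdoe)(uid=*", "(objectclass=inetorgperson)",
                              mapping=DEFAULT_ATTRIBUTE_MAP))
```

With the default mapping, a search on the framework attribute uid is issued against sAMAccountName, and the supplied value is escaped so that only the configured search attribute and filter decide which entries match.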
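The persistent search entries above (Maximum Idle Time Before Restart, Maximum Number of Retries After Error Code, The Delay Time Between Retries, LDAP Exception Error Codes to Retry) together define a small supervision loop. The following is an added example, not OpenSSO STS code, that models those rules: a connection is restarted when its idle time reaches the configured maximum (or unconditionally when the maximum is 1 or less, as the page states), and opening the search is retried only for the configured error codes and only up to the configured count, sleeping the configured delay between attempts. The connection object, the sleep function and the error codes used in the sample are constructed so the logic runs offline.

```python
"""Added example (not OpenSSO STS code) modelling the persistent search
restart and retry settings described on the page. open_search and sleep
are injected so the loop can be exercised without a directory server."""


class LDAPError(Exception):
    """Constructed stand-in for an LDAP exception carrying a result code."""

    def __init__(self, code):
        super().__init__("ldap error %d" % code)
        self.code = code


def needs_restart(idle_seconds, max_idle):
    """Page rule: max_idle must be greater than 1; a value of 1 or less
    restarts the search regardless of how long the connection was idle.
    Otherwise restart once the idle time reaches max_idle, which should be
    set below any load balancer idle timeout in front of the directory."""
    if max_idle <= 1:
        return True
    return idle_seconds >= max_idle


def run_persistent_search(open_search, max_retries, delay, retry_codes, sleep):
    """Open the persistent search, retrying only on the configured codes.
    Returns (handle, attempts); re-raises the error when the code is not
    retryable or when max_retries retries have been used up."""
    attempts = 0
    while True:
        attempts += 1
        try:
            return open_search(), attempts
        except LDAPError as err:
            if err.code not in retry_codes or attempts > max_retries:
                raise
            sleep(delay)  # The Delay Time Between Retries


def make_flaky_search(failures, code):
    """Constructed fake directory: raise LDAPError(code) for the first
    `failures` calls, then return a handle."""
    state = {"calls": 0}

    def open_search():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise LDAPError(code)
        return "psearch-handle"

    return open_search


if __name__ == "__main__":
    # Sample codes are constructed for the demonstration (81 is used here
    # as a "server down" style code; configure the codes your server returns).
    waits = []
    handle, n = run_persistent_search(make_flaky_search(2, 81),
                                      max_retries=3, delay=5,
                                      retry_codes={80, 81}, sleep=waits.append)
    print(handle, n, waits)
```

The two conditions in the except clause are the whole point: a code outside LDAP Exception Error Codes to Retry fails immediately, so a misconfigured filter or missing base DN is surfaced rather than retried forever, while transient codes are retried at most Maximum Number of Retries times with the configured delay between them.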
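The Caching, Maximum Age of Cached Items and Maximum Size of the Cache entries describe a cache bounded both by age in seconds and by total size in bytes. The following is an added example, not OpenSSO STS code, showing one way those two bounds interact: an entry is dropped once it is older than the maximum age, and inserting past the byte limit evicts the oldest entries first. The size accounting (byte length of the stored value) and the injectable clock are assumptions made for the demonstration; the page does not say how OpenSSO measures cache size.

```python
"""Added example (not OpenSSO STS code): a data store cache bounded by
Maximum Age of Cached Items (seconds) and Maximum Size of the Cache (bytes).
Values are bytes objects; size is their length. The clock is injectable
so expiry can be tested deterministically."""
import time
from collections import OrderedDict


class DataStoreCache:
    def __init__(self, max_age, max_bytes, clock=time.monotonic):
        self.max_age = max_age        # seconds an item may live
        self.max_bytes = max_bytes    # total bytes allowed in the cache
        self.clock = clock
        self._items = OrderedDict()   # key -> (value, inserted_at, size), oldest first
        self._bytes = 0

    def put(self, key, value):
        """Store value; evict oldest entries until it fits. Returns False
        when a single value is larger than the whole cache."""
        size = len(value)
        if size > self.max_bytes:
            return False
        if key in self._items:
            self._evict(key)
        while self._bytes + size > self.max_bytes:
            self._evict(next(iter(self._items)))   # oldest entry
        self._items[key] = (value, self.clock(), size)
        self._bytes += size
        return True

    def get(self, key):
        """Return the cached value, or None if absent or older than max_age.
        A stale entry is removed on read so it no longer counts toward the size."""
        item = self._items.get(key)
        if item is None:
            return None
        value, inserted_at, _ = item
        if self.clock() - inserted_at >= self.max_age:
            self._evict(key)
            return None
        return value

    def _evict(self, key):
        _, _, size = self._items.pop(key)
        self._bytes -= size

    def size_bytes(self):
        return self._bytes


if __name__ == "__main__":
    # Constructed sample: 10-byte cache with a 60-second maximum age
    now = [0.0]
    cache = DataStoreCache(max_age=60, max_bytes=10, clock=lambda: now[0])
    cache.put("uid=jdoe", b"12345")
    cache.put("uid=asmith", b"12345")
    cache.put("uid=bjones", b"1")          # evicts uid=jdoe (oldest)
    print(cache.get("uid=jdoe"), cache.size_bytes())
```

A short Maximum Age limits how long a user whose status was changed in the directory (for example set to the User Status Inactive Value) can still be served from the cache, which is the trade-off to weigh against the lookup savings when choosing the value.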
Click Finish.
On the Configuration tab, click the System subtab.
On the System Configuration page, in the System Attributes list, click Platform.
Provide values for the Global Platform Attributes. The following table provides a listing and descriptions of the properties you can configure.
Table 5-9 Global Platform Attributes
Attribute | Description |
---|---|
Platform Locale |
Specify the default language subtype that OpenSSO STS was installed with. The Authentication, Logging and administration services are administered in the language of this value. The default is |
Cookie domains |
The Current Values list displays domains that will be returned in the cookie header when setting a cookie to the user's browser during authentication. |
Hex Encode Cookie |
When set to Yes, hex encoding for cookies is enabled. The default is No. |
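The Cookie domains and Hex Encode Cookie attributes in Table 5-9 control what goes into the Set-Cookie header issued at authentication. The following is an added example, not OpenSSO STS code, showing the check a practitioner wants when picking the domain: a configured domain is applied only when the request host equals it or is a subdomain of it on a dot boundary, so a configured example.com is never sent to a browser on notexample.com. The cookie name and the assumption that hex encoding is applied to the UTF-8 bytes of the value are constructed for the demonstration; the page does not specify the encoding details.

```python
"""Added example (not OpenSSO STS code): choosing the cookie domain from
the configured Cookie domains list and applying the Hex Encode Cookie
setting when composing a Set-Cookie header value. The cookie name
'stsSession' is a constructed placeholder."""


def choose_cookie_domain(host, cookie_domains):
    """Return the most specific configured domain that matches host, or None.
    A leading dot on a configured entry is ignored; the match must be on a
    dot boundary so 'example.com' does not match 'notexample.com'."""
    host = host.lower().rstrip(".")
    best = None
    for configured in cookie_domains:
        domain = configured.lower().lstrip(".")
        if host == domain or host.endswith("." + domain):
            if best is None or len(domain) > len(best):
                best = domain
    return best


def encode_cookie_value(value, hex_encode):
    """Hex Encode Cookie = Yes: send the hex of the UTF-8 bytes (assumed encoding)."""
    if not hex_encode:
        return value
    return value.encode("utf-8").hex()


def build_set_cookie(name, value, host, cookie_domains, hex_encode=False):
    """Compose a Set-Cookie header value. Secure and HttpOnly are always
    added here; the Domain attribute is omitted when no configured domain
    matches the host, so the cookie falls back to host-only scope."""
    parts = ["%s=%s" % (name, encode_cookie_value(value, hex_encode))]
    domain = choose_cookie_domain(host, cookie_domains)
    if domain is not None:
        parts.append("Domain=" + domain)
    parts += ["Path=/", "Secure", "HttpOnly"]
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample: two configured cookie domains, hex encoding on
    print(build_set_cookie("stsSession", "abc", "sts.example.com",
                           [".example.com", ".corp.net"], hex_encode=True))
```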
(Optional) To add a new character set, in the Client Character Sets list, click New.
To delete a character set, in the Client Character Sets section click to mark the box corresponding to the character set you want to remove, and then click Delete.
Click OK.