Sun logo      Previous      Contents      Index      Next     

Sun ONE Identity Server 6.1 Administration Guide

Chapter 19  
Core Authentication Attributes

The Core Authentication service is the basic service for all of the default authentication services as well as any custom authentication service created with the Authentication SPI. Core authentication must be configured as a service for each organization that wishes to use any form of authentication. The Core Authentication attributes consist of global and organization attributes.The values applied to the global attributes are applied across the Sun ONE Identity Server configuration and are inherited by every configured organization. (They can not be applied directly to roles or organizations as the goal of global attributes is to customize the Identity Server application.) The values applied to the organization attributes under Service Configuration become the default values for the Core Authentication template. The service template needs to be created after registering the service for the organization. The default values can be changed after registration by the organization’s administrator. Organization attributes are not inherited by entries in the organization. The Core Authentication attributes are separated into:

Global Attributes

The global attributes in the Core Authentication service are:

Pluggable Auth Module Classes

This field specifies the Java classes of the authentication modules available to any organization configured within the Identity Server platform. By default, this includes LDAP, SafeWord, SecurID, Application, Anonymous, HTTP Basic, Membership, Unix, Certificate, NT and RADIUS. Identity Server also includes a public SPI that can be used to add other authentication services. To define new services, this field must take a text string specifying the full class name (including package name) of each new authentication service.

Supported Auth Modules for Clients

This attribute specifies a list of supported authentication modules for a specific client. The format is as follows:

clientType | module1,module2,module3

This attribute is in effect when Client Detection is enabled.

LDAP Connection Pool Size

This attribute specifies the minimum and maximum connection pool to be used on a specific server and port. This attribute is for LDAP and Membership authentication services only. The format is as follows:



This connection pool is different than the SDK connection pool configured in serverconfig.xml.

LDAP Connection Default Pool Size

This attribute sets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. If an entry for the host and port exists in the LDAP Connection Pool Size attribute, the minimum and maximum settings will not be used from LDAP Connection Default Pool Size.

Organization Attributes

The organization attributes in the Core Authentication service are:

Organization Authentication Modules

This list specifies the authentication modules available to the organization. Each administrator can choose the type of authentication for each specific organization. Multiple authentication modules provide flexibility, but users must be sure that their login setting is appropriate for the selected authentication module. The default authentication is LDAP. The authentication services included with Identity Server are:

User Profile

This option allows you to specify options for a user profile.

Admin Authenticator

Clicking the edit link will allow you to define the authentication service for administrators only. An administrator is a user who needs access to the Identity Server console. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The modules configured in this attribute are picked up when the Identity Server console is accessed.

User Profile Dynamic Creation Default Roles

This field specifies the roles assigned to a new user whose profiles are created if Dynamic Creation is selected through the feature "User Profile". There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user.


The role specified must be under the organization for which authentication is being configured.

Persistent Cookie Mode

This option determines whether users can restart the browser and still return to their authenticated session. User sessions can be retained by enabling Persistent Cookie Mode. When Persistent Cookie Mode is enabled, a user session does not expire until its persistent cookie expires, or the user explicitly logs out. The expiration time is specified in Persistent Cookie Max Time (seconds). The default value is that Persistent Cookie Mode is not enabled and the authentication service uses only memory cookies.


A persistent cookie must be explicitly requested by the client using the iPSPCookie=yes parameter in the login URL.

Persistent Cookie Max Time (seconds)

This field specifies the interval after which a persistent cookie expires. (Persistent Cookie Mode must be enabled by selecting its checkbox.) The interval begins when the user’s session has been successfully authenticated. The default value is 2147483 (time in seconds). The field will take any integer value between 0 and 2147483.

People Container For All Users

After successful authentication by a user, the user’s profile is retrieved. The value in this field specifies where to search for the profile. Generally, this value will be the DN of the default People Container. All user entries added to an organization are automatically added to the organization’s default People Container. The default value is ou=People, and generally, this is completed with the organization name(s) and root suffix. The field will take a valid DN for any organizational unit.


Authentication searches for a user profile by:

  • Searching under the default People Container, then
  • Searching under the default organization, then
  • Searching for the user in the default organization using the Alias Search Attribute Name attribute.

The final search is for SSO cases where the user name used to authenticate may not be the naming attribute in the profile. For example, a user may authenticate using Safeword ID of jn10191, but the profile is uid=jamie.

Alias Search Attribute Name

After successful authentication by a user, the user’s profile is retrieved. This field specifies a second LDAP attribute to search from if a search on the first LDAP attribute, specified in "User Naming Attribute", fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field will take any valid LDAP attribute (for example, cn).

User Naming Attribute

After successful authentication by a user, the user’s profile is retrieved. The value of this attribute specifies the LDAP attribute to use for the search. By default, Identity Server assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.

Default Auth Locale

This field specifies the default language subtype to be used by the authentication service. The default value is en_US. A listing of valid language subtypes can be found in Table 19-1.


In order to use a different locale, all authentication templates for that locale must first be created. A new directory must then be created for these templates. See the “Chapter 3: Authentication Service” in the Sun ONE Identity Server Customization and API Guide for more information.

Table 19-1  Supported Language Locales 

Language Tag












































































Organization Authentication Configuration

This attribute sets the authentication module for the organization. The default authentication module is LDAP. One or more authentication modules can be selected by clicking the Edit link. If more than one module is selected, then the user will have to pass through the chain of all selected modules.

The modules configured in this attribute are used for authentication when users access the authentication module using the /server_deploy_uri/UL/Login format. See the Sun ONE Identity Server Customization and API Guide for more information.

Login Failure Lockout Mode

This feature specifies whether a user can attempt a second authentication if the first attempt failed. Selecting this attribute enables a lockout and the user will have only one chance at authentication. By default, the lockout feature is not enabled. This attribute works in conjunction with Lockout-related and notification attributes.

Login Failure Lockout Count

This attribute defines the number of attempts that a user may try to authenticate, within the time interval defined in Login Failure Lockout Interval (minutes), before being locked out.

Login Failure Lockout Interval (minutes)

This attribute defines (in minutes) the time between two failed login attempts. If a login fails and is followed by another failed login that occurs within the lockout interval, then the lockout count is incremented. Otherwise, the lockout count is reset.

Email Address to Send Lockout Notification

This attribute specifies an email address that will receive notification if a user lockout occurs. To send email notification to multiple addresses, separate each email address with a space.

Warn User After N Failure

This attribute specifies the number of authentication failures that can occur before Identity Server sends a warning message that the user will be locked out.

Login Failure Lockout Duration (minutes)

This attribute enables memory locking. By default, the lockout mechanism will inactivate the User Profile (after a login failure) defined in Lockout Attribute Name. If the value of Login Failure Lockout Duration is greater than 0, then its memory locking and the user account will be locked for the number of minutes specified.

Lockout Attribute Name

This attribute designates any LDAP attribute that is to be set for lockout. The value in Lockout Attribute Value must also be changed to enable lockout for this attribute name. By default, Lockout Attribute Name is empty in the Identity Server Console. The default implementation values are inetuserstatus (LDAP attribute) and inactive when the user is locked out and Login Failure Lockout Duration is set to 0.

Lockout Attribute Value

This attribute specifies whether lockout is enabled or disabled for the attribute defined in Lockout Attribute Name. By default, the value is set to 0 for inetuserstatus.

Default Success Login URL

This field specifies the URL to which users are redirected after successful authentication. The field will take any valid URL. The Success Login URL is set in the LoginStatus element in the remote-auth.dtd. See the Sun ONE Identity Server Customization and API Guide for more information.

Default Failure Login URL

This field specifies the URL to which users are redirected if authentication is unsuccessful. The field will take any valid URL. The Failure Login URL is set in the LoginStatus element in the remote-auth.dtd. See the Sun ONE Identity Server Customization and API Guide for more information.

Authentication PostProcessing Class

This field specifies the name of the Java class used to customize post authentication processes for successful or unsuccessful logins. Example:

The Java class must implement the following Java interface:


Additionally, you must add the path to where the class is located to the Web Server's Java Classpath attribute.

User Name Generator Mode

This attribute is used by the Membership authentication module. If this attribute field is enabled, the Membership module is able to generate user IDs, during the Self Registration process, for a specific user if the user ID already exists. The user IDs are generated from the Java class specified in Pluggable User Name Generator Class.

Pluggable User Name Generator Class

The field specifies the name of the Java class that will be used to generate user IDs when User Name Generator Mode is enabled.

Default Auth Level

The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level.

The authentication level should be set within the organization’s specific authentication template. The Default Auth Level value described here will apply only when no authentication level has been specified in the Authentication Level field for a specific organization’s authentication template. The Default Auth Level default value is 0. (The value in this attribute is not used by Identity Server but by any external application that may chose to use it.)

Previous      Contents      Index      Next     

Copyright 2003 Sun Microsystems, Inc. All rights reserved.