OpenSSO is installed with a set of default authentication module types. An authentication module instance is a plug-in that collects user information such as a user ID and password, checks the information against entries in a database, and allows or denies access to the user. Multiple instances of the same type can be created and configured separately.
This section provides attribute descriptions that configure the default authentication module types.
See Chapter 3, Configuring Authentication, in Sun OpenSSO Enterprise 8.0 Administration Guide for more information on the authentication modules and configuring an authentication process.
This module type works similarly to the LDAP authentication module type, but uses the Microsoft Active Directory instead of an LDAP directory. Using this module type makes it possible to have both LDAP and Active Directory coexist under the same realm. The Active Directory authentication attributes are realm attributes. The attributes are:
Specifies the host name and port number of the primary Active Directory server specified during OpenSSO Enterprise installation. This is the first server contacted for Active Directory authentication. The format is hostname:port. If there is no port number, 389 is assumed.
If you have OpenSSO Enterprise deployed with multiple domains, you can specify the communication link between specific instances of OpenSSO Enterprise and Directory Server in the following format (multiple entries must be prefixed by the local server name):
local_servername|server:port local_servername2|server2:port2 ...
For example, if you have two OpenSSO Enterprise instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), the value would look like the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389
L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
Specifies the host name and port number of a secondary Active Directory server available to the OpenSSO Enterprise platform. If the primary Active Directory server does not respond to a request for authentication, this server would then be contacted. If the primary server is up, OpenSSO Enterprise will switch back to the primary server. The format is also hostname:port. Multiple entries must be prefixed by the local server name.
When authenticating users from a Directory Server that is remote from the OpenSSO Enterprise, it is important that both the Primary and Secondary LDAP Server Ports have values. The value for one Directory Server location can be used for both fields.
Specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists. Multiple entries must be prefixed by the local server name. The format is servername|search dn.
For multiple entries:
servername1|search dn servername2|search dn servername3|search dn...
If multiple entries with the same user ID exist under the root organization, set this parameter so that only one entry can be found for authentication. For example, where an agent ID and a user ID are the same under the root organization, set this parameter to ou=Agents for the root organization to authenticate using the agent ID, and to ou=People for the root organization to authenticate using the user ID.
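The following is an added example, not code from the OpenSSO documentation, showing how the local_servername|value format used by the Primary and Secondary Active Directory Server attributes (and by DN to Start User Search) resolves for a given OpenSSO instance, including the default port of 389 and primary-to-secondary failover. The server names and the reachability callback are constructed for the example.

```python
# Added example (not OpenSSO code): resolve "local_servername|server:port"
# style attribute values for one OpenSSO Enterprise instance.
from typing import Callable, Dict, Optional, Tuple

DEFAULT_LDAP_PORT = 389  # "If there is no port number, assume 389"

# Constructed sample values in the documented format. Entries without a
# "local_servername|" prefix apply to every OpenSSO instance.
PRIMARY_SERVERS = (
    "L1-machine1-IS.example.com|L1-machine1-DS.example.com:389 "
    "L2-machine2-IS.example.com|L2-machine2-DS.example.com:636"
)
SECONDARY_SERVERS = "L2-machine2-IS.example.com|L2-backup-DS.example.com"


def parse_prefixed_entries(value: str) -> Dict[Optional[str], str]:
    """Split a space-separated attribute value into {local_server: target}.

    Un-prefixed entries are stored under the key None. Values are assumed
    not to contain whitespace (true for host:port and typical search DNs).
    """
    result: Dict[Optional[str], str] = {}
    for entry in value.split():
        if "|" in entry:
            local, _, target = entry.partition("|")
            result[local.strip()] = target.strip()
        else:
            result[None] = entry
    return result


def select_for_instance(value: str, local_server: str) -> Optional[str]:
    """Return the entry that applies to this OpenSSO instance.

    A prefixed entry for local_server wins; otherwise fall back to an
    un-prefixed entry; otherwise None (nothing configured for this host).
    """
    entries = parse_prefixed_entries(value)
    return entries.get(local_server, entries.get(None))


def split_host_port(server: str) -> Tuple[str, int]:
    """Parse hostname[:port], defaulting the port to 389 when absent."""
    host, sep, port = server.rpartition(":")
    if not sep:
        return server, DEFAULT_LDAP_PORT
    return host, int(port)


def choose_server(
    primary_attr: str,
    secondary_attr: str,
    local_server: str,
    reachable: Callable[[str, int], bool],
) -> Optional[Tuple[str, int]]:
    """Pick the server to contact: primary first, secondary if it is down.

    `reachable` stands in for the connection attempt (a hypothetical hook,
    so the example runs offline).
    """
    for attr in (primary_attr, secondary_attr):
        server = select_for_instance(attr, local_server)
        if server is None:
            continue
        host, port = split_host_port(server)
        if reachable(host, port):
            return host, port
    return None
```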
Specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default is amldapuser. Any valid DN will be recognized.
Make sure that the password is correct before you log out. If it is incorrect, you will be locked out. If this occurs, you can log in with the super user DN. By default, this is the amAdmin account with which you would normally log in, although you will use its full DN. For example:
uid=amAdmin,ou=People,OpenSSO-deploy-base
Carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid Active Directory password is recognized.
Confirm the password.
Specifies the attribute used for the naming convention of user entries. By default, OpenSSO Enterprise assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.
Lists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber, and mail, the user could authenticate with any of these names.
Specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.
Indicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in DN to Start User Search. The default value is SUBTREE. One of the following choices can be selected from the list:
Searches only the specified node.
Searches at the level of the specified node and one level down.
Searches all entries at and below the specified node.
Enables SSL access to the Directory Server specified in the Primary and Secondary Server and Port field. By default, the box is not checked and the SSL protocol will not be used to access the Directory Server.
If the Active Directory server is running with SSL enabled (LDAPS), make sure that OpenSSO Enterprise is configured with the proper trusted SSL certificates so that it can connect to the Directory Server over LDAPS.
When the OpenSSO Enterprise directory is the same as the directory configured for Active Directory, this option may be enabled. If enabled, this option allows the Active Directory authentication module instance to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module instance returns only the User ID, and the authentication service searches for the user in the local OpenSSO Enterprise instance. If an external Active Directory is used, this option is typically not enabled.
This attribute is used for Active Directory Server failback. It defines the number of minutes in which a thread will “sleep” before verifying that the primary Active Directory server is running.
This attribute is used by the Active Directory authentication module instance when the Active Directory server is configured as an external Active Directory server. It contains a mapping of attributes between a local and an external Directory Server. This attribute has the following format:
attr1|externalattr1
attr2|externalattr2
When this attribute is populated, the values of the external attributes are read from the external Directory Server and are set for the internal Directory Server attributes. The values of the external attributes are set in the internal attributes only when the User Profile attribute (in the Core Authentication module type) is set to Dynamically Created and the user does not exist in the local Directory Server instance. The newly created user will contain the values for the internal attributes, as specified in User Creation Attributes List, with the external attribute values to which they map.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module type allows a user to log in without specifying credentials. You can create an Anonymous user so that anyone can log in as Anonymous without having to provide a password. Anonymous connections are usually customized by the OpenSSO Enterprise administrator so that Anonymous users have limited access to the server. The Anonymous authentication attributes are realm attributes. The attributes are:
Contains a list of user IDs that have permission to log in without providing credentials. If a user's login name matches a user ID in this list, access is granted and the session is assigned to the specified user ID.
If this list is empty, accessing the following default module instance login URL will be authenticated as the Default Anonymous User Name:
protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name
If this list is not empty, accessing the default module instance login URL (same as above) prompts the user to enter any valid Anonymous user name. In that case, the user can log in without seeing the login page by accessing the following URL:
protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name&IDToken1=<valid Anonymous username>
Defines the user ID that a session is assigned to if Valid Anonymous User List is empty and the following default module instance login URL is accessed:
protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name
The default value is anonymous. An Anonymous user must also be created in the realm.
If Valid Anonymous User List is not empty, you can log in without accessing the login page by using the user defined in Default Anonymous User Name. This can be done by accessing the following URL:
protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name&IDToken1=<Default Anonymous User Name>
If enabled, this option allows for case-sensitivity for user IDs. By default, this attribute is not enabled.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
Once an authentication module instance is defined, the instance can be configured for authentication module chaining, for supplying redirect URLs, and for specifying a post-processing Java class to run after a successful or failed authentication process. Before an authentication module instance can be configured, the Core authentication attribute Organization Authentication Configuration must be modified to include the specific authentication module instance name.
This module enables a user to log in through a personal digital certificate (PDC). The module instance can require the use of the Online Certificate Status Protocol (OCSP) to determine the state of a certificate. Use of the OCSP is optional. The user is granted or denied access to a resource based on whether or not the certificate is valid. The Certificate authentication attributes are realm attributes. The attributes are:
Specifies whether to check if the user certificate presented at login is stored in the LDAP Server. If no match is found, the user is denied access. If a match is found and no other validation is required, the user is granted access. The default is that the Certificate Authentication service does not check for the user certificate.
A certificate stored in the Directory Server is not necessarily valid; it may be on the certificate revocation list. See Match Certificate to CRL. However, the web container may check the validity of the user certificate presented at login.
Specifies the attribute of the certificate's SubjectDN value that will be used to search LDAP for certificates. This attribute must uniquely identify a user entry. The actual value will be used for the search. The default is cn.
Specifies whether to compare the user certificate against the Certificate Revocation List (CRL) in the LDAP Server. The CRL is located by one of the attribute names in the issuer's SubjectDN. If the certificate is on the CRL, the user is denied access; if not, the user is allowed to proceed. This attribute is, by default, not enabled.
Certificates should be revoked when the owner of the certificate has changed status and no longer has the right to use the certificate or when the private key of a certificate owner has been compromised.
Specifies the attribute of the received certificate's issuer subjectDN value that will be used to search LDAP for CRLs. This field is used only when the Match Certificate to CRL attribute is enabled. The actual value will be used for the search. The default is cn.
Specifies the HTTP parameters for obtaining a CRL from a servlet for a CRL update. Contact the administrator of your CA for these parameters.
Enables OCSP validation to be performed by contacting the corresponding OCSP responder. The OCSP responder is decided as follows during runtime. The attributes mentioned are located in the console at Configuration > Servers and Sites > Security:
If this value is set to true and the OCSP responder is set in the Responder URL attribute, the value of the attribute will be used as the OCSP responder.
If Online Certificate Status Protocol Check is enabled and if the value of this attribute is not set, the OCSP responder presented in your client certificate is used as the OCSP responder.
If Online Certificate Status Protocol Check is not enabled, or if it is enabled but an OCSP responder cannot be found, no OCSP validation will be performed.
Before enabling OCSP validation, make sure that the clocks of the OpenSSO Enterprise machine and the OCSP responder machine are synchronized as closely as possible. Also, the time on the OpenSSO Enterprise machine must not be behind the time on the OCSP responder. For example:
OCSP responder machine - 12:00:00 pm
OpenSSO Enterprise machine - 12:00:30 pm
Specifies the name and port number of the LDAP server where the certificates are stored. The default value is the host name and port specified when OpenSSO Enterprise was installed. The host name and port of any LDAP Server where the certificates are stored can be used. The format is hostname:port.
Specifies the DN of the node where the search for the user's certificate should start. There is no default value. The field will recognize any valid DN.
Multiple entries must be prefixed by the local server name. The format is as follows:
servername|search dn
For multiple entries:
servername1|search dn servername2|search dn servername3|search dn...
If multiple entries with the same user ID exist under the root organization, set this parameter so that only one entry can be found for authentication. For example, where an agent ID and a user ID are the same under the root organization, set this parameter to ou=Agents for the root organization to authenticate using the agent ID, and to ou=People for the root organization to authenticate using the user ID.
This field accepts the DN of the principal user for the LDAP server where the certificates are stored. There is no default value; any valid DN is recognized. The principal user must be authorized to read and search certificate information stored in the Directory Server.
This field carries the LDAP password associated with the user specified in the LDAP Server Principal User field. There is no default value; the valid LDAP password for the specified principal user is recognized. This value is stored as readable text in the directory.
Confirm the password.
Specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.
Specifies which field in the certificate's Subject DN should be used to search for a matching user profile. For example, if you choose email address, the certificate authentication service will search for the user profile that matches the attribute emailAddr in the user certificate. The user logging in then uses the matched profile. The default field is subject CN. The list contains:
email address
subject CN
subject DN
subject UID
other
If the value of the Certificate Field Used to Access User Profile attribute is set to other, then this field specifies the attribute that will be selected from the received certificate's subjectDN value. The authentication service will then search the user profile that matches the value of that attribute.
If any value type other than none is selected, this attribute has precedence over the Certificate Field Used to Access User Profile and Other Certificate Field Used to Access User Profile attributes.
RFC822Name
UPN
Defines a list of trusted hosts that can be trusted to send certificates to OpenSSO Enterprise. OpenSSO Enterprise must verify whether the certificate emanated from one of these hosts. This attribute is used for the Portal Server gateway, for a load balancer with SSL termination and for Distributed Authentication.
Disables the attribute. This is set by default.
Accepts Portal Server Gateway-style certificate authentication from any client IP address.
Lists the IP addresses from which to accept Portal Server Gateway-style certificate authentication requests (the IP address of the Gateway or Gateways). The attribute is configurable on a realm basis.
Specifies the port number for the secure socket layer. Currently, this attribute is only used by the Gateway servlet. Before you add or change an SSL Port Number, see the "Policy-Based Resource Management" section in the OpenSSO Enterprise Administration Guide.
This attribute is used only when the Trusted Remote Hosts attribute is set to all or has a specific host name defined. The administrator must specify the HTTP header name for the client certificate that is inserted by the load balancer or SRA.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core authentication attribute Default Authentication Level.
This module is the general configuration base for the OpenSSO Enterprise authentication services. It must be registered and configured to use any of the specific authentication module instances. It enables the administrator to define default values that will be picked up for the values that are not specifically set in the OpenSSO Enterprise default authentication modules. The Core attributes are global and realm. The attributes are:
Specifies the Java classes of the available authentication modules. Takes a text string specifying the full class name (including package) of each authentication module. After writing a custom authentication module (by implementing the OpenSSO Enterprise AMLoginModule or the Java Authentication and Authorization Service [JAAS] LoginModule service provider interfaces), the new class value must be added to this property.
Specifies a list of authentication modules supported for a specific client. Formatted as:
clientType | module1,module2,module3 |
This attribute is read by the Client Detection Service when it is enabled.
Specifies the minimum and maximum connection pool to be used on a specific LDAP server and port. Formatted as:
host:port:min:max |
This attribute is for LDAP and Membership authentication services only.
This connection pool is different than the SDK connection pool configured in serverconfig.xml.
Sets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. Formatted as:
min:max |
This value is superseded by a value defined for a specific host and port in the LDAP Connection Pool Size property.
This option determines the profile status of a successfully authenticated user.
Specifies that on successful authentication the Authentication Service will create a user profile if one does not already exist. The SSOToken will then be issued. The user profile is created in the realm's configured user data store.
Specifies that on successful authentication the Authentication Service will create a user profile that contains the User Alias List attribute, which defines one or more aliases for mapping a user's multiple profiles.
Specifies that a user profile is not required for the Authentication Service to issue an SSOToken after a successful authentication.
Specifies that on successful authentication the user must have a user profile in the realm's configured user data store in order for the Authentication Service to issue an SSOToken.
Requires that OpenSSO Enterprise validate the identity of the calling application; thus all remote authentication requests require the calling application's SSOToken. This allows the Authentication Service to obtain the username and password associated with the application.
Defines the authentication chain used by administrators when the process needs to be different from the authentication chain defined for end users. The authentication chain must first be created before it is displayed as an option in this attribute's drop down list.
Specifies the Distinguished Name (DN) of a role to be assigned to a new user whose profile is created when either of the Dynamic options is selected under the User Profile attribute. There are no default values. The role specified must be within the realm for which the authentication process is configured.
This role can be either an OpenSSO Enterprise or LDAP role, but it cannot be a filtered role. If you wish to automatically assign specific services to the user, you have to configure the Required Services attribute in the User Profile.
Determines whether users can return to their authenticated session after restarting the browser. When enabled, a user session will not expire until its persistent cookie expires (as specified by the value of the Persistent Cookie Maximum Time attribute) or the user explicitly logs out. By default, the Authentication Service uses only memory cookies, which expire when the browser is closed.
A persistent cookie must be explicitly requested by the client by appending the iPSPCookie=yes parameter to the login URL.
Specifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The maximum value is 2147483647 (time in seconds). The field will accept any integer value less than the maximum.
After a user is successfully authenticated, the user's profile is retrieved. This field specifies a second LDAP attribute to use in a search for the profile if a search using the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field takes any valid LDAP attribute.
Specifies the default language subtype to be used by the Authentication Service. The default value is en_US. See Supported Language Locales for a listing of valid language subtypes. To use a different locale, authentication templates for that locale must first be created, and a new directory must then be created for these templates.
Defines the default authentication chain used by the realm's users. The authentication chain must first be created before it is displayed as an option in this attribute's drop down list.
Selecting this attribute enables a physical lockout. Physical lockout will inactivate an LDAP attribute (defined in the Lockout Attribute Name property) in the user's profile. This attribute works in conjunction with several other lockout and notification attributes.
Defines the number of attempts that a user has to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out.
Defines (in minutes) the time in which failed login attempts are counted. If one failed login attempt is followed by a second failed attempt, within this defined lockout interval time, the lockout count is begun and the user will be locked out if the number of attempts reaches the number defined in Login Failure Lockout Count. If an attempt within the defined lockout interval time proves successful before the number of attempts reaches the number defined in Login Failure Lockout Count, the lockout count is reset.
Specify one (or more) email address(es) to which notification will be sent if a user lockout occurs. If sending:
To multiple addresses, separate each address with a space.
To non-English locales, format the address as email_address|locale|charset.
Specifies the number of authentication failures that can occur before OpenSSO Enterprise displays a warning message that the user will be locked out.
Defines (in minutes) how long a user must wait after a lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. Memory lockout is when the user's account is locked in memory for the number of minutes specified. The account is unlocked after the time period has passed.
Defines a value with which to multiply the value of the Login Failure Lockout Duration attribute for each successive lockout. For example, if Login Failure Lockout Duration is set to 3 minutes, and the Lockout Duration Multiplier is set to 2, the user will be locked out of the account for 6 minutes. Once the 6 minutes has elapsed, if the user again provides the wrong credentials, the lockout duration would then be 12 minutes. With the Lockout Duration Multiplier, the lockout duration is incrementally increased based on the number of times the user has been locked out.
Defines the LDAP attribute used for physical lockout. The default value is inetuserstatus (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Value field must also contain an appropriate value.
Specifies the action to take on the attribute defined in Lockout Attribute Name. The default value is inactive (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Name field must also contain an appropriate value.
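The following is an added example, not OpenSSO code, that models the lockout attributes described above (count, interval, warning threshold, duration, duration multiplier, and the physical-lockout attribute) so the interaction between them can be traced. It assumes that the multiplier is applied as duration x multiplier^n on the n-th lockout, which reproduces the 6-minute then 12-minute sequence in the text, and that the failure count restarts after each lockout.

```python
# Added example (not OpenSSO code): a model of the Core module's login
# failure lockout policy. All times are in minutes.
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    lockout_count: int = 5         # Login Failure Lockout Count
    lockout_interval: float = 5    # Login Failure Lockout Interval
    warn_after: int = 4            # Warn User After N Failures (0 = never warn)
    lockout_duration: float = 0    # Login Failure Lockout Duration; 0 => physical lockout
    duration_multiplier: int = 1   # Lockout Duration Multiplier (1 = no growth; assumed default)
    lockout_attr_name: str = "inetuserstatus"  # Lockout Attribute Name
    lockout_attr_value: str = "inactive"        # Lockout Attribute Value


@dataclass
class AccountState:
    failures: int = 0                      # failures counted in the current interval
    window_start: Optional[float] = None   # time of the first failure in the interval
    lockouts: int = 0                      # how many times this account was locked out
    locked_until: Optional[float] = None   # memory lockout expiry
    profile: Dict[str, str] = field(default_factory=dict)  # stands in for the LDAP entry


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st, p = self._state(user), self.policy
        # Physical lockout: the profile attribute was set and only an
        # administrator can reactivate the account.
        if st.profile.get(p.lockout_attr_name) == p.lockout_attr_value:
            return True
        # Memory lockout: unlocked automatically once the duration has passed.
        return st.locked_until is not None and now < st.locked_until

    def record_success(self, user: str, now: float) -> str:
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        # A success inside the interval resets the lockout count.
        st.failures, st.window_start = 0, None
        return "ok"

    def record_failure(self, user: str, now: float) -> str:
        st, p = self._state(user), self.policy
        if self.is_locked(user, now):
            return "locked"
        # Failures are only counted while they fall within the lockout
        # interval measured from the first failure; otherwise start over.
        if st.window_start is None or now - st.window_start > p.lockout_interval:
            st.window_start, st.failures = now, 0
        st.failures += 1
        if st.failures >= p.lockout_count:
            st.failures, st.window_start = 0, None  # assumption: count restarts
            st.lockouts += 1
            if p.lockout_duration > 0:
                # Memory lockout; each successive lockout is multiplied again.
                minutes = p.lockout_duration * p.duration_multiplier ** st.lockouts
                st.locked_until = now + minutes
                return f"memory-lockout:{minutes:g}"
            # Duration 0: physical lockout via the configured LDAP attribute.
            st.profile[p.lockout_attr_name] = p.lockout_attr_value
            return "physical-lockout"
        if p.warn_after and st.failures >= p.warn_after:
            return "warn"
        return "fail"
```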
Accepts a list of values that specifies where users are directed after successful authentication. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the type HTML. The default value is /opensso/console. Values that don't specify HTTP or HTTPS will be appended to the deployment URI.
Accepts a list of values that specifies where users are directed after an attempted authentication has failed. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the type HTML. Values that don't specify HTTP or HTTPS will be appended to the deployment URI.
Specifies one or more Java classes used to customize post authentication processes for successful or unsuccessful logins. The Java class must implement the com.sun.identity.authentication.spi.AMPostAuthProcessInterface OpenSSO Enterprise interface. Additionally, add a JAR containing the post processing class to the classpath of the web container instance on which OpenSSO Enterprise is configured. If the web container on which OpenSSO Enterprise is configured explodes the WAR, follow this procedure:
Stop the web container instance.
Change to the WEB-INF/lib directory in the exploded OpenSSO Enterprise WAR directory.
For example, if using Sun Application Server, AS-Deploy-Base/AS-Domain-Dir/AS-Domain/applications/j2ee-modules/opensso/WEB-INF/lib.
Copy the JAR that contains the post processing class to the lib directory.
Restart the web container instance.
When enabled, the Membership module will generate a list of alternate user identifiers if the one entered by a user during the self-registration process is not valid or already exists. The user identifiers are generated by the class specified in the Pluggable User Name Generator Class property.
Specifies the name of the class used to generate alternate user identifiers when Generate UserID Mode is enabled. The default value is com.sun.identity.authentication.spi.DefaultUserIDGenerator.
Lists the type or types of identities for which OpenSSO Enterprise will search. Options include:
Agent
agentgroup
agentonly
Group
User
Specifies one or more Java classes used to provide a callback mechanism for user status changes during the authentication process. The Java class must implement the com.sun.identity.authentication.spi.AMAuthCallBack OpenSSO Enterprise interface. Account lockout and password changes are supported; password change callbacks come only through the LDAP authentication module, as that feature is available only for that module.
Enables the storage of information regarding failed authentication attempts as the value of the sunAMAuthInvalidAttemptsData attribute in the user data store. In order to store data in this attribute, the OpenSSO Enterprise schema has to be loaded. Information stored includes number of invalid attempts, time of last failed attempt, lockout time and lockout duration. Storing this information in the identity repository allows it to be shared among multiple instances of OpenSSO Enterprise.
Enables users to authenticate using module-based authentication. Otherwise, all attempts at authentication using the module=module-instance-name login parameter will result in failure.
Enables the authenticating user's identity attributes (stored in the identity repository) to be set as session properties in the user's SSOToken. The value takes the format User-Profile-Attribute|Session-Attribute-Name. If Session-Attribute-Name is not specified, the value of User-Profile-Attribute is used. All session attributes contain the am.protected prefix to ensure that they cannot be edited by the Client SDK.
For example, to expose the user profile attribute mail in the session as user.mail, the entry for this attribute is mail|user.mail. After a successful authentication, an application retrieves the value with the SSOToken.getProperty(String) method, in this case SSOToken.getProperty("am.protected.user.mail").
Properties set in the user session through User Attribute Mapping to Session Attributes cannot be modified: a call such as SSOToken.setProperty(String, String) on one of them results in an SSOException. Multi-valued attributes, such as memberOf, are stored as a single session property whose values are separated by the pipe symbol, for example Value1|Value2|Value3. An application that splits such a property on the pipe must be prepared for attribute values that themselves contain a pipe, since the two cases cannot be told apart.
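The mapping rules above, worked through as an added example that is not OpenSSO Enterprise code: SessionToken stands in for SSOToken and mirrors only the two methods the text names, the profile data and mapping entries are constructed, and the joined multi-valued property is split back to show both the intended use and the pipe-in-value caveat.

```python
"""Model of the User Attribute Mapping to Session Attributes rules.

Added illustration, not OpenSSO Enterprise code. SessionToken stands in for
SSOToken and only mirrors the two methods the text names (getProperty,
setProperty); the profile data is constructed.
"""

PROTECTED_PREFIX = "am.protected."


class SSOException(Exception):
    """Raised when a caller tries to change a protected session property."""


def parse_mapping(entries):
    """'mail|user.mail' -> {'mail': 'user.mail'}; 'memberOf' -> {'memberOf': 'memberOf'}."""
    mapping = {}
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        profile_attr, sep, session_attr = entry.partition("|")
        mapping[profile_attr] = session_attr if (sep and session_attr) else profile_attr
    return mapping


class SessionToken:
    def __init__(self):
        self._props = {}

    def getProperty(self, name):
        return self._props.get(name)

    def setProperty(self, name, value):
        # Client SDK path: am.protected.* is read-only once the session exists.
        if name.startswith(PROTECTED_PREFIX):
            raise SSOException("%s is protected and cannot be modified" % name)
        self._props[name] = value

    def _set_by_auth_service(self, name, value):
        # Only the authentication service writes protected properties.
        self._props[PROTECTED_PREFIX + name] = value


def populate_session(token, mapping, profile):
    """After a successful login, copy each mapped profile attribute into the token.

    Multi-valued attributes become one string joined with '|'. Caveat: a value
    that itself contains '|' cannot be told apart from two values later on.
    """
    for profile_attr, session_attr in mapping.items():
        values = profile.get(profile_attr)
        if values is None:
            continue
        if isinstance(values, (list, tuple, set)):
            joined = "|".join(str(v) for v in values)
        else:
            joined = str(values)
        token._set_by_auth_service(session_attr, joined)
    return token


def read_multi_valued(token, session_attr):
    """Split a joined property back into its values ([] when absent)."""
    raw = token.getProperty(PROTECTED_PREFIX + session_attr)
    return [] if raw is None else raw.split("|")


def client_can_modify(token, session_attr, value):
    """What the Client SDK sees: False means setProperty raised SSOException."""
    try:
        token.setProperty(PROTECTED_PREFIX + session_attr, value)
    except SSOException:
        return False
    return True


# Constructed sample configuration and LDAP profile.
MAPPING_ENTRIES = ["mail|user.mail", "memberOf"]
SAMPLE_PROFILE = {
    "mail": "alice@example.com",
    "memberOf": ["cn=staff,ou=Groups,dc=example,dc=com",
                 "cn=vpn,ou=Groups,dc=example,dc=com"],
    "userPassword": "never-mapped-so-never-exposed",
}


def login_alice():
    return populate_session(SessionToken(), parse_mapping(MAPPING_ENTRIES), SAMPLE_PROFILE)


if __name__ == "__main__":
    token = login_alice()
    print(token.getProperty("am.protected.user.mail"))
    print(read_multi_valued(token, "memberOf"))
    print(client_can_modify(token, "user.mail", "mallory@example.com"))
```

Only attributes named in the mapping reach the session; userPassword in the sample profile is never copied, which is the reason to keep the mapping list minimal.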
The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the user's SSOToken. When the SSOToken is presented to an application, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level does not meet the minimum value required by the application, it can prompt the user to authenticate again in order to attain a higher authentication level. The authentication level should be set within a realm's specific authentication template. The Default Authentication Level value described here will apply only when no authentication level has been specified in the Authentication Level field for a specific realm's authentication template. The Default Authentication Level default value is 0. The value of this attribute is not used by OpenSSO Enterprise itself but by any external application that may choose to use it.
The Data Store authentication module allows a login using the Identity Repository of the realm to authenticate users. Using the Data Store module removes the requirement to write an authentication plug-in module, load it, and then configure it if you need to authenticate against the same data store repository. Additionally, you do not need to write a custom authentication module where flat-file authentication is needed for the corresponding repository in that realm.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Federation authentication module is used by a service provider to create a user session after validating single sign-on protocol messages. This authentication module is used by the SAML, SAMLv2, ID-FF, and WS-Federation protocols.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The HTTP authentication module allows a login using HTTP basic authentication. The browser prompts for a user name and password and sends them in the Authorization header, base64-encoded but not encrypted, so this module should only be exposed over HTTPS. The credentials are validated internally by an LDAP or Data Store authentication module instance.
Specifies the authentication module used to validate the credentials.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Java Database Connectivity (JDBC) authentication module allows OpenSSO Enterprise to authenticate users through any Structured Query Language (SQL) databases that provide JDBC-enabled drivers. The connection to the SQL database can be either directly through a JDBC driver or through a JNDI connection pool. The JDBC attributes are realm attributes. The attributes are:
Specifies the connection type to the SQL database, using either a JNDI (Java Naming and Directory Interface) connection pool or JDBC driver. The options are:
Connection pool is retrieved via JNDI
Non-persistent JDBC connection
The JNDI connection pool utilizes the configuration from the underlying web container.
If JNDI is selected in Connection Type, this field specifies the connection pool name. Because JDBC authentication uses the JNDI connection pool provided by the web container, the setup of the JNDI connection pool may differ between web containers. See the OpenSSO Enterprise Administration Guide for examples.
If JDBC is selected in Connection Type, this field specifies the JDBC driver provided by the SQL database. For example, com.mysql.jdbc.Driver. The class specified by JDBC Driver must be accessible to the web container instance on which OpenSSO has been deployed and configured. Include the .jar file that contains the JDBC driver class in the OpenSSO-deploy-base/WEB-INF/lib directory.
Specifies the database URL if JDBC is selected in Connection Type. For example, the URL for MySQL is jdbc:mysql://hostname:port/databaseName.
Specifies the user name with which the JDBC connection to the database is made.
Defines the password for the user specified in User to Connect to Database.
Confirm the password.
Specifies the password column name in the SQL database.
Specifies the SQL statement that retrieves the password of the user that is logging in. For example:
select Password from Employees where USERNAME = ?
Specifies the class name that transforms the password retrieved from the database, to the format of the user input, for password comparison. This class must implement the JDBCPasswordSyntaxTransform interface.
By default, the value of this attribute is com.sun.identity.authentication.modules.jdbc.ClearTextTransform, which expects the stored password to be in clear text. Keep the default only if the database really stores passwords unhashed; where the database holds hashed passwords, supply a transform that produces the same representation so that the comparison can succeed.
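The credential check described above, as an added example that is not OpenSSO Enterprise code. It runs the page's SQL statement against an in-memory sqlite3 table with the login name bound as the ? parameter, then compares the stored password with the typed one through a syntax transform. OpenSSO's JDBCPasswordSyntaxTransform takes a single string; the model's transforms also receive the stored value so that a salted-hash scheme can be shown beside the ClearTextTransform default. The table rows, salt and work factor are constructed, and a string-concatenating lookup is included only to show what the bound parameter prevents.

```python
"""Model of the JDBC module's credential check.

Added illustration using sqlite3; it is not OpenSSO Enterprise code. The SQL
statement is the one from the page. OpenSSO's JDBCPasswordSyntaxTransform
takes a single string; the transforms here also receive the stored value so
a salted-hash scheme can be shown next to the ClearTextTransform default.
Table rows, salt and the work factor are constructed.
"""
import hashlib
import hmac
import os
import sqlite3

SQL_STATEMENT = "select Password from Employees where USERNAME = ?"
PBKDF2_ROUNDS = 100000  # assumed work factor


def clear_text_transform(typed, stored):
    """ClearTextTransform equivalent: the column holds the password exactly as typed."""
    return typed


def pbkdf2_transform(typed, stored):
    """Rebuild 'pbkdf2$<salt hex>$<hash hex>' from the typed password and the stored salt."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2":
        return ""  # malformed or different scheme: can never compare equal
    salt = bytes.fromhex(parts[1])
    digest = hashlib.pbkdf2_hmac("sha256", typed.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%s$%s" % (parts[1], digest.hex())


def make_pbkdf2(password, salt=None):
    """Stored form for a new password (salt randomised unless one is supplied)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%s$%s" % (salt.hex(), digest.hex())


def authenticate(conn, username, typed, transform):
    """True only when exactly one row matches and the transformed password equals it."""
    rows = conn.execute(SQL_STATEMENT, (username,)).fetchall()  # login name bound as ?
    if len(rows) != 1:       # unknown user, or more than one row: fail closed
        return False
    stored = rows[0][0]
    if not stored:
        return False
    candidate = transform(typed, stored)
    return hmac.compare_digest(candidate.encode(), stored.encode())


def unsafe_lookup(conn, username):
    """Anti-pattern for contrast: concatenating the login name into the statement."""
    return conn.execute("select Password from Employees where USERNAME = '%s'" % username).fetchall()


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Employees (USERNAME text primary key, Password text)")
    conn.executemany("insert into Employees values (?, ?)", [
        ("legacy", "s3cret"),  # clear-text row, the weak default
        ("alice", make_pbkdf2("correct horse", bytes.fromhex("00112233445566778899aabbccddeeff"))),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(authenticate(db, "legacy", "s3cret", clear_text_transform))
    print(authenticate(db, "alice", "correct horse", pbkdf2_transform))
    print(authenticate(db, "' OR '1'='1", "s3cret", clear_text_transform))
    print(len(unsafe_lookup(db, "' OR '1'='1")))
```

With the bound parameter the login name ' OR '1'='1 matches no row and the login fails; the concatenating lookup returns every row for the same input. The transform must match the column: checking alice with the clear-text transform fails because her column holds a hash, not the password.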
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The following example shows how to set up a connection pool for Web Server and MySQL 4.0:
In the Web Server console, create a JDBC connection pool with the following attributes:
samplePool
com.mysql.jdbc.jdbc2.optional.MysqlDataSource
Server name of the mySQL server.
Port number on which mySQL server is running.
User name of the database user.
The password of the user.
The name of the database.
The jar file that contains the DataSource class and the JDBC driver class mentioned in these steps must be added to the application class path.
Configure the JDBC Resources. In the Web Server console, create a JDBC resource with the following attributes:
jdbc/samplePool
samplePool
on
Add the following lines to the sun-web.xml file of the application:
<resource-ref>
  <res-ref-name>jdbc/mySQL</res-ref-name>
  <jndi-name>jdbc/samplePool</jndi-name>
</resource-ref>
Add the following lines to the web.xml file of the application:
<resource-ref>
  <description>mySQL Database</description>
  <res-ref-name>jdbc/mySQL</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>
Once you have completed these settings, the value for this attribute becomes java:comp/env/jdbc/mySQL.
This module enables authentication using LDAP bind, the Directory Server operation that verifies a password against a particular LDAP entry. You can define multiple LDAP authentication configurations for a realm. The LDAP authentication attributes are realm attributes. The attributes are:
Specifies the host name and port number of the primary LDAP server specified during OpenSSO Enterprise installation. This is the first server contacted for authentication. The format is hostname:port. If there is no port number, assume 389.
If you have OpenSSO Enterprise deployed with multiple domains, you can specify the communication link between specific instances of OpenSSO Enterprise and Directory Server in the following format (multiple entries must be prefixed by the local server name):
local_servername|server:port local_servername2|server2:port2 ...
For example, if you have two OpenSSO Enterprise instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look like the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389
L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
Specifies the host name and port number of a secondary LDAP server available to the OpenSSO Enterprise platform. If the primary LDAP server does not respond to a request for authentication, this server would then be contacted. If the primary server is up, OpenSSO Enterprise will switch back to the primary server. The format is also hostname:port. Multiple entries must be prefixed by the local server name.
When authenticating users from a Directory Server that is remote from the OpenSSO Enterprise, it is important that both the Primary and Secondary LDAP Server Ports have values. The value for one Directory Server location can be used for both fields.
Specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists. Multiple entries must be prefixed by the local server name. The format is servername|search dn.
For multiple entries:
servername1|search dn servername2|search dn servername3|search dn...
If multiple entries exist under the root organization with the same user ID, this parameter should be set so that only one entry can be found for authentication. For example, where an agent ID and a user ID are the same under the root organization, this parameter should be ou=Agents for the root organization to authenticate using the agent ID and ou=People for the root organization to authenticate using the user ID.
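The prefixed list formats described above (primary server, secondary server and search base) resolved for a given OpenSSO Enterprise instance, as an added example that is not OpenSSO Enterprise code. The rules applied are the ones in the attribute descriptions; the liveness probe, the backup host names and the search DNs are constructed. The same format is used by the MSISDN module's server and search DN attributes later on this page.

```python
"""Resolver for the prefixed server and search-base lists used by the LDAP
and MSISDN modules.

Added illustration, not OpenSSO Enterprise code. The rules come from the
attribute descriptions: an entry may be prefixed 'local_servername|', an
unprefixed entry applies to every instance, a host without a port means 389,
and the secondary server is used only while the primary does not respond.
The primary_up probe and the backup host names are constructed.
"""
DEFAULT_LDAP_PORT = 389


def select_entries(entries, local_server):
    """Keep the entries that apply to local_server (prefix stripped), in configured order."""
    selected = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        prefix, sep, entry = raw.partition("|")
        if not sep:
            selected.append(raw)                         # unprefixed: applies everywhere
        elif prefix.strip().lower() == local_server.lower():
            selected.append(entry.strip())
    return selected


def host_port(entry):
    """'host:636' -> ('host', 636); 'host' -> ('host', 389)."""
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return entry, DEFAULT_LDAP_PORT


def choose_server(primary_entries, secondary_entries, local_server, primary_up):
    """(host, port) to contact: the instance's primary while it answers, else its secondary.

    primary_up(entry) is the liveness probe (the failback thread re-checks it
    after the configured sleep). Returns None if nothing applies to this instance.
    """
    for entry in select_entries(primary_entries, local_server):
        if primary_up(entry):
            return host_port(entry)
    for entry in select_entries(secondary_entries, local_server):
        return host_port(entry)
    return None


def search_base(search_dn_entries, local_server):
    """First 'servername|search dn' entry that applies, or None."""
    bases = select_entries(search_dn_entries, local_server)
    return bases[0] if bases else None


# Constructed configuration built on the page's two-site example.
PRIMARY = ["L1-machine1-IS.example.com|L1-machine1-DS.example.com:389",
           "L2-machine2-IS.example.com|L2-machine2-DS.example.com:389"]
SECONDARY = ["L1-machine1-IS.example.com|L1-backup-DS.example.com",        # no port: 389 assumed
             "L2-machine2-IS.example.com|L2-backup-DS.example.com:636"]
SEARCH_DN = ["L1-machine1-IS.example.com|ou=People,dc=example,dc=com",
             "L2-machine2-IS.example.com|ou=Agents,dc=example,dc=com"]


if __name__ == "__main__":
    me = "L1-machine1-IS.example.com"
    print(choose_server(PRIMARY, SECONDARY, me, lambda e: True))
    print(choose_server(PRIMARY, SECONDARY, me, lambda e: False))
    print(search_base(SEARCH_DN, me))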
Specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default is amldapuser. Any valid DN will be recognized.
Carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid LDAP password will be recognized.
Confirm the password.
Specifies the attribute used for the naming convention of user entries. By default, OpenSSO Enterprise assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.
Lists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber, and mail, the user could authenticate with any of these names. These attributes must be set separately.
Specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.
Indicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in the DN to Start User Search attribute. The default value is SUBTREE. One of the following choices can be selected from the list:
Searches only the specified node.
Searches at the level of the specified node and one level down.
Search all entries at and below the specified node.
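How the User Naming Attribute, the User Search Attributes and the typed login ID combine into a search filter, as an added example that is not OpenSSO Enterprise code. The page does not print the filter OpenSSO emits, so the OR-of-attributes shape and the optional administrator-supplied fragment are assumptions; the security point does not depend on them: the login ID is attacker-controlled and is escaped per RFC 4515 before it is placed in the filter, and an unescaped variant is shown only for contrast.

```python
"""Builds the user search filter the LDAP module derives from the User Naming
Attribute, the User Search Attributes and the typed login ID.

Added illustration, not OpenSSO Enterprise code: the page does not print the
filter OpenSSO emits, so the OR-of-attributes shape is an assumption. The
security point holds regardless: the login ID is attacker-controlled and must
be escaped per RFC 4515 before it is placed in a filter.
"""

# LDAP search scope codes (RFC 4511): baseObject, singleLevel, wholeSubtree.
SCOPE = {"OBJECT": 0, "ONELEVEL": 1, "SUBTREE": 2}


def escape_filter_value(value):
    """Replace the characters that carry filter syntax with \\XX escapes."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(login_id, naming_attr="uid", search_attrs=(), admin_filter=None):
    """(attr=login) for one attribute, (|(a=login)(b=login)...) for several.

    admin_filter is an assumed administrator-supplied fragment such as
    '(objectClass=inetOrgPerson)'; it is configuration, not user input, so
    it is AND-ed in unescaped.
    """
    value = escape_filter_value(login_id)
    attrs = []
    for attr in (naming_attr,) + tuple(search_attrs):
        if attr and attr not in attrs:
            attrs.append(attr)
    clauses = "".join("(%s=%s)" % (attr, value) for attr in attrs)
    core = clauses if len(attrs) == 1 else "(|%s)" % clauses
    return "(&%s%s)" % (core, admin_filter) if admin_filter else core


def unescaped_filter(login_id, naming_attr="uid"):
    """The mistake the escaping prevents, shown for contrast only."""
    return "(%s=%s)" % (naming_attr, login_id)


if __name__ == "__main__":
    print(build_user_filter("alice", "uid", ["employeenumber", "mail"]))
    print(unescaped_filter("*"))          # (uid=*): matches every user
    print(build_user_filter("*"))         # (uid=\2a): matches a literal asterisk only
```

A login ID of * unescaped yields (uid=*), which matches every entry under the search base and, combined with a permissive search scope, is exactly the "more than one entry found" situation the DN to Start User Search guidance warns about.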
Enables SSL access to the Directory Server specified in the Primary and Secondary LDAP Server and Port fields. By default, the box is not checked and the SSL protocol is not used to access the Directory Server. Without SSL, both the bind password and each authenticating user's password cross the network to the Directory Server in clear text.
If the LDAP server is running with SSL enabled (LDAPS), you must make sure that OpenSSO Enterprise is configured with the proper trusted SSL certificates so that it can connect to the Directory Server over the LDAPS protocol.
When the OpenSSO Enterprise directory is the same as the directory configured for LDAP, this option may be enabled. If enabled, this option allows the LDAP authentication module to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module returns only the User ID, and the authentication service searches for the user in the local OpenSSO Enterprise LDAP. If an external LDAP directory is used, this option is typically not enabled.
This attribute is used for LDAP Server failback. It defines the number of minutes in which a thread will “sleep” before verifying that the LDAP primary server is running.
This attribute is used by the LDAP authentication module when the LDAP server is configured as an external LDAP server. It contains a mapping of attributes between a local and an external Directory Server. This attribute has the following format:
attr1|externalattr1
attr2|externalattr2
When this attribute is populated, the values of the external attributes are read from the external Directory Server and are set for the internal Directory Server attributes. The values of the external attributes are set in the internal attributes only when the User Profile attribute (in the Core Authentication module) is set to Dynamically Created and the user does not exist in the local Directory Server instance. The newly created user will contain the values for internal attributes, as specified in User Creation Attributes List, with the external attribute values to which they map.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Membership Authentication module is implemented for personalized sites that allow a user to self-register. This means the user can create an account, personalize it, and access it as a registered user without the help of an administrator. The attributes are realm attributes. The attributes are:
Specifies the minimum number of characters required for a password set during self-registration. The default value is 8.
Specifies the roles assigned to new users whose profiles are created through self-registration. There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user.
The role specified must be under the realm for which authentication is being configured. Only the roles that can be assigned to the user will be added during self-registration. All other DNs will be ignored. The role can be either an OpenSSO Enterprise role or an LDAP role, but filtered roles are not accepted.
Specifies whether services are immediately made available to a user who has self-registered. The default value is Active and services are available to the new user. By selecting Inactive, the administrator chooses to make no services available to a new user.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Mobile Station Integrated Services Digital Network (MSISDN) authentication module enables authentication using a mobile subscriber ISDN associated with a device such as a cellular telephone. It is a non-interactive module. The module retrieves the subscriber ISDN and validates it against the Directory Server to find a user that matches the number. The MSISDN Authentication attributes are realm attributes. The MSISDN Authentication attributes are:
Specifies a list of IP addresses of trusted clients that can access the MSISDN module. You can set the IP addresses of all clients allowed to access the MSISDN module by entering the address (for example, 123.234.123.111) in the entry field and clicking Add. By default, the list is empty. If the attribute is left empty, all clients are allowed. If you specify none, no clients are allowed. Because the MSISDN number is read from headers, cookies or parameters that any client can set, restrict this list to the addresses of the gateways that insert the number.
Specifies a list of parameter names that identify which parameters to search in the request header or cookie header for the MSISDN number. For example, if you define x-Cookie-Param, AM_NUMBER, and COOKIE-ID, the MSISDN authentication services will search those parameters for the MSISDN number.
Specifies the host name and port number of the Directory Server in which the search will occur for the users with MSISDN numbers. The format is hostname:port. If there is no port number, assume 389.
If you have OpenSSO Enterprise deployed with multiple domains, you can specify the communication link between specific instances of OpenSSO Enterprise and Directory Server in the following format (multiple entries must be prefixed by the local server name):
local_servername|server:port local_servername2|server2:port2 ...
For example, if you have two OpenSSO Enterprise instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look like the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389
L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
Specifies the DN of the node where the search for the user's MSISDN number should start. There is no default value. The field will recognize any valid DN. Multiple entries must be prefixed by the local server name. The format is servername|search dn.
For multiple entries:
servername1|search dn servername2|search dn servername3|search dn...
If multiple entries exist under the root organization with the same user ID, this parameter should be set so that only one entry can be found for authentication. For example, where an agent ID and a user ID are the same under the root organization, this parameter should be ou=Agents for the root organization to authenticate using the agent ID and ou=People for the root organization to authenticate using the user ID.
Specifies the name of the attribute in the user's profile that contains the MSISDN number to search for a particular user. The default value is sunIdentityMSISDNNumber. This value should not be changed, unless you are certain that another attribute in the user's profile contains the same MSISDN number.
Specifies the LDAP bind DN to allow MSISDN searches in the Directory Server. The default bind DN is cn=amldapuser,ou=DSAME Users,dc=sun,dc=com .
Specifies the LDAP bind password for the bind DN, as defined in LDAP Server Principal User.
Confirm the password.
Enables SSL access to the Directory Server specified in the LDAP Server and Port attribute. By default, this is not enabled and the SSL protocol will not be used to access the Directory Server. However, if this attribute is enabled, you can bind to a non-SSL server.
Specifies the headers to use for searching the request for the MSISDN number. The supported values are as follows:
Performs the search in the cookie.
Performs the search in the request header.
Performs the search in the request parameter. By default, all options are selected.
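The trusted client list and the header search described above, combined into one non-interactive check, as an added example that is not OpenSSO Enterprise code. The request layout, the gateway address and the number-to-user directory are constructed, the search order follows the three locations listed, and the digit-length sanity check is an assumption (E.164 numbers have at most 15 digits). The point it makes: the number arrives in client-writable fields, so the same header is accepted from the gateway and rejected from anyone else.

```python
"""Model of two MSISDN module checks: the trusted client address list and the
search of the cookie, request header and request parameter named in the
parameter-name list for the subscriber number.

Added illustration, not OpenSSO Enterprise code. The request layout, the
gateway addresses and the number-to-user directory are constructed; the
digit-length sanity check is an assumption (E.164 numbers have at most 15
digits).
"""
import ipaddress
import re

MSISDN_RE = re.compile(r"^\+?[0-9]{6,15}$")


def client_allowed(trusted_clients, client_ip):
    """Empty list: all clients; the entry 'none': no clients; otherwise exact address match."""
    entries = [e.strip() for e in trusted_clients if e.strip()]
    if not entries:
        return True
    if any(e.lower() == "none" for e in entries):
        return False
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for e in entries:
        try:
            if ipaddress.ip_address(e) == addr:
                return True
        except ValueError:
            continue          # malformed configuration entry never matches
    return False


def find_msisdn(request, param_names, search_in=("cookie", "header", "parameter")):
    """(location, raw value) for the first configured name found, searched in the given order."""
    sources = {"cookie": request.get("cookies", {}),
               "header": request.get("headers", {}),
               "parameter": request.get("parameters", {})}
    wanted = [n.lower() for n in param_names]
    for where in search_in:
        lowered = {k.lower(): v for k, v in sources[where].items()}
        for name in wanted:
            if name in lowered:
                return where, lowered[name]
    return None


def authenticate_msisdn(request, trusted_clients, param_names, directory,
                        search_in=("cookie", "header", "parameter")):
    """User ID for the request, or None. directory maps number -> uid
    (stands in for the sunIdentityMSISDNNumber lookup)."""
    if not client_allowed(trusted_clients, request.get("client_ip", "")):
        return None
    found = find_msisdn(request, param_names, search_in)
    if found is None:
        return None
    number = found[1].strip()
    if not MSISDN_RE.match(number):
        return None
    return directory.get(number)


# Constructed data: the page's example parameter names, one gateway, one subscriber.
PARAM_NAMES = ["x-Cookie-Param", "AM_NUMBER", "COOKIE-ID"]
TRUSTED = ["192.0.2.10"]
DIRECTORY = {"+15551230001": "alice"}


def gateway_request(number, client_ip="192.0.2.10"):
    return {"client_ip": client_ip, "cookies": {}, "headers": {"X-Cookie-Param": number}, "parameters": {}}


if __name__ == "__main__":
    print(authenticate_msisdn(gateway_request("+15551230001"), TRUSTED, PARAM_NAMES, DIRECTORY))
    print(authenticate_msisdn(gateway_request("+15551230001", "198.51.100.7"), TRUSTED, PARAM_NAMES, DIRECTORY))
```

With the trusted list left empty the second request, which carries the same forged header from an untrusted address, would also log in as alice; that is why the default of "empty allows all" should not survive into production.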
Specifies the LDAP attribute that is used during a search to return the user profile for MSISDN authentication service. The default is uid.
When the OpenSSO Enterprise directory is the same as the directory configured for MSISDN, this option may be enabled. If enabled, this option allows the authentication module to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module returns only the User ID, and the authentication service searches for the user in the local OpenSSO Enterprise. If an external directory is used, this option is typically not enabled.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for authentication using an external Remote Authentication Dial-In User Service (RADIUS) server. The RADIUS Authentication attributes are realm attributes. The attributes are:
Displays the IP address or fully qualified host name of the primary RADIUS server. The default IP address is 127.0.0.1. The field will recognize any valid IP address or host name. Multiple entries must be prefixed by the local server name as in the following syntax:
local_servername|ip_address local_servername2|ip_address ...
Displays the IP address or fully qualified domain name (FQDN) of the secondary RADIUS server. It is a failover server which will be contacted if the primary server could not be contacted. The default IP address is 127.0.0.1. Multiple entries must be prefixed by the local server name as in the following syntax:
local_servername|ip_address local_servername2|ip_address ...
Carries the shared secret for RADIUS authentication. The shared secret should have the same qualifications as a well-chosen password. There is no default value for this field.
Confirmation of the shared secret for RADIUS authentication.
Specifies the port on which the RADIUS server is listening. The default value is 1645, the port used by early RADIUS implementations; RFC 2865 assigns UDP port 1812 to RADIUS authentication, so check which port your server actually uses.
Specifies the time interval in seconds to wait for the RADIUS server to respond before a timeout. The default value is 3 seconds. It will recognize any number specifying the timeout in seconds.
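What the shared secret, port and timeout settings above protect, as an added example that is not OpenSSO Enterprise code: an Access-Request assembled by hand with the User-Password attribute hidden under the secret (RFC 2865 section 5.2) and the server's reply checked against its Response Authenticator (RFC 2865 section 3). The secret, identifier and request authenticator in the demo are constructed; a real client draws the authenticator from os.urandom, and the reply builder exists only so the client-side check has something to verify offline.

```python
"""Builds the RADIUS Access-Request the module sends and shows what the shared
secret is used for: hiding the User-Password attribute (RFC 2865 section 5.2)
and authenticating the server's reply (RFC 2865 section 3).

Added illustration, not OpenSSO Enterprise code. The packet is assembled by
hand; the secret, identifier and request authenticator in the demo are
constructed (a real client draws the authenticator from os.urandom).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, authenticator):
    """XOR each 16-byte block of the null-padded password with a chained MD5 stream."""
    p = password.encode()
    p += b"\x00" * ((-len(p) % 16) if p else 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(p[i:i + 16], stream))
        out += block
        prev = block                      # next block keys on the previous ciphertext
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; what the server does with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")


def attribute(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """{type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break                       # malformed: stop rather than read past the end
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def access_request(identifier, username, password, secret, authenticator=None):
    """Return (packet bytes, request authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username.encode()) + \
        attribute(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def make_reply(code, identifier, request_authenticator, secret, attrs=b""):
    """The server side, built here only to have a reply to verify."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def response_valid(response, secret, request_authenticator):
    """Accept a reply only if its Response Authenticator checks out under our secret."""
    if len(response) < 20:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def packet_code(packet):
    return packet[0]


def declared_length(packet):
    return struct.unpack("!H", packet[2:4])[0]


if __name__ == "__main__":
    secret = b"assumed-shared-secret"
    pkt, auth = access_request(7, "alice", "s3cret", secret)
    print(parse_attributes(pkt)[ATTR_USER_PASSWORD].hex())
    print(response_valid(make_reply(ACCESS_ACCEPT, 7, auth, secret), secret, auth))
```

The password hiding is MD5-keyed XOR, not encryption in the modern sense, and the whole exchange travels over UDP; the "well-chosen password" advice for the secret is the only thing standing between a network observer and the user's password, and the timeout and secondary server settings decide how a silent or spoofed server is handled.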
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Secure Attribute Exchange (SAE) authentication module is used when an external entity (such as an existing application) has already authenticated the user and wishes to securely inform a local OpenSSO Enterprise instance about the authentication to trigger the creation of an OpenSSO Enterprise session for the user. The SAE authentication module is also used by the Virtual Federation functionality, where the existing entity instructs the local OpenSSO Enterprise instance to use federation protocols to transfer authentication and attribute information to a partner application. The SAE attribute is a realm attribute.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for users to authenticate using Secure Computing's SafeWord or SafeWord PremierAccess authentication servers. The SafeWord Authentication Attributes are realm attributes. The attributes are:
Specifies the SafeWord or SafeWord PremierAccess server name and port. Port 7482 is set as the default for a SafeWord server. The default port number for a SafeWord PremierAccess server is 5030.
Specifies the directory into which the SafeWord client library places its verification files. The default is as follows:
ConfigurationDirectory/uri/auth/safeword/serverVerification
If a different directory is specified in this field, the directory must exist before attempting SafeWord authentication.
Enables SafeWord logging. By default, SafeWord logging is enabled.
Specifies the SafeWord logging level. Select a level in the Drop-down menu. The levels are DEBUG, ERROR, INFO and NONE .
Specifies the directory path and log file name for SafeWord client logging. The default path is ConfigurationDirectory/uri/auth/safeword/safe.log.
If a different path or filename is specified, it must exist before attempting SafeWord authentication. If more than one realm is configured for SafeWord authentication, and different SafeWord servers are used, then different paths must be specified or only the first realm where SafeWord authentication occurs will work. Likewise, if a realm changes SafeWord servers, the swec.dat file in the specified directory must be deleted before authentications to the newly configured SafeWord server will work.
Defines the timeout period (in seconds) between the SafeWord client (OpenSSO Enterprise) and the SafeWord server. The default is 120 seconds.
Defines the Client Type that the SafeWord server uses to communicate with different clients, such as Mobile Client, VPN, Fixed Password, Challenge/Response, and so forth.
This attribute specifies the Extended Authentication and Single Sign-on Protocol (EASSP) version. This field accepts either the standard (101), SSL-encrypted premier access (200), or premier access (201) protocol versions.
Defines the minimum authenticator strength for the client/SafeWord server authentication. Each client type has a different authenticator value, and the higher the value, the higher the authenticator strength. 20 is the highest value possible. 0 is the lowest value possible.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for authentication using RSA (a division of EMC) ACE/Server software and RSA SecurID authenticators. For this release of OpenSSO Enterprise, the SecurID Authentication module is available for Solaris/SPARC, Solaris/x86, Linux, and Windows platforms supported by OpenSSO Enterprise. The SecurID authentication attributes are realm attributes. The attributes are:
Specifies the directory in which the SecurID ACE/Server sdconf.rec file is located, by default ConfigurationDirectory/uri/auth/ace/data. If you specify a different directory in this field, the directory must exist before attempting SecurID authentication.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for authentication using a user's Unix identification and password. If any of the Unix authentication attributes are modified, both OpenSSO Enterprise and the amunixd helper must be restarted. For more information on starting the amunixd helper, see Running the Unix Authentication Helper (amunixd Daemon) in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide. This authentication module is supported on Solaris and Linux. The Unix authentication attributes are:
This attribute specifies the port on which the Unix Helper listens upon startup for the configuration information contained in the Unix Helper Authentication Port, Unix Helper Timeout, and Unix Helper Threads attributes. The default is 58946.
This attribute specifies the port on which the Unix Helper listens for authentication requests after configuration. The default port is 57946.
This attribute specifies the number of minutes that users have to complete authentication. If users surpass the allotted time, authentication automatically fails. The default time is set to 3 minutes.
This attribute specifies the maximum number of permitted simultaneous Unix authentication sessions. If the maximum is reached at a given moment, subsequent authentication attempts are not allowed until a session is freed up. The default is set to 5.
This is a realm attribute. The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This is a realm attribute. It defines the PAM (Pluggable Authentication Module) configuration or stack that is shipped with your operating system and is used for Unix authentication. For Solaris, the name defaults to other; for Linux, the name is password.
For more information on PAM, please consult the documentation for your system. For Solaris, see pam.conf(4) and for Linux, see the PAM files in /etc/pam.d.
This module is specific to Windows and is also known as Kerberos authentication. The user presents a Kerberos token to OpenSSO Enterprise through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol. The Windows Desktop SSO authentication plug-in module provides a client (user) with desktop single sign-on. This means that a user who has already authenticated with a key distribution center can be authenticated with OpenSSO Enterprise without having to provide the login information again. The Windows Desktop SSO attributes are global attributes. The attributes are:
Specifies the Kerberos principal that is used for authentication. Use the following format:
HTTP/hostname.domainname@dc_domain_name
hostname and domainname represent the hostname and domain name of the OpenSSO Enterprise instance. dc_domain_name is the Kerberos domain in which the Windows Kerberos server (domain controller) resides. It is possibly different from the domain name of the OpenSSO Enterprise instance.
This attribute specifies the Kerberos keytab file that is used for authentication and takes the absolute path to the keytab file.
This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending on your configuration, the domain name of the domain controller may be different from the OpenSSO Enterprise domain name.
This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.
If enabled, this attribute allows OpenSSO Enterprise to automatically return the Kerberos principal with the domain controller's domain name during authentication.
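A configuration check for the Windows Desktop SSO attributes above, added here as an example and not OpenSSO code: it parses a principal of the form HTTP/hostname.domainname@dc_domain_name, confirms its realm is the configured domain controller domain name, and checks that the keytab path is absolute and the domain controller hostname is fully qualified. The configuration dictionaries and their key names are constructed for this example.

```python
# Added example (not OpenSSO code): consistency checks over a constructed
# Windows Desktop SSO module configuration.
import re
from typing import Dict, List

# HTTP/hostname.domainname@dc_domain_name, as the attribute description gives it.
PRINCIPAL_RE = re.compile(
    r"^HTTP/(?P<host>[A-Za-z0-9-]+)\.(?P<domain>[A-Za-z0-9.-]+)@(?P<realm>[A-Za-z0-9.-]+)$")

def parse_principal(principal: str) -> Dict[str, str]:
    """Split the service principal into host, domain and Kerberos realm."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(
            f"principal does not match HTTP/hostname.domainname@dc_domain_name: {principal!r}")
    return m.groupdict()

def validate_wdsso_config(cfg: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the configuration is consistent."""
    try:
        parts = parse_principal(cfg["principal"])
    except ValueError as exc:
        return [str(exc)]
    findings: List[str] = []
    # The realm in the principal is the domain controller's Kerberos domain.
    if parts["realm"].upper() != cfg["kdc_domain"].upper():
        findings.append(f"principal realm {parts['realm']} differs from "
                        f"KDC domain name {cfg['kdc_domain']}")
    # The keytab attribute takes an absolute path (Unix or Windows style).
    if not (cfg["keytab"].startswith("/") or re.match(r"^[A-Za-z]:\\", cfg["keytab"])):
        findings.append(f"keytab path is not absolute: {cfg['keytab']}")
    # The domain controller hostname must be an FQDN.
    if "." not in cfg["kdc_host"]:
        findings.append(f"KDC hostname is not fully qualified: {cfg['kdc_host']}")
    return findings

# Constructed sample configurations (hostnames and realms are illustrative).
GOOD_CFG = {
    "principal": "HTTP/sso1.example.com@AD.EXAMPLE.NET",
    "keytab": "/etc/opensso/sso1.keytab",
    "kdc_domain": "AD.EXAMPLE.NET",
    "kdc_host": "dc1.ad.example.net",
}
BAD_CFG = {
    "principal": "HTTP/sso1.example.com@EXAMPLE.COM",  # realm is not the KDC domain
    "keytab": "sso1.keytab",                             # relative path
    "kdc_domain": "AD.EXAMPLE.NET",
    "kdc_host": "dc1",                                   # not an FQDN
}
```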
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Windows NT Authentication module allows for authentication against a Microsoft Windows NT server. The attributes are realm attributes. The values applied to them under Service Configuration become the default values for the Windows NT Authentication template. The service template needs to be created after registering the service for the realm. The default values can be changed after registration by the realm's administrator. Realm attributes are not inherited by entries in the subtrees of the realm.
In order to activate the Windows NT Authentication module, Samba Client 2.2.2 or 3.x must be downloaded and installed to the following directory:
ConfigurationDirectory/uri/bin
The Samba Client is a file and print server for blending Windows and UNIX machines without requiring a separate Windows NT/2000 Server.
Red Hat Linux ships with a Samba client, located in the /usr/bin directory.
In order to authenticate using the Windows NT Authentication service for Linux, copy the client binary to /bin.
The Windows NT attributes are:
Defines the domain name to which the user belongs.
Defines the Windows NT authentication hostname. The hostname should be the NetBIOS name, as opposed to the fully qualified domain name (FQDN). By default, the first part of the FQDN is the NetBIOS name.
If DHCP (Dynamic Host Configuration Protocol) is used, put a suitable entry in the HOSTS file on the Windows 2000 machine.
Name resolution will be performed based on the NetBIOS name. If you do not have any server on your subnet supplying NetBIOS name resolution, the mappings should be hardcoded. For example, the hostname should be example1, not example1.company1.com.
Defines the Samba configuration filename and supports the -s option in the smbclient command. The value must be the full directory path where the Samba configuration file is located.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.