|
| |
| Sun Java System Access Manager 6 2005Q1 Administration Guide | |
Chapter 26
MSISDN Authentication AttributesThe MSISDN Authentication attributes are organization attributes. The values applied to them under Service Configuration become the default values for the MSISDN Authentication template. The service template needs to be created after registering the service for the organization. The default values can be changed after registration by the organization’s administrator. Organization attributes are not inherited by entries in the organization. The MSISDN Authentication attributes are:
Trusted Gateway IP Address
This attribute specifies a list of IP addresses of trusted clients that can access MSIDSN modules. You can set the IP addresses of all clients allows to access the MSISDN module by entering the address (for example, 123.456.123.111) in the entry field and clicking Add. By default, the list is empty. If the attribute is left empty, then all clients are allowed. If you specify none, no clients are allowed.
MSISDN Number Argument
This field specifies a list of parameter names that identify which parameters to search in the request header or cookie header for the MSISDN number. For example, if you define x-Cookie-Param, AM_NUMBER and COOKIE-ID, the MSISDN authentication services will search those parameters for the MSISDN number.
LDAP Server and Port
This field specifies the host name and port number of the Directory Server in which the search will occur for the users with MSISDN numbers. The format is hostname:port. (If there is no port number, assume 389.).
If you have Access Manager deployed with multiple domains, you can specify the communication link between specific instances of Access Manager and Directory Server in the following format (multiple entries must be prefixed by the local server name):
local_servername|server:port local_servername2|server2:port2 ...
For example, if you have two Access Manager instances deployed in different locations (L1-machine1-IS and L2- machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389 L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
LDAP Start Search DN
This field specifies the DN of the node where the search for the user’s MSISDN number should start. There is no default value. The field will recognize any valid DN. Multiple entries must be prefixed by the local server name. The format is as follows:
servername|search dn
For multiple entries
servername1|search dn servername2|search dn servername3|search dn...
If multiple users are found for the same search, authentication will fail.
Attribute To Use To Search LDAP
This field specifies the name of the attribute in the user’s profile that contains MSISDN number to search for a particular user. The default value is sunIdentityMSISDNNumber. This value should not be changed, unless you are certain that another attribute in the user’s profile contains the same MSISDN number.
LDAP Server Principal User
This attribute specifies the LDAP bind DN to allow MSISDN searches in the Directory Server. The default bind DN is cn=amldapuser,ou=DSAME Users,dc=sun,dc=com.
LDAP Server Principal Password
This attribute specifies the LDAP bind password for the bind DN, as defined in LDAP Server Principal User.
LDAP Server Principal Password (confirm)
Confirm the password.
SSL On For LDAP Access
This option enables SSL access to the Directory Server specified in the LDAP Server and Port attribute. By default, this is not enabled and the SSL protocol will not be used to access the Directory Server. However, if this attribute is enabled, you can bind to a non-SSL server.
MSISDN Header Search Attribute
This attribute specifies the headers to use for searching the request for the MSISDN number. The supported values are as follows:
By default, all options are selected.
Authentication Level
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
Note
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Auth Level. See “Default Authentication Level” on page 306 for details.