Sun OpenSSO Enterprise 8.0 Administration Guide

Configuring the Core Authentication Service

Core Authentication contains general Authentication Service properties that can be defined globally for the OpenSSO Enterprise deployment (under the Configuration tab) or specifically for a configured realm (under the Access Control tab). The Core authentication module is added and enabled for the top level realm during installation. As new realms are created under the top level realm, these properties (and the values defined globally for them) are dynamically added to each new realm. Once added, new values can be defined and configured values can be modified by the realm's administrator. The values are then used if no overriding value is defined in the specified authentication module instance or authentication chain. The Authentication Service finds the general operating data it needs in the following order of precedence.

  1. Authentication process property values (specified authentication module instance, authentication chain or both) in the configured realm.

  2. Realm property values defined for the realm's users, roles, services, and so forth.

  3. Global property values if no overriding value is defined in the configured realm or authentication process.

The following procedures illustrate the levels at which the Core Authentication module can be modified after installation.

Procedure: To Modify Core Authentication Properties Globally

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator.

  1. Click the Configuration tab.

  2. Click Core under the Authentication tab.

  3. Modify the Global attributes by adding or changing the values.

    These properties contain operating values that are applied to the Authentication Service throughout the OpenSSO Enterprise deployment.

    Pluggable Authentication Module Classes

    Specifies the Java classes of the available authentication modules. Takes a text string specifying the full class name (including package) of each authentication module. After writing a custom authentication module (by implementing the OpenSSO Enterprise AMLoginModule or the Java Authentication and Authorization Service [JAAS] LoginModule service provider interfaces), the new class value must be added to this property.

    Supported Authentication Modules for Clients

    Specifies a list of authentication modules supported for a specific client. Formatted as:


    clientType | module1,module2,module3
    

    This attribute is read by the Client Detection Service when it is enabled.

    LDAP Connection Pool Size

    Specifies the minimum and maximum connection pool size to be used for a specific LDAP server and port. Formatted as:


    host:port:min:max
    

    This attribute is for LDAP and Membership authentication services only.

    Default LDAP Connection Pool Size

    Sets the default minimum and maximum connection pool size to be used with all LDAP authentication module configurations. Formatted as:


    min:max
    

    This value is superseded by a value defined for a specific host and port in the LDAP Connection Pool Size property.
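The three structured values above (clientType | module list, host:port:min:max and min:max) are easy to get subtly wrong in the console. The following is an added example, not code from the guide or from OpenSSO Enterprise, that parses each format, rejects malformed entries, and resolves the effective pool size for a server using the precedence the guide states (a host:port entry supersedes the default). The function names and the sample values are this example's own.

```python
"""Parse the structured Core Authentication global property values and resolve
the effective LDAP pool size. Added example; not OpenSSO Enterprise code."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_client_modules(entries: List[str]) -> Dict[str, List[str]]:
    """Parse 'clientType | module1,module2,...' entries into {clientType: [modules]}."""
    result: Dict[str, List[str]] = {}
    for entry in entries:
        if "|" not in entry:
            raise ValueError(f"missing '|' separator in {entry!r}")
        client, modules = (part.strip() for part in entry.split("|", 1))
        names = [m.strip() for m in modules.split(",") if m.strip()]
        if not client or not names:
            raise ValueError(f"empty client type or module list in {entry!r}")
        result[client] = names
    return result


@dataclass(frozen=True)
class PoolSize:
    minimum: int
    maximum: int


def _min_max(min_s: str, max_s: str, context: str) -> PoolSize:
    """Shared validation: both bounds are integers, 0 <= min <= max and max > 0."""
    try:
        lo, hi = int(min_s), int(max_s)
    except ValueError:
        raise ValueError(f"non-integer pool size in {context!r}") from None
    if lo < 0 or hi <= 0 or lo > hi:
        raise ValueError(f"invalid pool size {lo}:{hi} in {context!r}")
    return PoolSize(lo, hi)


def parse_default_pool(value: str) -> PoolSize:
    """Parse the 'min:max' form of Default LDAP Connection Pool Size."""
    parts = value.strip().split(":")
    if len(parts) != 2:
        raise ValueError(f"expected min:max, got {value!r}")
    return _min_max(parts[0], parts[1], value)


def parse_pool_sizes(entries: List[str]) -> Dict[Tuple[str, int], PoolSize]:
    """Parse 'host:port:min:max' entries of LDAP Connection Pool Size."""
    result: Dict[Tuple[str, int], PoolSize] = {}
    for entry in entries:
        parts = entry.strip().split(":")
        if len(parts) != 4:
            raise ValueError(f"expected host:port:min:max, got {entry!r}")
        host, port_s, min_s, max_s = parts
        if not host or not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError(f"bad host or port in {entry!r}")
        key = (host.lower(), int(port_s))      # host names compare case-insensitively
        if key in result:
            raise ValueError(f"duplicate entry for {host}:{port_s}")
        result[key] = _min_max(min_s, max_s, entry)
    return result


def effective_pool_size(host: str, port: int,
                        specific: Dict[Tuple[str, int], PoolSize],
                        default: PoolSize) -> PoolSize:
    """A host:port entry supersedes the default value, as the guide states."""
    return specific.get((host.lower(), port), default)


# Constructed sample values, as an administrator might enter them in the console.
SAMPLE_CLIENT_MODULES = ["genericHTML | LDAP,DataStore,Membership", "wml | LDAP"]
SAMPLE_DEFAULT_POOL = "1:10"
SAMPLE_POOL_SIZES = ["ldap1.example.com:389:5:50", "ldap2.example.com:636:2:20"]

if __name__ == "__main__":
    default = parse_default_pool(SAMPLE_DEFAULT_POOL)
    specific = parse_pool_sizes(SAMPLE_POOL_SIZES)
    print(parse_client_modules(SAMPLE_CLIENT_MODULES))
    for host, port in [("ldap1.example.com", 389), ("ldap3.example.com", 389)]:
        print(host, port, effective_pool_size(host, port, specific, default))
```

A server that has no host:port entry falls back to the default; a min greater than max, a port outside 1-65535, or a duplicate host:port entry is refused rather than silently accepted.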

    Remote Auth Security

    Requires OpenSSO Enterprise to validate the identity of the calling application: every remote authentication request must carry the calling application's SSOToken, which the Authentication Service uses to obtain the user name and password associated with that application.

    Keep Post Process Objects for Logout Processing

    Requires that the user session hold the instances of any post processing authentication classes used during the log in process after authentication is complete. When user log out is later invoked, the onLogout() method of these instances is called. If this attribute is not enabled, the post processing instances are not preserved and new instances are created when logout is invoked.

    Keep Authentication Module Objects for Logout Processing

    Requires that the user session hold the instances of authentication modules used during the log in process after authentication is complete. When user log out is later invoked, the destroyModuleState() method of these instances is called. If this attribute is not enabled, the authentication module instances are not preserved and no method on the authentication modules is called upon log out.

  4. Modify the top level Realm attributes by adding or changing the values.

    These realm properties (as defined globally under the Configuration tab) are specific to the top level realm. Top level realm properties can also be modified by navigating to the top level realm itself. See To Modify Core Authentication Properties By Realm for instructions and definitions of the attributes.

  5. Click Save.

  6. Click Back to Service Configuration.

  7. Log out of the OpenSSO Enterprise console.

Procedure: To Modify Core Authentication Properties By Realm

Realm attributes are applied to the realm under which they are configured.

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator.

  1. Click the Access Control tab.

  2. Click the name of the realm that contains the properties to be modified.

  3. Click the Authentication tab.

    The Core authentication module's General properties for the realm are displayed.

  4. Modify the values of the realm's General properties.

    The General properties are defined in the Core authentication module and are configurable by realm. Those documented in this step are the ones most likely to be modified.

    Default Authentication Chain

    Defines the default authentication chain used by the realm's users. The authentication chain must first be created before it is displayed as an option in the drop down list. For more information see To Create an Authentication Chain.

    Administrator Authentication Chain

    Defines the authentication chain used by administrators when the process needs to be different from the authentication chain defined for end users. The authentication chain must first be created before it is displayed as an option in the drop down list. For more information see To Create an Authentication Chain.

    Default Success Login URL

    Specifies a URL that the user will be redirected to upon successful authentication to the realm.

  5. Click Advanced Properties.

    The Core authentication module's General Advanced Properties for the realm are displayed.

  6. Modify the attributes.

    The General Advanced Properties are defined in the Core authentication module and are configurable by realm. Those documented in this step are the ones less likely to be modified.

    User Profile

    This option determines the profile status of a successfully authenticated user.

    Dynamic

    Specifies that on successful authentication the Authentication Service will create a user profile if one does not already exist. The SSOToken will then be issued. The user profile is created in the realm's configured user data store.

    Dynamic With User Alias

    Specifies that on successful authentication the Authentication Service will create a user profile that contains the User Alias List attribute, which defines one or more aliases for mapping a user's multiple profiles.

    Ignore

    Specifies that a user profile is not required for the Authentication Service to issue an SSOToken after a successful authentication.

    Required

    Specifies that on successful authentication the user must have a user profile in the realm's configured user data store in order for the Authentication Service to issue an SSOToken.

    Administrator Authentication Configuration

    Defines the authentication chain used by administrators when the process needs to be different from the authentication chain defined for end users. The authentication chain must first be created before it is displayed as an option in the drop down list. For more information see To Create an Authentication Chain.

    User Profile Dynamic Creation Default Roles

    Specifies the DN of a role to be assigned to a new user whose profile is created when either of the Dynamic options is selected under the User Profile attribute. There are no default values. The role specified must be within the realm for which the authentication process is configured.


    Tip –

    This role can be either an OpenSSO Enterprise or LDAP role, but it cannot be a filtered role.


    Persistent Cookie Mode

    Determines whether users can return to their authenticated session after restarting the browser. When enabled, a user session will not expire until its persistent cookie expires (as specified by the value of the Persistent Cookie Maximum Time attribute), or the user explicitly logs out. By default, the Authentication Service uses only memory cookies (expires when the browser is closed).


    Tip –

    A persistent cookie must be explicitly requested by the client by appending the iPSPCookie=yes parameter to the login URL. For more information see iPSPCookie Parameter.


    Persistent Cookie Maximum Time

    Specifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The maximum value is 2147483647 (time in seconds); the field accepts any positive integer up to that maximum.

    Alias Search Attribute Name

    After a user is successfully authenticated, the user's profile is retrieved. This field specifies a second LDAP attribute to use in a search for the profile if a search using the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field takes any valid LDAP attribute.

    Default Authentication Locale

    Specifies the default language subtype to be used by the Authentication Service. The default value is en_US. See Supported Language Locales in Sun OpenSSO Enterprise 8.0 Administration Reference for a list of supported language subtypes. To use a different locale, authentication templates for that locale must first be created. A new directory must then be created for these templates. For more information see locale Parameter.

    Organization Authentication Configuration

    Defines the default authentication chain used by the realm's users. The authentication chain must first be created before it is displayed as an option in this attribute's drop down list. For more information see To Create an Authentication Chain.

    Account Lockout Attributes

    These attributes are relevant to account lockout in which a user will be locked out from authenticating after a defined number of log in attempts has failed. For more information on the account lockout options, see Enabling Account Lockout.

    Login Failure Lockout Mode

    Selecting this attribute enables physical lockout. Physical lockout sets an LDAP attribute in the user's profile (defined in the Lockout Attribute Name property) to the value defined in Lockout Attribute Value, marking the account inactive. This attribute works in conjunction with several other lockout and notification attributes.

    Login Failure Lockout Count

    Defines the number of attempts that a user has to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out.

    Login Failure Lockout Interval

    Defines (in minutes) the window within which failed login attempts are counted. When a failed login attempt is followed by another failed attempt within this interval, the lockout count is begun and the user is locked out once the number of attempts reaches the value defined in Login Failure Lockout Count. A successful attempt within the interval, before that number is reached, resets the lockout count.

    Email Address to Send Lockout Notification

    Specify one (or more) email address(es) to which notification will be sent if a user lockout occurs. If sending:

    • To multiple addresses, separate each address with a space.

    • To non-English locales, format the address as email_address|locale|charset where locale is the language locale and charset is the character set.

    Warn User After N Failures

    Specifies the number of authentication failures that can occur before OpenSSO Enterprise displays a warning message that the user will be locked out.

    Login Failure Lockout Duration

    Defines (in minutes) how long a user must wait after a lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. In memory lockout the user's account is locked in memory for the specified number of minutes and is unlocked automatically after that time has passed. Because the lock is held in memory, the information is local to the OpenSSO Enterprise instance that observed the failures unless Store Invalid Attempts in Data Store is enabled.

    Lockout Duration Multiplier

    Defines a value with which to multiply the value of the Login Failure Lockout Duration for each successive lockout. For example, if Login Failure Lockout Duration is set to 3 minutes, and the Lockout Duration Multiplier is set to 2, the user will be locked out of the account for 6 minutes. Once the 6 minutes has elapsed, if the user again provides the wrong credentials, the lockout duration would then be 12 minutes. With the Lockout Duration Multiplier, the lockout duration is incrementally increased based on the number of times the user has been locked out.

    Lockout Attribute Name

    Defines the LDAP attribute to be marked as inactive for physical lockout. The default value is inetuserstatus (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Value field must also contain an appropriate value.

    Lockout Attribute Value

    Specifies the action to take on the attribute defined in Lockout Attribute Name. The default value is inactive (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Name field must also contain an appropriate value.

    Invalid Attempts Data Attribute Name

    Defines the attribute to which information regarding failed authentication attempts will be stored when the Store Invalid Attempts in Data Store attribute is enabled. The value of this attribute is used if the OpenSSO Enterprise schema is not loaded.


    Tip –

    The specified attribute needs to be defined in the LDAP User Attributes property of the data store configuration if the data store type is either Active Directory, Generic LDAPv3 or Sun DS with OpenSSO schema.


    Default Success Login URL

    Accepts a list of values that specifies where users are directed after successful authentication. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the client type HTML. The default value is /opensso/console. Values that do not begin with http:// or https:// are appended to the deployment URI.

    Default Failure Login URL

    Accepts a list of values that specifies where users are directed after an attempted authentication has failed. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the client type HTML. Values that do not begin with http:// or https:// are appended to the deployment URI.

    Authentication Post Processing Classes

    Specifies one or more Java classes used to customize post-authentication processing for successful or unsuccessful logins. The Java class must implement the OpenSSO Enterprise interface com.sun.identity.authentication.spi.AMPostAuthProcessInterface. Additionally, add a JAR containing the post processing class to the classpath of the web container instance on which OpenSSO Enterprise is configured. If the web container on which OpenSSO Enterprise is configured explodes the WAR, follow this procedure.

    1. Stop the web container instance.

    2. Change to the WEB-INF/lib directory in the exploded OpenSSO Enterprise WAR directory.

      For example, if using Sun Application Server, AS-Deploy-Base/AS-Domain-Dir/AS-Domain/applications/j2ee-modules/opensso/WEB-INF/lib.

    3. Copy the JAR that contains the post processing class to the lib directory.

    4. Restart the web container instance.

    Generate UserID Mode

    When enabled, the Membership module will generate a list of alternate user identifiers if the one entered by a user during the self-registration process is not valid or already exists. The user identifiers are generated by the class specified in the Pluggable User Name Generator Class property.

    Pluggable User Name Generator Class

    Specifies the name of the class used to generate alternate user identifiers when Generate UserID Mode is enabled. The default value is com.sun.identity.authentication.spi.DefaultUserIDGenerator.

    Identity Types

    Lists the type or types of identities for which OpenSSO Enterprise will search. Options include:

    • Agent

    • agentgroup

    • agentonly

    • Group

    • User

    Pluggable User Status Event Classes

    Specifies one or more Java classes used to provide a callback mechanism for user status changes during the authentication process. The Java class must implement the OpenSSO Enterprise interface com.sun.identity.authentication.spi.AMAuthCallBack. Account lockout and password change events are supported; password change callbacks are available only through the LDAP authentication module, as the feature exists for that module alone.

    Store Invalid Attempts in Data Store

    Enables storing information about failed authentication attempts in the user data store so that it can be shared among multiple instances of OpenSSO Enterprise. (If this attribute is not enabled, the information is local to the instance where the failures occurred.) This function requires a data store that has the OpenSSO Enterprise schema loaded, with its sunAMAuthInvalidAttemptsData attribute. To remove the dependency on the OpenSSO Enterprise schema, store the information in a different attribute by defining a value for Invalid Attempts Data Attribute Name. This attribute is enabled by default.

    Module-based Authentication

    Enables users to authenticate using module-based authentication. Otherwise, all attempts with the module=module_instance_name login parameter will result in failure. See Module Authentication for more information.

    User Attribute Mapping to Session Attribute

    Enables the authenticating user's identity attributes (stored in the identity repository) to be set as session properties in the user's SSOToken. The value takes the format User-Profile-Attribute|Session-Attribute-Name. If Session-Attribute-Name is not specified, the value of User-Profile-Attribute is used. All session attributes contain the am.protected prefix to ensure that they cannot be edited by the Client SDK.

    Default Authentication Level

    The authentication level value indicates how much to trust an authentication. Once a user has authenticated, this value is stored in the user's SSOToken. When the SSOToken is presented to an application, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level does not meet the minimum value required by the application, the application can prompt the user to authenticate again in order to attain a higher authentication level. The authentication level should be set within a realm's specific authentication template; the Default Authentication Level described here applies only when no authentication level has been specified in the Authentication Level field of the realm's authentication template. The default value is 0. OpenSSO Enterprise itself does not act on this value; it is intended for any external application that may choose to use it. See Authentication Level-based Authentication for more information.

  7. Click Save.

  8. Click Back to Service Configuration.

  9. Log out of the OpenSSO Enterprise console.