Realm attributes are applied to the realm under which they are configured.
This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator.
Click the Access Control tab.
Click the name of the realm that contains the properties to be modified.
Click the Authentication tab.
The Core authentication module's General properties for the realm are displayed.
Modify the values of the realm's General properties.
The General properties are defined in the Core authentication module and are configurable by realm. Those documented in this step are the ones most likely to be modified.
Defines the default authentication chain used by the realm's users. The authentication chain must first be created before it is displayed as an option in the drop-down list. For more information see To Create an Authentication Chain.
Defines the authentication chain used by administrators when the process needs to be different from the authentication chain defined for end users. The authentication chain must first be created before it is displayed as an option in the drop-down list. For more information see To Create an Authentication Chain.
Specifies a URL that the user will be redirected to upon successful authentication to the realm.
Click Advanced Properties.
The Core authentication module's General Advanced Properties for the realm are displayed.
Modify the attributes.
The General Advanced Properties are defined in the Core authentication module and are configurable by realm. Those documented in this step are the ones less likely to be modified.
This option determines the profile status of a successfully authenticated user.
Specifies that on successful authentication the Authentication Service will create a user profile if one does not already exist. The SSOToken will then be issued. The user profile is created in the realm's configured user data store.
Specifies that on successful authentication the Authentication Service will create a user profile that contains the User Alias List attribute, which defines one or more aliases used to map a user's multiple profiles.
Specifies that a user profile is not required for the Authentication Service to issue an SSOToken after a successful authentication.
Specifies that on successful authentication the user must have a user profile in the realm's configured user data store in order for the Authentication Service to issue an SSOToken.
Defines the authentication chain used by administrators when the process needs to be different from the authentication chain defined for end users. The authentication chain must first be created before it is displayed as an option in the drop-down list. For more information see To Create an Authentication Chain.
Specifies the DN of a role to be assigned to a new user whose profile is created when either of the Dynamic options is selected under the User Profile attribute. There are no default values. The role specified must be within the realm for which the authentication process is configured.
This role can be either an OpenSSO Enterprise or LDAP role, but it cannot be a filtered role.
Determines whether users can return to their authenticated session after restarting the browser. When enabled, a user session will not expire until its persistent cookie expires (as specified by the value of the Persistent Cookie Maximum Time attribute), or the user explicitly logs out. By default, the Authentication Service uses only memory cookies (expires when the browser is closed).
A persistent cookie must be explicitly requested by the client by appending the iPSPCookie=yes parameter to the login URL. For more information see iPSPCookie Parameter.
Specifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The maximum value is 2147483647 (time in seconds). The field will accept any integer value less than the maximum.
After a user is successfully authenticated, the user's profile is retrieved. This field specifies a second LDAP attribute to use in a search for the profile if a search using the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field takes any valid LDAP attribute.
Specifies the default language subtype to be used by the Authentication Service. The default value is en_US. See Supported Language Locales in Sun OpenSSO Enterprise 8.0 Administration Reference for a list of supported language subtypes. To use a different locale, authentication templates for that locale must first be created. A new directory must then be created for these templates. For more information see locale Parameter.
Defines the default authentication chain used by the realm's users. The authentication chain must first be created before it is displayed as an option in this attribute's drop-down list. For more information see To Create an Authentication Chain.
These attributes are relevant to account lockout, in which a user will be locked out from authenticating after a defined number of login attempts has failed. For more information on the account lockout options, see Enabling Account Lockout.
Selecting this attribute enables a physical lockout. Physical lockout will inactivate an LDAP attribute (defined in the Lockout Attribute Name property) in the user's profile. This attribute works in conjunction with several other lockout and notification attributes.
Defines the number of attempts that a user has to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out.
Defines (in minutes) the time in which failed login attempts are counted. If one failed login attempt is followed by a second failed attempt, within this defined lockout interval time, the lockout count is begun and the user will be locked out if the number of attempts reaches the number defined in Login Failure Lockout Count. If an attempt within the defined lockout interval time proves successful before the number of attempts reaches the number defined in Login Failure Lockout Count, the lockout count is reset.
Specify one or more email addresses to which notification will be sent if a user lockout occurs. If sending:
To multiple addresses, separate each address with a space.
To non-English locales, format the address as email_address|locale|charset where locale is the language locale and charset is the character set.
Specifies the number of authentication failures that can occur before OpenSSO Enterprise displays a warning message that the user will be locked out.
Defines (in minutes) how long a user must wait after a lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. Memory lockout is when the user's account is locked in memory for the number of minutes specified. The account is unlocked after the time period has passed.
Defines a value with which to multiply the value of the Login Failure Lockout Duration for each successive lockout. For example, if Login Failure Lockout Duration is set to 3 minutes, and the Lockout Duration Multiplier is set to 2, the user will be locked out of the account for 6 minutes. Once the 6 minutes have elapsed, if the user again provides the wrong credentials, the lockout duration would then be 12 minutes. With the Lockout Duration Multiplier, the lockout duration is incrementally increased based on the number of times the user has been locked out.
Defines the LDAP attribute to be marked as inactive for physical lockout. The default value is inetuserstatus (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Value field must also contain an appropriate value.
Specifies the action to take on the attribute defined in Lockout Attribute Name. The default value is inactive (although the field in the OpenSSO Enterprise console is empty). The Lockout Attribute Name field must also contain an appropriate value.
Defines the attribute to which information regarding failed authentication attempts will be stored when the Store Invalid Attempts in Data Store attribute is enabled. The value of this attribute is used if the OpenSSO Enterprise schema is not loaded.
The specified attribute needs to be defined in the LDAP User Attributes property of the data store configuration if the data store type is either Active Directory, Generic LDAPv3 or Sun DS with OpenSSO schema.
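To make the interaction between these lockout attributes concrete, the following Python model (added here; it is not OpenSSO Enterprise code) applies the rules described above: a window of Login Failure Lockout Interval minutes opened by the first failure, a reset on success, a warning once the configured number of failures is reached, and then either a memory lockout (Duration greater than 0, grown by the Multiplier on each successive lockout) or a physical lockout that writes Lockout Attribute Value into Lockout Attribute Name. It assumes minutes as the time unit and that, after a memory lockout expires, the full Count of failures is needed again before the next lockout.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutConfig:
    # Mirrors the Core module attributes described above (values are constructed)
    count: int = 5                 # Login Failure Lockout Count
    interval_min: int = 5          # Login Failure Lockout Interval (minutes)
    duration_min: int = 0          # Login Failure Lockout Duration; 0 = physical lockout
    multiplier: int = 1            # Lockout Duration Multiplier
    warn_after: int = 3            # failures before the lockout warning is shown
    lockout_attr: str = "inetuserstatus"   # Lockout Attribute Name (default)
    lockout_value: str = "inactive"        # Lockout Attribute Value (default)


@dataclass
class UserState:
    profile: dict                  # stand-in for the user's LDAP profile
    failures: int = 0              # failures counted in the current interval
    first_failure: Optional[float] = None   # minute the current interval opened
    locked_until: Optional[float] = None    # memory lockout expiry, if any
    lockouts: int = 0              # how many times this user has been locked out


def record_attempt(cfg: LockoutConfig, user: UserState, success: bool, now: float) -> str:
    """Apply one login attempt at minute `now`; return ok, fail, warn or locked."""
    # A physically locked profile, or an unexpired memory lockout, rejects everything.
    if user.profile.get(cfg.lockout_attr) == cfg.lockout_value:
        return "locked"
    if user.locked_until is not None and now < user.locked_until:
        return "locked"
    if success:
        user.failures, user.first_failure = 0, None   # success resets the count
        return "ok"
    # Failure: open a new interval if none is open or the previous one has elapsed.
    if user.first_failure is None or now - user.first_failure > cfg.interval_min:
        user.failures, user.first_failure = 0, now
    user.failures += 1
    if user.failures >= cfg.count:
        user.lockouts += 1
        user.failures, user.first_failure = 0, None
        if cfg.duration_min > 0:
            # Memory lockout: duration grows by the multiplier on each successive lockout.
            user.locked_until = now + cfg.duration_min * cfg.multiplier ** user.lockouts
        else:
            # Physical lockout: mark the LDAP attribute so the data store enforces it.
            user.profile[cfg.lockout_attr] = cfg.lockout_value
        return "locked"
    return "warn" if user.failures >= cfg.warn_after else "fail"
```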
Accepts a list of values that specifies where users are directed after successful authentication. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the type HTML. The default value is /opensso/console. Values that do not begin with http or https will be appended to the deployment URI.
Accepts a list of values that specifies where users are directed after an attempted authentication has failed. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the type HTML. Values that do not begin with http or https will be appended to the deployment URI.
Specifies one or more Java classes used to customize post-authentication processes for successful or unsuccessful logins. The Java class must implement the com.sun.identity.authentication.spi.AMPostAuthProcessInterface OpenSSO Enterprise interface. Additionally, add a JAR containing the post-processing class to the classpath of the web container instance on which OpenSSO Enterprise is configured. If the web container on which OpenSSO Enterprise is configured explodes the WAR, follow this procedure:
Stop the web container instance.
Change to the WEB-INF/lib directory in the exploded OpenSSO Enterprise WAR directory.
For example, if using Sun Application Server, the directory is AS-Deploy-Base/AS-Domain-Dir/AS-Domain/applications/j2ee-modules/opensso/WEB-INF/lib, where the AS-* components are placeholders for your installation's deployment base and domain directories.
Copy the JAR that contains the post processing class to the lib directory.
Restart the web container instance.
When enabled, the Membership module will generate a list of alternate user identifiers if the one entered by a user during the self-registration process is not valid or already exists. The user identifiers are generated by the class specified in the Pluggable User Name Generator Class property.
Specifies the name of the class used to generate alternate user identifiers when Generate UserID Mode is enabled. The default value is com.sun.identity.authentication.spi.DefaultUserIDGenerator.
Lists the type or types of identities for which OpenSSO Enterprise will search. Options include:
Agent
agentgroup
agentonly
Group
User
Specifies one or more Java classes used to provide a callback mechanism for user status changes during the authentication process. The Java class must implement the com.sun.identity.authentication.spi.AMAuthCallBack OpenSSO Enterprise interface. Account lockout and password changes are supported; password-change callbacks are available only through the LDAP authentication module, as the feature is implemented only for that module.
Enables the storage of information regarding failed authentication attempts in a user data store, allowing the information to be shared among multiple instances of OpenSSO Enterprise. (If this attribute is not enabled, the information is local to the instance where the lockout occurred.) This function requires the use of a data store enabled with the OpenSSO Enterprise schema and its sunAMAuthInvalidAttemptsData attribute. You can remove the dependency on the OpenSSO Enterprise schema by defining a different attribute in which to store the information. To store data in an attribute not defined by the OpenSSO Enterprise schema, define a value for the Invalid Attempts Data Attribute Name attribute. This is enabled by default.
Enables users to authenticate using module-based authentication. Otherwise, all attempts with the module=module_instance_name login parameter will result in failure. See Module Authentication for more information.
Enables the authenticating user's identity attributes (stored in the identity repository) to be set as session properties in the user's SSOToken. The value takes the format User-Profile-Attribute|Session-Attribute-Name. If Session-Attribute-Name is not specified, the value of User-Profile-Attribute is used. All session attributes contain the am.protected prefix to ensure that they cannot be edited by the Client SDK.
The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the user's SSOToken. When the SSOToken is presented to an application, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level does not meet the minimum value required by the application, it can prompt the user to authenticate again in order to attain a higher authentication level. The authentication level should be set within a realm's specific authentication template. The Default Authentication Level value described here will apply only when no authentication level has been specified in the Authentication Level field for a specific realm's authentication template. The Default Authentication Level default value is 0. The value of this attribute is not used by OpenSSO Enterprise itself but by any external application that may choose to use it. See Authentication Level-based Authentication for more information.
Click Save.
Click Back to Service Configuration.
Log out of the OpenSSO Enterprise console.