Sun ONE logo     Previous     Contents     Index     Next     
Sun ONE Identity Server Administration Guide



Chapter 17       Core Authentication Attributes


The Core Authentication service is the basic service for the Anonymous, Certificate, LDAP, Membership, Safeword, Unix and RADIUS authentication services as well as any custom authentication service created with the Authentication SPI. Core authentication must be configured as a service for each organization that wishes to use any form of authentication. The Core Authentication attributes consist of global and organization attributes.The values applied to the global attributes are applied across the Sun ONE Identity Server configuration and are inherited by every configured organization. (They can not be applied directly to roles or organizations as the goal of global attributes is to customize the Identity Server application.) The values applied to the organization attributes under Service Configuration become the default values for the Core Authentication template. The service template needs to be created after registering the service for the organization. The default values can be changed after registration by the organization's administrator. Organization attributes are not inherited by entries in the organization. The Core Authentication attributes are separated into:



Global Attributes

The organization attributes in the Core Authentication service are:


Pluggable Auth Module Classes

This field specifies the Java classes of the authentication services available to any organization configured within the Identity Server platform. By default, this includes LDAP, SafeWord, Anonymous, Application, Membership, Unix, Certification, and RADIUS. Identity Server also includes a public SPI that can be used to add other authentication services. To define new services, this field must take a text string specifying the full class name (including package name) of each new authentication service.


Supported Auth Modules for Clients

This attribute specifies a list of supported authentication modules for a specific client. The format is as follows:

clientType | module1,module2,module3

This attribute is in effect when Client Detection is enabled.


LDAP Connection Pool Size

This attribute specifies the minimum and maximum connection pool to be used on a specific server and port. This attribute is for LDAP and Membership authentication services only. The format is as follows:

host:port:min:max


Note This connection pool is different than the SDK connection pool configured in serverconfig.xml.



LDAP Connection Default Pool Size

This attribute sets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. If an entry for the host and port exists in the LDAP Connection Pool Size attribute, the minimum and maximum settings will be used from LDAP Connection Default Pool Size.



Organization Attributes


The organization attributes in the Core Authentication service are:


Organization Authentication Modules

This list specifies the authentication modules available to the organization. Each administrator can choose the type of authentication for their specific organization. Multiple authentication modules provide flexibility, but users must be sure that their login setting is appropriate for the selected authentication module. The default authentication is LDAP. The authentication services included with Identity Server are:

  • LDAP

  • Cert

  • Anonymous

  • Membership

  • NT

  • SafeWord

  • RADIUS

  • Unix


    Note The Administrator must create and notify the core and authentication module templates in a created organization for that organization to function properly.



User Profile

This option allows you to specify options for a user profile.

  • Required - This specifies that on successful authentication, the user needs to have a profile in Directory Server for the authentication service to issue an SSOToken.

  • Dynamically Created - This specifies that on successful authentication, the authentication service will create the user profile if one does not already exist. The SSOToken will then be issued.

  • Ignore - This specifies that the user profile is not required by the authentication service to issue the SSOToken for a successful authentication.


Admin Authenticator

Clicking the edit link will allow you to define the authentication service for administrators only. An administrator is a user who needs access to the Identity Server console. This attribute can be used if the authentication module for administrators needs to be different from the module for end users.


User Profile Dynamic Creation Default Roles

This field specifies the roles assigned to a new user whose profiles are created if Dynamic Creation is selected through the feature "User Profile". There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user.


Note The role specified must be under the organization for which authentication is being configured.



Persistent Cookie Mode

This option determines whether users can restart the browser and still return to their authenticated session. User sessions can be retained by enabling Persistent Cookie Mode. When Persistent Cookie Mode is enabled, a user session does not expire until its persistent cookie expires, or the user explicitly logs out. The expiration time is specified in Persistent Cookie Max Time (seconds). The default value is that Persistent Cookie Mode is not enabled and the authentication service uses only memory cookies.


Note A persistent cookie must be explicitly requested by the client using the iDSPCookie=yes parameter in the login URL. Once the persistent cookie has been set, the iDSPCookie parameter expires.



Persistent Cookie Max Time (seconds)

This field specifies the interval after which a persistent cookie expires. (Persistent Cookie Mode must be enabled by selecting its checkbox.) The interval begins when the user's session has been successfully authenticated. The default value is 2147483 (time in seconds). The field will take any integer value between 0 and 2147483.


People Container For All Users

After successful authentication by a user, their profile is retrieved. The value in this field specifies where to search for the profile. Generally, this value will be the DN of the default People Container. All user entries added to an organization are automatically added to the organization's default People Container. The default value is ou=People, and generally, this is completed with the organization name(s) and root suffix. The field will take a valid DN for any organizational unit.


Note Authentication searches for a user profile by:

  • Searching under the default People Container, then

  • Searching under the default organization, then

  • Searching for the user in the default organization using the Alias Search Attribute Name attribute.

The final search is for SSO cases where the user name used to authenticate may not be the naming attribute in the profile. For example, user may authenticate using Safeword ID of jn10191, but their profile is uid=jamie.



Alias Search Attribute Name

After successful authentication by a user, their profile is retrieved. This field specifies a second LDAP attribute to search from if a search on the first LDAP attribute, specified in "User Naming Attribute", fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field will take any valid LDAP attribute (for example, cn).


Default Auth Level

The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level.

The authentication level should be set within the organization's specific authentication template. The Default Auth Level value described here will apply only when no authentication level has been specified in the Authentication Level field for a specific organization's authentication template. The Default Auth Level default value is 0, the lowest authentication level. (The value in this attribute is not used by Identity Server but by any external application that may chose to use it.)


User Naming Attribute

After successful authentication by a user, their profile is retrieved. The value of this attribute specifies the LDAP attribute to use for the search. By default, Identity Server assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.


Default Auth Locale

This field specifies the default language subtype to be used by the authentication service. The default value is en_US. A listing of valid language subtypes can be found in Table 17-1.


In order to use a different locale, all authentication templates for that locale must first be created. A new directory must then be created for these templates. See the Sun One Identity Server Programmer's Guide for more information.



Table 17-1    Supported Language Locales 

Language Tag

Language

af  

Afrikaans  

be  

Byelorussian  

bg  

Bulgarian  

ca  

Catalan  

cs  

Czechoslovakian  

da  

Danish  

de  

German  

el  

Greek  

en  

English  

es  

Spanish  

eu  

Basque  

fi  

Finnish  

fo  

Faroese  

fr  

French  

ga  

Irish  

gl  

Galician  

hr  

Croatian  

hu  

Hungarian  

id  

Indonesian  

is  

Icelandic  

it  

Italian  

ja  

Japanese  

ko  

Korean  

nl  

Dutch  

no  

Norwegian  

pl  

Polish  

pt  

Portuguese  

ro  

Romanian  

ru  

Russian  

sk  

Slovakian  

sl  

Slovenian  

sq  

Albanian  

sr  

Serbian  

sv  

Swedish  

tr  

Turkish  

uk  

Ukrainian  

zh  

Chinese  


Organization Authentication Configuration

This attribute sets the authentication module for the organization. The default authentication module is LDAP. One or more authentication modules can be selected by clicking the Edit link. If more than one module is selected, then the user will have to successfully authenticate to all of selected modules.


Login Failure Lockout Mode

This feature specifies whether to disallow a user to re-authenticate (lockout) if that user has initially failed to authenticate. Selecting this attribute will enable the lockout. By default, the lockout feature is not enabled.


Login Failure Lockout Count

This attribute defines the number of attempts that a user may try to authenticate, within the time interval defined in Login Failure Lockout Interval (minutes), before being locked out.

For example, if Login Failure Lockout Count is set to 5, and Login Failure Lockout Interval (minutes) is set to 5, then a user has five chances within five minutes to authenticate before being locked out.


Login Failure Lockout Interval (minutes)

This attribute defines (in minutes) the amount of time in which the number of authentication attempts (as defined in Login Failure Lockout Count) can be completed, before a user is locked out.

For example, if Login Failure Lockout Count is set to 5, and Login Failure Lockout Interval (minutes) is set to 5, then a user has five chances within five minutes to authenticate before being locked out.


Email Address to Send Lockout Notification

This attribute specifies an email address that will receive notification if a user lockout occurs.


Warn User After N Failure

This attribute specifies the number of authentication failures that can occur before Identity Server sends a warning message that the user will be locked out.


Login Failure Lockout Duration (minutes)

This attribute defines (in minutes) the duration that a user will not be allowed to attempt to re-authenticate, if a lockout has occurred.

If this attribute value is set to 0, and Login Failure Lockout Mode is enabled, the user will be locked out by setting the Lockout Attribute Name in their entry to Lockout Attribute Value.


Lockout Attribute Name

This attribute contains the inetuserstaus value that is set in the Lockout Attribute Value attribute. If a user is locked out, and the Login Failure Lockout Duration (minutes) variable is set to 0, inetuserstatus will be set to inactive, prohibiting the user from attempting to authenticate.


Lockout Attribute Value

This attribute specifies the inetuserstatus value (contained in Lockout Attribute Name) of the user status as either active or inactive. If a user is locked out, and the Login Failure Lockout Duration (minutes) variable is set to 0, inetuserstatus will be set to inactive, prohibiting the user from attempting to authenticate.


Default Success Login URL

This field specifies the URL to which users are redirected after successful authentication. The field will take any valid URL.


Default Failure Login URL

This field specifies the URL to which users are redirected if authentication is unsuccessful. The field will take any valid URL.


Authentication PostProcessing Class

This field specifies the name of the Java class used to customize post authentication processes for successful or unsuccessful logins. Example:

com.abc.authentication.PostProcessClass


User Name Generator Mode

This attribute is used by the Membership authentication module. If this attribute field is enabled, the Membership module is able to generate user IDs for a specific user if the user ID already exists. The user IDs are generated from the Java class specified in Pluggable User Name Generator Class.


Pluggable User Name Generator Class

The field specifies the name of the Java class that will be used to generate user IDs when User Name Generator Mode is enabled.


Previous     Contents     Index     Next     
Copyright 2002   Sun Microsystems, Inc. All rights reserved.

Last Updated December 04, 2002