Sun ONE Identity Server Administration Guide
Chapter 7 Authentication Options
Sun ONE Identity Server provides a framework for authentication, a process which verifies the identities of users accessing applications within an enterprise. A user must pass an authentication process before accessing the Identity Server console, or any other Identity Server-protected resource. Authentication is implemented through plug-ins that validate the user's identity. (This plug-in architecture is described more fully in the Sun One Identity Server Programmer's Guide.)
The Identity Server console is used to set the default values, to register authentication services, to create an authentication template, and to enable the service. This chapter provides an overview of the authentication services and instructions for registering them. It contains the following sections:
Core Authentication
Anonymous Authentication
Certificate-based Authentication
LDAP Directory Authentication
Membership Authentication
NT Authentication
RADIUS Server Authentication
SafeWord Authentication
Unix Authentication
Authentication Configuration
Authentication By Authentication Level
Authentication By Module
Core Authentication
Identity Server provides a Core authentication service and, by default, the following authentication modules: Anonymous, Certificate-based, LDAP, Membership, NT, RADIUS, SafeWord, and Unix. The Core authentication service holds the overall configuration for authentication, so it must be registered and enabled before any of these modules can be registered and enabled. Chapter 17 "Core Authentication Attributes" contains a detailed listing of the Core attributes.
To Register and Enable the Core Service
Navigate to the navigation pane of the Organization for which the Core service is to be registered.
Choose Services from the View menu.
Click Register in the navigation pane.
A list of available services displays in the data pane.
Select the checkbox for Core Authentication and click Register.
The Core Authentication service will appear in the navigation pane assuring the administrator that it has been registered.
Click the Core Authentication Properties arrow.
The message No template available for this service appears in the Data pane.
Click Create.
The Core attributes appear in the data pane. Modify the attributes as necessary. An explanation of the Core attributes can be found in Chapter 17 "Core Authentication Attributes" or by clicking the Help link in the upper right hand corner of the console.
Anonymous Authentication
When this module is enabled, a user can log in to Identity Server as an anonymous user, that is, without providing a password. A list of permitted anonymous user names can also be defined for this module by configuring the Valid Anonymous User List attribute (see page 166). Because an anonymous login yields a valid Identity Server session obtained without any credential, limit what it can reach: anonymous access to the directory can be restricted to specific types of access (for example, read or search) or to specific subtrees or individual entries, and anonymous sessions should carry a low authentication level (see "Authentication By Authentication Level") so that services can refuse them.
To Register and Enable Anonymous Authentication
You must log in to Identity Server as the Organization Administrator or Top-Level Administrator.
Navigate to the navigation pane of the Organization for which Anonymous Authentication is to be registered.
Choose Services from the View menu.
The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the Anonymous Authentication service.
Click Register in the navigation pane.
A list of available services displays in the data pane.
Select the checkbox for Anonymous Authentication and click Register.
The Anonymous Authentication service will appear in the navigation pane assuring the administrator that it has been registered.
Click the Anonymous Authentication Properties arrow.
The message No template available for this service appears in the data pane.
Click Create.
The Anonymous Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 15 "Anonymous Authentication Attributes" or by clicking the Help link in the upper right hand corner of the console.
Click Save.
The Anonymous Authentication service has been enabled.
Logging In Using Anonymous Authentication
In order to log in using Anonymous Authentication, the Core Authentication service attribute "Organization Authentication Modules" must be modified to define Anonymous Authentication. This ensures that when the user logs in using http://<hostname>:<port>/<deploy_URI>/UI/Login?module=Anonymous the user will see the Anonymous Authentication login window. Based on the authentication type that is being used (such as service, role, user, organization), if the authentication module is configured as the default, there is no need to specify the module name in the URL.
Certificate-based Authentication
Certificate-based Authentication uses a personal digital certificate (PDC) presented by the client to identify and authenticate a user. The module can be configured to require that the presented certificate match a certificate stored in the user's Directory Server entry, and to check the certificate against a Certificate Revocation List (CRL).
There are a number of things that need to be accomplished before registering the Certificate-based Authentication service to an organization. First, the Sun ONE Web Server that is installed with the Identity Server needs to be secured and configured for Certificate-based Authentication. Before enabling the Certificate-based service, see Chapter 5, "Securing Your Web Server" in the iPlanet Web Server 6.0 Administrator's Guide for these initial Web Server configuration steps. This document can be found at the following location:
To Register and Enable Certificate-based Authentication
You must log in to Identity Server as the Organization Administrator or Top-Level Administrator.
Navigate to the navigation pane of the Organization for which Certificate-based Authentication is to be registered.
Choose Services from the View menu.
The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the Certificate-based Authentication service.
Click Register in the navigation pane.
A list of available services displays in the data pane.
Select the checkbox for Certificate-based Authentication and click Register.
The Certificate-based Authentication service will appear in the navigation pane assuring the administrator that it has been registered.
Click the Certificate-based Authentication Properties arrow.
The message No template available for this service appears in the data pane.
Click Create.
The Certificate-based Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 16 "Certificate Authentication Attributes" or by clicking the Help link in the upper right hand corner of the console.
Click Save.
Logging In Using Certificate-based Authentication
In order to log in using Certificate-based Authentication, the Core Authentication service attribute "Organization Authentication Modules" must be modified to include Certificate-based Authentication. This ensures that when the user logs in using http://<hostname>:<port>/<deploy_URI>/UI/Login?module=Cert, they will see the Certificate-based Authentication login window. Based on the authentication type that is being used (such as service, role, user, organization), if the authentication module is configured as the default, there is no need to specify the module name in the URL.
LDAP Directory Authentication
With the LDAP Authentication service, a user who logs in is required to bind to the LDAP Directory Server with a specific user DN and password. This is the default authentication module for all organization-based authentication. If the user ID and password match an entry in Directory Server, the bind succeeds and the user is granted a valid Identity Server session. LDAP Authentication is enabled by default when Identity Server is installed; the following instructions are provided in case the service has been disabled.
To Register and Enable LDAP Authentication
You must log in to Identity Server as the Organization Administrator or Top-Level Administrator.
Navigate to the navigation pane of the Organization for which LDAP Authentication is to be registered.
Choose Services from the View menu.
The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the LDAP Authentication service.
Click Register in the navigation pane.
A list of available services displays in the data pane.
Select the checkbox for LDAP Authentication and click Register.
The LDAP Authentication service will appear in the navigation pane assuring the administrator that it has been registered.
Click the LDAP Authentication Properties arrow.
The message No template available for this service appears in the data pane.
Click Create.
The LDAP Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 18 "LDAP Authentication Attributes" or by clicking the Help link in the upper right hand corner of the console.
Enter the password in the Password for Root User Bind attribute. By default, the bind user is amldapuser, the account created during installation, and the password is the one entered for it at that time. This account is used to look up user entries before the user's own bind, so it needs only search and read rights on the user subtree; do not substitute the Directory Manager or another highly privileged account.
To use a different bind user, change the DN in the DN For Root User Bind attribute and enter that user's password in the Password for Root User Bind attribute.
Click Save.
The LDAP Authentication service has been enabled.
Logging In Using LDAP Authentication
In order to log in using LDAP Authentication, the Core Authentication service attribute "Organization Authentication Modules" must be modified to define LDAP Authentication. This ensures that when the user logs in using http://<hostname>:<port>/<deploy_URI>/UI/Login?module=LDAP, they will see the LDAP Authentication login window. Based on the authentication type that is being used (such as service, role, user, organization), if the authentication module is configured as the default, there is no need to specify the module name in the URL.
Enabling LDAP Authentication Failover
The LDAP authentication attributes include a value field for both a primary and a secondary Directory Server. Identity Server will look to the second server for authentication if the primary server becomes unavailable. For more information, see the LDAP attributes "Primary LDAP Server and Port" and "Secondary LDAP Server and Port".
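The following is an added example, not Identity Server code, showing the failover behaviour the two attributes describe as a small Python wrapper. The bind step is injected so the logic runs offline; the host:port format of the attribute values, the exception classes, and the decision never to retry a rejected password on the secondary server are assumptions made for the example, not statements about the product.

```python
"""Added example (not Identity Server code): failover between a primary and a
secondary LDAP server. The bind step is injected so the logic runs offline;
the host:port value format and the exception classes are assumptions."""


class LdapUnavailable(Exception):
    """The server could not be reached (connect failure, timeout, server down)."""


class InvalidCredentials(Exception):
    """The server answered and rejected the user DN / password."""


def parse_server(value):
    """Split an attribute value written as host:port (assumed format) into (host, port)."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"expected host:port, got {value!r}")
    return host, int(port)


def authenticate_with_failover(primary, secondary, bind):
    """Bind against the primary server; use the secondary only if the primary is unavailable.

    `bind(host, port)` performs the user bind and returns a session value on
    success. It raises LdapUnavailable when the server cannot be reached and
    InvalidCredentials when the server rejects the password.

    An InvalidCredentials answer is authoritative and is not retried on the
    secondary (design choice for this example): a rejected password must not
    be turned into a second guess against another replica.
    Returns (session, "host:port" of the server that answered).
    """
    servers = [parse_server(primary)]
    if secondary:
        servers.append(parse_server(secondary))
    last_error = None
    for host, port in servers:
        try:
            return bind(host, port), f"{host}:{port}"
        except LdapUnavailable as err:
            last_error = err  # primary down: fall through to the next server
    raise LdapUnavailable(f"no LDAP server available: {last_error}")
```

A real deployment would pass a bind function built on an LDAP client library; the split between "unreachable" and "rejected" is the part worth keeping, because a failover loop that retries every exception silently doubles the number of password attempts an attacker gets per login.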
Membership Authentication
Membership authentication works like the self-registration used by personalized sites such as my.site.com or mysun.sun.com. When this service is enabled, a user can create an account and personalize it without the aid of an administrator, and then log in with that account as a registered user. The user's preferences and authorization data are saved in the user profile database and used by the viewer interface.
To Register and Enable Membership Authentication
You must log in to Identity Server as the Organization Administrator or Top-Level Administrator.
Navigate to the navigation pane of the Organization for which Membership Authentication is to be registered.
Choose Services from the View menu.
The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the Membership Authentication service.
Click Register in the navigation pane.
A list of available services displays in the data pane.
Select the checkbox for Membership Authentication and click Register.
The Membership Authentication service will appear in the navigation pane assuring the administrator that it has been registered.
Click the Membership Authentication Properties arrow.
The message No template available for this service appears in the data pane.
Click Create.
The Membership Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 19 "Membership Authentication Attributes" or by selecting the Help link in the upper right hand corner of the console.
Enter the password in the Password for Root User Bind attribute. By default, the bind user is amldapuser, the account created during installation, and the password is the one entered for it at that time. This account is used to look up and create user entries, so give it only the rights it needs on the user subtree; do not substitute the Directory Manager or another highly privileged account.
To use a different bind user, change the DN in the DN For Root User Bind attribute and enter that user's password in the Password for Root User Bind attribute.
Click Save.
The Membership Authentication service has been enabled.
Logging In Using Membership Authentication
In order to log in using Membership Authentication, the Core Authentication service attribute "Organization Authentication Modules" must be modified to define Membership Authentication. This ensures that when the user logs in using http://<hostname>:<port>/<deploy_URI>/UI/Login?module=Membership, they will see the Membership Authentication login (Self Registration) window. Based on the authentication type that is being used (such as service, role, user, organization), if the authentication module is configured as the default, there is no need to specify the module name in the URL.
NT Authentication
Identity Server can be configured to work with an NT/Windows 2000 server that is already installed. Identity Server provides the client portion of NT authentication; the NT server may be on the system on which Identity Server is installed or on a separate system. Enabling NT authentication involves the following steps:
Configure the NT server.
For detailed instructions, see the NT server documentation.
Before you can register and enable the NT authentication service, you must obtain and install a Samba client to communicate with Identity Server on your Solaris system. For more information, see "NT Authentication Attributes".
Add the module class to the Pluggable Auth Module Classes attribute in the Core Authentication Service. To do so:
Select Service Configuration in the Identity Server Console.
Click on the Properties arrow for the Core Authentication Service.
Add the module class for the NT authentication service to the Pluggable Auth Module Classes attribute. For example:
com.sun.identity.authentication.modules.nt.NT
For more information on this attribute, see "Pluggable Auth Module Classes".
Register and enable the NT authentication service.
To Register and Enable NT Authentication
You must log in to Identity Server as the Organization Administrator or Top-Level Administrator.
Navigate to the navigation pane of the Organization for which NT Authentication is to be registered.
Choose Services from the View menu.
The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the NT Authentication service.
Click Register in the navigation pane.
A list of available services displays in the data pane.
Select the checkbox for NT Authentication and click Register.
The NT Authentication service will appear in the navigation pane assuring the administrator that it has been registered.
Click the NT Authentication Properties arrow.
The message No template available for this service appears in the data pane.
Click Create.
The NT Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 20 "NT Authentication Attributes" or by selecting the Help link in the upper right hand corner of the console.
Click Save.
The NT Authentication service has been enabled.
Logging In Using NT Authentication
In order to log in using NT Authentication, the Core Authentication service attribute "Organization Authentication Modules" must be modified to define NT Authentication. This ensures that when the user logs in using http://<hostname>:<port>/<deploy_URI>/UI/Login?module=NT, they will see the NT Authentication login window. Based on the authentication type that is being used (such as service, role, user, organization), if the authentication module is configured as the default, there is no need to specify the module name in the URL.
RADIUS Server Authentication
Identity Server can be configured to work with a RADIUS server that is already installed. This is useful if there is a legacy RADIUS server being used for authentication in your enterprise. Enabling the RADIUS authentication service is a two-step process.
Configure the RADIUS server.
For detailed instructions, see the RADIUS server documentation.
Register and enable the RADIUS authentication service.
To Register and Enable RADIUS Authentication
You must log in to Identity Server as the Organization Administrator or Top-Level Administrator.
Navigate to the navigation pane of the Organization for which RADIUS Authentication is to be registered.
Choose Services from the View menu.
The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the RADIUS Authentication service.
Click Register in the navigation pane.
A list of available services displays in the data pane.
Select the checkbox for RADIUS Authentication and click Register.
The RADIUS Authentication service will appear in the navigation pane assuring the administrator that it has been registered.
Click the RADIUS Authentication Properties arrow.
The message No template available for this service appears in the data pane.
Click Create.
The RADIUS Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 21 "RADIUS Authentication Attributes" or by selecting the Help link in the upper right hand corner of the console.
Click Save.
The RADIUS Authentication service has been enabled.
Logging In Using RADIUS Authentication
In order to log in using RADIUS Authentication, the Core Authentication service attribute "Organization Authentication Modules" must be modified to define RADIUS Authentication. This ensures that when the user logs in using http://<hostname>:<port>/<deploy_URI>/UI/Login?module=RADIUS, they will see the RADIUS Authentication login window. Based on the authentication type that is being used (such as service, role, user, organization), if the authentication module is configured as the default, there is no need to specify the module name in the URL.
SafeWord Authentication
Identity Server can be configured to handle SafeWord Authentication requests to Secure Computing's SafeWord or SafeWord PremierAccess authentication servers. Identity Server provides the client portion of SafeWord authentication. The SafeWord server may exist on the system on which Identity Server is installed, or on a separate system.
To Register and Enable SafeWord Authentication
You must log in to Identity Server as the Organization Administrator or Top-Level Administrator.
Navigate to the navigation pane of the Organization for which SafeWord Authentication is to be registered.
Choose Services from the View menu.
The Core service, if already registered, displays in the navigation pane. If it is not already registered, it can be done concurrently with the SafeWord Authentication service.
Click Register in the navigation pane.
A list of available services displays in the data pane.
Select the checkbox for SafeWord Authentication and click Register.
The SafeWord Authentication service will appear in the navigation pane, assuring the administrator that it has been registered.
Click the SafeWord Authentication Properties arrow.
The message No template available for this service appears in the data pane.
Click Create.
The SafeWord Authentication attributes appear in the data pane. Modify the attributes as necessary. An explanation of these attributes can be found in Chapter 22 "SafeWord Authentication Attributes," or by clicking the Help link on the upper right corner of the console.
Click Save.
The SafeWord Authentication service has been enabled.
Logging In Using SafeWord Authentication
In order to log in using SafeWord Authentication, the Core Authentication service attribute "Organization Authentication Modules" must be modified to include SafeWord Authentication. This ensures that when the user logs in using http://<hostname>:<port>/<deploy_URI>/UI/Login?module=SAFEWORD, they will see the SafeWord Authentication login window. Based on the authentication type that is being used (such as service, role, user, organization), if the authentication module is configured as the default, there is no need to specify the module name in the URL.
Unix Authentication
Identity Server can be configured to process authentication requests against Unix userids and passwords known to the Solaris system on which Identity Server is installed. While there is only one organizational attribute, and a few global attributes for Unix authentication, there are some system-oriented considerations.
In order to authenticate locally-administered userids (see admintool (1M)), root access is required. If Identity Server is installed to run as nobody, or a userid other than root, then the <install_dir>/SUNWam/bin/doUnix process must still execute as root. The passwd entry in the /etc/nsswitch.conf file determines whether the /etc/passwd and /etc/shadow files, or NIS are consulted for authentication.
Unix Authentication makes use of an authentication helper, which is a separate process from the main Identity Server process. Upon startup, this helper listens on a port for configuration information. There is only one Unix helper per Identity Server to serve all of its organizations. The Unix authentication service is not available on the Windows platform.
To Register and Enable Unix Authentication
You must log in to Identity Server as Top-Level Administrator for the following steps.
Select the Service Configuration module.
Click on the Unix Authentication Properties arrow in the Service Name list.
Several global attributes and one organization attribute are displayed. Because one Unix helper serves all of the Identity Server's organizations, most of the Unix attributes are global. An explanation of these attributes can be found in Chapter 23 "Unix Authentication Attributes," or by clicking the Help link in the upper right corner of the console.
Click Save to save the new values for the attributes.
You may log in to Identity Server as the Organization Administrator to enable Unix Authentication for an organization.
Navigate to the navigation pane of the Organization for which Unix Authentication is to be registered.
Choose Services from the View menu.
The Core service, if already registered, displays in the Navigation pane. If it is not already registered, it can be done concurrently with the Unix Authentication service.
Click Register in the navigation pane.
A list of available services displays in the data pane.
Select the checkbox for Unix Authentication and click Register.
The Unix Authentication service will appear in the Navigation pane, assuring the administrator that it has been registered.
Click the Unix Authentication Properties arrow.
The message No template available for this service appears in the data pane.
Click Create.
The Unix Authentication organization attribute appears in the data pane. Modify the Authentication Level attribute as necessary. An explanation of this attribute can be found in Chapter 23 "Unix Authentication Attributes," or by clicking the Help link in the upper right corner of the console.
Click Save.
The Unix Authentication service has been enabled.
Logging In Using Unix Authentication
In order to log in using Unix Authentication, the Core Authentication service attribute "Organization Authentication Modules" must be modified to define Unix Authentication. This ensures that when the user logs in using http://<hostname>:<port>/<deploy_URI>/UI/Login?module=Unix, the user will see the Unix Authentication login window. Based on the authentication type that is being used (such as service, role, user, organization), if the authentication module is configured as the default, there is no need to specify the module name in the URL.
Authentication Configuration
The Authentication Configuration service is used to define authentication modules for any of the following authentication types: organization, role, service, and user.
Once an authentication module is defined for one of these authentication types, the module can be configured to supply redirect URLs, as well as a post-processing Java class specification, based on a successful or failed authentication process.
Before an authentication module can be configured, the Core authentication service attribute Organization Authentication Modules must be modified to include the specific authentication module name.
Authentication Configuration User Interface
The Authentication Configuration service allows you to define one or more authentication services (or modules) that a user must pass before being allowed access to the console or any secured resource within Identity Server. Organization, role, service, and user-based authentication use a common user interface to define the authentication modules. (Instructions for accessing the Authentication Configuration interface for specific object types are given in subsequent sections.)
Click on the Edit link next to the object's Authentication Configuration attribute to display the Module List window.
This window lists the authentication modules that have been assigned to the object. If no modules exist, click Add to display the Add Module window.
The Add Module window contains three fields to define:
Figure 7-1 Add Module List Window For A User
Once the fields are selected, click OK to return to the Module List window. The authentication modules you have defined are listed in this window. Click Save.
You can add as many authentication modules to this list as you wish. Adding multiple authentication modules is called chaining. If you are chaining authentication modules, note that the order in which they are listed is the order in which they are enforced: a user must pass each module in the chain, and must satisfy the first listed module before the next one is applied.
To change the order of the authentication modules:
Figure 7-2 Module List Window For A User
To remove any authentication module from the list, select the checkbox next to the authentication module and click Delete.
Authentication Configuration for Organizations
Authentication modules are set for an organization by first registering the Core Authentication service to the organization.
To configure the organization's authentication attributes:
Navigate to the organization for which you will configure the authentication attributes.
Select Services from the View menu.
Click the Core Properties arrow in the service listing.
The Core authentication attributes are displayed in the data frame.
Click the Edit link next to the Admin Authenticator attribute. This allows you to define the authentication services for administrators only. An administrator is a user who needs access to the Identity Server console. Use this attribute when the authentication module for administrators needs to be different from (typically stronger than) the module for end users. The default authentication module is LDAP.
Once you have defined the authentication services, click Save to save the changes, and click Close to return to the Core Authentication attributes for organizations.
Click the Edit link next to the Organization Authentication Configuration attribute. This allows you to define authentication modules for all users within the organization. The default authentication module is LDAP.
Once you have defined the authentication services, click Save to save the changes, and click Close to return to the Core Authentication attributes for organizations.
Authentication Configuration for Roles
Authentication modules are set for roles after registering the Authentication Configuration service at the role level.
Navigate to the organization for which you will configure the authentication attributes.
Choose Roles from the View menu.
Select the role for which to set the authentication configuration and click on the Properties arrow.
The role's properties are displayed in the data frame.
Select Services from the View menu in the data frame.
Modify the Authentication Configuration attributes as necessary. An explanation of these attributes can be found in Chapter 24 "Authentication Configuration Attributes," or by clicking the Help link in the upper right corner of the console.
Authentication Configuration for Services
Authentication modules are set for services after registering the Authentication Configuration service. To do so:
Choose Services from the View menu in the Identity Management module.
The list of registered services is displayed. If the Authentication Configuration service is not registered, continue with the steps below. If the service is registered, skip to Step 4.
Click Register in the Navigation Pane.
A list of available services is displayed in the data pane.
Select the checkbox for Authentication Configuration and click Register.
The Authentication Configuration service will appear in the navigation pane assuring the administrator that it has been registered.
Click the Authentication Configuration Properties arrow.
The Service Instance List is displayed in the data pane.
Click on the service instance for which to configure the authentication modules.
Modify the authentication configuration attributes and click Save. An explanation of these attributes can be found in Chapter 24 "Authentication Configuration Attributes," or by clicking the Help link in the upper right corner of the console.
Authentication Configuration for Users
Choose Users from the View menu in the Identity Management module.
The list of users is displayed in the navigation pane.
Select the user you wish to modify and click the Properties arrow.
The user profile is displayed in the data pane.
To ensure that the Authentication Configuration service is assigned to the user, select Services from the View menu. If assigned, the Authentication Configuration service is listed as an assigned service.
Select User from the View menu in the data pane.
Click on the Edit link next to the User Authentication Configuration attribute to define the authentication modules for the user.
Authentication By Authentication Level
Each authentication module can be associated with an integer value for its authentication level. Authentication levels can be assigned by clicking the authentication module's Properties arrow in Service Configuration, and changing the corresponding value for the module's Authentication Level attribute. Higher authentication levels define a higher level of trust for the user once that user has authenticated to one or more authentication modules.
The authentication level will be set on a user's SSO token after the user has successfully authenticated to the module. If the user is required to authenticate to multiple authentication modules, and does so successfully, the highest authentication level value will be set in user's SSO token.
If a user attempts to access a service, the service can determine whether the user is allowed access by checking the authentication level in the user's SSO token. If the level is too low, it redirects the user to authenticate through a module that carries the required authentication level.
Users can also access authentication modules with specific authentication level. For example, a user performs a login with the following syntax:
http://<hostname>:<port>/<deploy_uri>/UI/Login?authlevel=<auth_level_value>
All modules whose authentication level is greater than or equal to <auth_level_value> are displayed in an authentication menu for the user to choose from. If only one matching module is found, the login page for that authentication module is displayed directly.
Authentication By Module
Users can access a specific authentication module using the following syntax:
http://<hostname>:<port>/<deploy_uri>/UI/Login?module=<module_name>
Before the authentication module can be accessed, the Core authentication service attribute Organization Authentication Modules must be modified to include the authentication module name. If the authentication module name is not included in this attribute, the "authentication module denied" page will be displayed when the user attempts to authenticate. For more information, see "Organization Authentication Modules".
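The following is an added example, not Identity Server code (the product itself is Java), that models in Python the rules described in "Authentication Configuration User Interface" (module chaining in list order) and in "Authentication By Authentication Level" and "Authentication By Module": dispatching a /UI/Login request by module name or by authlevel, refusing a module that is not in Organization Authentication Modules, and setting the SSO token level to the highest level among the modules passed. The organization's module list and their levels, the deploy URI amserver and host used in the tests, LDAP as the default module, the menu ordering, and the choice to stop a chain at the first failing module are all assumptions made for the example.

```python
"""Added example (not Identity Server code): a model of login dispatch by module
name or authentication level, chain enforcement in list order, and the resulting
SSO token authentication level. Module names, levels and defaults are constructed."""
from urllib.parse import urlparse, parse_qs

# Constructed sample: the organization's "Organization Authentication Modules"
# attribute, mapped to each module's "Authentication Level" (levels are assumed).
ORG_AUTH_MODULES = {
    "Anonymous": 0,
    "LDAP": 0,
    "Cert": 20,
    "SafeWord": 30,
}
DEFAULT_MODULE = "LDAP"  # assumption: LDAP is this organization's default module


def modules_at_level(org_modules, min_level):
    """Modules whose level is >= min_level, lowest level first (menu order assumed)."""
    return sorted(
        (name for name, level in org_modules.items() if level >= min_level),
        key=lambda name: (org_modules[name], name),
    )


def resolve_login(url, org_modules=ORG_AUTH_MODULES, default_module=DEFAULT_MODULE):
    """Decide what the login page shows for a /UI/Login URL.

    Returns one of:
      ("module", name)    that module's login window is shown directly
      ("menu", [names])   several modules satisfy ?authlevel=; the user chooses
      ("denied", reason)  module not in Organization Authentication Modules
                          ("authentication module denied"), a bad authlevel, or
                          no module meeting the level (the last two are assumptions)
    """
    params = parse_qs(urlparse(url).query)
    if "module" in params:
        name = params["module"][0]
        if name not in org_modules:
            return ("denied", f"authentication module denied: {name}")
        return ("module", name)
    if "authlevel" in params:
        try:
            wanted = int(params["authlevel"][0])
        except ValueError:
            return ("denied", "authlevel must be an integer")
        matches = modules_at_level(org_modules, wanted)
        if not matches:
            return ("denied", f"no module with authentication level >= {wanted}")
        if len(matches) == 1:
            return ("module", matches[0])
        return ("menu", matches)
    # Neither parameter given: the organization's default module is used.
    return ("module", default_module)


def run_chain(chain, verify, org_modules=ORG_AUTH_MODULES):
    """Enforce a chain of modules in list order.

    `verify(module_name)` returns True when the user passes that module.
    Every module in the chain must pass; evaluation stops at the first failure
    (assumption) so later modules are never reached. On success the returned
    SSO authentication level is the highest level among the modules passed.
    Returns None when authentication fails (no session is created).
    """
    passed = []
    for name in chain:
        if name not in org_modules:
            raise ValueError(f"{name} is not in Organization Authentication Modules")
        if not verify(name):
            return None
        passed.append(name)
    return max(org_modules[name] for name in passed) if passed else None


def service_allows(token_level, required_level):
    """A protected service compares the SSO token level with the level it requires."""
    return token_level is not None and token_level >= required_level
```

The check in service_allows is the reason authentication levels matter for security: a service that needs level 20 must refuse a token whose highest passed module is LDAP at level 0 and send the user back through Cert or SafeWord, rather than trusting that the user "is logged in".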
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated December 04, 2002