Federation Manager is installed with a set of default authentication and service types. An authentication type instance is a plug-in that collects user information, checks the information against entries in a database, and allows or denies access to the user based on the information given. Multiple instances of the same type can be created and configured separately. A service type contains configurable information concerning the organization. The Authentication tab contains a listing of services added to the root organization. The default services are configured during installation. Additional services can be added after installation.
This chapter contains the following topics:
This section contains tasks describing how you can reconfigure the default authentication method in certain situations. For example, you can enable your organization to get user authentication data from an LDAPv3 directory as opposed to the default flat file. The procedures include:
Changing the Default Authentication Module from Flat File to LDAP
Changing the Default Authentication Module from Flat File to Active Directory
Changing the Default Administrator Authentication Module from a Flat File to LDAP
This procedure describes how to configure an authentication module for the organization using the Federation Manager Console.
In the Federation Manager Console, select the Organization tab.
Under Organization, select the Authentication tab.
Click Add.
A list of Authentication Modules is displayed.
Active Directory
Anonymous
Certificate
HTTP Basic
JDBC
LDAP
Membership
MSISDN
Password Playback
RADIUS
SafeWord
SecurID
Windows Desktop SSO
Windows NT
Select a module from the list and click Next.
Configure the attributes for the authentication module.
Click Assign.
By default, users are authenticated by Federation Manager using the flat file with which it is deployed. The authentication component can be reconfigured to retrieve data from most LDAPv3-compliant directories (including Sun Java System Directory Server) rather than the default flat file.
Although Microsoft Active Directory is an LDAPv3–compliant directory, the procedure has some differences. For more information, see Changing the Default Authentication Module from Flat File to Active Directory.
This section includes the following procedures:
To Set LDAP as the Default Authentication Module for an Organization
To Enable an Organization to Use the LDAP Authentication Module
Use the following template, modifying ROOT SUFFIX to reflect that of the organization.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
     Use is subject to license terms. -->
<!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
    "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
<!-- CREATE REQUESTS -->
<Requests>
    <OrganizationRequests DN="ROOT SUFFIX">
        <ModifyServiceTemplate serviceName="iPlanetAMAuthService" schemaType="Organization">
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-org-config" />
                <Value><AttributeValuePair><Value>com.sun.identity.authentication.modules.ldap.LDAP REQUIRED</Value></AttributeValuePair></Value>
            </AttributeValuePair>
        </ModifyServiceTemplate>
    </OrganizationRequests>
</Requests>
Modify the following template to change the administrator's default authentication module to LDAP.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
     Use is subject to license terms. -->
<!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
    "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
<!-- CREATE REQUESTS -->
<Requests>
    <OrganizationRequests DN="ROOT SUFFIX">
        <ModifyServiceTemplate serviceName="iPlanetAMAuthService" schemaType="Organization">
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-admin-auth-module" />
                <Value><AttributeValuePair><Value>com.sun.identity.authentication.modules.ldap.LDAP REQUIRED</Value></AttributeValuePair></Value>
            </AttributeValuePair>
        </ModifyServiceTemplate>
    </OrganizationRequests>
</Requests>
Load the modified XML files using amadmin in the following format:
/FederationManager-base/fm/bin/amadmin -u amadmin -w password -i war-staging-directory -t name-of-XML-file
In the Federation Manager Console, select the Organization tab.
Under Organization, select the Authentication tab.
Click Add.
A list of Authentication Modules is displayed.
Select LDAP from the list and click Next.
Configure the attributes for the LDAP authentication module and click Assign.
Under Organization, select the Authentication tab.
Click the Edit button next to the Core authentication service.
The Core attributes are displayed.
Add LDAP to the Organization Authentication Modules attribute by holding down the Control key and selecting LDAP.
Click Save.
LDAP is now enabled as an authentication module for the organization. To authenticate to Federation Manager through the LDAP module, use a URL in the format protocol://host:port/deploy_URI/something?module=LDAP.
Although Microsoft Active Directory is an LDAPv3–compliant directory, the procedure to change the default authentication module from Flat File to Active Directory is different from the procedure described in Changing the Default Authentication Module from Flat File to LDAP. The following sections describe the procedures:
To Set Active Directory as the Default Authentication Module for an Organization
To Enable an Organization to Use the Active Directory Authentication Module
Use ldapsearch in the following format to find values that begin with iplanet-am-auth-org-config.
/usr/bin/ldapsearch -b OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX -D admin-dn -w admin-password -s base -h AD-host -p AD-port "(objectclass=*)" sunkeyvalue
The search result would look like this:
sunkeyvalue=iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>
Save the search result as it will be used in the following step as the value for the Delete entry.
Save the following text as a Lightweight Directory Interchange Format (LDIF) file.
dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
changetype: modify
delete: sunkeyvalue
sunkeyvalue: iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>

dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
changetype: modify
add: sunkeyvalue
sunkeyvalue: iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authentication.modules.ldap.LDAP REQUIRED</Value></AttributeValuePair>
Type the found values from the previous step into the Delete section of the saved LDIF file.
Type the new values into the Add section of the saved LDIF file.
Run ldapmodify using the LDIF file as input.
/usr/bin/ldapmodify -h AD-host -p AD-port -D adminDN -w admin-password -f name-of-LDIF-file
In the Federation Manager Console, select the Organization tab.
Under Organization, select the Authentication tab.
Click Add.
A list of Authentication Modules is displayed.
Select Active Directory from the list and click Next.
Configure the attributes for the Active Directory authentication module and click Assign.
Under Organization, select the Authentication tab.
Click the Edit button next to the Core authentication service.
The Core attributes are displayed.
Add Active Directory to the Organization Authentication Modules attribute by holding down the Control key and selecting Active Directory.
Click Save.
Active Directory is now enabled as an authentication module for the organization. To authenticate to Federation Manager through the Active Directory module, use a URL in the format protocol://host:port/deploy_URI/something?module=AD.
After you have configured and enabled Federation Manager to retrieve data from an LDAPv3–compliant data store, you must also change the default method of authentication for the Federation Manager administrator from the flat file to the LDAPv3–compliant directory. This section contains the following procedures:
Make sure the super user (by default, amadmin) has read, write and search permission to the ou=services branch of the directory information tree (DIT).
Use the following template, modifying ROOT SUFFIX to reflect that of the organization.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
     Use is subject to license terms. -->
<!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
    "jar://com/iplanet/am/admin/cli/amAdmin.dtd">
<!-- CREATE REQUESTS -->
<Requests>
    <OrganizationRequests DN="ROOT SUFFIX">
        <ModifyServiceTemplate serviceName="iPlanetAMAuthService" schemaType="Organization">
            <AttributeValuePair>
                <Attribute name="iplanet-am-auth-admin-auth-module" />
                <Value><AttributeValuePair><Value>com.sun.identity.authentication.modules.ldap.LDAP REQUIRED</Value></AttributeValuePair></Value>
            </AttributeValuePair>
        </ModifyServiceTemplate>
    </OrganizationRequests>
</Requests>
Load the modified XML file using amadmin in the following format:
FederationManager-base/fm/bin/amadmin -u amadmin -w password -i war-staging-directory -t name-of-XML-file
Make the following changes in the AMConfig.properties file.
AMConfig.properties is located in /FederationManager-base/web-src/WEB-INF/. Multiple entries are pipe-separated.
Add the distinguished name (DN) of the administrator to the com.sun.identity.authentication.special.users property.
(Optional) Change the DN of the administrator in the com.sun.identity.authentication.super.user property.
This step is included if you want to use an administrator who already exists in your directory and not the default Federation Manager administrator amadmin. To use the default amadmin, create the user in Directory Server and make sure the user is given read, write and search permissions to the ou=services branch of the directory information tree (DIT).
Change the value of the admin.auth.classname property to com.sun.identity.authentication.internal.server.LocalLdapAuthModule.
In the serverconfig.xml file, change the value of the server group internalauthentication property to reflect the administrator DN, password and correct base DN.
serverconfig.xml is located in /FederationManager-base/web-src/WEB-INF/.
Regenerate and redeploy the WAR.
Restart the web container, if applicable.
Use ldapsearch in the following format to find values in Active Directory that begin with iplanet-am-auth-admin-auth-module.
/usr/bin/ldapsearch -b OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX -D admin-dn -w admin-password -s base -h AD-host -p AD-port "(objectclass=*)" sunkeyvalue
The search result would look like this:
sunkeyvalue=iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>
Save the search result as it will be used in the following step as the value for the Delete entry.
Save the following text as a Lightweight Directory Interchange Format (LDIF) file.
dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
changetype: modify
delete: sunkeyvalue
sunkeyvalue: iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>

dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
changetype: modify
add: sunkeyvalue
sunkeyvalue: iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>com.sun.identity.authentication.modules.ldap.LDAP REQUIRED</Value></AttributeValuePair>
Type the found values from the previous step into the Delete section of the saved LDIF file.
Type the new values into the Add section of the saved LDIF file.
Run ldapmodify using the LDIF file as input.
/usr/bin/ldapmodify -h AD-host -p AD-port -D adminDN -w admin-password -f name-of-LDIF-file
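The delete-then-add edit in the two ldapsearch/ldapmodify procedures above (one for iplanet-am-auth-org-config, one for iplanet-am-auth-admin-auth-module) fails silently on the delete if the value differs from the stored sunkeyvalue by even a space. This added Python example, which is not part of the guide or of Federation Manager, builds the LDIF from a saved ldapsearch result so that the Delete section repeats the stored value verbatim and only the Add section is composed; the search output is constructed, and the base DN, attribute names and module value are the ones shown in the procedures.

```python
import re
from typing import Optional

# Base DN of the organization's auth service template, as shown in the guide.
# ROOTSUFFIX is the same placeholder the guide uses; replace it with your own suffix.
AUTH_TEMPLATE_DN = ("OU=default,OU=OrganizationConfig,OU=1.0,"
                    "OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX")

# New module value, in the same "class FLAG" form the guide's XML templates use.
LDAP_MODULE_VALUE = ("<AttributeValuePair><Value>"
                     "com.sun.identity.authentication.modules.ldap.LDAP REQUIRED"
                     "</Value></AttributeValuePair>")


def find_sunkeyvalue(search_output: str, key: str) -> Optional[str]:
    """Return the stored sunkeyvalue for `key` exactly as ldapsearch printed it.

    Accepts both the "sunkeyvalue=..." form shown in the guide and the LDIF
    "sunkeyvalue: ..." form. RFC 2849 continuation lines (a leading space) are
    unfolded first, so a value that ldapsearch wrapped is compared whole.
    """
    unfolded = re.sub(r"\r?\n ", "", search_output)
    for line in unfolded.splitlines():
        m = re.match(r"sunkeyvalue[=:]\s*(.*)$", line)
        if m and m.group(1).startswith(key + "="):
            return m.group(1)
    return None


def build_modify_ldif(dn: str, key: str, old_value: str, new_module_value: str) -> str:
    """Emit the two-entry LDIF the guide describes: delete the old value, add the new one."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "delete: sunkeyvalue\n"
        f"sunkeyvalue: {old_value}\n"
        "\n"
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: sunkeyvalue\n"
        f"sunkeyvalue: {key}={new_module_value}\n"
    )


def ldif_for_switch(search_output: str, key: str) -> str:
    """LDIF that switches `key` from whatever is stored to the LDAP module."""
    old = find_sunkeyvalue(search_output, key)
    if old is None:
        raise ValueError(f"{key} not present in search result; nothing to delete")
    return build_modify_ldif(AUTH_TEMPLATE_DN, key, old, LDAP_MODULE_VALUE)


# Constructed sample of what the guide's ldapsearch returns on a fresh install:
# the flat file module is the stored default, so that is what the Delete must repeat.
SAMPLE_SEARCH_OUTPUT = """\
dn: OU=default,OU=OrganizationConfig,OU=1.0,OU=iPlanetAMAuthService,OU=services,ROOTSUFFIX
sunkeyvalue=iplanet-am-auth-org-config=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>
sunkeyvalue=iplanet-am-auth-admin-auth-module=<AttributeValuePair><Value>com.sun.identity.authentication.modules.flatfile.FlatFile REQUIRED</Value></AttributeValuePair>
"""

if __name__ == "__main__":
    # Feed the result to: ldapmodify -h AD-host -p AD-port -D adminDN -w admin-password -f <file>
    print(ldif_for_switch(SAMPLE_SEARCH_OUTPUT, "iplanet-am-auth-org-config"))
```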
Make the following changes in the AMConfig.properties file.
AMConfig.properties is located in /FederationManager-base/web-src/WEB-INF/. Multiple entries are pipe-separated.
Add the distinguished name (DN) of the administrator to the com.sun.identity.authentication.special.users property.
(Optional) Change the DN of the administrator in the com.sun.identity.authentication.super.user property.
This step is included if you want to use an administrator who already exists in your directory and not the default Federation Manager administrator amadmin. To use the default amadmin, create the user in Directory Server and make sure the user is given read, write and search permissions to the ou=services branch of the directory information tree (DIT).
Change the value of the admin.auth.classname property to com.sun.identity.authentication.internal.server.LocalLdapAuthModule.
In the serverconfig.xml file, change the value of the server group internalauthentication property to reflect the administrator DN, password and correct baseDN.
serverconfig.xml is located in /FederationManager-base/web-src/WEB-INF/.
Regenerate and redeploy the WAR.
Restart the web container, if applicable.
Default services are configured during installation of Federation Manager. They include:
Access Control properties define whether a particular user has read or write permission for the service configuration. The Access Control attributes are:
Specifies a list of user IDs who have write permission on the service configuration. Write permission implies read permission. Typing * as a value means all users have write permission. amadmin has write permission, by default.
Specifies a list of user IDs who have read permission on the service configuration. Typing * as a value means all users have read permission.
This module is the general configuration base for the Federation Manager authentication services. It must be registered and configured to use any of the specific authentication module instances. It enables the administrator to define default values that will be picked up for the values that are not specifically set in the Federation Manager default authentication modules. The attributes are:
Specifies the Java classes of the authentication modules available to the organization configured within the Federation Manager platform. You can write custom authentication modules by implementing the AMLoginModule SPI or the JAAS LoginModule SPI. To define new services, this field must take a text string specifying the full class name (including package name) of each new authentication service.
Specifies a list of supported authentication modules for a specific client. Use the format clientType | module1,module2,module3. This attribute is in effect when Client Detection is enabled.
This attribute is not currently supported.
Specifies the minimum and maximum connection pool to be used on a specific LDAP server and port. This attribute is for LDAP and Membership authentication services only. Use the format host:port:min:max.
This connection pool is different from the SDK connection pool configured in serverconfig.xml.
Sets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. If an entry for the host and port exists in the LDAP Connection Pool Size attribute, the minimum and maximum settings will not be used from LDAP Connection Default Pool Size.
Defines the authentication service for administrators only. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The modules configured in this attribute are picked up when the Federation Manager console is accessed. For example, http://host:port/console_deploy_uri.
This field specifies the roles assigned to a new user whose profiles are created if Dynamic Creation is selected through User Profile. There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user. The role specified must be under the organization for which authentication is being configured. It cannot be a filtered role. Also, if you wish to automatically assign specific services to a user, you have to configure a Required Services type attribute in the user's profile.
This attribute is not currently supported.
This option determines whether users can restart the browser and still return to their authenticated session. User sessions can be retained by enabling Enable Persistent Cookie Mode. When Enable Persistent Cookie Mode is enabled, a user session does not expire until its persistent cookie expires, or the user explicitly logs out. The expiration time is specified in Persistent Cookie Maximum Time. The default value is that Persistent Cookie Mode is not enabled and the authentication service uses only memory cookies.
A persistent cookie must be explicitly requested by the client using the iPSPCookie=yes parameter in the login URL.
Specifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The default value is 2147483 (time in seconds). The field will accept any integer value less than the default.
After successful authentication by a user, the user's profile is retrieved. This field specifies a second LDAP attribute to search from if a search on the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field will take any valid LDAP attribute (for example, cn).
This attribute is not currently supported.
Specifies the default language subtype to be used by the authentication service. The default value is en_US. The following table contains a listing of the supported language locales.
Table 6–1 Supported Language Locales

| Language Tag | Language Name |
|---|---|
| af | Afrikaans |
| be | Byelorussian |
| bg | Bulgarian |
| ca | Catalan |
| cs | Czechoslovakian |
| da | Danish |
| de | German |
| el | Greek |
| en | English |
| es | Spanish |
| eu | Basque |
| fl | Finnish |
| fo | Faroese |
| fr | French |
| ga | Irish |
| gl | Galician |
| hr | Croatian |
| hu | Hungarian |
| id | Indonesian |
| is | Icelandic |
| it | Italian |
| ja | Japanese |
| ko | Korean |
| nl | Dutch |
| no | Norwegian |
| pl | Polish |
| pt | Portuguese |
| ro | Romanian |
| ru | Russian |
| sk | Slovakian |
| sl | Slovenian |
| sq | Albanian |
| sr | Serbian |
| sv | Swedish |
| tr | Turkish |
| uk | Ukrainian |
| zh | Chinese |
In order to use a different locale, all authentication templates for that locale must first be created. A new directory must then be created for these templates.
Sets the authentication module for the organization. The default authentication module is LDAP.
Specifies whether a user can attempt a second authentication if the first attempt failed. Selecting this attribute enables a lockout and the user will have only one chance at authentication. By default, the lockout feature is not enabled. This attribute works in conjunction with Lockout-related and notification attributes.
Defines the number of attempts that a user may try to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out.
Defines (in minutes) the time between two failed login attempts. If a login fails and is followed by another failed login that occurs within the lockout interval, then the lockout count is incremented. Otherwise, the lockout count is reset.
Specifies an email address that will receive notification if a user lockout occurs. To send email notification to multiple addresses, separate each email address with a space. For non-English locales, the format is email_address|locale|charset.
Specifies the number of authentication failures that can occur before a warning message is sent that the user will be locked out.
Enables memory locking. By default, the lockout mechanism inactivates the User Profile (after a login failure) through the attribute defined in Lockout Attribute Name. If the value of Login Failure Lockout Duration is greater than 0, memory locking is used instead and the user account is locked for the number of minutes specified.
Designates any LDAP attribute that is to be set for lockout. The value in Lockout Attribute Value must also be changed to enable lockout for this attribute name. By default, Lockout Attribute Name is empty. The default implementation values are inetuserstatus (LDAP attribute) and inactive when the user is locked out and Login Failure Lockout Duration is set to 0.
This attribute specifies whether lockout is enabled or disabled for the attribute defined in Lockout Attribute Name. By default, the value is set to inactive for inetuserstatus.
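The lockout attributes above (Login Failure Lockout Count, Login Failure Lockout Interval, Lockout Warn User Count, Login Failure Lockout Duration, Lockout Attribute Name and Lockout Attribute Value) act together. This added Python example, which is not Federation Manager code, models the behaviour their descriptions give over constructed, timestamped failure sequences: the count is incremented only when a failure falls within the interval of the previous one and is otherwise reset, a warning is raised at the warn count, and reaching the lockout count either memory-locks the user for the duration (duration greater than 0) or sets the lockout attribute to the lockout value (duration 0). Treating a failure that resets the count as the first failure of a new run is an assumption of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Core Authentication lockout attributes, named as in the guide.
    The numeric defaults are constructed for this example, not product defaults."""
    lockout_count: int = 5            # Login Failure Lockout Count
    lockout_interval_min: int = 5     # Login Failure Lockout Interval (minutes)
    warn_user_count: int = 4          # Lockout Warn User Count
    lockout_duration_min: int = 0     # Login Failure Lockout Duration; 0 = inactivate profile
    lockout_attr_name: str = "inetuserstatus"   # Lockout Attribute Name (default implementation)
    lockout_attr_value: str = "inactive"        # Lockout Attribute Value


@dataclass
class UserState:
    fail_count: int = 0
    last_fail_min: Optional[float] = None
    memory_locked_until: Optional[float] = None
    profile: Dict[str, str] = field(default_factory=dict)   # stands in for the directory entry


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _state(self, uid: str) -> UserState:
        return self.users.setdefault(uid, UserState())

    def is_locked(self, uid: str, now_min: float) -> bool:
        """A memory lock expires on its own; a profile lock stays until an admin clears it."""
        s, p = self._state(uid), self.policy
        if s.memory_locked_until is not None and now_min < s.memory_locked_until:
            return True
        return s.profile.get(p.lockout_attr_name) == p.lockout_attr_value

    def record_success(self, uid: str) -> None:
        s = self._state(uid)
        s.fail_count, s.last_fail_min = 0, None

    def record_failure(self, uid: str, now_min: float) -> str:
        """Apply one failed login at time now_min and return the resulting event name."""
        s, p = self._state(uid), self.policy
        within = (s.last_fail_min is not None
                  and now_min - s.last_fail_min <= p.lockout_interval_min)
        if within or s.last_fail_min is None:
            s.fail_count += 1
            event = "counted"
        else:
            # Previous failures fell outside the interval: the count is reset and this
            # failure starts a new run (assumed here to count as its first failure).
            s.fail_count = 1
            event = "reset"
        s.last_fail_min = now_min
        if s.fail_count >= p.lockout_count:
            s.fail_count, s.last_fail_min = 0, None
            if p.lockout_duration_min > 0:
                s.memory_locked_until = now_min + p.lockout_duration_min
                return "locked-memory"
            s.profile[p.lockout_attr_name] = p.lockout_attr_value
            return "locked-profile"
        if s.fail_count == p.warn_user_count:
            return "warn"
        return event


def run_scenario(policy: LockoutPolicy,
                 failures: List[Tuple[str, float]]) -> Tuple[LockoutTracker, List[str]]:
    """Replay (user, minute) failures against a fresh tracker; returns it with the events."""
    tracker = LockoutTracker(policy)
    return tracker, [tracker.record_failure(uid, t) for uid, t in failures]


# Constructed timelines in minutes: alice fails five times in a row; bob's first three
# failures age out of the interval before he tries again, so his run restarts at 1.
ALICE_FAILURES = [("alice", t) for t in (0, 1, 2, 3, 4)]
BOB_FAILURES = [("bob", t) for t in (0, 1, 2, 20, 21, 22, 23, 24)]

if __name__ == "__main__":
    tracker, events = run_scenario(LockoutPolicy(), ALICE_FAILURES)
    print(events, tracker.users["alice"].profile)
    tracker, events = run_scenario(LockoutPolicy(lockout_duration_min=30), BOB_FAILURES)
    print(events, tracker.is_locked("bob", 40), tracker.is_locked("bob", 54))
```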
This field accepts a list of multiple values that specify the URL to which users are redirected after successful authentication. The format of this attribute is clientType|URL, although you can specify only the value of the URL which assumes a default type of HTML. The default value is /amserver/console.
This field accepts a list of multiple values that specify the URL to which users are redirected after an unsuccessful authentication. The format of this attribute is clientType|URL, although you can specify only the value of the URL which assumes a default type of HTML.
Specifies the name of the Java class used to customize post authentication processes for successful or unsuccessful logins. The Java class must implement the com.sun.identity.authentication.spi.AMPostAuthProcessInterface interface.
Additionally, you must add the path to the class in your web server's Java classpath attribute.
This attribute is used by the Membership authentication module. If this attribute field is enabled, the Membership module is able to generate user IDs, during the Self Registration process, for a specific user if the user ID already exists. The user IDs are generated from the Java class specified in Pluggable User Name Generator Class.
Specifies the name of the Java class that is used to generate user IDs when Enable Generate UserID Mode is used.
The authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level.
The authentication level should be set within the organization's specific authentication template. The Default Authentication Level value described here applies only when no authentication level has been specified in the Authentication Level field for a specific organization's authentication template. The Default Authentication Level default value is 0. (The value in this attribute is not used by Federation Manager but by any external application that may choose to use it.)
The Flat File authentication module enables authentication against a flat file. The default flat file repository stores user profile attributes as a properties file using the format attributename=attributevalue. The attributes are:
The comma (,) is used as the delimiter for multiple values of the same attribute. When a comma is part of a value, it must be encoded as %2C so that the flat file implementation does not interpret the value as two values.
Specifies the absolute path to the directory where all flat file users are located. The directory is used as a database of user IDs and passwords against which users can authenticate.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
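The attributename=attributevalue format described for the flat file repository, with its comma delimiter and %2C escape, is easy to get wrong for values that themselves contain commas (a DN, for instance). This added Python example, not code from the guide or from Federation Manager, parses and re-serializes such a record so that multi-valued attributes and escaped commas round-trip; the sample record and its attribute names are constructed.

```python
from typing import Dict, List

# Constructed sample of a user record in the properties form the guide describes:
# one attributename=attributevalue per line, comma between multiple values, and a
# comma that belongs to a value escaped as %2C. The attribute names are made up.
SAMPLE_USER_RECORD = """\
uid=jdoe
userpassword=placeholder-not-a-real-secret
cn=Doe%2C John
mail=jdoe@example.com,john.doe@example.com
memberof=cn=staff%2Cou=groups%2Cdc=example%2Cdc=com,cn=vpn%2Cou=groups%2Cdc=example%2Cdc=com
"""


def split_values(raw: str) -> List[str]:
    """Split on the comma delimiter first, then decode %2C inside each value."""
    return [part.replace("%2C", ",").replace("%2c", ",") for part in raw.split(",")]


def join_values(values: List[str]) -> str:
    """Inverse of split_values: escape commas inside a value before delimiting."""
    return ",".join(v.replace(",", "%2C") for v in values)


def parse_user_record(text: str) -> Dict[str, List[str]]:
    """Parse one flat file user record into attribute name -> list of values."""
    attrs: Dict[str, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected attributename=attributevalue")
        # Only the first '=' separates the name from the value; a DN value keeps its own.
        name, raw = line.split("=", 1)
        attrs.setdefault(name.strip(), []).extend(split_values(raw))
    return attrs


def format_user_record(attrs: Dict[str, List[str]]) -> str:
    """Serialize back to the properties form, re-escaping embedded commas."""
    return "".join(f"{name}={join_values(values)}\n" for name, values in attrs.items())


if __name__ == "__main__":
    record = parse_user_record(SAMPLE_USER_RECORD)
    for name, values in record.items():
        print(name, values)
    print(format_user_record(record) == SAMPLE_USER_RECORD)
```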
The Security Assertion Markup Language (SAML) authentication module receives and validates SAML Assertions on a target server.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
Additional services can be configured after installation of Federation Manager. They include:
Active Directory authentication relies on the use of an LDAPv3–compliant server. This module type works similarly to the LDAP authentication module type, but uses the Microsoft Active Directory. Using this module type makes it possible for LDAP and Active Directory to coexist. The attributes are:
Specifies the host name and port number of the primary Active Directory server specified during Federation Manager installation. This is the first server contacted for Active Directory authentication. The format is hostname:port. If there is no port number, assume 389. Multiple entries must be prefixed by the local server name.
If you have Federation Manager deployed with multiple domains, you can specify the communication link between specific instances of Federation Manager and Active Directory in the following format:
local-servername|server:port local-servername2|server2:port2 ...
For example, if you have two instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Active Directory (L1-machine1-DS and L2-machine2-DS), it would look like the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389
L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
Specifies the host name and port number of a secondary Active Directory server available to the Federation Manager platform. If the primary Active Directory server does not respond to a request for authentication, this server would then be contacted. If the primary server is up, Federation Manager will switch back to the primary server. The format is also hostname:port. Multiple entries must be prefixed by the local server name.
When authenticating users from a data store that is remote, it is important that both the Primary and Secondary LDAP Server Ports have values. The value for one data store location can be used for both fields.
Specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists. Multiple entries must be prefixed by the local server name. The format is servername|search-dn. For multiple entries:
servername1|search-dn
servername2|search-dn
servername3|search-dn
If multiple users are found for the same search, authentication will fail.
Specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default is amldapuser. Any valid DN will be recognized.
Make sure that the password is correct before you log out. If it is incorrect, you will be locked out. If this occurs, you can log in with the super user DN in the com.iplanet.authentication.super.user property in the AMConfig.properties file. By default, this is the amAdmin account with which you would normally log in, although you will use the full DN. For example:
uid=amAdmin,ou=People,dc=example,dc=com
Carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid Active Directory password is recognized.
Confirm the password.
Specifies the attribute used for the naming convention of user entries. By default, Federation Manager assumes that user entries are identified by the uid attribute. If your data store uses a different attribute (such as givenname) specify the attribute name in this field.
Lists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber, and mail, the user could authenticate with any of these names.
Specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.
Indicates the number of levels in the Directory Server tree that will be searched for a matching user profile. The search begins from the node specified in DN to Start User Search. The default value is SUBTREE. One of the following choices can be selected:
Searches only the specified node.
Searches at the level of the specified node and one level down.
Search all entries at and below the specified node.
Enables SSL access to the Directory Server specified in the Primary and Secondary Server and Port field. By default, the box is not checked and the SSL protocol will not be used to access the Directory Server.
If the Active Directory server is running with SSL enabled (LDAPS), you must make sure that Federation Manager is configured with the proper SSL trusted certificates so that it can connect using the LDAPS protocol.
If enabled, this option allows the Active Directory authentication module instance to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module instance returns only the User ID, and the authentication service searches for the user in the local instance. If an external Active Directory is used, this option is typically not enabled.
This attribute is used for Active Directory Server failback. It defines the number of minutes in which a thread will sleep before verifying that the primary Active Directory server is running.
This attribute is used by the Active Directory authentication module instance when the Active Directory server is configured as an external Active Directory server. It contains a mapping of attributes between a local and an external Directory Server. This attribute has the following format:
attr1|externalattr1
attr2|externalattr2
When this attribute is populated, the values of the external attributes are read from the external Directory Server and are set for the internal Directory Server attributes. The values of the external attributes are set in the internal attributes only when the User Profile attribute (in the Core Authentication module type) is set to Dynamically Created and the user does not exist in the local Directory Server instance. The newly created user will contain the values for internal attributes, as specified in User Creation Attributes List, with the external attribute values to which they map.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module type allows a user to log in without specifying credentials. You can create an Anonymous user so that anyone can log in as Anonymous without having to provide a password. Anonymous connections are usually customized by the administrator so that Anonymous users have limited access to the server. The attributes are:
Contains a list of user IDs that have permission to log in without providing credentials. If a user's login name matches a user ID in this list, access is granted and the session is assigned to the specified user ID. If this list is empty, a user will be authenticated as the user defined in the Default Anonymous User Name attribute when accessing the following default module instance login URL:
protocol://server-host.server-domain:server-port/deploy-uri/UI/Login?module=Anonymous&org=org_name
If this list is not empty, Federation Manager will prompt the user to enter any valid Anonymous user name when accessing default module instance login URL (as above).
If the Valid Anonymous Users list is not empty, the user can log in without the login page by accessing the following URL:
protocol://server-host.server-domain:server-port/deploy-uri/UI/Login?module=Anonymous&org=org_name&IDToken1=valid-Anonymous-username
Defines the user ID to which a session is assigned if the Valid Anonymous User List is empty and the following default module instance login URL is accessed:
protocol://server-host.server-domain:server-port/deploy-uri/UI/Login?module=Anonymous&org=org_name
The default value is anonymous.
If the Valid Anonymous Users list is not empty, the user can log in without the login page by using the user defined in Default Anonymous User Name. This can be done by accessing the following URL:
protocol://server-host.server-domain:server-port/deploy-uri/UI/Login?module=Anonymous&org=org_name&IDToken1=DefaultAnonymousUserName
If enabled, user IDs are matched case-sensitively against the Valid Anonymous Users list. By default, this attribute is not enabled.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module enables a user to log in through a personal digital certificate (PDC). The module instance can require the use of the Online Certificate Status Protocol (OCSP) to determine the state of a certificate. Use of the OCSP is optional. The user is granted or denied access to a resource based on whether or not the certificate is valid. The attributes are:
Specifies whether to check if the user certificate presented at login is stored in the LDAP Server. If no match is found, the user is denied access. If a match is found and no other validation is required, the user is granted access. The default is that the Certificate Authentication service does not check for the user certificate.
A certificate stored in the Directory Server is not necessarily valid; it may be on the certificate revocation list. See Match Certificate to CRL. However, the web container may check the validity of the user certificate presented at login.
Specifies the attribute of the certificate's SubjectDN value that will be used to search LDAP for certificates. This attribute must uniquely identify a user entry. The actual value will be used for the search. The default is cn.
Specifies whether to compare the user certificate against the Certificate Revocation List (CRL) in the LDAP Server. The CRL is located by one of the attribute names in the issuer's SubjectDN. If the certificate is on the CRL, the user is denied access; if not, the user is allowed to proceed. This attribute is, by default, not enabled.
Certificates should be revoked when the owner of the certificate has changed status and no longer has the right to use the certificate or when the private key of a certificate owner has been compromised.
Specifies the attribute of the received certificate's issuer subjectDN value that will be used to search LDAP for CRLs. This field is used only when the Match Certificate to CRL attribute is enabled. The actual value will be used for the search. The default is cn.
Specifies the HTTP parameters for obtaining a CRL from a servlet for a CRL update. Contact the administrator of your CA for these parameters.
Enables OCSP validation to be performed by contacting the corresponding OCSP responder. The OCSP responder is decided as follows during runtime:
If com.sun.identity.authentication.ocspCheck is true and an OCSP responder is set in the com.sun.identity.authentication.ocsp.responder.url attribute, the value of that attribute is used as the OCSP responder.
If com.sun.identity.authentication.ocspCheck is true and the attribute is not set in the AMConfig.properties file, the OCSP responder named in the client certificate is used.
If com.sun.identity.authentication.ocspCheck is false, or if it is true and no OCSP responder can be found, no OCSP validation is performed. In that case no revocation status is obtained from OCSP; only Match Certificate to CRL, if enabled, can still reject a revoked certificate.
Before enabling OCSP Validation, make sure that the time of the Federation Manager machine and the OCSP responder machine are in sync as close as possible. Also, the time on the Federation Manager machine must not be behind the time on the OCSP responder. For example:
OCSP responder machine - 12:00:00 pm
Federation Manager machine - 12:00:30 pm
Specifies the name and port number of the LDAP server where the certificates are stored. The default value is the host name and port specified when Federation Manager was installed. The host name and port of any LDAP Server where the certificates are stored can be used. The format is hostname:port.
Specifies the DN of the node where the search for the user's certificate should start. There is no default value. The field will recognize any valid DN.
Multiple entries must be prefixed by the local server name. The format is as follows:
servername|search dn
For multiple entries:
servername1|search dn servername2|search dn servername3|search dn...
If multiple users are found for the same search, authentication will fail.
This field accepts the DN of the principal user for the LDAP server where the certificates are stored. There is no default value; any valid DN is recognized. The principal user must be authorized to read and search the certificate information stored in the Directory Server.
This field carries the LDAP password associated with the user specified in the LDAP Server Principal User field. There is no default value; the field recognizes the valid LDAP password of the specified principal user. This value is stored as readable text in the directory, so give the principal user only the read and search rights it needs.
Confirm the password.
Specifies the attribute in the Directory Server entry that matches the certificate whose value should be used to identify the correct user profile. There is no default value for this field which will recognize any valid attribute in a user entry (cn, sn, and so forth) that can be used as the UserID.
Specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.
Specifies which field in the certificate's Subject DN should be used to search for a matching user profile. For example, if you choose email address, the certificate authentication service will search for the user profile that matches the attribute emailAddr in the user certificate. The user logging in then uses the matched profile. The default field is subject CN. The list contains:
email address
subject CN
subject DN
subject UID
other
If the value of the Certificate Field Used to Access User Profile attribute is set to other, then this field specifies the attribute that will be selected from the received certificate's subjectDN value. The authentication service will then search the user profile that matches the value of that attribute.
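The following added example (not Federation Manager code) shows what the Certificate Field Used to Access User Profile setting asks the module to do: take one field out of the presented certificate's subject DN and turn it into an LDAP search filter against the profile attribute configured in the attribute-in-the-Directory-Server setting. The console field names and the emailAddr, cn and uid attribute types come from the text; the function names, the hand-written DN parser and the sample DNs are this example's own. RFC 4515 escaping is applied so that a crafted certificate subject cannot change the shape of the search filter.

```python
import re

# Subject DN attribute types accepted for each console field. The "other"
# field uses the attribute name supplied by the administrator instead.
FIELD_TYPES = {
    "email address": {"emailaddr", "emailaddress", "e", "mail"},
    "subject CN": {"cn"},
    "subject UID": {"uid"},
}


def parse_dn(dn):
    """Split an RFC 4514 string DN into (type, value) pairs.

    Handles backslash escapes (\\, and \\2C forms, ASCII only), quoted
    values and multi-valued RDNs ('+'), which come back as separate pairs.
    Raises ValueError on malformed input. Hand-rolled only to keep this
    example dependency-free.
    """
    pairs, typ, buf, in_quotes, i = [], None, [], False, 0

    def flush():
        nonlocal typ, buf
        if typ is None:
            raise ValueError("RDN without '=' in %r" % dn)
        pairs.append((typ.strip(), "".join(buf).strip()))
        typ, buf = None, []

    while i < len(dn):
        c = dn[i]
        if c == "\\":
            hexpair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                buf.append(chr(int(hexpair, 16)))
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])
                i += 2
            else:
                raise ValueError("dangling escape in %r" % dn)
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "=" and typ is None and not in_quotes:
            typ, buf = "".join(buf), []
        elif c in ",+" and not in_quotes:
            flush()
        else:
            buf.append(c)
        i += 1
    flush()
    return pairs


def escape_filter_value(value):
    """RFC 4515 escaping so certificate contents cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def profile_search_filter(subject_dn, field, profile_attr, other_field=None):
    """Build the filter used to find the user profile.

    Exactly one matching value must exist in the subject DN; anything else
    is rejected, mirroring the module denying access when no unique profile
    can be located.
    """
    if field == "subject DN":
        value = subject_dn
    else:
        if field == "other":
            if not other_field:
                raise ValueError("'other' needs an attribute name")
            wanted = {other_field.lower()}
        else:
            wanted = FIELD_TYPES[field]
        values = [v for t, v in parse_dn(subject_dn) if t.lower() in wanted]
        if len(values) != 1:
            raise ValueError("expected one %s value, found %d" % (field, len(values)))
        value = values[0]
    return "(%s=%s)" % (profile_attr, escape_filter_value(value))
```

A subject such as `CN=alice\)(uid=*,O=Example` is decoded to the literal value `alice)(uid=*` and then re-escaped, so the resulting filter `(uid=alice\29\28uid=\2a)` matches nothing rather than every entry.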
Defines a list of hosts that can be trusted to send certificates to Federation Manager. Federation Manager must verify that the certificate emanated from one of these hosts. This configuration is used only with Sun Java System Portal Server. This attribute accepts the following values:
Disables the attribute. This is set by default.
Accepts Portal Server Gateway-style certificate authentication from any client IP address.
Lists the IP addresses from which to accept Portal Server Gateway-style certificate authentication requests (the IP Address of the Gateway(s)).
Specifies the port number for the secure socket layer. Currently, this attribute is only used by the Gateway servlet. Before you add or change an SSL Port Number, see the Sun Java System Access Manager 7 2005Q4 Administration Guide.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core authentication attribute Default Authentication Level.
The HTTP Basic authentication module allows login using HTTP Basic authentication. A user name and password are requested through the web browser and sent base64-encoded, not encrypted, so the connection to Federation Manager should be protected with SSL. Credentials are validated internally using the LDAP authentication module.
HTTP Basic authentication relies on the use of an LDAPv3-compliant server.
The HTTP Basic attribute is:
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Java Database Connectivity (JDBC) authentication module allows Federation Manager to authenticate users through any Structured Query Language (SQL) databases that provide JDBC-enabled drivers. The connection to the SQL database can be either directly through a JDBC driver or through a JNDI connection pool. The attributes are:
Specifies the connection type to the SQL database, using either a JNDI (Java Naming and Directory Interface) connection pool or JDBC driver. The options are:
Connection pool is retrieved via JNDI
Non-persistent JDBC connection
The JNDI connection pool utilizes the configuration from the underlying web container.
If JNDI is selected in Connection Type, this field specifies the connection pool name. Because JDBC authentication uses the JNDI connection pool provided by the web container, the setup of JNDI connection pool may not be consistent among other web containers. See the Sun Java System Access Manager 7 2005Q4 Administration Guide for examples.
If JDBC is selected in Connection Type, this field specifies the JDBC driver provided by the SQL database. For example, com.mysql.jdbc.Driver.
Specifies the database URL if JDBC is selected in Connection Type. For example, the URL for MySQL is jdbc:mysql://hostname:port/databaseName.
Specifies the user name with which the database connection is made for the JDBC connection.
Defines the password for the user specified in User to Connect to Database.
Confirm the password.
Specifies the password column name in the SQL database.
Specifies the SQL statement that retrieves the password of the user that is logging in. For example:
select Password from Employees where USERNAME = ?
Specifies the class name that transforms the password retrieved from the database, to the format of the user input, for password comparison. This class must implement the JDBCPasswordSyntaxTransform interface.
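The following added example (not Federation Manager code) models the three JDBC module settings just described against an in-memory SQLite table: the password column name, the prepared statement whose single ? is bound to the login name, and a password syntax transform class. The shape assumed for JDBCPasswordSyntaxTransform (one transform(str) -> str method) and all function names are this example's own, and the Employees rows are constructed. The last function shows, beside the correct bound-parameter query, what the same statement matches when the login name is spliced into the SQL text instead.

```python
import hashlib
import hmac
import sqlite3

PASSWORD_COLUMN = "Password"
PREPARED_STATEMENT = "select Password from Employees where USERNAME = ?"


class Sha256HexTransform:
    """Turns the cleartext the user typed into the stored format.

    An unsalted hex SHA-256 is used only because a transform of this shape
    receives nothing but the user's input and so cannot look up a per-user
    salt; a real deployment needs a stronger stored format than this.
    """

    def transform(self, cleartext):
        return hashlib.sha256(cleartext.encode("utf-8")).hexdigest()


def build_sample_db():
    """Constructed sample data: two employees with hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row   # allows reading the configured column by name
    conn.execute("create table Employees (USERNAME text primary key, Password text not null)")
    t = Sha256HexTransform()
    conn.executemany(
        "insert into Employees (USERNAME, Password) values (?, ?)",
        [("alice", t.transform("correct horse")), ("bob", t.transform("hunter2"))],
    )
    return conn


def authenticate(conn, username, password, transform=None):
    """True only if exactly one row matches the bound login name and the
    transformed input equals the stored password (constant-time compare)."""
    transform = transform or Sha256HexTransform()
    rows = conn.execute(PREPARED_STATEMENT, (username,)).fetchall()
    if len(rows) != 1:               # unknown or ambiguous user: deny
        return False
    stored = rows[0][PASSWORD_COLUMN]
    return hmac.compare_digest(transform.transform(password), stored)


def rows_for_concatenated_query(conn, username):
    """What the statement matches if the login name is spliced into the SQL
    text instead of bound to the ? placeholder. Shown only to make the point;
    never build the statement this way."""
    sql = "select Password from Employees where USERNAME = '%s'" % username
    return len(conn.execute(sql).fetchall())
```

With the placeholder bound, a login name of `x' OR '1'='1` simply matches no row; with string concatenation the same input matches every row in the table.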
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
LDAP authentication relies on the use of an LDAPv3–compliant server. This module enables authentication using LDAP bind, a Directory Server operation which associates a user ID password with a particular LDAP entry. You can define multiple LDAP authentication configurations for an organization. The attributes are:
Specifies the host name and port number of the primary LDAP server specified during Federation Manager installation. This is the first server contacted for authentication. The format is hostname:port. If there is no port number, 389 is assumed. Multiple entries must be prefixed by the local server name.
If you have Federation Manager deployed with multiple domains, you can specify the communication link between specific instances of Federation Manager and Directory Server in the following format:
local-servername|server:port local-servername2|server2:port2 ...
For example, if you have two Federation Manager instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look like the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389
L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
Specifies the host name and port number of a secondary LDAP server available to the Federation Manager platform. If the primary LDAP server does not respond to a request for authentication, this server would then be contacted. If the primary server is up, Federation Manager will switch back to the primary server. The format is also hostname:port. Multiple entries must be prefixed by the local server name.
When authenticating users from a Directory Server that is remote from the Federation Manager enterprise, it is important that both the Primary and Secondary LDAP Server Ports have values. The value for one Directory Server location can be used for both fields.
Specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists. Multiple entries must be prefixed by the local server name. The format is servername|search-dn. For multiple entries:
servername1|search-dn servername2|search-dn servername3|search-dn
If multiple users are found for the same search, authentication will fail.
Specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default is amldapuser. Any valid DN will be recognized.
Carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid LDAP password will be recognized.
Confirm the password.
Specifies the attribute used for the naming convention of user entries. By default, Federation Manager assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.
Lists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber, and mail, the user could authenticate with any of these names.
Specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.
Indicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in the DN to Start User Search attribute. The default value is SUBTREE. One of the following choices can be selected from the list:
Searches only the specified node.
Searches at the level of the specified node and one level down.
Search all entries at and below the specified node.
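The following added example (not Federation Manager code) performs the user lookup that the DN to Start User Search, User Naming Attribute, User Search Attributes and Search Scope settings describe, against a small in-memory directory constructed for this example, and fails the authentication when the search returns more than one entry. The way the filter is assembled from the search attributes is this example's reading of the text, not the product's code; the scope semantics follow the three descriptions above.

```python
from enum import Enum


class Scope(Enum):
    OBJECT = "OBJECT"        # only the base node
    ONELEVEL = "ONELEVEL"    # the base node and one level down
    SUBTREE = "SUBTREE"      # the base node and everything below it


def escape_filter_value(value):
    """RFC 4515 escaping of the login ID before it goes into a filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def user_search_filter(login_id, naming_attr, search_attrs):
    """Filter that lets the user authenticate with any listed attribute,
    e.g. (|(uid=x)(employeenumber=x)(mail=x)); falls back to the naming
    attribute when no search attributes are configured."""
    attrs = list(dict.fromkeys(search_attrs or [naming_attr]))
    v = escape_filter_value(login_id)
    clauses = "".join("(%s=%s)" % (a, v) for a in attrs)
    return clauses if len(attrs) == 1 else "(|%s)" % clauses


def _normalise(dn):
    # Sufficient for the constructed data: no escaped commas or quoted values.
    return ",".join(part.strip() for part in dn.lower().split(","))


def in_scope(entry_dn, base_dn, scope):
    """Apply the Search Scope semantics described above."""
    e, b = _normalise(entry_dn), _normalise(base_dn)
    if e != b and not e.endswith("," + b):
        return False
    depth = e.count(",") - b.count(",")
    if scope is Scope.OBJECT:
        return depth == 0
    if scope is Scope.ONELEVEL:
        return depth <= 1
    return True


def find_user(directory, base_dn, scope, login_id, naming_attr, search_attrs):
    """Return the DN of the single matching entry, None when nothing matches,
    and raise LookupError when the search is ambiguous: the module fails the
    authentication in that case rather than guessing which entry to bind as."""
    attrs = list(dict.fromkeys(search_attrs or [naming_attr]))
    hits = []
    for dn, entry in directory.items():
        if not in_scope(dn, base_dn, scope):
            continue
        if any(login_id.lower() == v.lower() for a in attrs for v in entry.get(a, [])):
            hits.append(dn)
    if len(hits) > 1:
        raise LookupError("%d entries match %r; authentication fails" % (len(hits), login_id))
    return hits[0] if hits else None


# Constructed sample directory: two different people share uid=alice.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {
        "uid": ["alice"], "mail": ["alice@example.com"], "employeenumber": ["1001"]},
    "uid=bob,ou=People,dc=example,dc=com": {
        "uid": ["bob"], "mail": ["bob@example.com"], "employeenumber": ["1002"]},
    "uid=alice,ou=Contractors,ou=People,dc=example,dc=com": {
        "uid": ["alice"], "mail": ["alice.c@example.com"], "employeenumber": ["2001"]},
    "uid=ldapsvc,ou=Services,dc=example,dc=com": {
        "uid": ["ldapsvc"]},
}
SEARCH_ATTRS = ["uid", "employeenumber", "mail"]
```

Against this data a SUBTREE search from ou=People for the login name alice is ambiguous and fails, a ONELEVEL search from the same base finds only the employee entry, and searching by employee number or mail address resolves either entry unambiguously.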
Enables SSL access to the Directory Server specified in the Primary and Secondary LDAP Server and Port field. By default, the box is not checked and the SSL protocol will not be used to access the Directory Server.
If the LDAP server is running with SSL enabled (LDAPS), you must make sure that Federation Manager is configured with the proper SSL trusted certificates so that it can connect to Directory Server over the LDAPS protocol.
When the Federation Manager directory is the same as the directory configured for LDAP, this option may be enabled. If enabled, this option allows the LDAP authentication module to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module returns only the User ID, and the authentication service searches for the user in the local Federation Manager LDAP. If an external LDAP directory is used, this option is typically not enabled.
This attribute is used for LDAP Server failback. It defines the number of minutes in which a thread will “sleep” before verifying that the LDAP primary server is running.
This attribute is used by the LDAP authentication module when the LDAP server is configured as an external LDAP server. It contains a mapping of attributes between a local and an external Directory Server. This attribute has the following format:
attr1|externalattr1
attr2|externalattr2
When this attribute is populated, the values of the external attributes are read from the external Directory Server and are set for the internal Directory Server attributes. The values of the external attributes are set in the internal attributes only when the User Profile attribute (in the Core Authentication module) is set to Dynamically Created and the user does not exist in the local Directory Server instance. The newly created user will contain the values for the internal attributes, as specified in User Creation Attributes List, with the external attribute values to which they map.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Membership Authentication module is implemented for personalized sites. When membership authentication is enabled, a user can self-register. This means the user can create an account, personalize it, and access it as a registered user without the help of an administrator. The attributes are:
Specifies the minimum number of characters required for a password set during self-registration. The default value is 8.
If this value is changed, it should also be changed in the PasswdMinChars property in the amAuthMembership.properties file. amAuthMembership.properties is located in the /FederationManager-base/locale/ directory.
Specifies the roles assigned to new users whose profiles are created through self-registration. There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user.
The role specified must be under the organization for which authentication is being configured. Only the roles that can be assigned to the user will be added during self-registration. All other DNs will be ignored. Filtered roles are not accepted.
Specifies whether services are immediately made available to a user who has self-registered. The default value is Active and services are available to the new user. By selecting Inactive, the administrator chooses to make no services available to a new user.
Specifies the host name and port number of the primary LDAP server specified during Federation Manager installation. This is the first server contacted for authentication. The format is hostname:port. If there is no port number, assume 389. Multiple entries must be prefixed by the local server name.
If you have Federation Manager deployed with multiple domains, you can specify the communication link between specific instances of Federation Manager and your LDAP server in the following format:
local-servername|server:port local-servername2|server2:port2 ...
For example, if you have two Federation Manager instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of your LDAP server (L1-machine1-DS and L2-machine2-DS), it would look like the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389
L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
Specifies the host name and port number of a secondary LDAP server available to the Federation Manager platform. If the primary LDAP server does not respond to a request for authentication, this server would then be contacted. If the primary server is up, Federation Manager will switch back to the primary server. The format is also hostname:port. Multiple entries must be prefixed by the local server name.
When authenticating users from an LDAP server that is remote from the Federation Manager enterprise, it is important that both the Primary and Secondary LDAP Server Ports have values. The value for one server location can be used for both fields.
Specifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists. Multiple entries must be prefixed by the local server name. The format is servername|search dn.
For multiple entries:
servername1|search dn servername2|search dn servername3|search dn...
If multiple users are found for the same search, authentication will fail.
Specifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default is amldapuser. Any valid DN will be recognized.
Carries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid LDAP password will be recognized.
Confirmation of the password.
Specifies the attribute used for the naming convention of user entries. By default, Federation Manager assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field.
Lists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber, and mail, the user could authenticate with any of these names.
Specifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized.
Indicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in the DN to Start User Search attribute. The default value is SUBTREE. One of the following choices can be selected from the list:
Searches only the specified node.
Searches at the level of the specified node and one level down.
Search all entries at and below the specified node.
Enables SSL access to the Directory Server specified in the Primary and Secondary LDAP Server and Port field. By default, the box is not checked and the SSL protocol will not be used to access the Directory Server.
If the LDAP server is running with SSL enabled (LDAPS), you must make sure that Federation Manager is configured with the proper SSL trusted certificates so that it can connect to Directory Server over the LDAPS protocol.
When the Federation Manager directory is the same as the directory configured for LDAP, this option may be enabled. If enabled, this option allows the LDAP authentication module to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module returns only the User ID, and the authentication service searches for the user in the local Federation Manager LDAP. If an external LDAP directory is used, this option is typically not enabled.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Mobile Station Integrated Services Digital Network (MSISDN) authentication module enables authentication using a mobile subscriber ISDN associated with a device such as a cellular telephone. It is a non-interactive module. The module retrieves the subscriber ISDN and validates it against the Directory Server to find a user that matches the number. The MSISDN Authentication attributes are:
Specifies a list of IP addresses of trusted clients that can access the MSISDN module. You can set the IP addresses of all clients allowed to access the MSISDN module by entering each address (for example, 192.0.2.111) in the entry field and clicking Add. By default, the list is empty. If the attribute is left empty, all clients are allowed; if you specify none, no clients are allowed. Because the module is non-interactive and trusts the number it finds in the request, an empty list means that any client able to reach Federation Manager can present any MSISDN, so populate it in production.
Specifies a list of parameter names that identify which parameters to search in the request header or cookie header for the MSISDN number. For example, if you define x-Cookie-Param, AM_NUMBER, and COOKIE-ID, the MSISDN authentication services will search those parameters for the MSISDN number.
Specifies the host name and port number of the Directory Server in which the search will occur for the users with MSISDN numbers. The format is hostname:port. If there is no port number, 389 is assumed.
If you have Federation Manager deployed with multiple domains, you can specify the communication link between specific instances of Federation Manager and Directory Server in the following format (multiple entries must be prefixed by the local server name):
local_servername|server:port local_servername2|server2:port2 ...
For example, if you have two Federation Manager instances deployed in different locations (L1-machine1-IS and L2-machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look like the following:
L1-machine1-IS.example.com|L1-machine1-DS.example.com:389
L2-machine2-IS.example.com|L2-machine2-DS.example.com:389
Specifies the DN of the node where the search for the user's MSISDN number should start. There is no default value. The field will recognize any valid DN. Multiple entries must be prefixed by the local server name. The format is servername|search dn. For multiple entries:
servername1|search-dn servername2|search-dn servername3|search-dn
If multiple users are found for the same search, authentication will fail.
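The following added example (not Federation Manager code) resolves the local-servername|value form that the Primary and Secondary LDAP Server and Port settings of the LDAP, Membership and MSISDN modules share with the DN to Start User Search settings, and orders the directory targets primary first with the secondary as failover. Function names are this example's own and the settings used in the usage note are constructed.

```python
DEFAULT_LDAP_PORT = 389


def entry_for_local_server(setting, local_server):
    """Return the value that applies to this Federation Manager instance.

    Entries are whitespace-separated. A "prefix|value" entry applies only to
    the instance whose host name equals the prefix (compared
    case-insensitively); an unprefixed entry applies to every instance.
    Values containing spaces (some DNs) cannot be expressed in this format.
    Raises KeyError when no entry applies to this instance.
    """
    unprefixed = None
    for token in setting.split():
        prefix, sep, value = token.partition("|")
        if sep:
            if prefix.lower() == local_server.lower():
                return value
        elif unprefixed is None:
            unprefixed = token
    if unprefixed is None:
        raise KeyError("no entry for %s in %r" % (local_server, setting))
    return unprefixed


def parse_host_port(value, default_port=DEFAULT_LDAP_PORT):
    """Split hostname:port, assuming 389 when no port is given
    (IPv6 literals are not handled)."""
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, default_port
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("bad port in %r" % value)
    return host, int(port)


def directory_targets(primary_setting, secondary_setting, local_server):
    """Ordered (host, port) list the module would try: the primary, then the
    secondary if the primary does not answer. An empty secondary leaves a
    single target, which is why the text asks for both values when the
    directory is remote from the Federation Manager deployment."""
    targets = []
    for setting in (primary_setting, secondary_setting):
        if not setting.strip():
            continue
        target = parse_host_port(entry_for_local_server(setting, local_server))
        if target not in targets:
            targets.append(target)
    return targets
```

For a primary setting of `L1-machine1-IS.example.com|L1-machine1-DS.example.com:389 L2-machine2-IS.example.com|L2-machine2-DS.example.com:636` and an unprefixed secondary of `backup-ds.example.com`, the L1 instance resolves to L1-machine1-DS on 389 followed by backup-ds on 389, while an instance whose name matches neither prefix gets a KeyError instead of silently using another site's directory.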
Specifies the name of the attribute in the user's profile that contains the MSISDN number to search for a particular user. The default value is sunIdentityMSISDNNumber. This value should not be changed, unless you are certain that another attribute in the user's profile contains the same MSISDN number.
Specifies the LDAP bind DN to allow MSISDN searches in the LDAP server. The default bind DN is cn=amldapuser,ou=DSAME Users,dc=sun,dc=com.
Specifies the LDAP bind password for the bind DN, as defined in LDAP Server Principal User.
Confirm the password.
Enables SSL access to the Directory Server specified in the LDAP Server and Port attribute. By default, this is not enabled and the SSL protocol will not be used to access the Directory Server. However, if this attribute is enabled, you can bind to a non-SSL server.
Specifies the headers to use for searching the request for the MSISDN number. The supported values are as follows:
Performs the search in the cookie.
Performs the search in the request header.
Performs the search in the request parameter. By default, all options are selected.
When the Federation Manager directory is the same as the directory configured for MSISDN, this option may be enabled. If enabled, this option allows the authentication module to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module returns only the User ID, and the authentication service searches for the user in the local Federation Manager directory. If an external directory is used, this option is typically not enabled.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for authentication using an external Remote Authentication Dial-In User Service (RADIUS) server. The attributes are:
Displays the IP address or fully qualified host name of the primary RADIUS server. The default IP address is 127.0.0.1. The field will recognize any valid IP address or host name. Multiple entries must be prefixed by the local server name as in the following syntax:
local-servername|ip-address local-servername2|ip-address2 ...
Displays the IP address or fully qualified domain name (FQDN) of the secondary RADIUS server. It is a failover server which will be contacted if the primary server could not be contacted. The default IP address is 127.0.0.1. Multiple entries must be prefixed by the local server name as in the following syntax:
local-servername|ip-address local-servername2|ip-address2 ...
Carries the shared secret for RADIUS authentication. The shared secret should have the same qualifications as a well-chosen password. There is no default value for this field.
Confirmation of the shared secret for RADIUS authentication.
Specifies the port on which the RADIUS server is listening. The default value is 1645.
Specifies the time interval in seconds to wait for the RADIUS server to respond before a timeout. The default value is 3 seconds. It will recognize any number specifying the timeout in seconds.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for users to authenticate using Secure Computing's SafeWord or SafeWord PremierAccess authentication servers. The attributes are:
Specifies the SafeWord or SafeWord PremierAccess server name and port. Port 7482 is set as the default for a SafeWord server. The default port number for a SafeWord PremierAccess server is 5030.
Specifies the directory into which the SafeWord client library places its verification files. The default is as follows:
/var/opt/SUNWam/auth/safeword/serverVerification
If a different directory is specified in this field, the directory must exist before attempting SafeWord authentication.
Enables SafeWord logging. By default, SafeWord logging is enabled.
Select the SafeWord logging level from the drop-down menu. The levels are:
DEBUG
ERROR
INFO
NONE
Specifies the directory path and log file name for SafeWord client logging. If a path or filename different from the default is specified, it must exist before attempting SafeWord authentication. If more than one organization is configured for SafeWord authentication, and different SafeWord servers are used, different paths must be specified or only the first organization where SafeWord authentication occurs will work.
Defines the timeout period (in seconds) between the SafeWord client and the SafeWord server. The default is 120 seconds.
Defines the Client Type that the SafeWord server uses to communicate with different clients, such as Mobile Client, VPN, Fixed Password, Challenge/Response, and so forth.
This attribute specifies the Extended Authentication and Single Sign-on Protocol (EASSP) version. This field accepts either the standard (101) or premier access (201) protocol versions.
Defines the minimum authenticator strength for the client/SafeWord server authentication. Each client type has a different authenticator value, and the higher the value, the higher the authenticator strength. 20 is the highest value possible. 0 is the lowest value possible.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module allows for authentication using RSA ACE/Server software and RSA SecurID authenticators. The SecurID authentication module is not available for the Linux or Solaris x86 platforms and should not be registered, configured, or enabled on those two platforms. It is available only for Solaris. The attributes are:
Specifies the directory in which the SecurID ACE/Server sdconf.rec file is located; the default is /opt/ace/data. If you specify a different directory in this field, the directory must exist before attempting SecurID authentication.
Specifies the port on which the SecurID helper listens upon startup for the configuration information contained in the SecurID Helper Authentication Port attribute. The default is 58943.
If this attribute is changed, you must also change the securidHelper.ports property in the AMConfig.properties file, and restart Federation Manager. The entry in AMConfig.properties is a space-separated list of the ports for the instances of SecurID helpers. For each organization that communicates with a different ACE/Server (which has a different sdconf.rec file), there must be a separate SecurID helper.
Specifies the port on which the organization's SecurID authentication module configures its SecurID helper instance to listen for authentication requests. This port number must be unique across all organizations using SecurID or UNIX authentication. The default port is 57943.
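The two port attributes above impose cross-file and cross-organization constraints: every helper port must appear in the space-separated securidHelper.ports property in AMConfig.properties, and the helper authentication port must be unique across organizations. The following Python is an added consistency check written for this page; it is not Federation Manager code. It assumes AMConfig.properties uses the usual Java key=value line format, and the sample property text and organization settings are constructed (org2 deliberately reuses org1's authentication port to show the clash being reported).

```python
from typing import Dict, List

# Constructed sample of the relevant AMConfig.properties line.  The page
# states securidHelper.ports is a space-separated list of helper ports.
SAMPLE_AMCONFIG = """\
# other properties omitted from this constructed sample
some.unrelated.property=value
securidHelper.ports=58943 58944
"""

# Constructed per-organization SecurID settings: 'helper_port' is the port
# the helper listens on at startup for its configuration (default 58943),
# 'helper_auth_port' is the port on which it accepts authentication
# requests (default 57943).  org2 reuses org1's auth port on purpose.
SAMPLE_ORG_SECURID: Dict[str, Dict[str, int]] = {
    "org1": {"helper_port": 58943, "helper_auth_port": 57943},
    "org2": {"helper_port": 58944, "helper_auth_port": 57943},
}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java properties reader: key=value lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def helper_ports(props: Dict[str, str]) -> List[int]:
    """Ports listed in securidHelper.ports, in file order."""
    return [int(p) for p in props.get("securidHelper.ports", "").split()]


def check_securid_ports(props: Dict[str, str],
                        orgs: Dict[str, Dict[str, int]]) -> List[str]:
    """Report helper ports missing from AMConfig.properties and auth-port clashes."""
    problems: List[str] = []
    listed = helper_ports(props)
    for org, cfg in orgs.items():
        if cfg["helper_port"] not in listed:
            problems.append(
                f"{org}: helper port {cfg['helper_port']} is not listed in securidHelper.ports")
    owner: Dict[int, str] = {}
    for org, cfg in orgs.items():
        port = cfg["helper_auth_port"]
        if port in owner:
            problems.append(
                f"{org}: helper authentication port {port} is already used by {owner[port]}")
        else:
            owner[port] = org
    return problems


def expected_helper_ports_line(orgs: Dict[str, Dict[str, int]]) -> str:
    """The securidHelper.ports line that would cover every organization."""
    ports = sorted({cfg["helper_port"] for cfg in orgs.values()})
    return "securidHelper.ports=" + " ".join(str(p) for p in ports)


if __name__ == "__main__":
    for problem in check_securid_ports(parse_properties(SAMPLE_AMCONFIG), SAMPLE_ORG_SECURID):
        print(problem)
    print(expected_helper_ports_line(SAMPLE_ORG_SECURID))
```

Because the page requires a Federation Manager restart after changing securidHelper.ports, running a check like this before the restart avoids a second outage to correct a forgotten port.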
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
This module is specific to Windows and is also known as Kerberos authentication. The user presents a Kerberos token to Federation Manager through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol. The Windows Desktop SSO authentication plug-in module provides a client (user) with desktop single sign-on. This means that a user who has already authenticated with a key distribution center can be authenticated with Federation Manager without having to provide the login information again. The Windows Desktop SSO attributes are global attributes. The attributes are:
Specifies the Kerberos principal that is used for authentication. Use the following format:
HTTP/hostname.domainname@dc-domain-name
hostname and domainname represent the host name and domain name of the Federation Manager instance. dc-domain-name is the Kerberos domain in which the Windows 2000 Kerberos server (domain controller) resides. It is possibly different from the domain name of Federation Manager.
This attribute specifies the Kerberos keytab file that is used for authentication. The following naming format is recommended, although it is not required:
hostname.HTTP.keytab
hostname is the host name of the Federation Manager instance.
This attribute specifies the Kerberos Distribution Center (domain controller) domain name. Depending on your configuration, the domain name of the domain controller may be different from the Federation Manager domain name.
This attribute specifies the Kerberos Distribution Center (the domain controller) hostname. You must enter the fully qualified domain name (FQDN) of the domain controller.
If enabled, this attribute allows Federation Manager to automatically return the Kerberos principal with the domain controller's domain name during authentication.
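The principal, keytab, KDC domain and KDC host attributes above must agree with one another for SPNEGO to succeed. The following Python is an added example written for this page, not part of Federation Manager, that parses a configured principal into its service, host and realm components and reports deviations from the documented HTTP/hostname.domainname@dc-domain-name format and the recommended hostname.HTTP.keytab name. The sample values are constructed; comparing the realm to the configured KDC domain name case-insensitively, and accepting either the short or fully qualified host in the keytab name, are this example's assumptions.

```python
import re
from typing import List, NamedTuple


class Principal(NamedTuple):
    service: str
    host: str
    realm: str


# Two-component Kerberos principal as given on the page: service/host@realm.
_PRINCIPAL_RE = re.compile(r"^([^/@\s]+)/([^/@\s]+)@([^/@\s]+)$")


def parse_principal(principal: str) -> Principal:
    match = _PRINCIPAL_RE.match(principal)
    if match is None:
        raise ValueError(f"{principal!r} is not of the form service/host@realm")
    return Principal(*match.groups())


def check_wdsso_settings(principal: str, keytab: str,
                         fm_fqdn: str, kdc_domain: str) -> List[str]:
    """Return findings about the Windows Desktop SSO settings; empty means consistent.

    fm_fqdn is the fully qualified name of this Federation Manager instance and
    kdc_domain the value of the Kerberos Distribution Center domain name attribute.
    """
    findings: List[str] = []
    try:
        parsed = parse_principal(principal)
    except ValueError as exc:
        return [str(exc)]
    if parsed.service != "HTTP":
        findings.append(f"service component is {parsed.service!r}, expected 'HTTP'")
    if "." not in parsed.host:
        findings.append(f"host component {parsed.host!r} is not fully qualified")
    if parsed.host.lower() != fm_fqdn.lower():
        findings.append(f"host component {parsed.host!r} does not match this instance {fm_fqdn!r}")
    # Assumption: the realm should name the KDC domain; compared case-insensitively.
    if parsed.realm.lower() != kdc_domain.lower():
        findings.append(f"realm {parsed.realm!r} differs from the configured KDC domain {kdc_domain!r}")
    # The page recommends hostname.HTTP.keytab; short or fully qualified host accepted here.
    short_host = fm_fqdn.split(".")[0]
    if keytab not in (f"{short_host}.HTTP.keytab", f"{fm_fqdn}.HTTP.keytab"):
        findings.append(
            f"keytab name {keytab!r} does not follow hostname.HTTP.keytab (recommended, not required)")
    return findings


if __name__ == "__main__":
    # Constructed sample values for a single Federation Manager host.
    for finding in check_wdsso_settings("HTTP/fm1.example.com@AD.EXAMPLE.COM",
                                        "fm1.HTTP.keytab", "fm1.example.com", "AD.EXAMPLE.COM"):
        print(finding)
```

A keytab-name mismatch is reported as advisory only, because the page states that the naming format is not required; the other findings describe values that would prevent the SPNEGO token from being accepted for this host.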
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
The Windows NT Authentication module allows for authentication against a Microsoft Windows NT server. The values applied to its attributes under Service Configuration become the default values for the Windows NT Authentication template. The service template needs to be created after registering the service for the organization. The default values can be changed after registration by the administrator.
In order to activate the Windows NT Authentication module, Samba Client 2.2.2 must be downloaded and installed to the following directory:
AccessManager-base/SUNWam/bin
The Samba Client is a file and print server for blending Windows and UNIX machines without requiring a separate Windows NT/2000 Server. Red Hat Linux ships with a Samba client, located in the /usr/bin directory. In order to authenticate using the Windows NT Authentication service for Linux, copy the client binary to FederationManager-base/identity/bin.
The Windows NT attributes are:
Defines the name of the domain to which the user belongs.
Defines the name of the Windows NT authentication host. Name resolution will be performed based on the NetBIOS name as opposed to the fully qualified domain name (FQDN). If you do not have a server on your subnet supplying NetBIOS name resolution, the mappings should be hardcoded. By default, the first part of the FQDN is the NetBIOS name. For example, the host name should be example1, not example1.company1.com.
If DHCP (Dynamic Host Configuration Protocol) is used, put a suitable entry in the HOSTS file on the Windows 2000 machine.
Defines the Samba configuration filename and supports the -s option in the smbclient command. The value must be the full directory path where the Samba configuration file is located. For example, /etc/opt/SUNWam/config/smb.conf.
The authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0.
If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.