Each resource assigned to an Application Domain can be protected by only one authentication policy. After adding a resource definition to the Application Domain, the Administrator can begin refining a default authentication policy, adding a new policy, and assigning resources to the authentication policy.
In an automatically generated Application Domain, the following authentication policies are seeded as defaults to help streamline the Administrator's tasks:
Protected Resource
Public Resource
Administrators use authentication policies to protect specific resources. The authentication policy provides the sole authentication method for resources governed by the policy.
Each authentication policy defines the type of verification that must be performed to provide a sufficient level of trust for Access Manager to grant access to the user making the request.
Authentication policies are local. A single policy can be defined to protect one or more resources in the Application Domain. However, each resource can be protected by only one authentication policy.
Authentication Policy Guidelines
Authentication policies include resources, success responses, and an authentication scheme.
Authentication and Authorization policies can evaluate to Success or Failure.
Query Builder and support for LDAP filters (for retrieving matches based on an attribute of a certain display type, for example).
Define a policy for resource: /…/* which can be used within a determined scope.
Token Issuance Policies can be defined using resources and user- or partner-based conditions.
Figure 25-13 shows the Authentication Policies page of an Application Domain.
Figure 25-13 Sample Authentication Policies Page in the Application Domain
Figure 25-14 shows a specific Authentication Policy. The resources assigned to this policy are displayed on the Resources tab of the policy.
Figure 25-14 Sample Individual Authentication Policy Page
Table 25-9 describes authentication policy elements.
Table 25-9 Authentication Policy Elements and Descriptions
Element | Description |
---|---|
Name | A unique name used as an identifier. |
Description | Optional unique text that describes this authentication policy. |
Authentication Scheme | A single, previously-defined authentication scheme to be used by this policy for user authentication. See Also: "Managing Authentication Schemes" for details. |
Success URL | The redirect URL to be used upon successful authentication. |
Failure URL | The redirect URL to be used if authentication fails. |
Resources | The URL of a resource chosen from those listed. The listed URLs were added to this Application Domain earlier. You can add one or more resources to protect with this authentication policy. The resource definition must exist within the Application Domain before you can include it in a policy. See Also: "Resources in an Authentication Policy". |
Responses | The obligations (post authentication actions) to be carried out by the Web agent. After a successful authentication, the application server hosting the protected application should be able to assert the User Identity based on these responses. After a failed authentication, the browser redirects the request to a pre-configured URL. See Also: "Introduction to Policy Responses for SSO". |
You can choose to add one or more resources to be protected by the authentication policy.
The Resources tab on the Authentication Policy page provides a table where you can enter resource URLs. A list is also provided from which you can choose from defined resources within the Application Domain.
To add a resource, click the + button and select from the list. To delete a resource, select the name from the Resources table and click the Delete button in the table.
Users with valid Administrator credentials can add an authentication policy and resources to an Application Domain. You can use a pre-configured authentication scheme or a custom authentication scheme in the authentication policy.
Prerequisites
Any resource to be added to a policy must be defined within the same Application Domain as the policy.
To add an authentication policy for specific resources
Users with valid Administrator credentials can search for a specific authentication policy.
To search for an authentication policy in an Application Domain
Users with valid Administrator credentials can modify an authentication policy in an Application Domain.
This includes changing the authentication scheme, adding or removing resources or responses, and altering the Success or Failure URLs.
To view or modify an authentication policy
Users with valid Administrator credentials can delete an authentication policy from an Application Domain.
When you remove the policy, all resource definitions remain within the Application Domain. However, the policy and all responses are eliminated.
Note:
During a Delete operation, you are alerted to confirm removal of the policy. Confirmation is required to complete the operation.
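The following added example (not Oracle code and not an Access Manager API) audits a domain against the rules stated in this section: one authentication policy per resource, resources defined in the same Application Domain as the policy, and resource definitions that remain after a policy is deleted. The dictionary layout, scheme names, and URLs are assumptions constructed for the illustration.

```python
# Added illustration: a hypothetical in-memory model of an Application Domain,
# not an Access Manager export format or API.
from collections import defaultdict

def audit_domain(domain):
    """Return (finding, policy, resource) tuples for the rules in this section."""
    defined = set(domain["resources"])
    owners = defaultdict(list)              # resource URL -> policy names
    findings = []
    for name, policy in sorted(domain["authn_policies"].items()):
        if not policy.get("scheme"):
            # A policy uses a single, previously-defined authentication scheme.
            findings.append(("no-scheme", name, None))
        for url in policy["resources"]:
            if url not in defined:
                # A resource must be defined in the same domain as the policy.
                findings.append(("undefined-resource", name, url))
            owners[url].append(name)
    for url, names in sorted(owners.items()):
        if len(names) > 1:
            # Each resource can be protected by only one authentication policy.
            findings.append(("multiple-policies", ",".join(names), url))
    for url in sorted(defined - set(owners)):
        # Defined in the domain but assigned to no authentication policy.
        findings.append(("no-authn-policy", None, url))
    return findings

def delete_policy(domain, name):
    """Model a delete: the policy and its responses go, resource definitions stay."""
    remaining = {k: v for k, v in domain["authn_policies"].items() if k != name}
    return {"resources": list(domain["resources"]), "authn_policies": remaining}

# Constructed sample domain; scheme names and URLs are made up for the example.
DOMAIN = {
    "resources": ["/app/**", "/app/public/**", "/app/admin/**"],
    "authn_policies": {
        "Protected Resource": {"scheme": "FormScheme",
                               "resources": ["/app/**", "/app/admin/**"],
                               "responses": ["REMOTE_USER"]},
        "Public Resource": {"scheme": "AnonScheme",
                            "resources": ["/app/public/**", "/app/admin/**", "/legacy/**"],
                            "responses": []},
    },
}

if __name__ == "__main__":
    for finding in audit_domain(DOMAIN):
        print("before delete:", finding)
    for finding in audit_domain(delete_policy(DOMAIN, "Protected Resource")):
        print("after delete: ", finding)
```

Running the audit before and after a planned delete shows which resource definitions would be left without an authentication policy, so they can be reassigned in the same change.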
The following procedure describes how to delete the entire policy. To simply alter an element in the policy, see "Viewing or Editing an Authentication Policy".
To delete an authentication policy