25.6 Defining Authentication Policies for Specific Resources

Each resource assigned to an Application Domain can be protected by only one authentication policy. After adding a resource definition to the Application Domain, the Administrator can begin refining a default authentication policy, adding a new policy, and assigning resources to the authentication policy.

In an automatically generated Application Domain, the following authentication policies are seeded as defaults to help streamline the Administrator's tasks:

  • Protected Resource

  • Public Resource

This section provides the following topics:

  • Authentication Policy Page

  • Creating an Authentication Policy for Specific Resources

  • Searching for an Authentication Policy

  • Viewing or Editing an Authentication Policy

  • Deleting an Authentication Policy

25.6.1 Authentication Policy Page

Administrators use authentication policies to protect specific resources. The authentication policy provides the sole authentication method for resources governed by the policy.

Each authentication policy defines the type of verification that must be performed to provide a sufficient level of trust for Access Manager to grant access to the user making the request.

Authentication policies are local. A single policy can be defined to protect one or more resources in the Application Domain. However, each resource can be protected by only one authentication policy.

Authentication Policy Guidelines

  1. Authentication policies include resources, success responses, and an authentication scheme.

  2. Authentication and Authorization policies can evaluate to Success or Failure.

  3. The Query Builder supports LDAP filters (for example, to retrieve matches based on an attribute of a certain display type).

  4. A policy can be defined for a resource pattern such as /…/*, which applies within a determined scope.

  5. Token Issuance Policies can be defined using resources and user- or partner-based conditions.

Figure 25-13 shows the Authentication Policies page of an Application Domain.

Figure 25-13 Sample Authentication Policies Page in the Application Domain


Figure 25-14 shows a specific Authentication Policy. The resources assigned to this policy are displayed on the Resources tab of the policy.

Figure 25-14 Sample Individual Authentication Policy Page


Table 25-9 describes authentication policy elements.

Table 25-9 Authentication Policy Elements and Descriptions

Element: Name

A unique name used as an identifier.

Element: Description

Optional unique text that describes this authentication policy.

Element: Authentication Scheme

A single, previously defined authentication scheme to be used by this policy for user authentication. See Also: "Managing Authentication Schemes" for details.

Element: Success URL

The redirect URL to be used upon successful authentication.

Element: Failure URL

The redirect URL to be used if authentication fails.

Element: Resources

The URL of a resource chosen from those listed. The listed URLs were added to this Application Domain earlier. You can add one or more resources to protect with this authentication policy. The resource definition must exist within the Application Domain before you can include it in a policy.

See Also: "Resources in an Authentication Policy".

Element: Responses

The obligations (post-authentication actions) to be carried out by the Web agent. After a successful authentication, the application server hosting the protected application should be able to assert the user identity based on these responses. After a failed authentication, the browser redirects the request to a pre-configured URL.

See Also: "Introduction to Policy Responses for SSO".

25.6.1.1 Resources in an Authentication Policy

You can choose to add one or more resources to be protected by the authentication policy.

The Resources tab on the Authentication Policy page provides a table where you can enter resource URLs. A list is also provided from which you can choose from defined resources within the Application Domain.

To add a resource, click the + button and select from the list. To delete a resource, select the name from the Resources table and click the Delete button in the table.

25.6.2 Creating an Authentication Policy for Specific Resources

Users with valid Administrator credentials can add an authentication policy and resources to an Application Domain. You can use a pre-configured authentication scheme or a custom authentication scheme in the authentication policy.

Prerequisites

Any resource to be added to a policy must be defined within the same Application Domain as the policy.

To add an authentication policy for specific resources

  1. Locate the desired domain as described in "Searching for an Existing Application Domain".
  2. Click the Authentication Policies tab, then click the Create Authentication Policy button to open a fresh page.
  3. Required Elements: Add your information for this policy.
    • Name

    • Authentication Scheme

  4. Optional Elements (Table 25-9): Add as needed for your policy.
    • Description (optional)

    • Success URL

    • Failure URL

  5. Add Resources: A Resource must be defined within the Application Domain before you can add the resource to a specific policy.
    • Click the Resources tab on the Authentication Policy page.

    • Click the Add button on the Resources tab.

    • Click the Search button.

    • Click a URL in the Results table, then click Add Selected.

    • Repeat these steps as needed to add more resources.

  6. Click Apply to save changes and close the Confirmation window.
  7. Responses: Add policy Responses as described in "Adding and Managing Policy Responses for SSO".
  8. Close the page when you finish.

25.6.3 Searching for an Authentication Policy

Users with valid Administrator credentials can search for a specific authentication policy.

To search for an authentication policy in an Application Domain

  1. Locate the desired domain as described in "Searching for an Existing Application Domain".
  2. Click the Authentication Policies tab and:

25.6.4 Viewing or Editing an Authentication Policy

Users with valid Administrator credentials can modify an authentication policy in an Application Domain.

This includes changing the authentication scheme, adding or removing resources or responses, and altering the Success or Failure URLs.

To view or modify an authentication policy

  1. Locate the desired policy as described in "Searching for an Authentication Policy".
  2. Click the desired policy name to display its configuration.
  3. Edit Policy Elements (Table 25-9):
  4. Resource: Click the Resources tab and:
    • Add: Click the Add button on the Resources table, click a URL in the list, click Apply.

    • Delete: Click a URL in the Resources table, click the Delete button on the table.

  5. Click Apply to submit changes and close the Confirmation window (or close the page without applying changes).
  6. Responses: View or edit responses as described in "Adding and Managing Policy Responses for SSO".
  7. Close the page when you finish.

25.6.5 Deleting an Authentication Policy

Users with valid Administrator credentials can delete an authentication policy from an Application Domain.

When you remove the policy, all resource definitions remain within the Application Domain. However, the policy and all responses are eliminated.

Note:

During a Delete operation, you are alerted to confirm removal of the policy. Confirmation is required to complete the operation.

The following procedure describes how to delete the entire policy. To simply alter an element in the policy, see "Viewing or Editing an Authentication Policy".

To delete an authentication policy

  1. Locate the desired policy as described in "Searching for an Authentication Policy".
  2. Click the desired policy name to display and confirm this configuration.
  3. Ensure that resources governed by this policy are added to a different policy.
  4. Delete all responses, as described in "Adding and Managing Policy Responses for SSO".
  5. On the Authentication Policies tab, click the Serial Number beside the policy, then click the Delete button in the tool bar.
  6. In the Confirmation window, click Delete to confirm (or click Cancel to dismiss the window).
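The two invariants this section relies on, that each resource is protected by only one authentication policy (25.6.1) and that a policy's resources must be moved to another policy before the policy is deleted (step 3 of the procedure above), can be checked mechanically. The following Python model is an added example written for this page; it is not Oracle's code and does not use the Access Manager API. The domain name, resource patterns and the scheme names "LDAPScheme" and "AnonymousScheme" attached to the two seeded policies are assumptions, and request matching is simplified to shell-style wildcards rather than Access Manager's actual resource-matching rules.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class PolicyError(ValueError):
    """Raised when an operation would break an authentication policy invariant."""


@dataclass
class AuthenticationPolicy:
    """Elements of Table 25-9; 'scheme' names a previously defined authentication scheme."""
    name: str
    scheme: str
    description: str = ""
    success_url: Optional[str] = None
    failure_url: Optional[str] = None
    resources: Set[str] = field(default_factory=set)        # resource URLs or patterns
    responses: Dict[str, str] = field(default_factory=dict)  # response name -> value


class ApplicationDomain:
    """Resource definitions plus the authentication policies that protect them."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.resources: Set[str] = set()
        self.policies: Dict[str, AuthenticationPolicy] = {}
        # Defaults seeded into an automatically generated domain (scheme names assumed here).
        self.add_policy(AuthenticationPolicy("Protected Resource", "LDAPScheme"))
        self.add_policy(AuthenticationPolicy("Public Resource", "AnonymousScheme"))

    def define_resource(self, url: str) -> None:
        self.resources.add(url)

    def add_policy(self, policy: AuthenticationPolicy) -> None:
        if policy.name in self.policies:
            raise PolicyError(f"policy name must be unique: {policy.name!r}")
        self.policies[policy.name] = policy

    def protecting_policy(self, url: str) -> Optional[AuthenticationPolicy]:
        """The policy whose resource list contains this resource definition, if any."""
        return next((p for p in self.policies.values() if url in p.resources), None)

    def assign_resource(self, policy_name: str, url: str) -> None:
        """Add a resource to a policy; it must be defined in the domain and not owned elsewhere."""
        if url not in self.resources:
            raise PolicyError(f"resource {url!r} is not defined in domain {self.name!r}")
        owner = self.protecting_policy(url)
        if owner is not None and owner.name != policy_name:
            raise PolicyError(f"resource {url!r} is already protected by {owner.name!r}")
        self.policies[policy_name].resources.add(url)

    def reassign_resource(self, url: str, new_policy_name: str) -> None:
        """Move a resource to another policy (what step 3 of the delete procedure asks for)."""
        owner = self.protecting_policy(url)
        if owner is not None:
            owner.resources.discard(url)
        self.assign_resource(new_policy_name, url)

    def delete_policy(self, policy_name: str) -> None:
        """Remove the policy and its responses; resource definitions stay in the domain."""
        policy = self.policies[policy_name]
        if policy.resources:
            raise PolicyError(f"{policy_name!r} still governs {sorted(policy.resources)}")
        policy.responses.clear()
        del self.policies[policy_name]

    def policy_for_request(self, request_url: str) -> Optional[AuthenticationPolicy]:
        """Longest matching resource pattern wins (simplified wildcard matching, assumed)."""
        best = None
        for policy in self.policies.values():
            for pattern in policy.resources:
                if fnmatch.fnmatchcase(request_url, pattern):
                    if best is None or len(pattern) > len(best[0]):
                        best = (pattern, policy)
        return best[1] if best else None


def run_demo() -> dict:
    """Exercise the invariants on a constructed domain and report the outcomes."""
    domain = ApplicationDomain("Sales")          # constructed sample domain
    for url in ("/sales/*", "/public/*"):        # constructed resource definitions
        domain.define_resource(url)
    domain.assign_resource("Protected Resource", "/sales/*")
    domain.assign_resource("Public Resource", "/public/*")
    out = {
        "sales_policy": domain.policy_for_request("/sales/orders.html").name,
        "public_policy": domain.policy_for_request("/public/index.html").name,
    }
    try:                                          # a second policy may not claim the same resource
        domain.assign_resource("Public Resource", "/sales/*")
        out["double_assignment_rejected"] = False
    except PolicyError:
        out["double_assignment_rejected"] = True
    try:                                          # deletion is refused while resources remain
        domain.delete_policy("Public Resource")
        out["delete_with_resources_rejected"] = False
    except PolicyError:
        out["delete_with_resources_rejected"] = True
    domain.reassign_resource("/public/*", "Protected Resource")
    domain.delete_policy("Public Resource")
    out["remaining_policies"] = sorted(domain.policies)
    out["resources_kept"] = sorted(domain.resources)
    return out


if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the double assignment and the premature delete both rejected, and after the reassignment only "Protected Resource" remains while both resource definitions are still in the domain, which is the behaviour 25.6.5 describes.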