5.1.3 Configuring Authentication Methods

An authentication method associates an authentication class with one or more user stores. The class collects credentials from an entity, and the method validates those credentials against its ordered list of user stores.

Once the entity is found in a user store, the search stops: if the credentials fail to validate against that store, the remaining stores are not tried. Typically the entity is a user, and the method definition (the Identifies User option) specifies whether the method identifies the user. You can alter the behavior of an authentication class by specifying properties (name/value pairs) on the method that override those of the class.

To configure a method for an authentication class:

  1. Click Devices > Identity Servers > Edit > Local > Methods > New.

  2. Specify the following details:

    Display name: The name of the method.

    Class: The authentication class that will use this method. See Creating Authentication Classes.

    Advanced Authentication Chains: (Conditional) Select a chain. If you do not specify a chain, the user is prompted to select one when authenticating.

    This option is available when the Advanced Authentication server is configured and you select AAGenericClass in Class. For more information, see Configuring Advanced Authentication.

    Identifies User: Specifies whether this method identifies the user. When you configure multiple methods for a contract, you might need to disable this option for some of them.

    If you enable this option on two or more methods in a contract, those methods must identify the same user in the same user store; otherwise the PRINCIPAL_MISMATCH_ERR message (see step 4) is displayed.

    If you enable this option on just one method in the contract, that method identifies the user when it succeeds. The other methods in the contract must also succeed, but they do not need to identify the user. For example, the identifying method could require a name and password, and another method in the contract could prompt for a certificate that identifies the user's computer.

    To achieve SSO to backend web applications when the passwordfetch class is enabled, see TID.

    Overwrite Temporary User: If you select this option, the temporary user credentials profile obtained from the previous method in the same session is overwritten with the real user credentials profile obtained from this method.

    Overwrite Real User: If you select this option, the real user credentials profile obtained from the previous method in the same session is overwritten with the real user credentials profile obtained from this method.

  3. Add user stores to search.

    If you have several user stores, the system searches them in the order listed here. The search stops at the first store that contains the user, so the order matters when the same user name exists in more than one store: credentials that are valid only in a later store are rejected. If a user store is not moved to User stores, users in that store cannot authenticate with this method.

    <Default User Store>: The default user store in your system. See Specifying Authentication Defaults.

  4. (Optional) Under Properties, click New and specify the following details:

    Advanced Authentication Property: Select a property from the list. For more information about each property, see Optional Properties (KEY/Value) for Authentication Methods.

    Property Name: The name of the property. It is case-sensitive and specific to an authentication class. You can set the same property on an authentication class and on a method.

    You can use method properties to override the property settings specified in an authentication class. For example, you want to use one authentication class for multiple companies, but with a slightly different login page customized with each company's logo. You can use the same authentication class, create a different method for each company, and use the JSP property to specify the appropriate login page for each company. For information about available properties for basic and form classes, see Specifying Common Class Properties.

    If this method is part of multi-factor authentication, you can set the following additional property:

    PRINCIPAL_MISMATCH_ERR: Specifies the error message displayed when this method identifies a different principal than the other methods in the multi-factor authentication. Enter PRINCIPAL_MISMATCH_ERR in the Property Name field and the message to display as its value.

    RADIUS classes have the following additional properties:

    • RADIUS_LOOKUP_ATTR: Defines an LDAP attribute whose value is read and passed to the RADIUS server as the user ID. If not specified, the user name entered is used.

    • NAS_IP_ADDRESS: Specifies an IP address sent to the RADIUS server as the NAS-IP-Address attribute. You might use this property when service providers run a cluster of small network access servers (NASs).

    • RADIUS_AUTHN_FIRST: Set this property to true to perform RADIUS authentication first, followed by LDAP authentication. By default, this property is set to false. This property is applicable to Access Manager 5.0 Service Pack 1 and later.

    • MessageAuthenticatorAttribute: Set this property to true in the method configuration to include the Message-Authenticator attribute (type 80, RFC 2869) in RADIUS authentication requests. By default, this property is set to false. This property is applicable to Access Manager 5.0 Service Pack 4 Patch 1 and later.

      NOTE: This property is required only when Message-Authenticator is enabled on the RADIUS server. Enabling it when the server does not require the attribute is generally safe: a server that supports the attribute recomputes the HMAC over the request and silently discards a request whose value does not match (RFC 2869), so the attribute adds integrity protection for the Access-Request rather than removing anything.
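The following is an added example, not Access Manager code, showing what the MessageAuthenticatorAttribute property turns on: a RADIUS Access-Request carrying User-Name, a hidden User-Password, NAS-IP-Address and a Message-Authenticator computed as HMAC-MD5 over the whole packet with the attribute's own 16-byte value set to zeros (RFC 2869 section 5.14), together with the check a server performs on receipt. The shared secret, user name, password and NAS address are constructed values.

```python
"""RADIUS Access-Request with Message-Authenticator (attribute 80).

Constructed example, not Access Manager code. The shared secret, user name,
password and NAS address used in demo() are made up.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
HEADER_LEN = 20  # Code, Identifier, Length, 16-byte Request Authenticator


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block), seeded with the
    Request Authenticator. This is obfuscation, not integrity protection."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(ident: int, secret: bytes, user: str, password: str,
                         nas_ip: str, req_auth: Optional[bytes] = None) -> bytes:
    """Return an Access-Request whose Message-Authenticator is
    HMAC-MD5(secret, packet with the attribute's own value set to zeros)."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    # Message-Authenticator goes last: compute the MAC with its value zeroed,
    # then overwrite those final 16 bytes with the result.
    attrs += attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs)) + req_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check (RFC 2869 s5.14): find attribute 80, recompute the
    HMAC over the packet with that value zeroed, compare in constant time.
    A packet without the attribute, or with a bad Length field, is rejected."""
    if len(packet) < HEADER_LEN:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False  # malformed attribute list
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False


def demo():
    """Build one request and show that verification fails once a byte changes."""
    secret = b"example-shared-secret"  # constructed
    pkt = build_access_request(7, secret, "alice", "Winter2024!", "10.0.0.5")
    tampered = pkt[:HEADER_LEN] + pkt[HEADER_LEN:].replace(b"alice", b"mallo")
    return {
        "valid": verify_message_authenticator(pkt, secret),
        "wrong_secret": verify_message_authenticator(pkt, b"other-secret"),
        "tampered_user": verify_message_authenticator(tampered, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier walks the attribute list instead of assuming a fixed offset, rejects a packet whose Length field disagrees with its size, and compares the HMAC in constant time. A server on which Message-Authenticator is enabled, as the NOTE above describes, treats a request that omits the attribute the way verify_message_authenticator does here, as a failure; that is what the default setting of false produces against such a server.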

  5. Click Finish.

  6. Continue with Section 5.1.4, Configuring Authentication Contracts. A method can be used to authenticate users only through a contract that includes it, so each method must have an associated contract.
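As an added illustration of the semantics in steps 2 and 3 (not Access Manager code), the following Python model walks an ordered list of user stores, stops at the first store that contains the user, and evaluates a contract of several methods under the Identifies User rules: every method must succeed, the identifying methods must agree on one principal in one store, and at least one method must identify the user. The store contents, user names, passwords and the device-certificate token are constructed.

```python
"""Toy model of authentication methods, user store order and contracts.

Constructed example, not Access Manager code. Store contents, credentials
and the device-certificate token below are made up."""
from dataclasses import dataclass
from typing import Optional, Tuple

PRINCIPAL_MISMATCH_ERR = "methods in this contract identified different users"

Result = Tuple[bool, Optional[str]]  # (succeeded, principal or None)


@dataclass
class UserStore:
    name: str
    users: dict  # username -> password; plaintext only because this is a model

    def contains(self, username: str) -> bool:
        return username in self.users

    def validate(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


@dataclass
class StoreMethod:
    """A method backed by an ordered list of user stores (step 3)."""
    name: str
    stores: list
    identifies_user: bool = True

    def authenticate(self, username: str, secret: str) -> Result:
        for store in self.stores:
            if store.contains(username):
                # The first store holding the user is authoritative: a wrong
                # password here is final and later stores are never consulted.
                if store.validate(username, secret):
                    return True, f"{username}@{store.name}"
                return False, None
        return False, None  # user exists in none of the assigned stores


@dataclass
class TokenMethod:
    """A method that only proves possession of something (the page's example
    is a certificate identifying the user's computer); it does not identify
    the user, so Identifies User is off."""
    name: str
    expected: str
    identifies_user: bool = False

    def authenticate(self, username: str, secret: str) -> Result:
        return secret == self.expected, None


def run_contract(methods, username: str, secrets: dict) -> Tuple[bool, str]:
    """Evaluate a contract: every method must succeed, and every method with
    identifies_user set must resolve to the same principal in the same store."""
    principal = None
    for m in methods:
        ok, who = m.authenticate(username, secrets[m.name])
        if not ok:
            return False, f"method {m.name} failed"
        if m.identifies_user:
            if principal is not None and who != principal:
                return False, PRINCIPAL_MISMATCH_ERR
            principal = who
    if principal is None:
        return False, "no method in the contract identifies the user"
    return True, principal


# Constructed stores: "alice" exists in both, with different passwords.
EMPLOYEES = UserStore("employees", {"alice": "Winter2024!", "bob": "hunter2"})
CONTRACTORS = UserStore("contractors", {"alice": "pa55word", "carol": "qwerty"})

PASSWORD = StoreMethod("password", [EMPLOYEES, CONTRACTORS])
DEVICE_CERT = TokenMethod("device-cert", expected="cert:lap-0042")
LEGACY_PIN = StoreMethod("legacy-pin", [CONTRACTORS], identifies_user=True)


def demo():
    """Four contract evaluations covering the cases the page describes."""
    cert = {"device-cert": "cert:lap-0042"}
    return {
        # alice with her employees password: found in the first store, succeeds
        "ok": run_contract([PASSWORD, DEVICE_CERT], "alice",
                           {"password": "Winter2024!", **cert}),
        # alice with her contractors password: the employees store is hit first,
        # validation fails there and the contractors store is never tried
        "no_fallthrough": run_contract([PASSWORD, DEVICE_CERT], "alice",
                                       {"password": "pa55word", **cert}),
        # two identifying methods resolve alice to different stores
        "mismatch": run_contract([PASSWORD, LEGACY_PIN], "alice",
                                 {"password": "Winter2024!", "legacy-pin": "pa55word"}),
        # only a non-identifying method: the contract cannot identify anyone
        "nobody": run_contract([DEVICE_CERT], "alice", cert),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15} {outcome}")
```

The no_fallthrough case is the one to keep in mind when ordering user stores in step 3: a user who exists in two stores can only ever authenticate against the first one listed for the method.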