Configuring Identity Server Global Options

Global options are applicable for all Identity Servers in a cluster.

Perform the following steps to configure Identity Server global options:

  1. Click Devices > Identity Servers > Edit > Options > New.

  2. Set the following properties based on your requirement:

    The following properties are available. Each property is listed with the values it accepts and, where one exists, its default.

    ALLOW AUTH POLICY EXECUTION

    Select false to prevent Identity Server from executing authorization policies. The default value is true.

    For example, see Executing an Authorization-based Role Policy During SAML 2.0 Service Provider Initiated Request.

    ALLOW GRACE LOGIN FOR EXPIRING PASSWORD

    (Access Manager 5.0 Service Pack 1 and later)

    When the value is set to true, users get grace logins when their password is about to expire. By default, the property is set to true on all Identity Server clusters.

    Select false if you do not want users to get a grace login for an expiring password.

    For Active Directory, this option applies when the pwdLastSet attribute is zero (pwdLastSet=0) in the user store, which means the user must change the password at the next login.

    If you set this option to false, the user is not redirected to the Password Management Servlet (if one is configured).

    CHECK ACTIVE CLUSTER MEMBERS FOR PROXY

    (Access Manager 5.0 Service Pack 1 and later)

    Select true to verify that the incoming Identity Server cluster cookie refers to an active node of the cluster before the request is proxied to that node. The default value is false.

    CLUSTER COOKIE DOMAIN

    Set this property to change the Domain attribute of the Identity Server cluster cookie.

    For example, see Configuring X.509 Authentication to Display the Access Manager Error Message.

    CLUSTER COOKIE PATH

    Set this property to change the Path attribute of the Identity Server cluster cookie. The default value is /nidp.

    For example, see Configuring X.509 Authentication to Display the Access Manager Error Message.

    CRL REFRESH INTERVAL DAYS

    (Access Manager 5.0 Service Pack 1 and later)

    Access Manager caches the Certificate Revocation Lists (CRL) used in X.509 Authentication.

    Specify the number of days after which the cached CRL is refreshed.

    DECODE RELAY STATE PARAM

    Select true to URL-decode the RelayState parameter. The default value is false.

    DELETE OLD SESSIONS OF USER

    Select true to have Identity Server delete the user's previous sessions when the number of open sessions reaches the maximum specified in Limit User Sessions. The default value is false.

    HTTP ONLY CLUSTER COOKIE

    Select false to disable the HttpOnly flag on Identity Server cluster cookies. The default value is true.

    For example, see Enabling Secure or HTTPOnly Flags for Cluster Cookies.

    HTTP POPULATE LOGINNAME FROM SAML AUTH REQUEST

    Select true to auto-populate the email ID on the Identity Server login page for a SAML 2.0 authentication. The default value is false.

    For more information, see Auto-Populating the Username on the Identity Server Login Page.

    HTTP POPULATE PARSED LOGINNAME FROM SAML AUTH REQUEST

    Select true to auto-populate the username instead of the entire email ID on the Identity Server login page for a SAML 2.0 authentication. For example, to populate steve.smith instead of steve.smith@example.com. The default value is false.

    For more information, see Auto-Populating the Username on the Identity Server Login Page.

    HTTP POPULATE LOGINNAME FROM WSFED AUTH REQUEST

    Select true to auto-populate the email ID on the Identity Server login page for a WS-Fed authentication request. The default value is false.

    HTTP POPULATE PARSED LOGINNAME FROM WSFED AUTH REQUEST

    Select true to auto-populate the username instead of the entire email ID on the Identity Server login page for a WS-Fed authentication.

    For example, to populate steve.smith instead of steve.smith@example.com. The default value is false.

    IS SAML2 POST INFLATE

    Select true to enable Identity Server to receive deflated SAML 2.0 POST messages from its trusted providers. The default value is false.

    You can also use this property to have POST binding messages sent in compressed form. For example, see the note in Step 4.

    IS SAML2 POST SIGN RESPONSE

    Select true to enable the identity provider to sign the entire SAML 2.0 response for all service providers.

    SAML2 ISSUER FORMAT

    Select true to add the Format attribute to the saml:Issuer element. This property must be added to the /opt/novell/nids/lib/webapp/WEB-INF/classes/nidpconfig.properties file on each Identity Server in the cluster.

    SAML2 ISSUER NAME QUALIFIER

    Select true to add the NameQualifier attribute to the saml:Issuer element. This property must be added to the /opt/novell/nids/lib/webapp/WEB-INF/classes/nidpconfig.properties file on each Identity Server in the cluster.

    LOGIN CSRF CHECK

    Select true to enable the Cross-Site Request Forgery (CSRF) check for the Password class and the TOTP class. This applies to the default Access Manager login pages. If you have customized a login page, you must add the CSRF token to that page yourself, otherwise the token is missing from its form submissions once this option is enabled. Add the following to the page:

    JAVA (JSP scriptlet, placed before the login form):

    <%
    // Session ID from the request parameter, or from the request attribute when the parameter is absent
    String sid = request.getParameter("sid") != null
            ? request.getParameter(NIDPConstants.SID)
            : (String) request.getAttribute(NIDPConstants.SID);
    NIDPSessionData sData = NIDPContext.getNIDPContext().getSession(request).getSessionData(sid);
    // Emit the token only when LOGIN CSRF CHECK is configured and set to true
    boolean csrfCheckRequired = NIDPEdirConfigUtil.isConfigured(NIDPConfigKeys.LOGIN_CSRF_CHECK.name())
            ? NIDPEdirConfigUtil.getValueAsBoolean(NIDPConfigKeys.LOGIN_CSRF_CHECK.name())
            : false;
    %>

    HTML (inside the login form, alongside its other hidden fields):

    <% if (csrfCheckRequired) { %>
        <input type="hidden" name="AntiCSRFToken" value="<%=sData.getAntiCSRFToken()%>">
    <% } %>

    OAUTH TOKENS IN BINARY FORMAT

    Select true to send tokens in the binary format.

    By default, the value is set to false and tokens are sent in the JWT format.

    Do not use this property unless you have an existing client application that cannot handle a token larger than the existing binary token.

    NOTE: When set to true, some features, such as token encryption using resource server keys and token revocation, are not available.

    RENAME SESSION ID

    Select false to prevent Identity Server from automatically renaming the session ID. The default value is true.

    SAML1X ATTRIBUTE MATCH BY NAME

    Select true to perform a strict check on the namespace of the attributes received in the assertion.

    For example, see SAML 1.1 Service Provider Re-requests for Authentication.

    SAML2 ATTRIBUTE CONSUMING INDEX

    This option sets, globally, the value of AttributeConsumingServiceIndex in SAML 2 authentication requests. If SAML2 ATTRIBUTE CONSUMING INDEX is not configured in the SAML 2.0 options, Access Manager uses the SAML2 ATTRIBUTE CONSUMING INDEX configured in the Identity Server global options. To assign values for multiple entries, separate the entries with a comma (,).

    Provide the value in the format specified in the following example:

    For protected resource URL: https://www.example.com:446/test/Test/test.php->2

    In this example, the “2” is assigned to AttributeConsumingServiceIndex of SAML 2 authentication request coming from the protected resource.

    For default value: default->10

    If the SAML 2 authentication request comes from the protected resource that is not configured, the default value 10 is assigned to AttributeConsumingServiceIndex.

    For multiple protected resource URLs: https://www.example.com:446/test/Test/test.php->2,https://www.example.com:446/test/Test/view.php->3

    SECURE CLUSTER COOKIE

    Select false to disable the Secure flag on cluster cookies. The default value is true.

    For example, see Enabling Secure or HTTPOnly Flags for Cluster Cookies.
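    The following script is an added illustration, not part of Access Manager, for checking the cluster cookie attributes that the SECURE CLUSTER COOKIE, HTTP ONLY CLUSTER COOKIE, CLUSTER COOKIE DOMAIN and CLUSTER COOKIE PATH options control. It parses Set-Cookie headers itself, looks for the cluster cookie named UrnNovellNidpClusterMemberId (documented under USE DEVICE ID IN URN COOKIE below), and reports a missing Secure or HttpOnly flag or an unexpected Path or Domain. The Set-Cookie headers in the script are constructed samples, not captured from a real server; the fetch helper is only for running it against a live Identity Server.

```python
"""Check Identity Server Set-Cookie headers for the cluster cookie hardening flags.

Sample headers below are constructed for this example, not captured output.
"""
import urllib.request

CLUSTER_COOKIE = "UrnNovellNidpClusterMemberId"  # cluster cookie name documented on this page


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def check_cluster_cookie(set_cookie_headers, expected_path="/nidp", expected_domain=None):
    """Return a list of findings for the cluster cookie; an empty list means it is hardened.

    expected_path defaults to the documented CLUSTER COOKIE PATH default; pass
    expected_domain only if you changed CLUSTER COOKIE DOMAIN.
    """
    findings = []
    found = False
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if name != CLUSTER_COOKIE:
            continue
        found = True
        if attrs.get("secure") is not True:
            findings.append("Secure flag missing: cookie may be sent over plain HTTP")
        if attrs.get("httponly") is not True:
            findings.append("HttpOnly flag missing: cookie is readable by page scripts")
        path = attrs.get("path")
        if path != expected_path:
            findings.append(f"Path is {path!r}, expected {expected_path!r}")
        if expected_domain is not None:
            domain = (attrs.get("domain") or "").lstrip(".").lower()
            if domain != expected_domain.lower():
                findings.append(f"Domain is {attrs.get('domain')!r}, expected {expected_domain!r}")
    if not found:
        findings.append(f"no {CLUSTER_COOKIE} cookie in the response")
    return findings


def fetch_set_cookie_headers(url):
    """Fetch a URL and return all Set-Cookie headers (one string per header). Live use only."""
    with urllib.request.urlopen(url) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed examples: a hardened response and one where both flags were disabled.
HARDENED = [
    "JSESSIONID=0A1B2C3D; Path=/nidp; Secure; HttpOnly",
    "UrnNovellNidpClusterMemberId=~5C1E2A; Path=/nidp; Secure; HttpOnly",
]
WEAKENED = [
    "UrnNovellNidpClusterMemberId=~5C1E2A; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("hardened", HARDENED), ("weakened", WEAKENED)):
        print(label, check_cluster_cookie(headers) or "OK")
```

    To run it against a cluster, call check_cluster_cookie(fetch_set_cookie_headers("https://<idp>/nidp/")) from each node; the Domain check is only meaningful when CLUSTER COOKIE DOMAIN has been changed from its default.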

    STS CHANGE ISSUER

    Specify the value in this format: SPentityID:UPNDomain -> new IssuerID. For example: urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/

    For multiple child domains, add an entry for the parent domain and for each child domain, separated by commas. For example, if namnetiq.in is the parent domain and support.namnetiq.in and engineering.namnetiq.in are child domains, specify the following entries:

    urn:federation:MicrosoftOnline:namnetiq.in -> https://namnetiq.in/nidp/wsfed/, urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/, urn:federation:MicrosoftOnline:engineering.namnetiq.in -> https://namnetiq.com/nidp/wsfed/

    For example, see Configuring Federation for Multiple Domains.
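    The script below is an added example, not Access Manager code, showing how the two list-valued options on this page, SAML2 ATTRIBUTE CONSUMING INDEX and STS CHANGE ISSUER, resolve to a value at request time. It parses the documented key->value, key->value format (whitespace around the arrow and the commas is ignored), applies the documented default-> fallback for the attribute consuming index, and looks up the STS issuer by the documented SPentityID:UPNDomain key. Both lookups use an exact string match on the key and fall back when no entry matches; that reading of the format, and the two lookup functions, are this example's assumptions, not a description of the product's internal matching. The option values are the ones given on this page.

```python
"""Resolve the 'key -> value' list formats used by SAML2 ATTRIBUTE CONSUMING INDEX
and STS CHANGE ISSUER. Lookup semantics here are this example's reading of the page."""


def parse_arrow_list(text):
    """Parse 'key->value, key2 -> value2' into a dict; whitespace around ',' and '->' is ignored."""
    mapping = {}
    for entry in text.split(","):
        entry = entry.strip()
        if not entry:
            continue
        key, arrow, value = entry.partition("->")
        if not arrow or not key.strip() or not value.strip():
            raise ValueError(f"malformed entry (expected key->value): {entry!r}")
        mapping[key.strip()] = value.strip()
    return mapping


def attribute_consuming_index(option_value, resource_url):
    """AttributeConsumingServiceIndex for a SAML 2 request coming from resource_url.

    Exact string match on the URL; falls back to the 'default' entry; None if neither exists.
    """
    mapping = parse_arrow_list(option_value)
    raw = mapping.get(resource_url, mapping.get("default"))
    return None if raw is None else int(raw)


def sts_issuer(option_value, sp_entity_id, upn_domain, current_issuer):
    """Issuer ID for a WS-Federation/STS request from sp_entity_id for a user in upn_domain.

    Keys are '<SPentityID>:<UPNDomain>' as documented; unlisted domains keep current_issuer.
    """
    mapping = parse_arrow_list(option_value)
    return mapping.get(f"{sp_entity_id}:{upn_domain}", current_issuer)


# Option values as given on this page
ACS_INDEX_OPTION = (
    "https://www.example.com:446/test/Test/test.php->2,"
    "https://www.example.com:446/test/Test/view.php->3,default->10"
)
STS_CHANGE_ISSUER_OPTION = (
    "urn:federation:MicrosoftOnline:namnetiq.in -> https://namnetiq.in/nidp/wsfed/, "
    "urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/"
)

if __name__ == "__main__":
    print(attribute_consuming_index(ACS_INDEX_OPTION, "https://www.example.com:446/test/Test/view.php"))
    print(attribute_consuming_index(ACS_INDEX_OPTION, "https://www.example.com:446/other.php"))
    print(sts_issuer(STS_CHANGE_ISSUER_OPTION, "urn:federation:MicrosoftOnline",
                     "support.namnetiq.in", "https://idp.example.com/nidp/wsfed/"))
```

    A malformed entry (no arrow, or an empty key or value) raises rather than being skipped, so a typo in the option value is noticed when the configuration is tested rather than silently producing the default index or the old issuer.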

    STS OFFICE365 MULTI DOMAIN SUPPORT AUTO

    Select true to enable users to access Office 365 services by using the Issuer URI specific to the domain they belong to. The default value is false.

    For example, see Creating Multiple Domains in Office 365 and Establishing Federation with Access Manager.

    USE DEVICE ID IN URN COOKIE

    (Access Manager 5.0 Service Pack 1 and later)

    In an Access Manager environment with multiple Identity Servers and Access Gateways, a cluster cookie (UrnNovellNidpClusterMemberId) is automatically set for the serving node of the cluster. When requests come to Identity Server or Embedded Service Provider (ESP), this cookie is used by all nodes of the cluster to perform the proxying, if necessary.

    For higher security, enable this property to use hashing for the cookie value.

    • false: The default setting.

    • true: Enables this property for both Identity Server and ESP.

    • IDP: Enables this property for Identity Server.

    To set up this property only for ESP, see USE_DEVICE_ID_IN_URN_COOKIE in Configuring ESP Global Options.

    WSF SERVICES LIST

    • Select full to enable users to access the Services page.
    • Select 404 to return an HTTP 404 status code: Not Found.
    • Select 403 to return an HTTP 403 status code: Forbidden.
    • Select empty to return an empty services list.

    The default value is full.

    For example, see Blocking Access to the WSDL Services Page.

    WSFED ASSERTION VALIDITY

    Specify the assertion validity time in seconds for WS-Federation service providers, to accommodate clock skew between the service provider and the identity provider.

    The default value is 1800 seconds.

    For example, see Assertion Validity Window.

    NOTE: You can also set the assertion validity time individually for each WS-Federation service provider; the per-provider default is 300 seconds.

    WSTRUST AUTHORIZATION ALLOWED ACTAS VALUES

    Specify the user names who can perform ActAs operations. Allowed user names are the user accounts that the intermediate web service provider uses to authenticate with STS when sending a request with ActAs elements.

    You can specify more than one user name separated by a comma.

    For example, see Adding Policy for ActAs and OnBehalfOf.

    WSTRUST AUTHORIZATION ALLOWED ONBEHALF VALUES

    Specify the user names who can perform OnBehalfOf operations. Allowed user names are the user accounts that the intermediate web service provider uses to authenticate with STS when sending a request with OnBehalfOf elements.

    You can specify more than one user name separated by a comma.

    For example, see Adding Policy for ActAs and OnBehalfOf.

    WSTRUST AUTHORIZATION ALLOWED VALUES

    Specify the user names who can perform both ActAs and OnBehalfOf operations. You can specify more than one user name separated by a comma.

    For example, see Adding Policy for ActAs and OnBehalfOf.

    SESSION ASSURANCE USER AGENT EXCLUDE LIST

    Specify the user-agent strings for which you want to disable session validation.

    For example, see Disabling Advanced Session Assurance for Identity Server.

    SESSION ASSURANCE USER AGENT REGEX EXCLUDE LIST

    Specify the user-agent regular expressions for which you want to disable session validation.

    For example, see Disabling Advanced Session Assurance for Identity Server.

    SESSION ASSURANCE URL EXCLUDE LIST

    Specify the URLs for which you want to disable session validation.

    For example, see Disabling Advanced Session Assurance for Identity Server.

    SESSION ASSURANCE URL REGEX EXCLUDE LIST

    Specify the URL regular expressions for which you want to disable session validation.

    For example, see Disabling Advanced Session Assurance for Identity Server.

    SESSION ASSURANCE IDC COOKIE GRACEPERIOD

    Specify the time in seconds during which Identity Server continues to accept the old IDC cookie after issuing a new one. The default value is 15 seconds.

    OTHER

    Specify Property Name and Property Value if you want to configure any other property.

    NAM_DFP_KEYS_ENFORCE_STRICT

    Click OTHER to configure this property.

    When Advanced Session Assurance is enabled, specify true to send session keys only the first time when the device information is fetched. Specify false to send session keys each time the device information is fetched. The default value is false.

    ENCODE_TARGET_URL_QUERY

    Click OTHER to configure this property.

    When this option is set to true, the target URL query (the SAML request) is URL encoded. This option is set to true by default. When you set it to false, the following happens after authentication:

    • The target URL query is not URL encoded

    • The user is not redirected to the service provider

    • The following message is displayed:

      <amLogEntry> 2018-08-20T17:00:18Z WARNING NIDS Application: Error during Inflate.
      Exception message: "It should be divisible by four"
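    The following script is an added example, not Access Manager code, that reproduces why the un-encoded case above fails and what ENCODE_TARGET_URL_QUERY=true avoids; the same deflate step is what IS SAML2 POST INFLATE enables on the POST path. A Redirect-binding SAMLRequest is raw DEFLATE output, base64-encoded and then URL-encoded. Base64 text can contain '+', '/' and '='; if it is placed in the query string without URL encoding, the receiver's form decoding turns each '+' into a space, the base64 text is no longer a multiple of four characters, and the decode (and therefore the inflate) fails, which is the "divisible by four" condition in the log entry. The sample AuthnRequest is constructed; because the base64 form of real deflate output is not predictable by hand, the failure is shown with a hand-built stored-block DEFLATE stream whose base64 form is known to contain '+'.

```python
"""SAMLRequest query encoding: correct URL encoding beside the un-encoded failure.

The sample XML and the stored-block stream are constructed for this example.
"""
import base64
import binascii
import zlib
from urllib.parse import parse_qs, quote

# Constructed, minimal AuthnRequest (not a real request)
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example1" Version="2.0" IssueInstant="2018-08-20T17:00:18Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>'
)


def encode_saml_request(xml):
    """Raw DEFLATE (no zlib header) then base64, as the HTTP-Redirect binding requires."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_saml_request(b64):
    """Strict inverse: base64 (rejecting non-alphabet characters) then raw inflate."""
    raw = base64.b64decode(b64, validate=True)
    return zlib.decompress(raw, -15).decode("utf-8")


def build_query(b64, url_encode=True):
    """ENCODE_TARGET_URL_QUERY=true -> percent-encode the value; false -> paste it as-is."""
    value = quote(b64, safe="") if url_encode else b64
    return "SAMLRequest=" + value


def receive(query):
    """What the receiver sees after ordinary form decoding of the query string.

    Returns (True, xml) on success or (False, message) when decoding fails.
    """
    value = parse_qs(query, keep_blank_values=True).get("SAMLRequest", [""])[0]
    try:
        return True, decode_saml_request(value)
    except (binascii.Error, zlib.error, UnicodeDecodeError) as exc:
        return False, f"Error during Inflate: {exc}"


def stored_deflate(payload):
    """Hand-built raw DEFLATE stream: one final stored (uncompressed) block.

    Byte 0x01 = BFINAL=1, BTYPE=00; then LEN and its one's complement, little-endian.
    stored_deflate(b'<a/>') base64-encodes to 'AQQA+/88YS8+', which contains '+'.
    """
    length = len(payload)
    return (b"\x01" + length.to_bytes(2, "little")
            + (length ^ 0xFFFF).to_bytes(2, "little") + payload)


def predictable_b64():
    """Base64 of the stored-block stream for '<a/>'; deterministic, so the '+' is guaranteed."""
    return base64.b64encode(stored_deflate(b"<a/>")).decode("ascii")


if __name__ == "__main__":
    b64 = predictable_b64()
    print("url-encoded :", receive(build_query(b64, url_encode=True)))
    print("un-encoded  :", receive(build_query(b64, url_encode=False)))
```

    With url_encode=False the receiver gets "AQQA /88YS8 " after form decoding, which is not valid base64, and receive() reports the inflate error; with url_encode=True the same stream round-trips to <a/>, and the real compressed AuthnRequest round-trips the same way.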

    NMAS_SAML_SIGN_METHODDIGEST_SHA256

    Click OTHER to configure this property.

    Set this option to true when using the NMAS SAML method. When set to true, the SHA-256 digest algorithm is used when signing SAML 2 assertions. If this property is not configured or is set to false, SHA-1 is used. The default value is false. SHA-1 is deprecated for signatures, so set this option to true unless a consuming service provider cannot validate SHA-256 signatures.

    persist_caches_on_reconfigure

    Click OTHER to configure this property.

    After you update a configuration or reconfigure it, the user session details and read attributes get deleted from the cache. Set this option to true to retain the details after a configuration update.

    OAUTH_CLAIMS_TO_USE_LDAP_ATTR_FORMAT

    Click OTHER to configure this property.

    Set this option to true to type OAuth claims according to the schema of the underlying LDAP attribute: a single-valued LDAP attribute is returned as a string, and a multi-valued LDAP attribute is returned as a string array regardless of how many values it currently holds.

    For example, assume a client application uses the Authorization Code flow and sends the access token to the userinfo endpoint. This option controls the data type of the attributes returned in the response.

    The following is an example of attributes when this property is not configured or set to false:

        "family_name": "Lastname"

    The following is an example of attributes when this property is set to true:

        "family_name": [
            "Lastname"
        ]

    This option is set to false by default.

    OAUTH_REDIRECT_URL_EXACT_MATCH

    Click OTHER to configure this property.

    Set this option to true. When set to true, the redirect URI in an authorization request must match the redirect URI registered with the OAuth client application exactly, including its query parameters. Exact matching of redirect URIs is the behaviour recommended by the OAuth 2.0 Security Best Current Practice, because looser matching lets an attacker append data to a registered URI.
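    The following is an added example, not Access Manager code, contrasting the loose prefix match that many OAuth implementations historically applied to redirect URIs with the exact match that OAUTH_REDIRECT_URL_EXACT_MATCH enforces. The client registrations, the client IDs and the attacker-shaped redirect URIs are constructed for the example; the point is that a prefix match accepts a registered URI with extra query parameters or path appended, while an exact match rejects it.

```python
"""Redirect URI validation: loose prefix match beside exact match.

Registered URIs, client IDs and the attacker-shaped values are constructed for this example.
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed client registrations; client-b registers a query parameter on purpose,
# which is the case the page says exact matching validates.
REGISTERED_REDIRECT_URIS = {
    "client-a": ["https://app.example.com/cb"],
    "client-b": ["https://app.example.com/cb?env=prod"],
}


def redirect_uri_allowed_loose(client_id, redirect_uri):
    """Weak check: accepts anything that starts with a registered URI."""
    return any(redirect_uri.startswith(reg)
               for reg in REGISTERED_REDIRECT_URIS.get(client_id, []))


def redirect_uri_allowed_exact(client_id, redirect_uri):
    """Strict check (OAUTH_REDIRECT_URL_EXACT_MATCH): the value must equal a registered URI."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def describe(redirect_uri):
    """Show what a prefix-matched URI can carry: extra query parameters or a longer path."""
    parts = urlsplit(redirect_uri)
    return {"host": parts.netloc, "path": parts.path, "query": dict(parse_qsl(parts.query))}


# Constructed attacker-shaped values: a registered prefix with extra data appended.
SMUGGLED_QUERY = "https://app.example.com/cb?env=prod&next=https://attacker.example/"
SMUGGLED_PATH = "https://app.example.com/cb/../open-redirect?to=https://attacker.example/"

if __name__ == "__main__":
    for client, uri in (("client-b", SMUGGLED_QUERY), ("client-a", SMUGGLED_PATH)):
        print(client, describe(uri))
        print("  loose:", redirect_uri_allowed_loose(client, uri),
              " exact:", redirect_uri_allowed_exact(client, uri))
```

    Exact matching also rejects a registered URI whose case or parameter order differs from what the client sends, so the client must send the string precisely as registered; native apps using a loopback redirect with a dynamic port are the one case where exact port matching is conventionally relaxed.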

    OAUTH_PARAMETERS_ENCODE_BASE64

    Click OTHER to configure this property.

    Set this option to true. When set to true and the request contains a state parameter that includes "&" together with a URL-encoded redirect URI, the "&" inside the state value is parsed correctly and the decoded state value is returned.

    ENCODE_AUTHZ_STATE_PARAMETER

    Click OTHER to configure this property.

    Set this option to true. When set to true and the request passes a JSON value in the state parameter as a URL-encoded value, the same encoded JSON state value is returned in the response.

    OIDC_PROTOCOL_COMPLIANCE

    Click OTHER to configure this property.

    Set this option to true. When set to true, Boolean claim values in the token are returned as JSON booleans rather than as strings.

    The following is an example of a claim when this property is set to true:

    email_verified : true
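    The script below is an added example, not Access Manager code, that shows the claim shapes produced under OAUTH_CLAIMS_TO_USE_LDAP_ATTR_FORMAT and OIDC_PROTOCOL_COMPLIANCE side by side, and a client-side normaliser that accepts either shape so a relying party does not break when one of these options is toggled. The LDAP entry, the claim-to-attribute mapping and the schema flags are constructed (employeeNumber is single-valued in the inetOrgPerson schema; sn and mail are multi-valued); the behaviour modelled for the false setting, a string for exactly one value and an array for several, is this example's reading of the page and is not confirmed product behaviour.

```python
"""Claim shapes under OAUTH_CLAIMS_TO_USE_LDAP_ATTR_FORMAT and OIDC_PROTOCOL_COMPLIANCE,
plus a client-side normaliser. Entry, mapping and schema flags are constructed."""


def shape_claims(ldap_entry, claim_map, ldap_attr_format):
    """Build claims from LDAP values.

    claim_map: claim name -> (LDAP attribute, multi_valued_in_schema).
    ldap_attr_format=True : array iff the schema says multi-valued (value count ignored).
    ldap_attr_format=False: string for exactly one value, array otherwise (assumed default).
    """
    claims = {}
    for claim, (attr, multi_valued) in claim_map.items():
        values = ldap_entry.get(attr, [])
        if not values:
            continue
        if ldap_attr_format:
            claims[claim] = list(values) if multi_valued else values[0]
        else:
            claims[claim] = values[0] if len(values) == 1 else list(values)
    return claims


def boolean_claim(value, oidc_compliance):
    """OIDC_PROTOCOL_COMPLIANCE=true yields a JSON boolean; otherwise the string form."""
    return bool(value) if oidc_compliance else ("true" if value else "false")


# Client side: never assume the wire type of a claim.
def claim_as_list(claims, name):
    """Return the claim as a list whether it arrived as a string or as an array."""
    value = claims.get(name)
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def claim_as_bool(claims, name):
    """Return the claim as a bool whether it arrived as JSON true/false or as 'true'/'false'."""
    value = claims.get(name)
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


# Constructed entry and mapping
LDAP_ENTRY = {
    "sn": ["Lastname"],
    "mail": ["a@example.com", "b@example.com"],
    "employeeNumber": ["1234"],
}
CLAIM_MAP = {
    "family_name": ("sn", True),
    "email": ("mail", True),
    "employee_id": ("employeeNumber", False),
}

if __name__ == "__main__":
    for flag in (False, True):
        claims = shape_claims(LDAP_ENTRY, CLAIM_MAP, flag)
        claims["email_verified"] = boolean_claim(True, oidc_compliance=flag)
        print(flag, claims, claim_as_list(claims, "family_name"), claim_as_bool(claims, "email_verified"))
```

    A relying party that reads claims["family_name"].upper() works only with the default shape and raises once the option is set to true; routing every claim through claim_as_list or claim_as_bool removes that dependency on the server-side setting.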

  3. Click OK > Apply.