Access Manager includes a class that can be configured to accept any combination of name/password, X.509, or RADIUS credentials. When this class executes as part of a contract, users can select and enter their preferred type of credential.
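For example, if a name/password credential is ORed with an X.509 credential, the user can choose either to present a certificate or to enter a name and password. This configuration assumes that you, as the administrator, have decided that both credentials are equally secure for the resource the contract protects. Because the user picks which credential to present, the contract is only as strong as the weakest option you enable.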
To create an ORed credential class:
1. Click Devices > Identity Servers > Edit > Local > Classes > New.
2. Specify the following details:
   - Display name: Specify a name for the class.
   - Java class: Select NPOrRadiusOrX509Class.
3. Click Next.
4. Select at least one of the following options:
   - Use Name/Password: Select this option if you want the PasswordClass to be one of the authentication options available to the user.
   - Use Radius: Select this option if you want the RadiusClass to be one of the authentication options available to the user.
   - Use X509: Select this option if you want the X509Class to be one of the authentication options available to the user.
5. (Conditional) If you want to use the protected version of the PasswordClass or RadiusClass, select the Enforce use of HTTPS option.
6. (Conditional) If you selected the Use Name/Password option, configure the properties:
   a. In the Name/Password Properties section, click New.
   b. Specify a property name and property value.
      For information about the properties that PasswordClass and ProtectedPasswordClass support, see Specifying Common Class Properties.
   c. Click OK.
7. Click Next.
8. (Conditional) If you selected the Use Radius option, configure the Radius properties.
   For information about the configuration options, see RADIUS Authentication.
9. (Conditional) If you selected the Use X509 option, configure how the certificate is validated.
   For information about the configuration options, see Mutual SSL (X.509) Authentication.
10. Click Next.
11. (Conditional) If you selected the Use X509 option, configure the attribute mappings.
    For information about the configuration options, see Mutual SSL (X.509) Authentication.
12. Click Next.
13. Click Finish.
14. Continue with creating a method and a contract for this class.
    See Configuring Authentication Methods and Configuring Authentication Contracts.
The RADIUS class prompts the user for a token instead of a password. The user can use the drop-down menu to select between the password and the token. If the user chooses to send a certificate, the username and password/token options become unavailable.