On the Home page, click Identity Servers > [cluster name] > Authentication > Classes > Plus icon.
The following classes are recommended only for testing purposes:
Basic: Uses basic HTTP authentication.
Password: Passes the user name and password over HTTP in readable text, and uses a form-based login to collect the name and password.
RADIUS: RADIUS enables communication between remote access servers and a central server. For a production environment, use ProtectedRadiusClass.
For a production environment, select one of the following classes:
Class | Description |
---|---|
X509 | To implement certificate-based authentication. See Mutual SSL (X.509) Authentication. |
Social Authentication | To implement authentication through external OAuth providers, such as Facebook, GooglePlus, LinkedIn, and Twitter. See Social Authentication. |
TOTP | To implement two-factor authentication. See Two-Factor Authentication Using Time-Based One-Time Password. |
Risk-based Authentication | To assess the risk after authentication. See Risk-based Authentication. |
Risk-based Pre-Authentication | To assess the risk before authentication. See Risk-based Authentication. |
Protected Basic | BasicClass protected by HTTPS. |
Protected Password | PasswordClass protected by HTTPS (form-based). |
Protected RADIUS | RadiusClass protected by HTTPS. See RADIUS Authentication. |
Kerberos | To use Kerberos for Active Directory and Identity Server authentication. See Kerberos Authentication. |
NMAS | For NMAS, which uses fingerprint and other technology as a means to authenticate a user. See Smart Card Authentication with NMAS. |
NP/RADIUS/X509 | To create a contract from which the user can select an authentication method: name/password, RADIUS, or X.509. See ORed Credential Class. |
Password Fetch | To allow Identity Server to retrieve a user’s password when the user has used a non-password class for authentication. See Password Retrieval. |
Persistent Authentication | For persistent logins, long authentication sessions, or remember my password functionality. See Persistent Authentication. |
IDP Select | To allow a user to authenticate with an external IDP and to provide an option to remember the user choice. See Configuring IDP Select (Class). |
Custom | For third-party authentication classes or if you have created a custom class. For information about how to create a custom class, see Access Manager Developer Resources. |
Alias Name Password | To authenticate a user against the user's alias name. This class uses the alias object of the user object and the password of the corresponding user object to authenticate. |
Advanced Authentication | To support Advanced Authentication (for example, Email OTP, FIDO U2F). See Multi-Factor Authentication Using Advanced Authentication. |
SecureCredentialsAuthClass | To support encryption of user password. See SecureCredentialsAuthClass. |
IMPORTANT: To enable the CSRF check, perform the steps mentioned in LOGIN CSRF CHECK and add the property AntiCSRFCheck=true to the class. Do not add this property to Password Class and TOTP Class.
You cannot enable the CSRF check for the Advanced Authentication class and SocialAuthClass.
Click Next to configure the properties for each class.
Click New.
Specify a name and value.
The names and values are case-sensitive. For information about the properties used by the classes Basic and Password, see Specifying Common Class Properties.
Click Finish.
Continue with Section 6.1.3, Configuring Authentication Methods.
To use an authentication class, the class must have one or more associated methods.