6.1.3 Configuring Authentication Methods

Authentication methods let you associate authentication classes with user stores. An authentication class is used to obtain credentials of an entity, and then credentials are validated in the configured user stores.

After the entity is located in a user store, no further checking occurs in other user stores, even if the credentials fail to validate the entity in that store. This entity is often a user, and the description of an authentication method indicates whether this is the case. You can modify an authentication class's behavior by setting properties (name/value pairs) on the method that override those of the authentication class.

To configure a method for an authentication class:

  1. On the Home page, click Identity Servers > [cluster name] > Authentication > Methods > Plus icon.

  2. Specify the following details:

    Name: The name of the method.

    Class: The authentication class that will use this method. See Creating Authentication Classes.

    Advanced Authentication Chains: (Conditional) Select a chain. If you do not specify any chain, the user is prompted to select the chain when the user authenticates.

    This option is available when the Advanced Authentication server is configured and you select AAGenericClass in Class. For more information, see Configuring Advanced Authentication.

    Identify Users: Turn on the toggle if this authentication method must be used to identify the user. When configuring multiple methods for a contract, you might need to disable this option for some methods.

    If you enable this option on two or more methods in a contract, these methods must identify the same user in the same user store.

    If you enable this option on just one method in the contract, that method identifies the user when the authentication method succeeds. The other methods in the contract must succeed, but do not have to authenticate the user. For example, the method that identifies the user could require a name and a password for authentication, and the other method in the contract could prompt for a certificate that identifies the user's computer.

    To achieve SSO to backend web applications when the passwordfetch class is enabled, see TID.

    Overwrite a Temporary User: Turn on the toggle if you want to overwrite the temporary user credentials profile obtained from the previous method in the same session with the real user credentials profile obtained from this authentication method.

    Overwrite a Real User: Turn on the toggle if you want to overwrite the real user credentials profile obtained from the previous method in the same session with the real user credentials profile obtained from this authentication method.

  3. Select user stores.

    If you select several user stores, the system searches through them in the order specified here.

    If you do not select any user store, then Default User Store is used. See Specifying Authentication Defaults.

  4. (Optional) To specify properties, click Advanced Settings > Plus icon, and specify the following details:

    Advanced Authentication Property: Select a property from the list. For more information about each property, see Optional Properties (KEY/Value) for Authentication Methods.

    Property Name: The name of the property is case-sensitive and specific to an authentication class. You can set the same properties for an authentication class and for a method.

    You can use method properties to override the property settings specified in an authentication class. For example, you might want to use one authentication class for multiple companies, but with a slightly different login page customized with each company's logo. You can use the same authentication class, create a different method for each company, and use the JSP property to specify the appropriate login page for each company. For information about available properties for basic and form classes, see Specifying Common Class Properties.

    If this method is part of multi-factor authentication, you can set the following additional property:

    PRINCIPAL_MISMATCH_ERR: Specifies the error message to be displayed if this method identifies a different principal than the other methods in the multi-factor authentication.

    The RADIUS class has the following additional properties:

    • RADIUS_LOOKUP_ATTR: Defines an LDAP attribute whose value is read and used as the ID that is passed to the RADIUS server. If not specified, the user name entered is used.

    • NAS_IP_ADDRESS: Specifies an IP address used as a RADIUS attribute. You can use this property when service providers are using a cluster of small network access servers (NASs). The value you enter is sent to the RADIUS server.

    The following property is available for RADIUS methods:

    RADIUS_AUTHN_FIRST: Set this property to true if you want RADIUS authentication to be performed first, followed by LDAP authentication. By default, this property is set to false.

  5. Click Done > Save.

  6. Continue with Section 6.1.4, Configuring Authentication Contracts. To use a method for authenticating a user, each method must have an associated contract.
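The following model, added here as an illustration and not part of Access Manager's own code, shows the two rules this section states: user stores are searched in the configured order and the search stops at the first store that contains the user even if validation fails there, and every method with Identify Users enabled must resolve to the same user in the same user store, otherwise the PRINCIPAL_MISMATCH_ERR message applies. Store names, account data and the class names are constructed assumptions.

```python
"""Model of user-store search order and Identify Users consistency.
Added illustration only; names and sample data are constructed."""
from dataclasses import dataclass, field


@dataclass
class UserStore:
    name: str
    accounts: dict  # constructed sample data: username -> password


@dataclass
class Method:
    name: str
    user_stores: list  # searched in the configured order
    identify_users: bool = True
    properties: dict = field(default_factory=dict)


def authenticate(method, username, password):
    """Search stores in order. Once the user is located in a store, no other
    store is consulted, even if the password does not validate there.
    Returns (success, (store_name, username) or None)."""
    for store in method.user_stores:
        if username in store.accounts:
            ok = store.accounts[username] == password
            return ok, ((store.name, username) if ok else None)
    return False, None


def run_contract(methods, creds):
    """All methods must succeed; those with Identify Users enabled must
    identify the same principal (same user in the same user store)."""
    principal = None
    for m in methods:
        ok, found = authenticate(m, *creds[m.name])
        if not ok:
            return False, f"{m.name} failed"
        if m.identify_users:
            if principal is None:
                principal = found
            elif found != principal:
                return False, m.properties.get(
                    "PRINCIPAL_MISMATCH_ERR", "principal mismatch")
    return True, principal


# Constructed sample stores: "alice" exists in both with different passwords,
# so the search order decides which password is accepted.
STORE_A = UserStore("store_a", {"alice": "a-pass"})
STORE_B = UserStore("store_b", {"alice": "b-pass", "bob": "bob-pass"})
```

Because the lookup stops at the first store containing the user, an account with the same name in an earlier store shadows the one in a later store; review store order when a user who can bind to one directory is unexpectedly rejected.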