Creating the Identity Server’s Administrator class, method, and contract provides you the rights to create a logging ticket. You need to know the DNs of the operators who are going to be responding to the users who are experiencing problems. Creating a Logging Session’s class, method, and contract provides you ........
To create a class:
On the Homepage, click Identity Servers > [cluster name] > Authentication > Classes > Plus icon.
Under General, select Other.
Specify the name of the class. For example, IDP Administrator or Logging Session.
Click Save.
To create a method:
On the Home page, click Identity Servers > [cluster name] > Authentication > Methods > Plus icon.
Specify the following details:
|
Field |
Description |
|---|---|
|
Name |
The name of the method. For example, IDP Administrator Method or Logging Session Method. |
|
Class |
Select the authentication class that will use this method. See Creating Authentication Classes. |
|
Advanced Authentication Chains |
(Conditional) Select a chain. If you do not specify any chain, the user is prompted to select the chain when the user authenticates. |
|
Identifies Users |
Turn on the toggle if you want this authentication method must be used to identify the user. |
|
Overwrite a Temporary User |
Turn on the toggle if you want to overwrite the temporary user credentials profile obtained from the previous method in the same session with the real user credentials profile obtained from this authentication method. |
|
Overwrite a Real User |
Turn on the toggle if you want to overwrite the real user credentials profile obtained from the previous method in the same session with the real user credentials profile obtained from this authentication method. |
Select user stores that contain your operators, then move them to the list of User Stores.
If you select several user stores, the system searches through them based on the order specified here.
If you do not select any user store, then Default User Store is used. See Specifying Authentication Defaults.
(Optional) To specify properties, click Advanced Settings > Plus icon, and specify the following details:
|
Field |
Description |
|---|---|
|
Name |
The name of the property. For example, Administrator1. For more information about each property, see Section 6.2.2, Specifying Common Class Properties. |
|
Value |
The value of the property. The Property Value must be the DN of an operator in the user stores you selected in Step 3. Use LDAP typed comma notation for the DN. |
Repeat Step 4 for each IDP Administrator you require. You can later modify the method to add or remove IDP Administrators when responsibilities change. change
Click Done > Save.
To create a contract:
On the Home page, click Identity Servers > [cluster name] > Authentication > Contracts > Plus icon.
Specify the following details:
|
Field |
Description |
|---|---|
|
Name |
The name of the method. For example, IDP Administrator Contract or Logging Session Contract. |
|
URL |
Specify a unique value. For example, /mycompany/name/password/form |
|
Login Redirect URL |
Specify the URL to which users will be redirected. |
|
Allow User Interaction |
Select this option to allow the user to decide whether to continue to access a pre-configured URL or to continue to the page that the user usually accesses. |
|
Satisfiable by an External Provider |
Allows the system to satisfy this authentication contract if a user has logged in using another contract of an equal or higher authentication level, as specified in Authentication Level of an authentication contract. |
|
Authentication Card |
Select an image from the list, such as the IDP Administrator image that was created for this type of contract. |
|
Show Card |
Turn on Show Card to show the card to users, which allows them to select and use the card for authentication. |
|
Passive Authentication Only |
Turn on Passive Authentication Only if you do not want to prompt users for credentials. If Identity Server can fulfill the authentication request without any user interaction, the authentication succeeds. |
Click Advanced Settings and specify the following details:
|
Field |
Description |
|---|---|
|
Authentication Level |
Specify a number to indicate its security level or rank. This setting preserves authentication contracts of a higher security level. |
|
Authentication Timeout |
Specify how long the session can be inactive before the user is prompted to log in again. The value can be from 5 minutes to 65535 minutes and must be divisible by 5. |
|
Password Expiration Servlet |
Specify a URL to a page where a user can change the password when it expires or is within the grace login period. You must use eDirectory to change the number of grace logins. Grace logins work only with eDirectory. For more information, see Using a Password Expiration Service. |
|
Allow User Interaction |
If you specify a password expiration servlet, you can enable this option. This allows users to decide whether to go to the servlet and change their passwords or to skip the servlet. If you always want to force the users to go the servlet to change their passwords, do not select this option. |
|
Activity Realm |
Specify the name of the realm that can be used to indicate activity. Use a comma-separated list to specify multiple realms. See Using Activity Realms. |
|
Satisfiable by a contract of equal or higher level |
Allows the system to satisfy this authentication contract if a user has logged in using another contract of an equal or higher authentication level, as specified in Authentication Level of an authentication contract. |
|
Requested By |
Select one of the following options:
|
|
Allowable Class |
Specify the class that instructs a service provider to send a request for a specific authentication type to the identity provider. You can modify this option only when you select authentication types. |
Click Done > Save
Continue with Enabling Basic Logging.