Authentication contracts define how authentication occurs. An Identity Server can have several authentication contracts, such as name/password, X.509, and Kerberos. You assign an available contract to a specific resource. An attempt to access a resource triggers the authentication process. If a user has already supplied the required credentials for the contract, the user is not prompted for them again.
Each contract is assigned a unique URI. You can share this URI with other providers so that they can identify the type of credentials the identity provider requires. You can also restrict a contract to be used only for local authentication.
On the Home page, click Identity Servers > [cluster name] > Authentication > Contracts > Plus icon.
Specify the following details:
Field |
Description |
---|---|
Name |
Specify the name of the authentication contract. |
URI |
Specify a unique value. It is used to identify this contract for external providers and is a unique path value that you create. No space is allowed. The following are examples: /mycompany/name/password/form http://mycompany.com/login secure/form/password/bcompany |
Satisfy with Contract of Equal or Higher Level |
Allows the system to satisfy this authentication contract if a user has logged in using another contract of an equal or higher authentication level, as specified in Authentication Level of an authentication contract. When you enable this option, consider the authentication levels you have set for other contracts and the level that has been assigned to the default contract. When the protected resource is configured with Name/Password -Form as authentication procedure, the user authentication details are prompted with transient federation. You must enable this option to avoid prompting for authentication in the target service provider. |
Authentication Level |
Specify a number to indicate its security level or rank. This setting preserves authentication contracts of a higher security level. When you enable Satisfy with Contract of Equal or Higher Level, this value is used as a reference. For example, create a name/password authentication contract and assign it to level one. Also create an X.509 authentication contract and assign it to level two. If a user supplies the credentials for the X.509 level-two contract, the system does not require the credentials to satisfy the name/password level-one authentication contract. Note: If two contracts have the same methods but different authentication levels, then methods take precedence. |
Authentication Timeout |
Specify how long the session can be inactive before the user is prompted to log in again. The value can be from 5 minutes to 65535 minutes and must be divisible by 5. If you modify the timeout value for a contract, the new value is given to users as they log in. Currently logged in users retain the old value until they re-authenticate. Discover what values are best for your network configuration, your security requirements, and your users.
For example, if you set the timeout to 5 minutes, an authentication check needs to be done 12 times each hour for each user authenticating with this contract. If the timeout is set to 60 minutes, an authentication check is done only one time each hour for each user. However, for the 5 minute timeout, resources can be freed within 5 minutes of inactivity by the user. For the 60 minute timeout, resources can take as long as 60 minutes to be freed, depending upon when the user goes inactive. NOTE:When Name/Password - Basic and Secure Name/Password - Basic contracts are assigned to a protected resource, the session is timed out. The session gets renewed after timeout without user’s intervention using the Basic header sent from the browser to Identity Server. For information about using it with Access Gateway, see Assigning a Timeout Per Protected Resource. |
Authentication Methods |
Click the Authentication Methods icon to select the authentication method to use for the contract. You can specify the order in which the methods are executed. However, all the methods you specify are required. You can enable multi-factor authentication by associating more than one methods to a contract. If you add more than one X.509 method, only the first one is used and it is automatically moved to the top of the list. When you choose a secure method, such as Secure Name/Password, ensure that you have enabled security for Identity Server configuration by setting the protocol to HTTPS. See Enabling SSL Communication. |
Click Plus icon under Authentication Card and specify the following details to configure a card for the contract:
Field |
Description |
---|---|
Card Image |
Select an image to be displayed on the card. |
Card ID |
Specify an alphanumeric value that identifies the card. If you need to reference this card outside of Administration Console, specify a value here. If you do not assign a value, Identity Server creates one for its internal use. |
Text |
Specify the text that is displayed on the card to the user. |
Click Done.
Turn on Show Card to show the card to users, which allows them to select and use the card for authentication. When this option is turned off, the card is only used when a service provider makes a request for the card.
Turn on Passive Authentication Only if you do not want to prompt users for credentials. If Identity Server can fulfill the authentication request without any user interaction, the authentication succeeds. Otherwise, it fails.
Click Advanced Settings and specify the following details:
Field |
Description |
---|---|
Password Expiration Servlet |
Specify a URL to a page where a user can change the password when it expires or is within the grace login period. You must use eDirectory to change the number of grace logins. Grace logins work only with eDirectory. For more information, see Using a Password Expiration Service. |
Allow User Interaction |
If you specify a password expiration servlet, you can enable this option. This allows users to decide whether to go to the servlet and change their passwords or to skip the servlet. If you always want to force the users to go the servlet to change their passwords, do not select this option. |
Login Redirect URL |
Specify the URL to which users will be redirected. Use this setting in the following scenarios:
For more information, see Using Login Redirect URL Parameters. |
Allow User Interaction |
Enable this option to allow the user to decide whether to continue to access a pre-configured URL or to continue to the page that the user usually accesses. For example, a user frequently accesses www.a.com and have specified the redirect URL as https://someservice.com/path/password?user=<USERID>&store=<STOREID>&returl=<RETURN_URL>. This will allow the user to continue with that website that is www.a.com and redirect URL will take the user to the URL https://someservice.com/path/password?user=<USERID>&store=<STOREID>&returl=<RETURN_URL>&action=expire and then to www.a.com. |
Activity Realm |
Specify the name of the realm that can be used to indicate activity. Use a comma-separated list to specify multiple realms. This allows a user’s session to be kept alive when the user is accessing resources that are protected by different contracts. If both contracts belong to the same realm, activity on either resource keeps the session alive on the other resource. See Using Activity Realms. |
Satisfiable with an External Provider |
Allows a contract to be selected when configuring an identity provider for SAML 2.0. When enabled, you can select this contract while configuring an authentication request and configure the identity provider to use this contract for authentication. |
Requested By |
Select one of the following options:
|
Allowable Class |
Specify the class that instructs a service provider to send a request for a specific authentication type to the identity provider. You can modify this option only when you select authentication types. In SAML 2.0 federation with Access Manager as a service provider, if an external identity provider authenticates a user, it sends the <AuthnContext> information after authentication in the response. Access Manager uses this <AuthnContext> to find a matching contract at the service provider to identify the user. It identifies the contract by trying to match <saml:AuthnContextClassRef> with AllowableClass attribute or <saml:AuthnContextDeclRef> with URI attribute of existing contracts at the service provider. For example, if the external identity provider sends the following AuthnContext: <saml:AuthnContext> <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef> <saml:AuthnContextDeclRef>adroit:login:user:np</saml:AuthnContextDeclRef> </saml:AuthnContext> And Access Manager (as a service provider) has a contract A with uri = adroit:login:user:np or with Allowable class = urn:oasis:names:tc:SAML:2.0:ac:classes:Password, it matches the contract. NOTE:Allowable class is blank when an inbuilt authentication class is used in Identity Server. |
Click Done > Save.
Update Identity Server and any devices that use the Identity Server configuration.
To use this contract:
Assign it as the default contract for Identity Server, see Specifying Authentication Defaults.
Configure it for a protected resource, see Protecting Web Resources Through Access Gateway.