The OpenIAM Identity Manager allows you to define an authentication policy that controls the behavior of authentication-related tasks. This includes factors such as:

  • The number of failed attempts before you lock an account
  • The format of the security token
  • The life of the token
  • The type of repository that you want to authenticate against

Define Authentication Policy

An authentication policy can be configured through the ADMIN CONSOLE. The following section describes how to configure a typical authentication policy.

  • Log into the admin console
  • Select Authentication Policy from the Policy Section
  • To update an existing policy, select from one of the policies shown in the results. To create a new policy, select the 'New Policy' link.

The screen below allows you to configure the authentication parameters. The authentication policy contains the following attributes (Attribute Name, Description, Example):

AUTO_UNLOCK_TIME
  Description: If defined, an account that has been locked after several failed authentication attempts will automatically be unlocked after the specified time. Time is expressed in minutes. If it is not defined, a locked account stays locked until an administrator unlocks it; note that a lockout policy with no automatic unlock allows anyone who knows a login ID to lock that user out by repeatedly failing authentication.
  Example: 30

TOKEN_TYPE
  Description: Defines the format of the security token. If SAML2_TOKEN is defined, the token format will be SAML 2.
  Example: SAML2_TOKEN

LOGIN_MODULE_SEL_POLCY
  Description: Allows you to define rules on which login module should be used. The value is a Groovy script evaluated at authentication time.
  Example: authn/loginModSel.groovy

FAILED_AUTH_COUNT
  Description: Number of failed authentication attempts after which the account will be locked.
  Example: 3

DEFAULT_LOGIN_MOD
  Description: Login module that should be used when no other rules apply. The DefaultLoginModule uses the OpenIAM repository, the LDAPLoginModule uses LDAP, and the ActiveDirectoryLoginModule uses Active Directory.
  Example: org.openiam.idm.srvc.auth.spi.DefaultLoginModule

TOKEN_LIFE
  Description: Number of minutes after which the token expires.
  Example: 15

TOKEN_ISSUER
  Description: Name of the issuer placed in the token.
  Example: openiam

LOGIN_MOD_TYPE
  Description: Indicates the type of login module to use. OpenIAM supports two types of login modules:
    • Classes that extend AbstractLoginModule
    • Provisioning connectors that implement the Authenticate() operation
  Valid options are:
    • 1 - LOGIN_MODULE
    • 2 - CONNECTOR SUPPORTING AUTHENTICATE OPERATION

AUTH_REPOSITORY
  Description: If you are using a login module other than the DefaultLoginModule, then an authentication repository must be defined. See the Configure LDAP Based Authentication page for an example of how to set up the authentication repository.

SUCCESS_URL
  Description: URL to be shown upon successful authentication.

FAIL_URL
  Description: URL to be shown when an authentication attempt fails.

Authentication Policies and Security Domains

Once a policy has been defined, it needs to be linked to a security domain. This is done through the admin console using the steps described below:

  • Log into the admin console
  • Select 'Security Domain' from the Administration menu
  • From the Authentication Policy drop down, select the appropriate authentication policy.
