8.3 Configuring Authentication Methods

Authentication methods let you associate authentication classes with user stores. You use a particular authentication class to obtain credentials about an entity, and then validate those credentials against a list of user stores.

Once the system finds the entity in one user store, it stops searching; if the credentials fail to validate against that store, no other user store is tried. Typically, the entity being authenticated is a user, and the definition of an authentication method specifies whether this is the case. You can alter the behavior of an authentication class by specifying properties (name/value pairs) that override those of the authentication class.

To configure a method for an authentication class:

  1. In the Administration Console, click Access Manager > Identity Servers > Servers > Edit > Local > Methods.

    Authentication methods
  2. Click one of the predefined authentication methods, or click New to create one.

    Configuring an authentication method
  3. Fill in the following fields:

    Display Name: The name to be used to refer to the new method.

    Class: The authentication class to use for this method. See Section 8.2, Creating Authentication Classes.

    Identifies User: Resolves to a user in the directory when credentials are provided. If this is not enabled, only the authentication is validated, such as the authentication of a computer. If multiple methods identify the user during the user session, all methods that identify the user must identify the same user in order for authentication to succeed.

  4. Add user stores to search.

    You can select from the list of all the user stores you have set up. If you have several user stores, the system searches through them based on the order specified here. If a user store is not moved to the User stores list, users in that user store cannot use this method for authentication.

    <Default User Store>: The default user store in your system. See Section 8.5, Specifying Authentication Defaults.

  5. (Optional) Under Properties, click New, then fill in the following fields:

    Property Name: The name of the property to be set. This value is case sensitive and specific to an authentication class. The same properties that can be set on an authentication class can be set on the method. For a list, see Step 4 in Section 8.2.1, Creating Basic or Form-Based Authentication Classes.

    You can use the method properties to override the property settings specified on the authentication class. For example, you might want to use the authentication class for multiple companies, but use a slightly different login page that is customized with the company’s logo. You can use the same authentication class, create a different method for each company, and use the filename property to specify the appropriate login page for each company.

    The Radius classes have the following additional properties that can be set on the method:

    • RADIUS_LOOKUP_ATTR: Defines an LDAP attribute whose value is read and used as the ID that is passed to the RADIUS server. If not specified, the user name entered is used.

    • NAS_IP_ADDRESS: Specifies an IP address used as a RADIUS attribute. You might use this property for situations in which service providers are using a cluster of small network access servers (NASs). The value you enter is sent to the RADIUS server.

    Property Value: The value associated with the Property Name field.

  6. Click Finish.

  7. Continue with Section 8.4, Configuring Authentication Contracts.

    To use a method for authenticating a user, each method must have an associated contract. Contracts are assigned to resources, and it is access to a resource that triggers the authentication process. If the user has already supplied the required credentials for the contract, the user is not prompted for them again.
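The following is an added illustrative model, not Access Manager's own code, of the behavior this section describes: a method searches its user stores in the configured order, checks credentials only against the first store that contains the user name (so a failed validation there is final), and its properties override those of the authentication class. The store names, user names, passwords and the "filename" property value are constructed sample data; the data structures and the identifier format "user@store" are assumptions made for the model.

```python
# Added illustrative model (not Access Manager's own code) of authentication
# method resolution against an ordered list of user stores, and of method
# properties overriding authentication-class properties.
# All store contents, names and credentials below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class UserStore:
    name: str
    # constructed sample data: user name -> password (a real store is an LDAP directory)
    users: dict


@dataclass
class AuthenticationClass:
    name: str
    properties: dict = field(default_factory=dict)


@dataclass
class AuthenticationMethod:
    display_name: str
    auth_class: AuthenticationClass
    user_stores: list            # ordered; stores not listed cannot be used by this method
    identifies_user: bool = True
    properties: dict = field(default_factory=dict)

    def effective_properties(self):
        """Method properties override class properties of the same (case-sensitive) name."""
        merged = dict(self.auth_class.properties)
        merged.update(self.properties)
        return merged

    def authenticate(self, username, password):
        """Return (success, store_name, user_id).

        Stores are searched in the configured order. The first store that
        contains the user name is the only one whose credentials are checked:
        if validation fails there, no later store is tried, even if a later
        store holds the same user name with a matching password.
        """
        for store in self.user_stores:
            if username in store.users:
                ok = store.users[username] == password
                # Only a method with "Identifies User" enabled resolves to a directory user.
                user_id = f"{username}@{store.name}" if (ok and self.identifies_user) else None
                return ok, store.name, user_id
        return False, None, None


def session_user(identified_ids):
    """Model of 'Identifies User' across several methods in one session: every
    method that identifies a user must identify the same user, or the session fails.
    Entries of None come from methods that do not identify a user."""
    ids = {uid for uid in identified_ids if uid is not None}
    if len(ids) > 1:
        return None           # conflicting identities: authentication fails
    return ids.pop() if ids else None


def build_demo():
    """Construct a sample method reusing one class with a per-company login page."""
    employees = UserStore("employees", {"alice": "Summer2024!", "bob": "hunter2"})
    partners = UserStore("partners", {"bob": "correct-horse", "carol": "s3cret"})
    form_class = AuthenticationClass("NameAndPassword-Form", {"filename": "login.jsp"})
    # Method for one company: same class, its own login page via the "filename" override.
    return AuthenticationMethod("Acme login", form_class,
                                user_stores=[employees, partners],
                                properties={"filename": "acme_login.jsp"})


if __name__ == "__main__":
    method = build_demo()
    print(method.effective_properties())
    # bob exists in "employees" first; his "partners" password is never consulted.
    print(method.authenticate("bob", "correct-horse"))
    print(method.authenticate("alice", "Summer2024!"))
```

The "bob" case is the one worth noting when you order user stores: because "employees" is searched first and contains that user name, the method reports failure without ever consulting "partners", so store order decides which account a shared user name resolves to.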