4.5 Configuring Password Retrieval

If you have configured contracts that do not use a username and password for the credentials and you want to configure single sign-on to protected resources that require a user’s name and password, you need to configure the PasswordFetchClass to retrieve the user’s name and password. You need to create the class, then create a method from the class. The method needs to be assigned as the second method for the authentication contract that does not prompt the user for a username and password. When the Identity Server executes the contract, the PasswordFetchClass retrieves the username and password and stores them with the LDAP credentials, which makes them available for Identity Injection policies.

IMPORTANT: The PasswordFetchClass only works with eDirectory user stores.

  1. In the Administration Console, click Devices > Identity Servers > Edit > Local > Classes.

  2. Click New, then fill in the following fields:

    Display name: Specify a name for the class.

    Java class: Select PasswordFetchClass.

    The Java class path is configured automatically.

  3. Click Next, then configure the following general properties:

    Ignore password retrieval failure: Select this option if you want users to continue with their sessions when the Identity Server cannot retrieve their passwords. If this option is not selected, users are denied access when their passwords cannot be retrieved. Note that a session that continues after a failed retrieval has no password stored with the LDAP credentials, so an Identity Injection policy that injects the password has nothing to inject for that user.

    Password to be retrieved: If your users have been configured to use a universal password, select Universal Password. Otherwise, select Simple Password.

    NOTE: The Universal Password Retrieval options must be set correctly in the Universal Password policy so that the policy allows the password to be retrieved from the user store.

    For more information on the "Unable to retrieve Universal Password from eDirectory using PasswordFetchClass" issue, see TID 7007114.

  4. Click Finish.

  5. Create a method for this class.

    For instructions, see Section 3.3, Configuring Authentication Methods.

  6. Assign the password fetch method as the second method for a contract that is using one of the following for its authentication method:

  7. Update the Identity Server.

4.5.1 Retrieving Password from Different User Stores

As of 3.1 SP2 IR3, the PasswordFetchClass can retrieve passwords from a user store other than the one the user authenticated against. You configure this by adding properties to the authentication method that uses the class.

NOTE: Make sure that the eDirectory policies and rights required to retrieve passwords are configured.

4.5.2 Password Retrieval for Different User Store Lookup Settings

Novell Access Manager supports password retrieval for users who are mapped between the two user stores in one of the following ways:

  1. CN to CN

  2. distinguishedName (DN) to LDAP Attribute

NOTE: Do not change the property names or values; use them exactly as given in the examples below.

CN to CN Mapping

Users are mapped between the two user stores by CN.

For example, the CN of an Active Directory user is matched with the CN of an eDirectory user, and the password is retrieved from the eDirectory user store.

To retrieve passwords in this case, add the following properties to the authentication method that uses the PasswordFetchClass:

Property name:  com.novell.nidp.authentication.local.pwdfetch.userStoreToUse
Property value: local

Property name:  com.novell.nidp.authentication.local.pwdfetch.userLookupType
Property value: usingCN

If com.novell.nidp.authentication.local.pwdfetch.userStoreToUse is set to local, the PasswordFetchClass fetches the password from the user store configured for this method (eDirectory) rather than from the principal user store. The principal user store is the store the user was already authenticated against by the previous method in the contract (Active Directory).

If com.novell.nidp.authentication.local.pwdfetch.userLookupType is set to usingCN, the PasswordFetchClass locates the eDirectory user whose CN matches the CN of the authenticated Active Directory user and fetches that user's password.

distinguishedName to LDAP Attribute

The DN of an Active Directory user is mapped to the value of an LDAP attribute on the corresponding eDirectory user.

For example, the Active Directory DN is stored in the eDirectory LDAP attribute samAccountName, and the password is retrieved from the eDirectory user store.

To retrieve passwords in this case, add the following properties to the authentication method that uses the PasswordFetchClass:

Property name:  com.novell.nidp.authentication.local.pwdfetch.userStoreToUse
Property value: local

Property name:  com.novell.nidp.authentication.local.pwdfetch.userLookupType
Property value: usingAttr

Property name:  com.novell.nidp.authentication.local.pwdfetch.attributeName
Property value: ldapattributename

Property name:  com.novell.nidp.authentication.local.pwdfetch.attributeAutoProvision
Property value: false

If com.novell.nidp.authentication.local.pwdfetch.userStoreToUse is set to local, the PasswordFetchClass fetches the password from the user store configured for this method (eDirectory) rather than from the principal user store. The principal user store is the store the user was already authenticated against by the previous method in the contract (Active Directory).

If com.novell.nidp.authentication.local.pwdfetch.userLookupType is set to usingAttr, the PasswordFetchClass locates the eDirectory user by matching the DN of the authenticated Active Directory user against an LDAP attribute of the eDirectory users.

com.novell.nidp.authentication.local.pwdfetch.attributeName names that LDAP attribute (samAccountName in this example). The PasswordFetchClass searches the eDirectory user store for the user whose samAccountName value equals the DN of the authenticated Active Directory user and fetches that user's password.

If com.novell.nidp.authentication.local.pwdfetch.attributeAutoProvision is set to false, retrieval succeeds only when an eDirectory user already has the Active Directory DN stored in the attribute (samAccountName). If no such user exists, the password cannot be retrieved and the behavior is governed by the Ignore password retrieval failure option.

If com.novell.nidp.authentication.local.pwdfetch.attributeAutoProvision is set to true, the PasswordFetchClass first performs the same lookup. If no eDirectory user has the Active Directory DN stored in the attribute, the user is prompted to log in to eDirectory.

If that login succeeds, the Active Directory DN is written into the LDAP attribute (samAccountName) of the eDirectory user who logged in, and the password is retrieved. On subsequent logins the stored value is used, so the user is not prompted again.
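The following is an added example, not code from Novell Access Manager, that models both mapping modes described in this section (CN to CN, and DN to LDAP attribute) together with the attributeAutoProvision and Ignore password retrieval failure behavior. The Active Directory DNs and the eDirectory entries are constructed sample data; the real class issues LDAP searches, whereas this model searches in-memory lists and treats CN and DN comparison as case-insensitive, which is an assumption of the model.

```python
"""Model of PasswordFetchClass lookups across two user stores.

Added example, not code from Novell Access Manager: the lists below are
constructed stand-ins for an Active Directory principal store and an
eDirectory store that holds universal passwords. The real class issues
LDAP searches; this models only the mapping and failure logic.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class EdirUser:
    dn: str
    cn: str
    # None models a Universal Password policy that forbids retrieval.
    universal_password: Optional[str]
    attrs: Dict[str, str] = field(default_factory=dict)


class PasswordFetchError(Exception):
    """Raised when no unique eDirectory user or no password can be found."""


def cn_from_dn(dn: str) -> str:
    """Return the value of the leading cn= RDN of an LDAP DN."""
    key, _, value = dn.split(",", 1)[0].partition("=")
    if key.strip().lower() != "cn":
        raise PasswordFetchError(f"leading RDN of {dn!r} is not cn")
    return value.strip()


def fetch_password(
    principal_dn: str,
    edir: List[EdirUser],
    user_lookup_type: str,
    attribute_name: Optional[str] = None,
    attribute_auto_provision: bool = False,
    edir_login: Optional[Callable[[], Optional[EdirUser]]] = None,
) -> str:
    """Locate the eDirectory user mapped to principal_dn and return the password.

    user_lookup_type mirrors pwdfetch.userLookupType: "usingCN" matches the
    principal's CN against eDirectory CNs, "usingAttr" matches the whole
    principal DN against attribute_name. Matching is case-insensitive here,
    which is an assumption of this model, not documented behavior.
    """
    if user_lookup_type == "usingCN":
        cn = cn_from_dn(principal_dn).lower()
        matches = [u for u in edir if u.cn.lower() == cn]
    elif user_lookup_type == "usingAttr":
        if not attribute_name:
            raise PasswordFetchError("usingAttr requires attributeName")
        matches = [u for u in edir
                   if u.attrs.get(attribute_name, "").lower() == principal_dn.lower()]
        if not matches and attribute_auto_provision:
            # No mapping yet: prompt for an eDirectory login (edir_login stands in
            # for the prompt) and, on success, record the principal DN in the
            # attribute so the next login resolves without a prompt.
            user = edir_login() if edir_login else None
            if user is None:
                raise PasswordFetchError("eDirectory login failed or was not offered")
            user.attrs[attribute_name] = principal_dn
            matches = [user]
    else:
        raise PasswordFetchError(f"unknown userLookupType {user_lookup_type!r}")

    if len(matches) != 1:
        raise PasswordFetchError(f"{len(matches)} eDirectory users match {principal_dn}")
    password = matches[0].universal_password
    if password is None:
        raise PasswordFetchError("Universal Password policy does not allow retrieval")
    return password


def fetch_or_ignore(ignore_failure: bool, **kwargs) -> Optional[str]:
    """Model the 'Ignore password retrieval failure' option: None means the
    session continues but no password is available for Identity Injection."""
    try:
        return fetch_password(**kwargs)
    except PasswordFetchError:
        if ignore_failure:
            return None
        raise


# Constructed Active Directory principal DNs.
AD_JSMITH = "CN=jsmith,OU=Users,DC=example,DC=com"
AD_ANNA = "CN=anna,OU=Users,DC=example,DC=com"
AD_BOB = "CN=bob,OU=Users,DC=example,DC=com"


def sample_edir() -> List[EdirUser]:
    """Constructed eDirectory store, returned fresh so auto-provisioning can mutate it."""
    return [
        EdirUser("cn=jsmith,ou=users,o=corp", "jsmith", "Wint3r!2024",
                 {"samAccountName": AD_JSMITH}),
        EdirUser("cn=anna,ou=users,o=corp", "anna", "Spr1ng!2024"),  # not yet mapped
        EdirUser("cn=bob,ou=users,o=corp", "bob", None),             # retrieval blocked
    ]


if __name__ == "__main__":
    store = sample_edir()
    print(fetch_password(AD_JSMITH, store, "usingCN"))
    print(fetch_password(AD_JSMITH, store, "usingAttr", attribute_name="samAccountName"))
    print(fetch_or_ignore(True, principal_dn=AD_BOB, edir=store, user_lookup_type="usingCN"))
```

The model makes the two failure modes visible: with attributeAutoProvision false, an unmapped user (anna) raises an error, and with it true the supplied login callback populates the attribute so the second lookup succeeds silently; bob shows a store whose policy blocks retrieval, which Ignore password retrieval failure turns into a session with no password rather than a denial.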