Authentication and Session Module Configuration
This appendix includes configuration details for the authentication modules described in "Authentication and Session Modules".
Authentication modules, as configured in the authentication.json
file, include a number of properties.
Session Module
Authentication Property | Property as Listed in the Admin UI | Description |
---|---|---|
keyAlias | (not shown) | Used by the Jetty Web server to service SSL requests. |
maxTokenLifeMinutes | Max Token Life (in seconds) | Maximum time before a session is cancelled. Note the different units for the property and the UI. |
tokenIdleTimeMinutes | Token Idle Time (in seconds) | Maximum time before an idle session is cancelled. Note the different units for the property and the UI. |
sessionOnly | Session Only | Whether the session continues after browser restarts. |
Static User Module
Authentication Property | Property as Listed in the Admin UI | Description |
---|---|---|
enabled | Module Enabled | Does IDM use the module? |
queryOnResource | Query on Resource | Endpoint hard coded to user anonymous |
username | Static User Name | Default for the static user, anonymous |
password | Static User Password | Default for the static user, anonymous |
defaultUserRoles | Static User Role | Normally set to openidm-reg for self-registration |
The following table applies to several authentication modules:
Managed User
Internal User
Client Cert
Passthrough
IWA
The IWA module includes several Kerberos-related properties listed at the end of the table.
Common Module Properties
Authentication Property | Property as Listed in the Admin UI | Description |
---|---|---|
enabled | Module Enabled | Does IDM use the module? |
queryOnResource | Query on Resource | Endpoint to query |
queryId | Use Query ID | A defined queryId searches against the queryOnResource endpoint. An undefined queryId against queryOnResource with action=reauthenticate |
defaultUserRoles | Default User Roles | Normally blank for managed users |
authenticationId | Authentication ID | Defines how account credentials are derived from a queryOnResource endpoint |
userCredential | User Credential | Defines how account credentials are derived from a queryOnResource endpoint; if required, typically password or userPassword |
userRoles | User Roles | Defines how account roles are derived from a queryOnResource endpoint |
groupMembership | Group Membership | Provides more information for calculated roles |
groupRoleMapping | Group Role Mapping | Provides more information for calculated roles |
groupComparisonMethod | Group Comparison Method | Provides more information for calculated roles |
managedUserLink | Managed User Link | For pass-through authentication, this property specifies the mapping from the system resource to the IDM managed user. For example, if the user authenticates using their account in an LDAP directory, the managedUserLink might be systemLdapAccounts_managedUser |
augmentSecurityContext | Augment Security Context | Includes a script that is executed only after a successful authentication request. For more information on this property, see "Authenticating as a Different User". |
servicePrincipal | Kerberos Service Principal | (IWA only) For more information, see "IWA" |
keytabFileName | Keytab File Name | (IWA only) For more information, see "IWA" |
kerberosRealm | Kerberos Realm | (IWA only) For more information, see "IWA" |
kerberosServerName | Kerberos Server Name | (IWA only) For more information, see "IWA" |