AuthnMethodComposite

Description of the configuration object

A numeric weight to be assigned to this authentication method. You can create authorization conditions based on these assurance level weights.

The holder for common URL configurations of an authentication method.

Whether or not the authentication service correlates user accounts in the 'User Repository' upon successful validation of provided credentials. SAML assertion based authentication at SPs should consider unchecking depending on the underlying scenario.

Whether or not the authentication service considers validity metadata for example, account lifetime or locking state.

Whether or not the authentication service invokes the server-global subject attribute finder plug-in for this authentication method. This plug-in allows you to look up supplementary information about an authenticated user that is not part of the user account against which authentication was performed and is used when information about a single user is distributed across various repositories.

A value to be imprinted as SAML authentication context class reference when issuing SAML assertions for subjects that have been authenticated with this method. If the value is undefined, a default mapping to SAML-defined values is used.

Whether or not to generate the authentication-method-specific domain name in the format: authentication_id@authentication_method_id.

The domain identifier used for the names retrieved by this authentication method during the domain name resolution.

The domain name format used for the names retrieved by this authentication method during domain name resolution. The format may contain placeholders: #1 (replaced by the authentication identifier), and #2 (replaced by the domain identifier).

Whether or not the authentication identifier is hashed before it is included into the domain name.

To what extent is the user correlation with an existing user record in user repository for this authentication method forced. This element has priority over the Do correlate user accounts element.

Reference to authentication method of the same type to share the credentials and credential-specific configuration with. If null, this method works with its own configuration and set of credentials for each user. For every authentication method the domain name configuration is being resolved which is then used during unique name resolution. Specifics for some methods are:

Indicates whether Just-in-Time (JIT) provisioning of user records to the application repository is enabled. If enabled, a user record is automatically created in the application repository after successful authentication if it does not already exist. If disabled, authentication will not trigger the creation of a new user record if one does not exist.

Whether or not to generate the initial list of authentication methods for the first step on the DirX Access Services server. If unchecked, the client must have knowledge of this value or generate it itself from configuration.

The user account LDAP attribute that will be compared to resolved authentication identifier to correlate the subject to the user account. By default and if null, the correlation is done via the value of the login name attribute specified in Subject Template.

The maximum elapsed time in seconds since the last authentication method interaction after which the system closes the composite authentication session.

The authentication identifier resolution strategy used by the composite authentication method. Possible values are:

The most important configuration element for 'Composite' authentication method types is the 'Composite authentication steps options' collection. The collection usually consists of several authentication steps that must all succeed for the entire authentication method to succeed.