AuthnMethodPasswordChange
Password change method configuration.
Assurance level
A numeric weight to be assigned to this authentication method. You can create authorization conditions based on these assurance level weights.
Communication URLs holder
The holder for common URL configurations of an authentication method.
Prefix for URL definitions
The prefix for URL definitions. The base URL, specified as an absolute or relative path, to which users will be directed when events occur during the authentication workflow when using this authentication method. DirX Access redirects the authenticating user to the pages specified in the following fields.
Pre-login
The URL of the page to load before the login page, relative to 'Prefix for URL definitions'.
Login
The URL of the login page where users provide credentials for form-based authentication methods, relative to 'Prefix for URL definitions'.
Login success
The URL of the page to load when authentication succeeds, relative to 'Prefix for URL definitions'.
Login failed
The URL of the page to load when authentication fails, relative to 'Prefix for URL definitions'.
Error
The URL of the page to load when an error is encountered, relative to 'Prefix for URL definitions'.
Account expired
The URL of the page to load when the user’s account has expired, relative to the 'Prefix for URL definitions'.
Do correlate user accounts
Whether or not the authentication service correlates user accounts in the 'User Repository' upon successful validation of provided credentials. SAML assertion based authentication at SPs should consider unchecking depending on the underlying scenario.
-
For traditional initial authentication, the correlation is made based on the login name and the LDAP attribute 'Login name attribute' that can be configured in the
SubjectTemplateconfiguration. -
For X.509 certificate-based authentication, the correlation details can be configured on the basis of dedicated configuration fields in
AuthnMethodX509configuration. -
For Kerberos or NTLM-based Windows authentication, the correlation is made based on the RFC 822 login name and the 'Mail attribute' that can be configured in the
SubjectTemplateconfiguration. -
For federated authentication based on SAML assertions, the correlation details can be configured in specific SAML assertion interpretation templates.
Do honor validity metadata
Whether or not the authentication service considers validity metadata for example, account lifetime or locking state.
Do use attribute finder
Whether or not the authentication service invokes the server-global subject attribute finder plug-in for this authentication method. This plug-in allows you to look up supplementary information about an authenticated user that is not part of the user account against which authentication was performed and is used when information about a single user is distributed across various repositories.
SAML authentication context class reference
A value to be imprinted as SAML authentication context class reference when issuing SAML assertions for subjects that have been authenticated with this method. If the value is undefined, a default mapping to SAML-defined values is used.
Do autogenerate domain identifier and format
Whether or not to generate the authentication-method-specific domain
name in the format:
authentication_id@authentication_method_id.
Domain identifier
The domain identifier used for the names retrieved by this authentication method during the domain name resolution.
Domain name format
The domain name format used for the names retrieved by this authentication method during domain name resolution. The format may contain placeholders: #1 (replaced by the authentication identifier), and #2 (replaced by the domain identifier).
Do hash authentication id
Whether or not the authentication identifier is hashed before it is included into the domain name.
User Correlation Policy
To what extent is the user correlation with an existing user record in
user repository for this authentication method forced. This element has
priority over the Do correlate user accounts element.
-
MANDATORY: The authentication method will fail if the user correlation cannot be made.
-
OPTIONAL: The server will try to correlate the user with a user record, but if the correlation fails the method will still pass if possible.
-
NONE: No user correlation will be done.
-
Allowed Values:
-
MANDATORY -
OPTIONAL -
NONE
-
Shared credentials authentication method identifier
Reference to authentication method of the same type to share the credentials and credential-specific configuration with. If null, this method works with its own configuration and set of credentials for each user. For every authentication method the domain name configuration is being resolved which is then used during unique name resolution. Specifics for some methods are:
-
AuthnMethodPassword - number of login failures, password from the user record with its respective configuration and max number of consecutive login failures from the authentication method configuration.
-
AuthnMethodOtpRfc4226 - number of login failures, shared secret and counter from the user record and number of digits, throttling value, shared secret encoding and look ahead from the authentication method configuration.
-
AuthnMethodOtpRfc6238 - number of login failures, shared secret and time drift from the user record and number of digits, throttling value, shared secret encoding, time step seconds and time drift limit from the authentication method configuration.
Just-in-time provisioning of user record to AppRepo
Indicates whether Just-in-Time (JIT) provisioning of user records to the application repository is enabled. If enabled, a user record is automatically created in the application repository after successful authentication if it does not already exist. If disabled, authentication will not trigger the creation of a new user record if one does not exist.
Password propagation type
The type of new password callout propagation. Currently, supported options are:
-
FRONTCHANNEL_CALLOUTThe extra request for password propagation is supposed to be sent via front channel. The callout implementation is needed to construct a POST request for the front channel redirection. -
BACKCHANNEL_CALLOUTThe extra request for password propagation is supposed to be sent via back channel. The callout implementation is needed to construct and send the back channel request. -
NONENo extra request for password propagation is sent. The callout handler identifier assignment is not required. -
Allowed Values:
-
FRONTCHANNEL_CALLOUT -
BACKCHANNEL_CALLOUT -
NONE
-
Conditional user repository attribute name
The option identifies the attribute name of an already authenticated and correlated user with the user repository where the decision that a password change is required can be found. The actual password change is responsibility of the callout handler implementation. If filled it, it is supposed that the referenced authentication method password has 'User_Repository' 'Password Source'.
Conditional user repository attribute value true
The value of the previous user repository attribute to be set when the password change is required. If the value is not filled in, it is supposed that the value of the user repository attribute is 'true' or 'false'.
Authentication method password identifier (required)
The option identifies the authentication method password configuration object for which the password is supposed to be changed by this method. Application repository user record may contain also a decision that the password needs to be changed. In Application repository user record, the decision, the number of login failures and even the password (if the 'Password Source' is 'Application_Repository') are changed regardless of the password propagation type configuration and the actual callout handler assignment.
Enforced
If the value is true, the password change is enforced for anyone regardless of any attribute. The method then behaves like a password reset method.