CloudPep

DirX Access Cloud Foundry PEP configuration allows you to configure the deployment settings that are specific to Cloud PEPs.

Description

Description of the configuration object

Do use SSL/TLS

Whether or not the communication between the client and a DirX Access Services server must be secured using SSL/TLS. The client always tries to establish the SSL/TLS-secured connection first. If the secured connection cannot be established, for example due to missing or wrong client crypto material, and this value is false, the client establishes a non-secured connection to the server instead. The configuration parameter 'Do use SSL/TLS' applies to the actual operation phase of a PEP: if SSL/TLS is required but is not available (for whatever reason), no data is exchanged. Note that this does not apply to the PEP bootstrap phase, in which configuration data is obtained from the server. In this phase, PEPs may silently fall back to plain-text communication if no SSL/TLS support is available.

Cache timeout

Clients automatically cache configuration information, which increases system performance. This property determines the length of time in seconds that must elapse before the client refreshes its cache. Note that this setting also determines how quickly the client learns that a cached object was changed on the server side.

Cluster group

The DirX Access Services cluster group with which the client communicates. By default, cluster group 0 is selected.

PEP type (required)

The type of the PEP.

  • Allowed Values:

    • ApacheHttpServer

    • ApacheTomcat

    • Jetty

    • IBMWebSphere

    • MicrosoftIIS

    • MicrosoftIISAgent

    • OracleFusion

    • OracleWebLogic

    • BEAWebLogic

    • RedHatJBOSS

    • SAPNetWeaver

    • ServletApplication

    • CloudFoundry

    • Plain

    • Other

Authority

A symbolic identifier for this PEP used in the normalization of SSO request URIs. Follows the format host:port. When processing SSO requests from the PEP, DirX Access replaces the host and port parts in the request URI with the Authority value. Evaluation of authentication and authorization policies is then performed using the normalized request URI.

Session lifetime

The maximum time in seconds since an initial or federated authentication may elapse before the system closes an SSO session created during the authentication.

Session idle timeout

The maximum idle time in seconds since the last processed SSO request that may elapse before the system closes an SSO session created during an initial or federated authentication.

Authentication timeouts extension validity period

Time (in seconds) for which a user's request for an authentication timeouts extension remains valid; after this timeout, the user has to re-request it. If 0, the user cannot ask for the timeouts extension. The "authentication timeouts extension" capability means that the authentication process run via this PEP enables the subject being authenticated to extend any authentication-related timeout that is configured server-side. The maximal extension is ten times the corresponding server-side configuration (specific to the corresponding authentication method). The goal of this parameter is to comply with the WCAG 2.2 Level AA timeouts requirement.

Resource filter

The PEP excludes from processing all SSO requests whose URI path part matches one of the exclusions configured below.

Extensions to exclude

The PEP excludes from processing all SSO requests whose URI path part is suffixed with one of these extensions.

Resource full paths

The PEP excludes from processing all SSO requests whose URI path part is equal to one of these full paths.

Resource paths starting with

The PEP excludes from processing all SSO requests whose URI path part is prefixed with one of these begin paths.

Resource paths ending with

The PEP excludes from processing all SSO requests whose URI path part is suffixed with one of these end paths.
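The Authority normalization and the four resource-filter rules above, as an added Python example that is not part of the DirX Access product or documentation. The settings (AUTHORITY, the exclusion lists) are constructed for illustration; the dot-segment canonicalization before matching is an addition of this example, not a documented PEP behaviour.

```python
import posixpath
from urllib.parse import unquote, urlsplit, urlunsplit

# Hypothetical PEP settings, constructed for this example (not a real DirX Access export).
AUTHORITY = "app.example.com:443"          # 'Authority', in the format host:port
EXTENSIONS = (".css", ".js", ".png")       # 'Extensions to exclude'
FULL_PATHS = {"/health", "/favicon.ico"}   # 'Resource full paths'
BEGIN_PATHS = ("/static/", "/public/")     # 'Resource paths starting with'
END_PATHS = ("/manifest",)                 # 'Resource paths ending with'


def normalize_uri(request_uri: str, authority: str = AUTHORITY) -> str:
    """Replace the host and port of the request URI with the PEP's Authority value.

    Policies are evaluated against this normalized URI, so every virtual host or
    port served by the same PEP collapses onto one symbolic identifier.
    """
    parts = urlsplit(request_uri)
    return urlunsplit((parts.scheme, authority, parts.path, parts.query, parts.fragment))


def canonical_path(request_uri: str) -> str:
    """Percent-decode the path and resolve '.', '..' and '//' segments before matching.

    This step is an addition of this example: without it, a request for
    '/static/../admin' would match the '/static/' prefix exclusion while the
    backend serves '/admin', i.e. a protected resource would bypass the PEP.
    """
    raw = unquote(urlsplit(request_uri).path) or "/"
    path = posixpath.normpath(raw)
    if raw.endswith("/") and not path.endswith("/"):
        path += "/"                      # normpath drops a trailing slash; keep it
    return path


def is_excluded(request_uri: str) -> bool:
    """Apply the four resource-filter rules to the path part only (query ignored)."""
    path = canonical_path(request_uri)
    return (path in FULL_PATHS
            or path.endswith(EXTENSIONS)
            or path.startswith(BEGIN_PATHS)
            or path.endswith(END_PATHS))


def pep_decision(request_uri: str) -> tuple:
    """Return (normalized URI, True if the PEP skips SSO processing for it)."""
    normalized = normalize_uri(request_uri)
    return normalized, is_excluded(normalized)
```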

Indeterminate/NotApplicable mapping

Controls the mapping of authorization decision results Indeterminate and NotApplicable.

  • Allowed Values:

    • Permit

    • Deny

Authorization failed URL

The URL for which the authorization failed operation is performed.

Domain name

The domain name within which to authenticate users.

Windows domain controller

The hostname for the Windows domain controller.

Kerberos SPN table identifier

The identifier of the Kerberos SPN table to be used by this PEP.

XACML request construction identifier

The identifier of the XACML request construction template to be used with the specified PDP.

PDP identifier

The identifier of the PDP that renders authorization decisions for this PEP.

Request injection template identifiers

The set of identifiers of the request injection templates to be used with this PEP.

Default authentication method identifier

The identifier of the default authentication method to be used when processing requests based on a distinct PEP configuration object, in case an authentication method identifier is not present in the request and cannot be determined otherwise, for example by means of an authentication policy.

Allowed authentication method identifiers

The set of identifiers of all authentication methods that are allowed to be used with this PEP. The default and RS authentication methods are allowed by default.

Multi-PEP assignments

The list of all multi-PEP assignments based on this PEP.

Context path

The context path is used to match the HTTP servlet request and select the appropriate PEP.

Port

The port is used to match the HTTP servlet request and select the appropriate PEP.

PEP identifier

The identifier of the PEP to be selected when the context path matches.

Do use internal authorization

Whether internal authorization is used or every request is permitted.

Whether or not the PEP should use HTTP session cookies to store and pass DirX Access SSO state. In order to enable DirX Access SSO state cookies, set the following fields as well: Cookie name, Cookie domain name (optional), Cookie path for single sign-on (optional), Cookie version (optional), Do require SSL/TLS for cookie transfer (optional) and Set the 'HttpOnly' flag (optional).

The holder of the PEP cookie configuration

Cookie name

The name of the HTTP cookies used by the PEP to store and pass DirX Access SSO state.

Cookie domain name

The domain name or IP address of the HTTP cookies, as defined in RFC 2109, used by the PEP to store and pass DirX Access SSO state. You must set this field correctly, or Web browsers may not send cookies to Web servers as expected. When empty, the PEP sets the host part of the SSO request URI as the cookie domain name.

Cookie path for single sign-on

The path of the HTTP cookies used by the PEP to store and pass DirX Access SSO state.

Cookie version

The version of the HTTP cookies used by the PEP to store and pass DirX Access SSO state.

Do require SSL/TLS for cookie transfer

Whether or not the HTTP cookies used by the PEP to store and pass DirX Access SSO state carry the secure flag. The secure flag is an attribute that can be set when sending a cookie to the browser within an HTTP response. Its purpose is to prevent cookies from being observed by unauthorized parties through transmission in clear text: browsers that support the secure flag only send such cookies when the request goes to an HTTPS page. Setting the secure flag therefore prevents the browser from transmitting the DirX Access SSO state over an unencrypted channel.

Do set the 'HttpOnly' flag

Whether or not the HttpOnly flag should be set to the HTTP cookies used by the PEP to store and pass DirX Access SSO state.

If true, the cookie is declared as a persistent HTTP cookie with max-age set to the session idle timeout; otherwise the cookie is declared as a session cookie (max-age equal to -1).

'SameSite' flag

The 'SameSite' flag of the HTTP cookies used by the PEP, as described in https://datatracker.ietf.org/doc/html/draft-west-first-party-cookies-07.

  • Allowed Values:

    • NotIncluded

    • None

    • Lax

    • Strict
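The cookie fields above (name, domain, path, secure flag, HttpOnly, persistent max-age and SameSite) rendered into the Set-Cookie header a PEP would emit, plus a small audit of the weak settings, as an added Python example that is not part of DirX Access. CookieConfig, build_set_cookie, audit and the sample values are constructed for this illustration; the lookup of request_host is assumed to already hold only the host part of the SSO request URI.

```python
from dataclasses import dataclass

@dataclass
class CookieConfig:
    """Example values for the cookie fields above (constructed, not a real export)."""
    name: str = "DXA_SSO"            # 'Cookie name'
    domain: str = ""                 # 'Cookie domain name'; empty -> host of the SSO request URI
    path: str = "/"                  # 'Cookie path for single sign-on'
    secure: bool = True              # 'Do require SSL/TLS for cookie transfer'
    http_only: bool = True           # "Do set the 'HttpOnly' flag"
    persistent: bool = False         # persistent cookie: Max-Age = session idle timeout
    same_site: str = "Lax"           # 'SameSite' flag: NotIncluded | None | Lax | Strict

def build_set_cookie(cfg: CookieConfig, sso_state: str, request_host: str,
                     session_idle_timeout: int) -> str:
    """Render the Set-Cookie header a PEP with this configuration would send."""
    # request_host: host part of the SSO request URI (port assumed already stripped)
    if cfg.same_site not in ("NotIncluded", "None", "Lax", "Strict"):
        raise ValueError(f"unsupported SameSite value {cfg.same_site!r}")
    if cfg.same_site == "None" and not cfg.secure:
        # Browsers drop SameSite=None cookies that lack the Secure attribute,
        # which would silently break SSO; refuse the combination up front.
        raise ValueError("SameSite=None requires the secure flag")
    attrs = [f"{cfg.name}={sso_state}",
             f"Domain={cfg.domain or request_host}",
             f"Path={cfg.path}"]
    if cfg.persistent:
        attrs.append(f"Max-Age={session_idle_timeout}")
    # a session cookie (max-age -1 in the servlet API) simply carries no Max-Age
    if cfg.secure:
        attrs.append("Secure")
    if cfg.http_only:
        attrs.append("HttpOnly")
    if cfg.same_site != "NotIncluded":
        attrs.append(f"SameSite={cfg.same_site}")
    return "; ".join(attrs)

def audit(cfg: CookieConfig) -> list:
    """Settings a reviewer would flag on a cookie that carries SSO state."""
    findings = []
    if not cfg.secure:
        findings.append("secure flag off: SSO state may travel over plain HTTP")
    if not cfg.http_only:
        findings.append("HttpOnly off: SSO state readable by page scripts")
    if cfg.same_site in ("NotIncluded", "None"):
        findings.append("SameSite not restricting: cookie sent on cross-site requests")
    return findings
```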

Do enable URL rewriting

Whether or not URL rewriting is enabled. URL rewriting (referring to Web application environments) can be used as an alternative to HTTP cookie headers to maintain DirX Access session state. The full URL rewriting feature can be used with dynamic Web resources and is currently limited to Java PEPs (working with 'HttpServletRequest' abstractions). The URL rewriting feature in C PEPs is limited to providing DirX Access session state to backend applications via HTTP header injection and to encoding it into a redirection URL (HTTP header Location in HTTP 302 responses). To enable URL rewriting, set the URL rewriting field name (optional) in addition to this field.

URL rewriting field name

The name of the HTTP URL query parameter used by the PEP to store and pass DirX Access SSO state. When empty, the Cookie name property value is used instead.

Do enable Form authentication

Whether or not the PEP should recognize SSO requests with URI equal to the 'Authentication form action' field value as form-based authentication requests. To enable form-based authentication for the PEP, set the 'Authentication form action', 'Loginname field name', 'Password field name' and 'Form authentication target URL field name' fields as well.

Form authentication action URI

The URI path that represents the form-based authentication endpoint. When form-based authentication is enabled and the SSO request URI is equal to the 'Authentication form action URI', the PEP takes the credentials and a target URL from the request parameters and performs the authentication.

Form authentication loginname field name

The name of an HTTP request parameter from which the PEP gets the login name for the form-based authentication.

Form authentication password field name

The name of an HTTP request parameter from which the PEP gets the password for the form-based authentication.

Form authentication target URL field name

The name of an HTTP request parameter from which the PEP gets the target URL for the form-based authentication. On successful authentication the PEP makes a redirection to the target URL.

Logout action URI

The URI for which the logout operation is performed.

Logout Target URL field name

The field name within the specified logout operation that specifies the URL of the target resource to present on logout.

Do enable cache control

Controls the setting of the "do not cache" header property by the PEP.

PEP custom data

The holder of the PEP custom data. Custom data consists of a pool of information that originates from an actual request and its parts, such as HTTP headers, cookie headers, session attributes, and request parameters and attributes. This pool of information can be associated with the SSO state of an authenticated subject and can be used in subsequent processing such as authorization decision-making or SAML assertion issuance.

Do process HTTP headers to extract custom data

Whether or not the PEP should process HTTP headers to extract custom data (see 'PEP custom data' above for what custom data consists of).

Do process HTTP cookies to extract custom data

Whether or not the PEP should process HTTP cookies to extract custom data.

Do process HTTP session attributes to extract custom data

Whether or not the PEP should process HTTP session attributes to extract custom data.

Do process HTTP request parameters to extract custom data

Whether or not the PEP should process HTTP request parameters to extract custom data.

Do process HTTP request attributes to extract custom data

Whether or not the PEP should process HTTP request attributes (see the Servlet API description for HttpServletRequest.getAttribute() interface) to extract custom data.

Maximum length of custom data

The maximum length of each custom data item, for example one HTTP request parameter or header. Custom data items longer than this limit are truncated. There is no limit on the overall size of the custom data, which might lead to performance issues when too much custom data is configured.
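The five 'Do process ...' switches and the per-item length limit above, applied to one request, as an added Python example that is not part of DirX Access. CustomDataConfig, extract_custom_data, pool_size and the sample request are constructed for this illustration; prefixing each key with its source is a choice of this example, not a documented PEP behaviour.

```python
from dataclasses import dataclass

@dataclass
class CustomDataConfig:
    """The 'Do process ...' switches and the per-item length limit (example values)."""
    process_headers: bool = True
    process_cookies: bool = False
    process_session_attributes: bool = False
    process_request_parameters: bool = True
    process_request_attributes: bool = False
    max_length: int = 64                 # 'Maximum length of custom data'

def extract_custom_data(cfg: CustomDataConfig, headers: dict, cookies: dict,
                        session_attrs: dict, params: dict, request_attrs: dict) -> dict:
    """Build the custom-data pool for one request.

    Keys are prefixed with their source (a choice made in this example) so that a
    header and a request parameter with the same name cannot overwrite each other.
    Each value is truncated to max_length; the pool as a whole is not bounded.
    """
    sources = (
        ("header", cfg.process_headers, headers),
        ("cookie", cfg.process_cookies, cookies),
        ("session", cfg.process_session_attributes, session_attrs),
        ("param", cfg.process_request_parameters, params),
        ("attribute", cfg.process_request_attributes, request_attrs),
    )
    pool = {}
    for prefix, enabled, source in sources:
        if not enabled:
            continue
        for key, value in source.items():
            pool[f"{prefix}:{key}"] = str(value)[:cfg.max_length]
    return pool

def pool_size(pool: dict) -> int:
    """Total characters held for one subject; this is what grows as sources are enabled."""
    return sum(len(k) + len(v) for k, v in pool.items())

# Constructed sample request (not captured traffic).
SAMPLE_HEADERS = {"User-Agent": "Mozilla/5.0 " + "x" * 200, "X-Tenant": "acme"}
SAMPLE_COOKIES = {"DXA_SSO": "opaque-state"}
SAMPLE_PARAMS = {"target": "/app/home"}
```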

OAuth RS authentication method identifier

The identifier of the authentication method used to resolve the OAuth token if the PEP is to act as an OAuth Resource Server. If null, the OAuth Resource Server role is not supported. If non-null, the processing of each request at this PEP is subject to the configuration of the given authentication method.

Authentication application URI

The location of the authentication application to be used for authentication (creation of DirX Access SSO state) in case no cookie is found or the DirX Access SSO state is not valid. At least 'Enable URL rewriting' and 'URL rewriting field name' must be set if the authentication application resides in a different domain than the Cloud PEP. The authentication application can then pass the cookie value in the request parameter named by 'URL rewriting field name'.

Do enable session in query parameters

Whether or not DirX Access SSO state should also be looked for in query parameters. This setting works together with 'Enable URL rewriting' and 'URL rewriting field name'. Transmitting DirX Access SSO state in HTTP POST body parameters is more secure; this value must be set only if DirX Access SSO state has to be transmitted in HTTP GET query parameters.
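How the URL rewriting fields ('Do enable URL rewriting', 'URL rewriting field name') and 'Do enable session in query parameters' combine when a PEP looks for SSO state, and how the state is encoded into a 302 Location, as an added Python example that is not part of DirX Access. StateLookupConfig, find_sso_state and rewrite_redirect are constructed for this illustration, and the lookup order cookie, then POST body, then query string is an assumption of the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, quote, urlsplit

@dataclass
class StateLookupConfig:
    cookie_name: str = "DXA_SSO"        # 'Cookie name'
    url_rewriting: bool = False         # 'Do enable URL rewriting'
    rewriting_field: str = ""           # 'URL rewriting field name'; empty -> cookie name
    session_in_query: bool = False      # 'Do enable session in query parameters'

def find_sso_state(cfg: StateLookupConfig, cookies: dict, post_params: dict, url: str):
    """Locate the DirX Access SSO state for a request.

    Lookup order (an assumption of this example): cookie header first, then the
    URL-rewriting field in the POST body, and only if 'Do enable session in query
    parameters' is on, the same field in the GET query string.
    Returns (state, source) or (None, None).
    """
    if cfg.cookie_name in cookies:
        return cookies[cfg.cookie_name], "cookie"
    if not cfg.url_rewriting:
        return None, None
    field = cfg.rewriting_field or cfg.cookie_name
    if field in post_params:
        return post_params[field], "post"
    if cfg.session_in_query:
        query = parse_qs(urlsplit(url).query)
        if field in query:
            # Query strings land in server logs, proxy logs, browser history and
            # Referer headers, which is why this path is off unless explicitly enabled.
            return query[field][0], "query"
    return None, None

def rewrite_redirect(cfg: StateLookupConfig, location: str, state: str) -> str:
    """Encode SSO state into a redirection URL (302 Location header) when URL
    rewriting is on; otherwise the Location is returned unchanged."""
    if not cfg.url_rewriting:
        return location
    field = cfg.rewriting_field or cfg.cookie_name
    sep = "&" if urlsplit(location).query else "?"
    return f"{location}{sep}{field}={quote(state)}"
```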