OtherPep
DirX Access Other PEP configuration presents the fields and controls that apply to all PEPs (basic settings, client settings and general PEP settings). There are currently no settings available on this page that are specific to other PEP configurations.
Do use SSL/TLS
Whether or not the communication between the client and a DirX Access Services server must be secured using SSL/TLS. The client always tries to establish the SSL/TLS-secured connection first. If the secured connection cannot be established (for example, because of missing or wrong client crypto material) and this value is false, the client establishes a non-secured connection to the server instead. The configuration parameter 'Do use SSL/TLS' applies to the actual operation phase of a PEP: if SSL/TLS is required but is not available (for whatever reason), no data is exchanged. Note that this does not apply to the PEP bootstrap phase, in which configuration data is obtained from the server. In this phase, PEPs may silently fall back to plain-text communication if no SSL/TLS support is available.
Cache timeout
Clients automatically cache configuration information to increase system performance. This property determines the length of time in seconds that must elapse before this client refreshes its cache. Note that this setting also determines how quickly the client learns that a cached object was changed on the server side.
Cluster group
The DirX Access Services cluster group with which the client communicates. By default, cluster group 0 is selected.
PEP type (required)
The type of the PEP.
Allowed Values:
- ApacheHttpServer
- ApacheTomcat
- Jetty
- IBMWebSphere
- MicrosoftIIS
- MicrosoftIISAgent
- OracleFusion
- OracleWebLogic
- BEAWebLogic
- RedHatJBOSS
- SAPNetWeaver
- ServletApplication
- CloudFoundry
- Plain
- Other
Authority
A symbolic identifier for this PEP used in the normalization of SSO request URIs. Follows the format host:port. When processing SSO requests from the PEP, DirX Access replaces the host and port parts in the request URI with the Authority value. Evaluation of authentication and authorization policies is then performed using the normalized request URI.
Session lifetime
The maximum time in seconds since an initial or federated authentication may elapse before the system closes an SSO session created during the authentication.
Session idle timeout
The maximum idle time in seconds since the last processed SSO request that may elapse before the system closes an SSO session created during an initial or federated authentication.
Authentication timeouts extension validity period
Time (in seconds) for which a user's request for an authentication timeouts extension remains valid; after this period, the user has to re-request. If 0, the user cannot request the timeouts extension. The "authentication timeouts extension" capability means that the authentication process run via this PEP enables the subject being authenticated to extend any authentication-related timeout that is configured server-side. The maximal extension is ten times the corresponding server-side value (specific to the corresponding authentication method). The goal of this parameter is to comply with the WCAG 2.2 Level AA Timeouts requirement.
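The session bounds and the timeout-extension rule described under Session lifetime, Session idle timeout and this field can be checked with a few lines of bookkeeping. The following is an added example and not DirX Access code; the helper names, the SsoSession structure and the sample timestamps are constructed for illustration, while the semantics (lifetime measured from the authentication, idle timeout from the last processed SSO request, 0 disabling the extension, and the ten-times cap) follow the field descriptions.

```python
"""SSO session expiry and authentication-timeout-extension checks for a PEP.

Added example, not DirX Access code. Field semantics follow the page;
function and type names are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Page: the maximal extension is ten times the server-side configuration.
MAX_EXTENSION_FACTOR = 10


@dataclass
class SsoSession:
    created_at: float       # time of the initial or federated authentication (s)
    last_request_at: float  # time of the last processed SSO request (s)


def session_state(session: SsoSession, now: float, lifetime: int, idle_timeout: int) -> str:
    """Return 'active', 'expired_lifetime' or 'expired_idle'.

    Session lifetime is counted from the authentication; the idle timeout
    from the last processed SSO request. Whichever bound is hit first
    closes the session; the lifetime bound cannot be pushed by activity.
    """
    if now - session.created_at >= lifetime:
        return "expired_lifetime"
    if now - session.last_request_at >= idle_timeout:
        return "expired_idle"
    return "active"


def touch(session: SsoSession, now: float, lifetime: int, idle_timeout: int) -> bool:
    """Record an SSO request on an active session.

    Returns False and leaves the session untouched when it has already
    expired, so an expired session can never be revived by a late request.
    """
    if session_state(session, now, lifetime, idle_timeout) != "active":
        return False
    session.last_request_at = now
    return True


def extension_request_valid(requested_at: float, now: float, validity_period: int) -> bool:
    """Is a user's timeout-extension request still honoured?

    The request is valid for 'validity_period' seconds after it was made;
    afterwards the user must re-request. A period of 0 disables the
    capability entirely.
    """
    if validity_period <= 0:
        return False
    return now - requested_at < validity_period


def extended_timeout(server_timeout: int, requested_timeout: int) -> int:
    """Clamp a requested authentication timeout to the allowed window.

    Never below the configured server-side value and never above ten times
    that value, matching the maximal extension stated on the page.
    """
    cap = server_timeout * MAX_EXTENSION_FACTOR
    return max(server_timeout, min(requested_timeout, cap))


if __name__ == "__main__":
    # Constructed walk-through: 1-hour lifetime, 10-minute idle timeout.
    s = SsoSession(created_at=1000.0, last_request_at=1000.0)
    print(session_state(s, 1100.0, 3600, 600))   # active
    print(session_state(s, 1600.0, 3600, 600))   # expired_idle
    print(extended_timeout(300, 5000))            # 3000, capped at 10 x 300
```

The separate lifetime and idle checks matter in practice: an attacker who obtains a session cookie can keep it alive indefinitely with periodic requests if only the idle timeout is enforced, so the absolute lifetime is the bound that actually terminates a long-lived session.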
Resource filter
The PEP excludes from processing all SSO requests whose URI path part matches one of the exclusions configured below.
Extensions to exclude
The PEP excludes from processing all SSO requests whose URI path part ends with one of these extensions.
Resource full paths
The PEP excludes from processing all SSO requests whose URI path part is equal to one of these full paths.
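The Authority field and the Resource filter fields both operate on the request URI: the PEP drops excluded requests before SSO processing, and DirX Access then rewrites host and port of the remaining requests to the configured Authority before evaluating policies. The following is an added example, not DirX Access code, that shows both steps on constructed sample URIs; the function names and the sample host names and paths are assumptions. It generalizes the extension match slightly by accepting extensions configured with or without a leading dot, so that a value such as "js" cannot accidentally match a path like "/logs".

```python
"""PEP resource filtering and server-side Authority normalization of SSO
request URIs.

Added example, not DirX Access code. 'Authority' (host:port) and the two
exclusion kinds come from the page; names and sample data are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def _as_suffix(ext: str) -> str:
    """Treat a configured extension as a file suffix: 'png' and '.png' both
    become '.png', so the match cannot hit an unrelated path tail."""
    return ext if ext.startswith(".") else "." + ext


def is_excluded(uri: str, extensions: set[str], full_paths: set[str]) -> bool:
    """PEP side: True when the request bypasses SSO processing.

    Only the path part is considered; query string and fragment never take
    part in the match. Full paths are compared exactly, extensions as a
    suffix of the path.
    """
    path = urlsplit(uri).path
    if path in full_paths:
        return True
    return any(path.endswith(_as_suffix(ext)) for ext in extensions)


def normalize_authority(uri: str, authority: str) -> str:
    """Server side: replace host and port of the request URI with the PEP's
    Authority value so that policies are evaluated against one canonical
    name, whatever DNS name or port the browser actually used."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, authority, parts.path, parts.query, parts.fragment))


def prepare_for_policy(uri: str, authority: str, extensions: set[str],
                       full_paths: set[str]) -> Optional[str]:
    """Full pipeline for one request: None when the PEP excludes it,
    otherwise the normalized URI that policy evaluation would see."""
    if is_excluded(uri, extensions, full_paths):
        return None
    return normalize_authority(uri, authority)


if __name__ == "__main__":
    # Constructed configuration values.
    authority = "app.example.test:443"
    extensions = {"png", ".css"}
    full_paths = {"/health", "/favicon.ico"}
    for req in ("https://www.example.test:8443/app/page?x=1",
                "https://www.example.test/static/logo.png?v=2",
                "https://www.example.test/health"):
        print(req, "->", prepare_for_policy(req, authority, extensions, full_paths))
```

A practitioner configuring the filters should remember that the full-path exclusion is an exact string match on the path, so "/health" does not exclude "/health/" or "/healthz", and that anything excluded here is never seen by the authentication or authorization policies at all.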
Indeterminate/NotApplicable mapping
Controls the mapping of authorization decision results Indeterminate and NotApplicable.
Allowed Values:
- Permit
- Deny
XACML request construction identifier
The identifier of the XACML request construction template to be used with the specified PDP.
Request injection template identifiers
The set of identifiers of all request injection templates to be used with this PEP.
Default authentication method identifier
The identifier of the default authentication method to be used when requests are processed based on a distinct PEP configuration object and no authentication method identifier is present in the request or can be determined by other means, for example an authentication policy.
Allowed authentication method identifiers
The set of identifiers of all authentication methods allowed for use with this PEP. The default and RS authentication methods are allowed by default.