| Name | | | | |
|---|---|---|---|---|
| enableSecurityTokenAttribute | N | Y | N | Controls whether the authenticated security token is included in the AttributeStatement of the issued SAML assertion.<br>Default: Checked. |
| enableSAMLAttributesPurge | | | | Controls whether the AttributeStatements of the authenticated assertion are included in the AttributeStatements of the issued SAML assertion.<br>Default: Checked. |
| enableHolderOfKeyAssertion | | | | Controls whether the Holder-of-Key subject confirmation method is used in the issued SAML assertion.<br>Select one of the following security token types:<br>- SAML 1.1 Token 1.1<br>- SAML 2.0 Token 1.1<br>- |
| samlValiditySeconds | N | Y | Y | The validity period of the issued SAML tokens.<br>Default: 600 s. |
| tokenSigningService | N | Y | Y | The name of an Identity Provider resource that identifies the signer of the SAML tokens. |
| initialCtxFactory | N | Y | Y | The factory object that provides the starting point for resolving names within the LDAP server.<br>Default: com.sun.jndi.ldap.LdapCtxFactory. |
| serverURL | Y | Y | Y | A space-separated list of LDAP server URLs. To achieve fault tolerance, specify more than one URL, for example ldap://server1.example.com:686 ldap://server2.example.com:1686.<br>Default: ldap://localhost:389. |
| searchTimeOut | N | Y | Y | The time to wait for a response from the LDAP directory server.<br>Default: -1, which means wait forever. |
| userAttributeUsersName | N | Y | Y | The name of the LDAP attribute from which the user display name is obtained. Always specify an attribute name even though this field is labeled optional.<br>The attribute must be part of the LDAP schema; an attribute not defined by the schema can result in an error.<br>Default: None. |
| userAttributeGroupsName | Y | Y | Y | The name of the attribute in each user object that lists the groups to which the user belongs.<br>Default: None. |
| userAttributesExtra | N | Y | Y | Optional list of additional user attributes to retrieve from the LDAP directory during authentication.<br>Default: None. |
| groupAttributeGroupsName | Y | Y | Y | The name of the attribute in the group object that contains the name of the group. For example, for OpenLDAP: cn; for Active Directory: sAMAccountName.<br>Default: None. |
| userSearchBaseDN | Y | Y | Y | The base distinguished name (DN) from which the user search starts.<br>Example: ou=department, dc=company, dc=com. |
| userSearchScopeSubtree | | | | |
| userSearchExpression | N | Y | Y | The expression used to search for a user, for example (CN={0}); '{0}' is replaced by the username being searched for.<br>Any complex filter can be used, such as (&(cn={0}) (objectClass=account)).<br>Default: &(objectClass=person)(uid={0}) |
| groupSearchBaseDN | N | Y | Y | Searches for groups beginning at this base distinguished name (DN).<br>Default: None. |
| enableNestedGroupSearch | | | | |
| groupSearchExpression | Y | Y | Y | Search by matching this expression against potential groups.<br>Default: None. |
| groupSearchScopeSubtree | N | N | N | Search the entire subtree starting at the base DN for groups (default). Otherwise, search only the nodes one level below the base DN.<br>Default: Checked. |
| groupIndication | N | Y | N | Specifies how a user's group memberships are found. Group information is used by Administrator when a user, once authenticated, performs other activities in the system.<br>Options:<br>- Group has users: a list of users that belong to the group.<br>- User has groups: a list of groups to which the user belongs.<br>- User DN has groups: the DN with a list of groups to which the user belongs.<br>- No Group Info: group memberships are not handled.<br>If the selected value is User has groups or User DN has groups, the Users Attribute with Group Names field is displayed.<br>If the selected value is Group has users, the following fields are displayed:<br>- Group Search Base DN<br>- Group Search Expression<br>- Group Attribute with User Names<br>- Group Attribute with Group Name<br>- Group Attribute with Subgroup Names<br>- Group Search Scope Subtree<br>Default: No Group Info. |
| groupAttributeSubgroupsName | N | Y | Y | The name of the attribute in the group object that contains its subgroups. For example, for OpenLDAP: uniqueMember; for Active Directory: member.<br>Default: None. |
| groupAttributeUsersName | Y | Y | Y | The name of the attribute in the group object that contains its users. For example, for OpenLDAP: uniqueMember; for Active Directory: member.<br>Default: None. |
| userDNTemplate | Y | Y | Y | The template from which the user DN used to bind to the LDAP server is generated. Because the full DN is always supplied, the template should always contain {0}, which is replaced with the actual username.<br>Default: {0} |
| connectionPools | | | | |
| securityAuthentication | N | Y | Y | The Simple Authentication and Security Layer (SASL) authentication protocol to use. Values are implementation-dependent; some possible values are simple, none, md-5.<br>Default: Blank. |
| followReferrals | N | Y | N | Indicates whether the client follows referrals returned by the LDAP server.<br>Default: Unchecked. |
| sslIdentityProvider | | | | The name of the Identity Trust provider resource used to establish the SSL connection to the LDAP server. |
| credentialProvider | | | | The name of the Credential Keystore or Credential Password provider resource containing the LDAP login credentials. This option requires keyAlias and keyPassword to also be specified. It can be used in place of the adminIdentityProvider setting. |
| adminIdentityProvider | | | | The name of the Identity Subject provider resource containing the LDAP login credentials. This option can be used in place of the credentialProvider/keyAlias/keyPassword setting tuple. |
| keyPassword | Y | Y | Y | The password protecting the key entry.<br>Default: None. |
| keyAlias | Y | Y | Y | Alias of the user's key entry in the keystore managed by the keystore provider.<br>Default: None. |
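As an added example (not code from the product documented in this table), the following Python shows how the `{0}` placeholder in userSearchExpression and userDNTemplate is filled with a username while escaping it for its context: RFC 4515 escaping for filter values and RFC 4514 escaping for DN attribute values. Whether the provider escapes the substituted username itself is not stated here; the templates and usernames below are constructed.

```python
# Added example, not the product's own code: substitutes a username into the
# userSearchExpression and userDNTemplate templates described in the table and
# escapes it for each context (RFC 4515 for search filters, RFC 4514 for DN
# attribute values). The product's own substitution behaviour is not stated
# on the page; the templates and usernames used here are constructed.

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514 section 2.4: these characters must be backslash-escaped anywhere in
# an attribute value; a leading '#' and a leading or trailing space are as well.
_DN_SPECIALS = set('",+;<>\\')


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an RDN attribute value inside a DN template."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def _check_template(template: str) -> None:
    # userDNTemplate is documented as always containing {0}; applying the same
    # check to the search expression is an assumption of this example.
    if "{0}" not in template:
        raise ValueError("template must contain {0}: %r" % template)


def build_user_filter(template: str, username: str) -> str:
    """Fill userSearchExpression, e.g. '(CN={0})', with an escaped username."""
    _check_template(template)
    return template.replace("{0}", escape_filter_value(username))


def build_bind_dn(template: str, username: str) -> str:
    """Fill userDNTemplate. With the default template '{0}' the caller supplies
    the complete DN, so nothing is escaped; otherwise {0} is an RDN value."""
    _check_template(template)
    if template.strip() == "{0}":
        return username
    return template.replace("{0}", escape_dn_value(username))
```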