
Step-up authentication properties

After enabling step-up authentication, we can adjust the settings. Use the WAS admin console to create new properties, if necessary, or update existing properties. For each additional authentication level create at least one properties file according to the following naming convention:

  • The authentication level name.
  • An underline character followed by a language locale. For example, en for English.
  • The string .properties

For example, for an authentication level of yourlevel, create a file such as yourlevel.properties or yourlevel_en.properties. This file must be available on the class path at...

    com/ibm/portal/auth/sua/nls/

The file must contain two key-value pairs. For example, for the system-specified authentication level authenticated, there are two definitions:

  • display-name=authenticated

  • description=User authentication using username and password

These two strings are used to select the authentication level in the Administration portlet for configuration.

The following list contains all properties that apply to the corresponding portal configuration service, WP StepUpConfigService.

Log on to the WAS admin console and then go to...

    Resources | Resource Environment | Resource Environment Providers | WP StepUpConfigService | Custom properties

All property changes require a portal server restart in order for the changes to take effect.

    sua.enable

    Enable and disable the step-up authentication mechanism.

    Default: false

    Type: java.lang.Boolean

    sua.authLevel.enable

    Provide a comma-separated list of authentication level names.

    • If step-up authentication is enabled, the authentication level name must be specified.

    • To use the Remember me cookie, make sure that it is enabled and add its authentication level name to this property.

    Default: authenticated

    Type: java.lang.String

    sua.authLevel.auth_level_name.strength

    Authentication level strength of the authentication level with the name auth_level_name. The value is a non-negative integer that expresses the implied strength of a particular authentication method. The step-up authentication framework considers one authentication method to be stronger than another if it has a higher value.

    The value 0 is reserved by the step-up authentication engine, so values less than one are not allowed. It is possible to leave gaps in the sequence of authentication level strengths. It is not possible to assign the same strength to multiple authentication level names.

    Default:

      sua.authLevel.identified.strength=5
      sua.authLevel.authenticated.strength=10

    Type: java.lang.Integer

    sua.authLevel.auth_level_name.required

    Whether the authentication level with the name auth_level_name is optional or required. When a user accesses a resource with an optional authentication level, this resource might be accessed if the first required authentication level is verified. When an authentication level is flagged as required, it can be verified successfully only if all required authentication levels can be verified successfully.

    This property must not be set for the authentication level identified or authenticated. If one authentication level is set as optional, all previous levels must also be optional.

    Default: true

    Type: java.lang.Boolean

    sua.authLevel.auth_level_name.authLevelVerifier

    Specify the fully qualified name of the class that implements the com.ibm.portal.auth.stepup.AuthLevelVerifier SPI. This class verifies whether the authentication level auth_level_name is valid for a request.

    This property must not be set for the authentication level identified or authenticated.

    Default: -

    Type: java.lang.String

    sua.authLevel.auth_level_name.stepUpAuthHandler

    Specify the fully qualified name of the class that implements the com.ibm.portal.auth.stepup.StepUpAuthHandler SPI. This class establishes the authentication level auth_level_name.

    This property must not be set for the authentication level identified or authenticated.

    Default: -

    Type: java.lang.String

    sua.authLevel.auth_level_name.postRedirectionTargetProtected

    The step-up authentication handler redirects a user with a certain authentication level to another page, for example a page with a login form. Afterwards, the step-up authentication framework redirects the user back to the resource that was requested before the authentication level was enforced. This property specifies whether that redirection to the originally requested resource points to the public or the protected portal area, because establishing the authentication level might move the user from an unauthenticated to an authenticated state.

    This property must not be set for the authentication level identified or authenticated.

    Default: false

    Type: java.lang.Boolean

    Example: true

    sua.authLevel.auth_level_name.property.property_name

    Specify further properties for the authentication level auth_level_name. Each property is made available under its property_name; the prefix sua.authLevel.auth_level_name.property is omitted.

    Default: -

    Type: java.lang.String
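The following is an added example, not IBM code, that checks a set of WP StepUpConfigService custom properties against the rules stated above (sua.authLevel.enable must be set when step-up authentication is enabled, strengths must be integers of at least one and unique, and the system levels identified and authenticated must not carry required, authLevelVerifier, stepUpAuthHandler or postRedirectionTargetProtected) and collects the free-form property.property_name values of a level with the prefix stripped. The level yourlevel and the com.example.* class names are placeholders.

```python
# Added example (not IBM code): validate WP StepUpConfigService custom
# properties and collect a level's sua.authLevel.<level>.property.* values.
SYSTEM_LEVELS = {"identified", "authenticated"}
DEFAULT_STRENGTH = {"identified": "5", "authenticated": "10"}
# Properties that must not be set on the two system-defined levels.
NOT_ON_SYSTEM = ("required", "authLevelVerifier",
                 "stepUpAuthHandler", "postRedirectionTargetProtected")

def validate_stepup(props):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if props.get("sua.enable", "false").lower() != "true":
        return problems              # framework disabled: nothing is enforced
    raw_levels = props.get("sua.authLevel.enable", "authenticated")
    levels = [n.strip() for n in raw_levels.split(",") if n.strip()]
    if not levels:
        problems.append("sua.authLevel.enable must list at least one level")
    strengths = {}                   # strength value -> level that uses it
    for name in levels:
        pfx = f"sua.authLevel.{name}."
        raw = props.get(pfx + "strength", DEFAULT_STRENGTH.get(name, ""))
        if not raw.isdigit() or int(raw) < 1:
            problems.append(f"{name}: strength must be an integer >= 1 (0 is reserved)")
        elif int(raw) in strengths:
            problems.append(f"{name}: strength {raw} already used by {strengths[int(raw)]}")
        else:
            strengths[int(raw)] = name
        if name in SYSTEM_LEVELS:
            for sub in NOT_ON_SYSTEM:
                if pfx + sub in props:
                    problems.append(f"{name}: {sub} must not be set on a system level")
    return problems

def level_custom_properties(props, name):
    """Return {property_name: value} for a level, with the long prefix stripped."""
    pfx = f"sua.authLevel.{name}.property."
    return {k[len(pfx):]: v for k, v in props.items() if k.startswith(pfx)}

# Constructed sample; yourlevel and the com.example.* class names are placeholders.
SAMPLE = {
    "sua.enable": "true",
    "sua.authLevel.enable": "identified,authenticated,yourlevel",
    "sua.authLevel.authenticated.strength": "10",
    "sua.authLevel.yourlevel.strength": "20",
    "sua.authLevel.yourlevel.authLevelVerifier": "com.example.YourLevelVerifier",
    "sua.authLevel.yourlevel.stepUpAuthHandler": "com.example.YourLevelHandler",
    "sua.authLevel.yourlevel.postRedirectionTargetProtected": "true",
    "sua.authLevel.yourlevel.property.loginPage": "/yourlevel/login",
}
```

The strength of identified is taken from its documented default of 5 when it is not set explicitly, so the sample validates cleanly.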

