Authentication policy parameters and credentials

When we add or modify an authentication policy, we specify parameters for the authentication mechanism and the attributes that we want in the credential. The credentials are evaluated as part of the access control decision. We cannot modify predefined authentication policies.

Parameters

Parameters pass policy configuration to the authentication mechanism. Parameters can be set for each workflow step. Parameter values can be a literal string provided in the parameter settings or they can be a context attribute reference. A context attribute consists of an attribute source, attribute namespace, and attribute ID.

Authentication mechanism	Parameter	Default	Description
Username Password	reauthenticate	true	The user must authenticate even if the user previously authenticated.
One-Time Password	reauthenticate	true	The user must authenticate even if the user previously authenticated.
One-Time Password	username	No default value	The user name for OTP authentication. If the Pass check box is not checked, the OTP authentication mechanism retrieves the user name from the current authentication service credential.
HOTP One-Time Password	reauthenticate	true	The user must authenticate even if the user previously authenticated.
HOTP One-Time Password	username	No default value	The user name in HOTP authentication. If the Pass check box is not checked, the HOTP authentication mechanism retrieves the user name from the current authentication service credential.
HOTP One-Time Password	secretKey	No default value	The secret key in HOTP authentication. If the Pass check box is not checked, the HOTP authentication mechanism retrieves the secret key of the user from its internal database. Users can configure their own secret key on the OTP Secret Keys management page. See Manage OTP secret keys
TOTP One-Time Password	reauthenticate	true	The user must authenticate even if the user previously authenticated.
TOTP One-Time Password	username	No default value	The user name in TOTP authentication. If the Pass check box is not checked, TOTP authentication mechanism retrieves the user name from the current authentication service credential.
TOTP One-Time Password	secretKey	No default value	The secret key in TOTP authentication. If the Pass check box is not checked, the TOTP authentication mechanism retrieves the secret key of the user from its internal database. Users can configure their own secret key on the OTP Secret Keys management page. See Manage OTP secret keys
MAC Email One-time Password MAC One-time Password MAC SMS One-time password	mobileNumber	No default value	Phone number that delivers the one-time password value.
MAC Email One-time Password MAC One-time Password MAC SMS One-time password	emailAddress	No default value	The email address that delivers the one-time password value.
MAC Email One-time Password MAC One-time Password MAC SMS One-time password	reauthenticate	true	The user must authenticate even if the user previously authenticated. If you create a policy that uses both the SMS and Email delivery types with reauthenticate set to false, only the first delivery type is executed.
MAC Email One-time Password MAC One-time Password MAC SMS One-time password	username	No default value	The user name in MAC OTP authentication. If the Pass check box is not checked, MAC OTP authentication mechanism retrieves the user name from the current authentication service credential.
MAC Email One-time Password MAC One-time Password MAC SMS One-time password	deliveryType	Email SMS	The type of delivery mechanisms to use for delivering the one-time password value. When specified, the MAC One-Time password bypasses the OTPMethods mapping rule. If you create a policy and have both the SMS and Email delivery types defined and reauthenticate is set to false, only the first delivery type is executed.
RSA One-Time Password	reauthenticate	true	The authentication value that indicates whether the user must authenticate even if the user previously authenticated.
RSA One-Time Password	username	No default value	The user name in RSA authentication. If the Pass check box is not checked, RSA authentication mechanism retrieves the user name from the current authentication service credential.
HTTP Redirect Authentication	redirectURL	No default value	The URL that contacts the custom authentication implementation. The HTTP Redirect authentication mechanism redirects the user's browser to the specified URL.
HTTP Redirect Authentication	reauthenticate	true	The user must authenticate even if the user previously authenticated.
HTTP Redirect Authentication	returnCredAttrName	No default value	Credential attribute name that determines whether the HTTP Redirect authentication is successful.
HTTP Redirect Authentication	returnCredAttrValue	No default value	Credential attribute value that is compared against to determine whether the HTTP Redirect authentication is successful.
End-User License Agreement	alwaysShowLicense	False	Prompt for the license file. Set this option to true to always prompt the user to accept the license file.
End-User License Agreement	licenseRenewalTerm	0	The number of days until the user must accept the license again. When we specify a value that is less than 1, there is not a renewal term. This parameter compares the date the user last accepted the license to the current date to determine the number of days since the user last accepted the license.
End-User License Agreement	licenseFile	No default value	The path to the license template file to display for the End-User License Agreement. For more information about how to update the license and add more license files, see Template files and Template file macros. The path to the license file is relative to the locale in the template tree.
End-User License Agreement	acceptIfLastAccepted Before	No default value	The date the license was last accepted. If the date the user last accepted the license is before this date, this parameter requires the user to accept the license again. Use the date format of YYYY-MM-DD.
End-User License Agreement	username	No default value	The user name of the user who is prompted to accept the license. If the Pass check box is not checked, the End-User License Agreement authentication mechanism retrieves the user name from the current authentication service credential.
End-User License Agreement	reauthenticate	True	The user must authenticate even if the user previously authenticated. The mechanism displays the license once per authenticated session under the following conditions: alwaysShowLicense=true reauthenticate=false
Knowledge Questions	questionPresentationMode	Group	Individual Presents each question one at a time. Group Presents all questions to the user in the same form.
Knowledge Questions	questionPresentationOrder	Random	Random Presents the questions in random order. Sequential Presents the questions in the order in which they are stored.
Knowledge Questions	amountOfCorrectAnswersRequired	1	The number of correct answers required for successful authentication. Specify any positive integer value that is not higher than the number of questions stored for each user.
Knowledge Questions	username	No default value	The user name of the user who is prompted to answer the knowledge questions. If we do not specify the user name, the user must log in before the authentication mechanism starts. The value must be a string.
Knowledge Questions	reauthenticate	True	The user must authenticate with the Knowledge Questions authentication mechanism even if the user previously authenticated. The value is Boolean.
Knowledge Questions	maxGracePeriodAuthenticationCount	0	The maximum number of user authentications during the grace period. The mechanism does not require the user to configure knowledge questions during the grace period. The value is any positive integer.
FIDO Universal 2nd Factor	username	No default value	The user name for the FIDO Universal 2nd Factor authentication. If the Pass check box is not checked, the FIDO Universal 2nd Factor authentication mechanism retrieves the user name from the current authentication service credential.
FIDO Universal 2nd Factor	appId	https:/ /webseal.com	Protocol, hostname, and port the user will use to attempt authentication.
FIDO Universal 2nd Factor	mode	Authenticate	The mode the FIDO Universal 2nd Factor authentication mechanism operates in. Authenticate Performs FIDO U2F Authentication with already registered tokens. Register Performs FIDO U2F Registration to add tokens.
FIDO Universal 2nd Factor	attestationType	None	The type of certificate attestation validation to perform. None No certificate attestation validation is performed. Keystore Certificate attestation validation is performed using the keystore configured in attestationSource. JWKS Certificate attestation validation is performed using the JSON Web Key Set configured in attestationSource.
FIDO Universal 2nd Factor	attestationSource	No default value	The keystore or key set to use for certificate attestation validation. Either the name of the keystore on the appliance, or the URL for a JSON Web Key Set.
FIDO Universal 2nd Factor	attestationEnforcement	Required	The level of enforcement of certificate attestation validation. Required Certificate attestation validation is required, and requests that fail validation will return a validation error. Optional Certificate attestation validation is performed, but requests that fail validation will not return an error.
FIDO2/WebAuthn Authentication	username	No default value	The user name for the FIDO2/WebAuthn authentication. If the Pass check box is not checked, the FIDO2/WebAuthn authentication mechanism retrieves the user name from the current authentication service credential.
FIDO2/WebAuthn Authentication	rpId	webseal.com	The relying party ID (rpId) is a domain string that identifies the Relying Party and the relying party specific configuration to use. The rpId must be based on the origin the user accesses, that is the rpId must be the registrable domain suffix of or equal to the origin's effective domain. If the Pass check box is not checked, the rpId set on the mechanism is used instead.
FIDO2/WebAuthn Authentication	userVerification	No default value	Whether user verification is required, preferred, or discouraged. User verification is authenticator dependent, but could be a PIN code, password entry, biometric or other method. If the Pass check box is not checked, the user verification default configured against the relying party ID is used instead.
MMFA Authenticator	contextMessage	No default value	A message associated with a transaction, which can contain the detail of the transaction. This message may be displayed on the user's device when prompted for verification.
MMFA Authenticator	pushMessage	No default value. If not defined, the contextMessage value is used.	Define a message sent as a push notification when a transaction is awaiting verification.
MMFA Authenticator	signingAttributeList	If not set, the value set for the property Signing Attributes in the MMFA Authenticator mechanism is used. See Configure a Mobile Multi-Factor Authentication (MMFA) Authenticator Mechanism.	A comma separated list of context attributes that is added to a new JSON value attribute that gets passed as a new pending attribute to the target mobile device. If supported by the device, this JSON value is used to extract the various messages displayed to the end user. The MMFA server also uses this JSON value during signature validation. The value set here overrides the Signing Attributes property set in the MMFA authenticator mechanism.
MMFA Authenticator	username	No default value	The name of the user for which the challenge is generated.
MMFA Authenticator	reauthenticate	True	The user must authenticate even if the user is previously authenticated.
MMFA Authenticator	policyURI	No default value	Policy ID of the authentication policy that handles the challenge response from the Authenticator Client.
MMFA Authenticator	mode	Initiate	The mode the MMFA Authenticator authentication mechanism operate in. Initiate Informs the mechanism that it is initiating the challenge to the Authenticator Client. Response Informs the mechanism that it is responsible for completing the MMFA process started in the Initiate policy.

Pass

A check in the Pass check box passes the parameter to the authenticator. The value for a passed parameter is either specified in the Value field or with the session or request information. If the Pass check box is not checked, the mechanism takes one of the following actions:

• Uses the default value.
• Uses the default method to get the default value.
• Reports an error, depending on the mechanism and the parameter.

Credentials

When the user completes the authentication process, the Authentication Service creates a credential for that user. It uses the credential to log in the user. The user credential contains information such as the name of the user, the groups the user belongs to, and attributes that further describe the user. We might want to modify the information that is included in the credential depending on the information required in the policies. The Authentication Service automatically includes the following attributes:

username	The name of the user who is making the access request.
authenticationTypes	A list of URIs of all authentication policies the user completed.
authenticationMechanismTypes	A list of URIs of all the authentication mechanisms the user completed.
authenticationTransactionId	An identifier of the latest authentication transaction the user completed.

Use Credentials to restrict the attributes in the credential by explicitly including each attribute. These attributes can be:

• A literal string provided in the credential settings.
• A context attribute reference

A context attribute consists of an attribute source, attribute namespace, and attribute ID. See Table 2 for a list of context attributes that we can use.

Credential attribute	The name of an attribute to use as an authentication credential. ASCII letters ASCII digits Period (.) Underscore (_) Hyphen (-) Do not use any other special characters or non-ASCII Unicode characters.
Source	The source specifies the provider of the value for the credential: Value The value for the credential. Use any characters. Session A context attribute with a lifetime throughout the authentication process. Request A context attribute with a lifetime of the HTTP Request.
Value	The value of the credential attribute. The value that we specify depends on the source we select in the previous field. If we select Value as a source, type a literal value in this field. If we select Session or Request, type an attribute ID and namespace.

Context attributes

The following table lists of types of values we can retrieve from a session or a request.

Type	Description	Attribute Source	Attribute Namespace	Attribute ID
Policy ID	The ID of the authentication policy in the current authentication process.	Session	urn:ibm:security:asf:policy	policyID
Transaction ID	The ID that triggers the current authentication process.	Session	urn:ibm:security:asf:transaction	transactionID
HTTP request parameters	The HTTP request parameters of the current HTTP request.	Request	Each attribute can contain multiple values. urn:ibm:security:asf:request:parameter Retrieves the first value. urn:ibm:security:asf:request:parameters Retrieves all the values.	The name of the parameter.
HTTP request headers	The HTTP request headers of the current HTTP request.	Request	Each attribute can contain multiple values. We can retrieve the first value or all of the values: urn:ibm:security:asf:request:header Retrieves the first value. urn:ibm:security:asf:request:headers Retrieves all the values.	The name of the header.
Request credential	Credential of the user in the current request.	Request	Each attribute can contain multiple values. We can retrieve the first value or all of the values: urn:ibm:security:asf:request:token:attribute Retrieves the first value. urn:ibm:security:asf:request:token:attributes Retrieves all the values.	The name of the Request credential attribute. Use username to retrieve the name of the user. Use group to retrieve the groups of the user.
Authentication Service credential	Credential of the user the Authentication Service began constructing at the beginning of the authentication process.	Session	Each attribute can contain multiple values. We can retrieve the first value or all of the values: urn:ibm:security:asf:response:token:attribute Retrieves the first value. urn:ibm:security:asf:response:token:attributes Retrieves all the values.	The name of the Authentication Service credential attribute. Use username to retrieve the name of the user. User group to retrieve the groups of the user.
Context-based access attributes	The attributes that specify the context of the request that is evaluated as part of an access control decision.	Session	Attention: Before we can use context attributes, add the attributes to the attributeCollection.authenticationContextAttributes property in the Advanced Configuration settings. See Manage advanced configuration. Each attribute can contain multiple values. We can retrieve the first value or all of the values: urn:ibm:security:asf:cba:attribute Retrieves the first value. urn:ibm:security:asf:cba:attributes Retrieves all the values.	The name of the attribute.
Request attribute names	A list of attribute names that are present in the request token.	Request	urn:ibm:security:asf:request	attributes
Request header names	A list of header names in the incoming request.	Request	urn:ibm:security:asf:request	headers
Request parameter names	A list of parameter names in the incoming request.	Request	urn:ibm:security:asf:request	parameters
Request header names	A list of attribute names in the request token.	Session	urn:ibm:security:asf:response	attributes

Parent topic: Authentication policies