Global settings
We can use the LMI to access an administrative menu to configure global settings used by both Federation and Advanced Access Control.
The Local Management Interface (LMI) has a user interface page for administering each major feature in IBM Security Verify Access. Since some features are used by multiple licensing levels for the product, the administration page for these features can be accessed through multiple user interface menu paths.
We can use either of the following LMI menus to access the global settings:
- AAC > Global Settings
- Federation > Global Settings
We can use the global settings menus to configure the following features:
- Advanced Configuration
Some of the advanced configuration properties are common to Advanced Access Control and Federation. Others are specific to one of the licensing levels.
- User Registry
Administer user and group memberships for the user registry used by the runtime applications. Management tasks are common to Advanced Access Control and Federation.
- Runtime Parameters
We can use the Runtime Parameters menu to view runtime status, tune runtime parameters, and set tracing on the runtime. These functions are common to Advanced Access Control and to Federation.
In addition, the runtime tracing feature can be set in the LMI through Monitor > Logs > Runtime Tracing.
The topic for Runtime Parameters is also included in the appliance troubleshooting section of the IBM Knowledge Center. See Tuning runtime application parameters and tracing specifications.
- Template Files
Template files are HTML pages presented to users. We can customize the content of the pages for the deployment by setting supported macros, or by adding JavaScript scripting. Template pages are used in multiple scenarios:
  - Customize the authentication process, such as error messages
  - Specify settings for the supported authentication mechanisms
  - Customize error messages for authentication attempts
  - Obtain consent for registering devices
  - Specify authorization parameters for OAuth 2.0
  - Configure user self-care tasks
- Mapping Rules
Mapping rules are JavaScript code that runs during the authentication flow for Advanced Access Control and Federation. Mapping rules can be used for multiple purposes. For Advanced Access Control, we can modify rules for the Authentication Service, OTP, and OAuth 2.0. For Federation, we can modify mapping rules to manage identities for OIDC and SAML 2.0.
- Distributed Session Cache
The Distributed Session Cache is supplied by the web reverse proxy and is used with all activation levels. The management windows in the LMI can also be accessed through Web > Manage > Distributed Session Cache.
For an overview of the Distributed Session Cache, and a review of advanced configuration options, see: Distributed session cache.
- LDAP Server Connections
Advanced Access Control and Federation both use the ISAM appliance to connect to external data sources. For Advanced Access Control, we can use the server connections menus to configure LDAP or database server connections so that we can set up policy information points. For Federation, we can configure an LDAP server as an attribute source for attribute mapping.
- Point of Contact
ISAM provides servers, such as WebSEAL, that function as point of contact servers for handling external requests for authentication and authorization. We can configure a point of contact profile to specify the information needed for the runtime to communicate with a specific point of contact server. Security Verify Access provides three Point of Contact profiles that are ready for use. We can specify callback parameters and values for these profiles.
- Access Policies
We can use access policies to perform step-up and re-authentication during a single sign-on flow based on contextual information. Access policies can be enforced at a federation or at API Protection for OAuth and OpenID Connect.
The LMI mega-menu for the Web licensing level also presents a set of tasks under a Global Settings heading. These tasks are different from the tasks under the Global Settings menu for AAC and Federation. The Web > Global Settings LMI menus are not used with AAC and Federation.
- Manage advanced configuration
- Manage user registries
- Tuning runtime application parameters and tracing specifications
- Template files
- Mapping rules
- Manage Distributed Session Cache
- Manage server connections
- Point of contact profiles