Username token module
The Username token STS module validates and issues UsernameToken elements.
The Username token STS module is called UsernameTokenSTSModule. The STS handles a Username token as both an incoming and outgoing token type.
There are three supported username and password validation methods from which to select.
- Scenario
- Custom trust chains
- Supported modes
- Validate
- Issue
- Configuration properties (Validate mode)
- Skip password validation
- Do not perform password validation for the Username token. Default is cleared.
- User registry option
- Select the type of user registry to use for validation.
- Verify Access runtime
- Validate the username and password according to the Verify Access runtime configuration. Complete the following steps before using this option:
- Configure the runtime component. See Configure the runtime environment. During this process, you must specify a Verify Access user registry as your primary LDAP server.
- Configure a federated user registry. Client certificate authentication for federated directories is not supported for UsernameTokenSTSModule. See Manage federated directories.
- Enable basic users. See Configure the runtime to authenticate basic users.
- LDAP bind DN
- The username used to authenticate to the primary LDAP server. For example, cn=SecurityMaster,secAuthority=Default.
- LDAP bind Password
- The password used to authenticate to the primary LDAP server. For example, admin.
- SSL Enabled
- Select to enable SSL.
- Certificate Database
- The name of the certificate database to use for the SSL connection. For example, embedded_ldap_keys.kdb.
- Verify Access user registry
- Validate the username and password according to the configured Verify Access user registry. This method requires an LDAP server connection that you define using the local management interface. See Manage server connections.
- Server Connection ID
- The name of the server connection that holds the required LDAP settings to access the Security Verify Access registry. This property is required if password validation is not skipped.
- Login Failures Persistent
- Login failures are used with the three-strikes policy.
If this option is set to false, each process that uses this API stores the number of login failures in memory. If multiple servers are involved, the total number of login failures to trigger a strike-out might vary.
If this option is set to true, the strike count is stored in LDAP and shared across all servers. Therefore, an accurate count is kept in a multi-server environment.
The default is false.
- Management Domain
- The Verify Access management domain. The default is Default.
- Maximum Server Connections
- The maximum number of connections that are made to the Verify Access registry.
The default is 16.
- Generic LDAP user registry
- Validate the username and password according to the configured LDAP user registry. It does not have to be a Verify Access user registry.
- Server Connection ID
- The name of the server connection that holds the required LDAP settings to access an LDAP user registry. This property is required if password validation is not skipped.
- Maximum Server Connections
- The maximum number of connections that are made to the LDAP user registry.
The default is 16.
- User ID attribute
- An LDAP attribute that stores the username. For example, uid.
- LDAP Base DN
- An LDAP base DN to search. For example, o=ibm,c=us.
- User search filter
- An LDAP search filter that narrows the entries considered as users. For example, the OR filter (|(objectClass=person)(objectClass=ePerson)). A filter needs an operator (&, | or !) in front of nested sub-filters; a value such as ((objectClass=person)(objectClass=ePerson)) is not a valid RFC 4515 filter.
- Enable the time validity check, based on created time and the amount of time permitted after the issue
- When checked, the Created time element is required on the Username token. This property is enabled by default. The software compares the value of the Created element with the current time and rejects the token if more than the configured amount of time (the next property) has elapsed since it was issued.
- Amount of time the token is valid after being issued
- The amount of time a token is valid after it is issued. Default is 300 seconds. A value of -1 means the token does not expire.
- Configuration properties (Issue mode)
- Include nonce in token
- Includes a nonce (a random value that is an input to the password digest and lets a receiver detect replayed tokens) in the token. When the password option 4 is specified, this value has no effect.
- Include token creation time in token
- Adds a time stamp to the token, indicating the creation time of the token.
- Options for including password in the token
- Whether to include the password in the token. When the password is included, you can specify the format.
- Do not include the password
- Specifies that the password is not included in the token.
- Include the digest of the password value
- Specifies to include the password in the token as the digest of the password value.
- Include the password in clear text
- Specifies to include the password in the token as clear text.
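The Issue-mode options above (nonce, creation time, password as none, digest or clear text) and the Validate-mode time check (Created required, a validity window with -1 meaning no expiry, and the option to skip password validation) interact: a password digest can only be computed when both the nonce and the Created time are present, and changing either after issue invalidates the digest. The following is an added example, not code from the product, that exercises both sides. The digest formula is the one defined by the WS-Security UsernameToken Profile, Base64(SHA-1(nonce + created + password)); that this module computes it exactly this way is an assumption, as is the one-minute clock-skew tolerance and the user store.

```python
"""Constructed example: issuing and validating a WS-Security UsernameToken
with the option combinations this page describes.  Function names, the
CLOCK_SKEW_SECONDS tolerance and the USERS store are this example's own."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

PASSWORD_TEXT = "PasswordText"      # clear-text option
PASSWORD_DIGEST = "PasswordDigest"  # digest option
CLOCK_SKEW_SECONDS = 60             # assumed tolerance for Created slightly in the future


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WSS UsernameToken Profile: Base64(SHA-1(nonce octets + Created + password))."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def issue_token(username, password, *, password_option="digest",
                include_nonce=True, include_created=True, now=None):
    """Build the UsernameToken fields for the chosen Issue-mode options."""
    now = now or datetime.now(timezone.utc)
    tok = {"Username": username}
    nonce = os.urandom(16) if include_nonce else None
    if nonce is not None:
        tok["Nonce"] = base64.b64encode(nonce).decode("ascii")  # wire form is base64
    if include_created:
        tok["Created"] = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    if password_option == "none":
        return tok
    if password_option == "text":
        tok["Password"], tok["Type"] = password, PASSWORD_TEXT
        return tok
    if password_option == "digest":
        if nonce is None or "Created" not in tok:
            raise ValueError("PasswordDigest needs both Nonce and Created")
        tok["Password"] = password_digest(nonce, tok["Created"], password)
        tok["Type"] = PASSWORD_DIGEST
        return tok
    raise ValueError(f"unknown password option {password_option!r}")


def validate_token(tok, lookup_password, *, validity_seconds=300,
                   require_created=True, skip_password=False, now=None):
    """Return (ok, reason) under the given Validate-mode settings."""
    now = now or datetime.now(timezone.utc)
    if require_created:
        if "Created" not in tok:
            return False, "Created element is required"
        created = datetime.fromisoformat(tok["Created"].replace("Z", "+00:00"))
        age = (now - created).total_seconds()
        if age < -CLOCK_SKEW_SECONDS:
            return False, "Created time is in the future"
        if validity_seconds != -1 and age > validity_seconds:   # -1: never expires
            return False, "token expired"
    if skip_password:
        return True, "password validation skipped"   # username accepted unverified
    expected = lookup_password(tok["Username"])
    if expected is None:
        return False, "unknown user"
    ptype = tok.get("Type")
    supplied = tok.get("Password", "").encode("utf-8")
    if ptype == PASSWORD_DIGEST:
        if "Nonce" not in tok or "Created" not in tok:
            return False, "digest needs Nonce and Created"
        want = password_digest(base64.b64decode(tok["Nonce"]), tok["Created"], expected)
        ok = hmac.compare_digest(want.encode("utf-8"), supplied)
    elif ptype == PASSWORD_TEXT:
        ok = hmac.compare_digest(expected.encode("utf-8"), supplied)
    else:
        return False, "token carries no password"
    return (True, "ok") if ok else (False, "bad password")


# Constructed user store standing in for the registry.
USERS = {"alice": "s3cret"}

if __name__ == "__main__":
    t = issue_token("alice", "s3cret")
    print(t)
    print(validate_token(t, USERS.get))
    print(validate_token(t, USERS.get, now=datetime.now(timezone.utc) + timedelta(seconds=301)))
```

Two points the code makes concrete: with "Skip password validation" set, the validator returns success as soon as the time check passes, so the username is trusted on the caller's word; and because Created is part of the digest input, the digest option only gives replay and tamper resistance when the validator also enforces the time window, since a captured token with a valid digest remains replayable until it expires (or forever with a validity of -1).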
Parent topic: Supported module types