Step-up authentication properties
The step-up authentication mechanism can be configured using the console in WAS.
The table given below contains all properties that apply to the appropriate portal configuration service, namely WP StepUpConfigService.
You can access the properties from the Welcome page of the WAS administrative console by clicking Resources | Resource Environment Providers | WP StepUpConfigService | Custom properties.
Any property changes require the portal server to be restarted for the changes to take effect.
- sua.enable
- Enable or disable the step-up authentication mechanism.
Default: false
Type: java.lang.Boolean
- sua.authLevel.enable
- Use this property to provide a comma-separated list of authentication level names. The authentication levels given in this list will be considered in the portal installation for step-up authentication enforcement.
Please note the following:
- If step-up authentication is enabled, at least the authentication level name authenticated has to be specified.
- If you would like to use the Remember me cookie mechanism as a distinct authentication level, make sure that it is enabled and add the authentication level name identified to this property.
Default: authenticated
Type: java.lang.String
- sua.authLevel.<auth_level_name>.strength
- Specify the authentication level strength of the authentication level with the name <auth_level_name>. The value is a non-negative integer that expresses the implied strength of a particular authentication method. The step-up authentication framework considers one authentication method to be stronger than another if it has been assigned a higher value.
Note that the value 0 is reserved by the step-up authentication engine, so values less than one must not be assigned. While it is possible to leave gaps in the sequence of authentication level strengths, it is not possible to assign the same authentication level strength to multiple authentication level names. Additionally, the authentication level identified must always have a lower strength than authenticated.
Default: sua.authLevel.identified.strength = 1, sua.authLevel.authenticated.strength = 5
Type: java.lang.Integer
- sua.authLevel.<auth_level_name>.required
- Whether the authentication level with the name <auth_level_name> is optional or required. When a user accesses a resource that has an optional authentication level as the authentication level requirement, this resource may be accessed if the first required authentication level above it can be verified successfully. Moreover, when an authentication level is flagged as required, it can only be verified successfully if all required authentication levels below it can be verified successfully.
Note that this property must not be set for the authentication level identified or authenticated.
Default: true
Type: java.lang.Boolean
- sua.authLevel.<auth_level_name>.authLevelVerifier
- Fully qualified name of the class that implements the SPI com.ibm.portal.auth.sua.spi.AuthLevelVerifier and verifies whether the authentication level with the name <auth_level_name> is valid for a request.
This property must not be set for the authentication level identified or authenticated.
Default: -
Type: java.lang.String
- sua.authLevel.<auth_level_name>.stepUpAuthHandler
- Fully qualified name of the class that implements the SPI com.ibm.portal.auth.sua.spi.StepUpAuthHandler and establishes the authentication level with the name <auth_level_name>.
This property must not be set for the authentication level identified or authenticated.
Default: -
Type: java.lang.String
- sua.authLevel.<auth_level_name>.postRedirectionTargetProtected
- A certain authentication level is established by a step-up authentication handler by redirecting the user to another page, e.g. a portal page with a login form that takes a username and password. After the authentication level has been established successfully, the step-up authentication framework will redirect the user to the resource requested prior to the authentication level enforcement. This property specifies whether the redirection to the originally requested resource should point to the public or the protected portal area since the implementation of the authentication level may move the user from an unauthenticated to an authenticated state.
This property must not be set for the authentication level identified or authenticated.
Default: false
Type: java.lang.Boolean
Example: true
- sua.authLevel.<auth_level_name>.property.<property_name>
- Specify further properties that will be available to your authentication level verifier and your step-up authentication level handler. The properties received by these implementations in their init method have the name <property_name>; the prefix sua.authLevel.<auth_level_name>.property. is omitted.
Default: -
Type: java.lang.String
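The constraints stated in the property descriptions above can be checked on a property set before the portal server is restarted. The following Python linter is an added example, not IBM code: the level name otp and the com.example class names in the sample are hypothetical, and treating a missing strength on an enabled level as an error is an assumption.

```python
BUILTIN = ("identified", "authenticated")
# Properties the page says must not be set for the two built-in levels.
FORBIDDEN_ON_BUILTIN = ("required", "authLevelVerifier", "stepUpAuthHandler",
                        "postRedirectionTargetProtected")
DEFAULTS = {"sua.authLevel.identified.strength": "1",
            "sua.authLevel.authenticated.strength": "5"}

def validate_sua(props):
    """Return a list of findings; an empty list means no rule is violated."""
    cfg = {**DEFAULTS, **props}
    if cfg.get("sua.enable", "false").lower() != "true":
        return []  # step-up authentication disabled, nothing to enforce
    findings = []
    raw = cfg.get("sua.authLevel.enable", "authenticated")
    levels = [n.strip() for n in raw.split(",") if n.strip()]
    if "authenticated" not in levels:
        findings.append("sua.authLevel.enable must list 'authenticated'")
    seen, strengths = {}, {}  # strength -> first level using it; name -> strength
    for name in levels:
        key = "sua.authLevel.%s.strength" % name
        value = cfg.get(key, "")
        if not value.isdecimal():  # assumption: every enabled level needs one
            findings.append(key + ": missing or not a non-negative integer")
            continue
        strengths[name] = strength = int(value)
        if strength < 1:
            findings.append(key + ": 0 is reserved, use 1 or higher")
        elif strength in seen:
            findings.append("%s: strength %d already used by %s"
                            % (key, strength, seen[strength]))
        seen.setdefault(strength, name)
    # Compared only when both built-in levels are enabled.
    if {"identified", "authenticated"} <= strengths.keys() and \
            strengths["identified"] >= strengths["authenticated"]:
        findings.append("identified must be weaker than authenticated")
    for name in BUILTIN:
        for suffix in FORBIDDEN_ON_BUILTIN:
            key = "sua.authLevel.%s.%s" % (name, suffix)
            if key in cfg:
                findings.append(key + ": must not be set for a built-in level")
    return findings

# Constructed sample with two deliberate mistakes.
SAMPLE = {
    "sua.enable": "true",
    "sua.authLevel.enable": "identified,authenticated,otp",
    "sua.authLevel.otp.strength": "5",             # collides with authenticated
    "sua.authLevel.otp.authLevelVerifier": "com.example.OtpVerifier",
    "sua.authLevel.identified.required": "false",  # forbidden on built-in level
}
```

Calling validate_sua(SAMPLE) reports the duplicate strength and the forbidden required flag; raising the otp strength above 5 and removing the flag clears both findings.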