
Portal, V6.1


 

i5/OS - Step-up authentication properties

The step-up authentication mechanism can be configured using the console in WAS.

The table given below contains all properties that apply to the appropriate portal configuration service, namely WP StepUpConfigService.

You can access the properties from the Welcome page of the WAS administrative console by clicking Resources > Resource Environment Providers > WP StepUpConfigService > Custom properties.

Any property change requires a restart of the portal server to take effect.

sua.enable

Enable and disable the step-up authentication mechanism.

Default: false

Type: java.lang.Boolean

sua.authLevel.enable

Use this property to provide a comma-separated list of authentication level names. The authentication levels given in this list will be considered in the portal installation for step-up authentication enforcement.

Please note the following:

  1. If step-up authentication is enabled, at least the authentication level name authenticated has to be specified.

  2. If you would like to use the Remember me cookie mechanism as a distinct authentication level, make sure that it is enabled and add the authentication level name identified to this property.

Default: authenticated

Type: java.lang.String

sua.authLevel.<auth_level_name>.strength

Specify the authentication level strength of the authentication level with the name <auth_level_name>. The value is a non-negative integer that expresses the implied strength of a particular authentication method. The step-up authentication framework considers one authentication method to be stronger than another if it has been assigned a higher value.

Note that the value 0 is reserved by the step-up authentication engine, so values less than one must not be assigned. While it is possible to leave gaps in the sequence of authentication level strengths, it is not possible to assign the same authentication level strength to multiple authentication level names. Additionally, the authentication level identified must always have a lower strength than authenticated.

Default: sua.authLevel.identified.strength = 1, sua.authLevel.authenticated.strength = 5

Type: java.lang.Integer

sua.authLevel.<auth_level_name>.required

Whether the authentication level with the name <auth_level_name> is optional or required. When a user accesses a resource that has an optional authentication level as the authentication level requirement, this resource may be accessed if the first required authentication level above it can be verified successfully. Moreover, when an authentication level is flagged as required, it can only be verified successfully if all required authentication levels below it can be verified successfully.

Note that this property must not be set for the authentication level identified or authenticated.

Default: true

Type: java.lang.Boolean

sua.authLevel.<auth_level_name>.authLevelVerifier

Fully qualified name of the class that implements the SPI com.ibm.portal.auth.sua.spi.AuthLevelVerifier and verifies whether the authentication level with the name <auth_level_name> is valid for a request.

This property must not be set for the authentication level identified or authenticated.

Default: -

Type: java.lang.String

sua.authLevel.<auth_level_name>.stepUpAuthHandler

Fully qualified name of the class that implements the SPI com.ibm.portal.auth.sua.spi.StepUpAuthHandler and establishes the authentication level with the name <auth_level_name>.

This property must not be set for the authentication level identified or authenticated.

Default: -

Type: java.lang.String

sua.authLevel.<auth_level_name>.postRedirectionTargetProtected

A certain authentication level is established by a step-up authentication handler by redirecting the user to another page, e.g. a portal page with a login form that takes a username and password. After the authentication level has been established successfully, the step-up authentication framework will redirect the user to the resource requested prior to the authentication level enforcement. This property specifies whether the redirection to the originally requested resource should point to the public or the protected portal area since the implementation of the authentication level may move the user from an unauthenticated to an authenticated state.

This property must not be set for the authentication level identified or authenticated.

Default: false

Type: java.lang.Boolean

Example: true

sua.authLevel.<auth_level_name>.property.<property_name>

Specify further properties that will be available to your authentication level verifier and your step-up authentication level handler. The properties received by these implementations in their init method have the name <property_name>; the prefix sua.authLevel.<auth_level_name>.property. is omitted.

Default: -

Type: java.lang.String
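The constraints stated in the property descriptions above can be checked before the portal server is restarted. The following lint is an added example, not IBM code: the function name, the custom level names otp and pki, and the idea of passing the custom properties in as a dictionary are assumptions, as is treating a custom level without an explicit strength as an error.

```python
BUILTIN = ("identified", "authenticated")
DEFAULT_STRENGTH = {"identified": 1, "authenticated": 5}  # defaults from the page
# Per-level properties the page says must not be set for the built-in levels.
FORBIDDEN_ON_BUILTIN = ("required", "authLevelVerifier", "stepUpAuthHandler",
                        "postRedirectionTargetProtected")

def lint_stepup_config(props):
    """Return findings for a dict of WP StepUpConfigService custom properties."""
    findings = []
    if props.get("sua.enable", "false").strip().lower() != "true":
        return findings  # mechanism disabled (the default): nothing to enforce
    enabled = props.get("sua.authLevel.enable", "authenticated")
    levels = [n.strip() for n in enabled.split(",") if n.strip()]
    if "authenticated" not in levels:
        findings.append("sua.authLevel.enable must list 'authenticated'")
    strengths = {}
    for name in levels:
        raw = props.get(f"sua.authLevel.{name}.strength", "").strip()
        if not raw and name in DEFAULT_STRENGTH:
            strengths[name] = DEFAULT_STRENGTH[name]
        elif not raw.isdecimal():  # assumption: custom levels need a strength
            findings.append(f"{name}: strength missing or not a non-negative integer")
        elif int(raw) < 1:
            findings.append(f"{name}: strength 0 is reserved")
        else:
            strengths[name] = int(raw)
    seen = {}
    for name, value in strengths.items():
        if value in seen:
            findings.append(f"{name}: strength {value} already used by {seen[value]}")
        seen.setdefault(value, name)
    if strengths.get("identified", 0) >= strengths.get("authenticated", float("inf")):
        findings.append("identified must be weaker than authenticated")
    for name in BUILTIN:
        for suffix in FORBIDDEN_ON_BUILTIN:
            if f"sua.authLevel.{name}.{suffix}" in props:
                findings.append(f"{name}: {suffix} must not be set")
    return findings

# Constructed sample; 'otp' and 'pki' are hypothetical custom level names.
SAMPLE = {
    "sua.enable": "true",
    "sua.authLevel.enable": "identified,authenticated,otp,pki",
    "sua.authLevel.otp.strength": "5",    # collides with authenticated's default
    "sua.authLevel.pki.strength": "0",    # reserved value
    "sua.authLevel.authenticated.required": "false",  # not allowed on built-ins
}
if __name__ == "__main__":
    print("\n".join(lint_stepup_config(SAMPLE)))
```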

 
