Access Management Authentication Class for Static Token Login

By: BAndries

December 5, 2007 7:32 am

NEW: Support for Novell Access Manager 3.1

Introduction

Here's how the static token-based authentication method works:

a) The authentication method asks the user for a user name and password.
b) The credentials are checked against the user store.
c) If the credentials are valid, the user is prompted to enter one specific token. The values of the tokens are stored in attributes of the user object in the user store.
d) If the token the user entered matches the corresponding token in the user store, authentication is successful.

The tokens can be handed out to the users by mail or on a card.

Figure 1 – Static token-based authentication process

Installation

1. Get the BA Authentication modules here:
http://www.novell.com/coolsolutions/tools/20017.html

2. Go to the Identity server.

3. Copy ba-idp-auth.jar to /var/opt/novell/tomcat4/webapps/nidp/WEB-INF/lib

4. Copy the JSPs to /var/opt/novell/tomcat4/webapps/nidp/jsp

Configuration

You’ll need to create a new Authentication Class.

1. For the Java class, choose Other.

2. For the Java class path, type: com.novell.ba.idpauth.TokenLogin

3. For the properties, refer to the table and the examples below.

4. Create Authentication Methods and Contracts as described in http://www.novell.com/documentation/novellaccessmanager/adminguide/data/b1tvhkg.html

Figure 2 – Token Login, General tab

Figure 3 – Token Login, Properties tab

| Property Name | Default Value | Description |
| --- | --- | --- |
| numberTokens | MUST EXIST | The number of tokens stored in the user store. Example: 24 |
| nameTokens | MUST EXIST | The prefix for the names of the attributes where the tokens are stored. Example: LoginToken. With numberTokens set to 24, this results in 24 attributes, "LoginToken1" to "LoginToken24". |
| useEncryption | n/a | If this property is present and not null, encryption is enabled. The entered value is hashed with SHA and then converted to a base64 string; the result is compared with the value in eDirectory. Example: on |
| debug | n/a | If this property is present and not null, debug is enabled. Example: on |
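To make the properties concrete, here is an added example that re-implements the phase-2 token check the table describes in Python. It is not the code of the TokenLogin class or of the BA Authentication modules; it assumes the user object can be modelled as a dictionary of attribute name to list of values, that "SHA" means SHA-1 (the algorithm Java's MessageDigest returns for the name "SHA"), that the token to prompt for is picked at random (the article only says "a specific token"), and that "Missing or Duplicate Token" covers both an absent attribute and a multi-valued one. Attribute names are built from nameTokens and the index, sample tokens are constructed, and the outcome strings are the ones the debug log prints.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List

# Hypothetical re-implementation of the token check, not the TokenLogin class.
NAME_TOKENS = "LoginToken"   # nameTokens property
NUMBER_TOKENS = 24           # numberTokens property


def token_attribute_name(name_tokens: str, index: int) -> str:
    """nameTokens + index, e.g. LoginToken1 .. LoginToken24."""
    return f"{name_tokens}{index}"


def encode_token(token: str) -> str:
    """What useEncryption stores: SHA digest of the value, base64-encoded.
    Assumption: "SHA" means SHA-1, which is what Java's MessageDigest
    returns for the algorithm name "SHA"."""
    digest = hashlib.sha1(token.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_user_store(tokens: List[str], use_encryption: bool,
                     name_tokens: str = NAME_TOKENS) -> Dict[str, List[str]]:
    """Constructed user object holding one attribute per token.
    eDirectory attributes can be multi-valued, hence list values."""
    store: Dict[str, List[str]] = {}
    for i, token in enumerate(tokens, start=1):
        value = encode_token(token) if use_encryption else token
        store[token_attribute_name(name_tokens, i)] = [value]
    return store


def choose_token_index(number_tokens: int = NUMBER_TOKENS) -> int:
    """Assumption: the token to prompt for is chosen unpredictably, so a
    card cannot simply be read off in order."""
    return secrets.randbelow(number_tokens) + 1


def verify_token(store: Dict[str, List[str]], index: int, entered: str,
                 use_encryption: bool, name_tokens: str = NAME_TOKENS,
                 number_tokens: int = NUMBER_TOKENS) -> str:
    """Phase-2 decision, returning the outcome strings the debug log uses."""
    if not 1 <= index <= number_tokens:
        return "Missing or Duplicate Token"
    values = store.get(token_attribute_name(name_tokens, index), [])
    # Assumption: "Missing or Duplicate" covers an absent attribute and a
    # multi-valued one, since neither yields exactly one value to compare.
    if len(values) != 1:
        return "Missing or Duplicate Token"
    candidate = encode_token(entered) if use_encryption else entered
    # Constant-time comparison so response time does not reveal how much
    # of the token matched.
    if hmac.compare_digest(candidate.encode("utf-8"), values[0].encode("utf-8")):
        return "Authentication Success"
    return "Token Failed"


if __name__ == "__main__":
    sample_tokens = [f"T{i:02d}X" for i in range(1, NUMBER_TOKENS + 1)]  # constructed
    user = build_user_store(sample_tokens, use_encryption=True)
    idx = choose_token_index()
    print(f"Token {idx}:", verify_token(user, idx, sample_tokens[idx - 1], True))
    print(f"Token {idx}:", verify_token(user, idx, "wrong", True))
```

With useEncryption on, only the base64 SHA value is kept in the directory, so the stored attribute by itself does not reveal the token; without it, the attribute holds the token in clear text and anyone with read access to those attributes can pass step d).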

Troubleshooting

I won’t go into much detail on troubleshooting here. There’s only one important thing you need to know: if you enabled debug in the Properties tab, you need to use the following command in bash:

tail -f /var/opt/novell/tomcat4/logs/catalina.out | grep BADEBUG

If you don't find any BADEBUG entries, check that the jar is present on the server and that the authentication method has been set up correctly. If you do see these entries, they will tell you what is going wrong:

No token attributes are found in the user object:

BADEBUG - method doPhase1 called
BADEBUG - Handled Status
BADEBUG - method doPhase2 called
BADEBUG - Missing or Duplicate Token

User entered wrong token:

BADEBUG - method doPhase1 called
BADEBUG - Handled Status
BADEBUG - method doPhase2 called
BADEBUG - compare: 2222222222 AND F543TR
BADEBUG - Token Failed

Authentication successful:

BADEBUG - method doPhase1 called
BADEBUG - Handled Status
BADEBUG - method doPhase2 called
BADEBUG - compare: F543TR AND F543TR
BADEBUG - Authentication Success
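The three sequences above are easy to eyeball one at a time but tedious on a busy catalina.out, so here is an added example, not part of the original article, that applies the same `grep BADEBUG` filter in Python, pairs each "method doPhase1 called" with the outcome that follows it, and counts outcomes. Note that the compare line prints both the value the user typed and the token stored for that user, so a debug log is sensitive: the example also redacts those values before the lines are copied anywhere, and debug should be switched off again once troubleshooting is done. The log excerpt is constructed for the example from the sequences shown in the article, with some ordinary Tomcat lines mixed in; it is not a real capture.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed catalina.out excerpt (not a real capture): the three BADEBUG
# sequences from the article, interleaved with ordinary Tomcat output.
SAMPLE_LOG = """\
INFO: Server startup in 4312 ms
BADEBUG - method doPhase1 called
BADEBUG - Handled Status
BADEBUG - method doPhase2 called
BADEBUG - Missing or Duplicate Token
INFO: some unrelated message
BADEBUG - method doPhase1 called
BADEBUG - Handled Status
BADEBUG - method doPhase2 called
BADEBUG - compare: 2222222222 AND F543TR
BADEBUG - Token Failed
BADEBUG - method doPhase1 called
BADEBUG - Handled Status
BADEBUG - method doPhase2 called
BADEBUG - compare: F543TR AND F543TR
BADEBUG - Authentication Success
"""

PREFIX = "BADEBUG - "
OUTCOMES = ("Missing or Duplicate Token", "Token Failed", "Authentication Success")
# Both operands of the compare line are token values and must not be shared.
COMPARE_RE = re.compile(r"(BADEBUG - compare: )\S+ AND \S+")


def badebug_lines(lines: Iterable[str]) -> List[str]:
    """Same selection as `grep BADEBUG`."""
    return [line.rstrip("\n") for line in lines if PREFIX in line]


def redact_compare(line: str) -> str:
    """Blank out the entered and stored token on a compare line."""
    return COMPARE_RE.sub(r"\1[entered] AND [stored]", line)


def classify_attempts(lines: Iterable[str]) -> List[str]:
    """One outcome per doPhase1 .. outcome sequence, in log order."""
    outcomes: List[str] = []
    in_attempt = False
    for line in badebug_lines(lines):
        message = line.split(PREFIX, 1)[1]
        if message == "method doPhase1 called":
            in_attempt = True
        elif in_attempt and message in OUTCOMES:
            outcomes.append(message)
            in_attempt = False
    return outcomes


def diagnose(text: str) -> Dict[str, int]:
    """Counts per outcome; an empty result is the article's first check
    (no BADEBUG entries at all: jar missing or method not configured)."""
    return dict(Counter(classify_attempts(text.splitlines())))


if __name__ == "__main__":
    counts = diagnose(SAMPLE_LOG)
    if not counts:
        print("No BADEBUG entries: check that ba-idp-auth.jar is deployed "
              "and that the authentication method is set up correctly.")
    for outcome, n in counts.items():
        print(f"{n:3d}  {outcome}")
    # Safe-to-share version of the filtered log.
    for line in badebug_lines(SAMPLE_LOG.splitlines()):
        print(redact_compare(line))
```

To run it against a live server, replace SAMPLE_LOG with the contents of /var/opt/novell/tomcat4/logs/catalina.out; a steady stream of "Token Failed" for one user is worth a look, since with a fixed set of 24 printed tokens every failed guess is a guess against the same small set.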