When you assign multiple Identity Servers to the same configuration, you need to install a load balancer that supports either Layer 4 or Layer 7. This device is referred to as an L4 switch here. The L4 switch allows the work load to be balanced among the machines.
Whether you have one machine or multiple machines in a cluster, the Access Manager software configuration process is the same. This section describes the following cluster management tasks:
Identity Server functions as an identity provider. You can configure it to run as an identity consumer (also known as a service provider) by using federation protocols.
In an Identity Server configuration, you specify the following information:
The DNS name for Identity Server or clustered server site.
Certificates for Identity Server.
Organizational and contact information for the server that is published in the metadata of Liberty and SAML protocols.
LDAP directories (user stores) to authenticate users, and trusted root for secure communication between Identity Server and a user store.
Perform the following steps to create an Identity Server cluster:
Click Devices > Identity Servers .
Under the Servers tab, select Identity Server, and then click New Cluster.
Selecting the server is one way to assign it to the cluster configuration.
Specify a name for the cluster configuration.
If you did not select the server in the previous step, you can now select required servers.
For more information about assigning servers to a configuration, see Assigning an Identity Server to a Cluster Configuration.
Click OK.
Specify the following details:
|
Field |
Description |
|---|---|
|
Name |
Specify a name for the cluster. This field is populated with the name you provided in the New Cluster dialog box. You can change this name here, if necessary. IMPORTANT:Carefully determine your settings for the base URL, protocol, and domain. After you have configured trust relationships between providers, changing these settings invalidates the trust model and requires a reimport of the provider’s metadata. Modifying the base URL also invalidates the trust between the Embedded Service Provider of Access Manager devices. To re-establish the trust after modifying the base URL, you must restart the Embedded Service Provider on each device. |
|
Base URL |
Specify the application path for Identity Server. Identity Server protocols rely on this base URL to generate URL endpoints for each protocol.
|
|
SSL Certificate |
Displays the currently assigned SSL certificate. Identity Server comes with a test-connector certificate that you must replace to use SSL in your production environment. You can replace the test certificate now or after you configure Identity Server. You must restart Tomcat whenever you assign an Identity Server to a configuration and whenever you update a certificate key store. See Managing the Keys, Certificates, and Trust Stores. For information about how to replace the test-connector certificate, see Section 19.0, Enabling SSL Communication. |
To configure session limits, specify the following details:
|
Field |
Description |
|---|---|
|
LDAP Access |
Specify the maximum number of LDAP connections Identity Server can create to access the configuration store. You can adjust this value for system performance. |
|
Default Timeout |
Specify the session timeout you want assigned as a default value when you create a contract. This value is also assigned to a session when Identity Server cannot associate a contract with the authenticated session. During federation, if the authentication request uses a type rather than a contract, Identity Server cannot always associate a contract with the request. |
|
Limit User Sessions |
Specify whether user sessions are limited. If selected, you can specify the maximum number of concurrent sessions a user is allowed to authenticate. To limit user sessions, you must also consider the session timeout value (the default is 60 minutes). If the user closes the browser without logging out (or an error causes the browser to close), the session is not cleared until the session timeout expires. If the user session limit is reached and those sessions have not been cleared with a logout, the user cannot log in again until the session timeout expires for one of the sessions. When you enable this option, it affects performance in a cluster with multiple Identity Servers. When a user is limited to a specific number of sessions, Identity Servers must check with the other servers before establishing a new session. |
|
Deleting Previous User Sessions |
You can configure Identity Server to delete the previous user sessions if the number of open sessions reaches the maximum limit of allowed sessions that you have specified in Limit User Sessions. Set the DELETE OLD SESSIONS OF USER option to true and restart Identity Server. For information about how to configure this option, see Configuring Identity Server Global Options. Previous sessions are cleared across Identity Server clusters only when a fresh authentication request comes in. When Identity Server deletes previous user sessions, it sends a logout request to the service provider through the SOAP back channel. For example, a user is accessing a protected resource from a machine and wants to access the same protected resource from another device. Identity Server will not give access to the user if the Limit User Sessions has reached a maximum limit. Identity Server must terminate the old session of the user so that the user can access the new session seamlessly. |
|
Allow multiple browser session logout |
Specify whether a user with more than one session to the server is presented with an option to log out of all sessions. If you do not select this option, only the current session can be logged out. Deselect this option in instances where multiple users log in as guests. Then, when one user logs out, none of the other guests are logged out. When you enable this option, you must also restart any Embedded Service Providers that use this Identity Server configuration. |
To configure TCP timeouts, specify the following details:
|
Field |
Description |
|---|---|
|
LDAP |
Specify the duration (in seconds) that an LDAP request to the user store can take before timing out. |
|
Proxy |
Specify the duration (in seconds) that a request to another cluster member can take before timing out. When a member of a cluster receives a request from a user who has authenticated with another cluster member, the member sends a request to the authenticating member for information about the user. |
|
Request |
Specify the duration (in seconds) that an HTTP request to an application can take before timing out. |
Select the required protocols.
IMPORTANT:Enable only the required protocols.
If you are using Access Gateway, you must select the Liberty protocol. Else, the trusted relationship of Access Gateway and Embedded Service Provider with Identity Server is disabled, and authentication fails.
Liberty: Uses a structured version of SAML to exchange authentication and data between trusted identity providers and service providers and provides the framework for user federation.
SAML 1.1: Uses XML for exchanging authentication and data between trusted identity providers and service providers.
SAML 2.0: Uses XML for exchanging encrypted authentication and data between trusted identity providers and service providers and provides the framework for user federation.
WS Federation: Allows disparate security mechanisms to exchange information about identities, attributes, and authentication.
WS-Trust: Allows secure communication and integration between services by using security tokens.
OAuth & OpenID Connect: Allows Identity Server to act as an authorization server to issue access token to a client application based on user’s grant.
Click Next.
Specify the following details:
Name: The name of the organization.
Display Name: The display name for the organization.
URL: The organization’s URL for contact purposes.
Company, First Name, Last Name, Email, Telephone, and Contact Type are optional fields.
IMPORTANT:The information you specify on this page is published in the metadata for Liberty 1.2 and SAML protocols. The metadata is traded with federation partners and supplies various information regarding contact and organization information located at Identity Server.
Click Next to configure the user store.
You must reference your own user store and auto-import the SSL certificate. See Section 4.1.1, Configuring Identity User Stores for information about this procedure.
After you configure the user store, the system displays the new configuration on the Servers page.
The status icons for the configuration and Identity Server must turn green. It might take several seconds for Identity Server to start and for the system to display a green icon. If it does not, it is likely that Identity Server is not communicating with the user store you set up. Ensure that you have entered the user store information correctly, and that you imported the SSL certificate to the user store. (Edit > Local > [User Store Name].)
After you create a configuration, you must assign an Identity Server to it. For clustering, you can assign more than one Identity Server to the configuration (see Configuring a Cluster with Multiple Identity Servers for the steps to set up a cluster). A configuration uses any shared settings you have specified, such as attribute sets, user matching expressions, and custom attributes that are defined for the server.
Click Devices > Identity Servers.
On the Servers page, select the server’s check box.
You can select all displayed servers by selecting the top-level Server check box.
Click Actions > Assign to Cluster.
Select the configuration’s check box, then click Assign.
You are prompted to restart Tomcat. The status icon for Identity Server must turn green. It might take several seconds for Identity Server to start and for the system to display the green icon.
To add capacity and to enable system failover, you can cluster a group of Identity Servers and configure them in a cluster configuration to act as a single server. You can also configure the cluster to support session failover, so that users do not need to re-authenticate when an Identity Server goes down.
A cluster of Identity Servers must reside behind an L4 switch. Clients access the virtual IP (VIP) address of the cluster presented on the L4 switch, and the L4 switch alleviates server load by balancing traffic across the cluster. Whenever a user accesses the virtual IP address assigned to the L4 switch, the system routes the user to one of Identity Servers in the cluster, as traffic necessitates.
To set up a cluster, complete the following tasks:
Install an L4 switch. You can use the same switch for Identity Server clustering and Access Gateway clustering, provided that you use different virtual IPs. The LB algorithm can be anything (hash/sticky bit), defined at the Real server level. For configuration tips, see Section 11.2, Configuration Tips for the L4 Switch.
Enable persistence (sticky) sessions on the L4 switch. You can define this at the virtual server level.
Create an Identity Server configuration for the cluster and assign all Identity Servers to this configuration.
See Creating a Cluster Configuration for information about creating an Identity Server configuration.
See Assigning an Identity Server to a Cluster Configuration for information about assigning identity servers to configurations.
Ensure that the DNS name of the base URL for the cluster configuration resolves via DNS to the IP address of the L4 virtual IP address. The L4 switch balances the load between Identity Servers in the cluster.
Ensure that the L4 administration server using port 8080 has the following TCP ports open:
8443 (secure Administration Console)
7801 (for back-channel communication with cluster members).
636 (for secure LDAP)
389 (for clear LDAP)
524 (network control protocol on the L4 switch for server communication)
The identity provider ports must also be open:
8080 (non-secure login)
8443 (secure login)
1443 (server communication)
If you are using introductions (see Section 2.7.2, Configuring General Provider Settings), you must configure the L4 switch to load balance on ports 8445 (identity provider) and 8446 (identity consumer).
Enable session failover so users do not need to re-authenticate when an Identity Server goes down. See Configuring Session Failover.
Modify the name of the cluster or edit communication details. See Editing Cluster Details.
When you set up an Identity Server cluster and add more than one Identity Server to the cluster, you have set up fault tolerance. This ensures that if one of Identity Servers goes down, users still have access to your site because the other Identity Server can be used for authentication. However, it does not provide session failover. If a user has authenticated to the failed Identity Server, the user is prompted to authenticate and the session information is lost.
When you enable session failover and an Identity Server goes down, the user’s session information is preserved. Another peer server in the cluster re-creates the authoritative session information in the background. The user is not required to log in again and experiences no interruption of services.
An Identity Server cluster with two or more Identity Servers.
Sufficient memory on Identity Servers to store additional authentication information. When an Identity Server is selected to be a failover peer, Identity Server stores about 1 KB of session information for each user authenticated on the other machine.
Sufficient network bandwidth for the increased login traffic. Identity Server sends the session information to all Identity Servers that have been selected to be its failover peers.
All trusted Embedded Services Providers need to be configured to send the attributes used in Form Fill and Identity Injection policies at authentication. If you use any attributes other than the standard credential attributes in your contracts, you also need to send these attributes. To configure the attributes to send, click Devices > Identity Servers > Edit > Liberty > [Name of Service Provider] > Attributes.
Click Devices > Identity Servers.
Click the name of an Identity Server cluster.
Click the IDP Failover Peer Server Count, then select the number of failover peers for each Identity Server.
To disable this feature, select 0.
To enable this feature, select one or two less than the number of servers in your cluster. For example, if you have four servers in your clusters and you want to allow for one server being down for maintenance, select 3 (4-1=3). If you want to allow for the possibility of two servers being down, select 2 (4-2=2).
If you have eight or more servers in your cluster, the formula 8-2=6 gives each server 6 peers. This is probably more peers than you need for session failover. In a larger cluster, you must limit the number of peers to 2 or 3. If you select too many peers, your machines might require more memory to hold the session data and slow down your network with the additional traffic for the session information.
Click OK.
The failover peers for Identity Server are selected according to their proximity. Access Manager sorts the members of the cluster by their IP addresses and ranks them according to how close their IP addresses are to the server who needs to be assigned as failover peers. It selects the closest peers for the assignment. For example, if a cluster member exists on the same subnet, that member is selected to be a failover peer before a peer that exists on a different subnet.
Click Devices > Identity Servers.
Click the name of the cluster configuration.
The Cluster Details page contains the following tabs:
Details: To modify the cluster name or its settings, click Edit, then continue with Step 3.
Health: Click to view the health of the cluster.
Alerts: Click to view the alerts generated by members of the cluster.
Statistics: Click to view the statistics of the cluster members.
Modify the following details as required:
|
Field |
Description |
|---|---|
|
Cluster Communication Backchannel |
Specify a communications channel over which the cluster members maintain the integrity of the cluster. For example, this TCP channel is used to detect new cluster members as they join the cluster, and to detect members that leave the cluster. A small percentage of this TCP traffic is used to help cluster members determine which cluster member can handle a request more efficiently. This back channel must not be confused with the IP address/port over which cluster members provide proxy requests to peer cluster members.
|
|
Level Four Switch Port Translation |
Configure the L4 switch to translate the port of the incoming request to a new port when the request is sent to a cluster member. Because the cluster members communicate with each other over the same IP address/port as the L4 switch, the cluster implementation needs to know what that port is. The translated port is the port on the cluster members where other cluster members can contact it. This is the IP address and port where cluster members provide proxy requests to other cluster members.
|
|
IDP Failover Peer Server Count |
For configuration information, see Configuring Session Failover. |
Click OK and then update Identity Server when prompted.
Removing an Identity Server from a configuration disassociates Identity Server from the cluster configuration. The configuration, however, remains intact and can be reassigned later or assigned to another server.
Click Devices > Identity Servers.
Select the server, then click Stop. Wait for the Health indicator to turn red.
Select the server and then choose Actions > Remove from Cluster.
For information about deleting an Identity Server, see Section 2.2.3, Managing a Cluster of Identity Servers.
IMPORTANT:When the cluster contains only two Identity Servers, introduce a new Identity Server to the cluster before removing the other Identity Server.
You must enable a protocol and configure it before users can use the protocol for authentication. For security purposes, you must enable only the required protocols that you will use for authentication.
After disabling a protocol, update the Identity Server configuration, and stop and start Identity Server.
Click Devices > Identity Servers > Edit.
In the Enabled Protocols section, select the required protocols to enable.
To disable a protocol, deselect it.
Click OK.
(Conditional) If you have enabled a protocol, update Identity Server.
(Conditional) If you have disabled a protocol, stop and start Identity Server.
Select Identity Server and click Stop.
When the health turns red, select Identity Server, and click Start.
Repeat the process for each Identity Server in the cluster.
When you configure an Identity Server, you must carefully determine your settings for the base URL, protocol, and domain. Changing the base URL invalidates the trust model and requires a re-import of the provider’s metadata, and a restart of the affected Embedded Service Providers. It also changes the ID of the provider and the URLs that others use for access.
When you change the base URL of Identity Server, you invalidate the following trusted relationships:
The trusted relationships that Identity Server has established with each Access Manager device that has been configured to use Identity Server for authentication
The trusted relationship that each Access Manager device has established with Identity Server when Identity Server configuration was selected.
The trusted relationships that Identity Server has established with other service providers.
The sessions of any logged-in users are destroyed and no user can log in and access protected resources until the trust relationships are reestablished.
Perform the following steps to modify the base URL and reestablish trust relationships:
Click Devices > Identity Servers > Edit.
Change the protocol, domain, port, and application settings, as necessary.
Click OK.
On the Identity Servers page, click Update.
This re-creates the trusted Identity Server configuration to use the new base URL and metadata.
Restart Tomcat on each Identity Server in the configuration:
Linux Identity Server: Specify one of the following commands:
/etc/init.d/novell-idp restart
rcnovell-idp restart
Windows Identity Server: Specify the following commands:
net stop Tomcat8 net start Tomcat8
For each Access Manager device configured to trust the configuration of this modified base URL, you must update the device so that the Embedded Service Provider trusts the new Identity Server configuration:
Click Access Gateways, then click Update for any servers with a Status of Update.
For each service provider you have configured to trust the configuration of this modified base URL, you must send them the new metadata and have them re-import it.
For information about setting up SSL and changing an Identity Server from HTTP to HTTPS, see Section 19.0, Enabling SSL Communication.
Global options are applicable for all Identity Servers in a cluster.
NOTE:Access Manager 4.2 onwards, configuring the following options through files is deprecated. You must configure these option by using Administration Console.
Perform the following steps to configure Identity Server global options:
Click Devices > Identity Servers > Edit > Options.
Click New.
Set the following properties based on your requirement:
|
Property |
Value |
|---|---|
|
ALLOW AUTH POLICY EXECUTION |
Select false to disable Identity Server to execute authorization policies. The default value is true. For example, see Executing Authorization Based Roles Policy During SAML 2.0 Service Provider Initiated Request. |
|
ALLOW GRACE LOGIN FOR EXPIRING PASSWORD (Access Manager 4.5 Service Pack 4 and later) |
When the value is set to true, users get grace logins when their password is about to expire. By default, the property is set to true on all Identity Server clusters. Select false if you do not want users to get a grace login for an expiring password. In case of Active Directory, this option works when the pwdlastset attribute has a zero value (pwdlastset=0) in the user store. This means users must change their password at the next login. If you set this option to false, the user will not be redirected to Password Management Servlet (if configured). |
|
CLUSTER COOKIE DOMAIN |
Set this property to change the Domain attribute of the Identity Server cluster cookie. For example, see Configuring X.509 Authentication to Display the Access Manager Error Message. |
|
CLUSTER COOKIE PATH |
Set this property to change the Path attribute of the Identity Server cluster cookie. The default value is /nidp. For example, see Configuring X.509 Authentication to Display the Access Manager Error Message. |
|
DECODE RELAY STATE PARAM |
Select true to enable the relay state URL decoding. The default value is false. |
|
DELETE OLD SESSIONS OF USER |
Select true to enable Identity Server to delete the previous user sessions if the number of open sessions reaches the maximum limit of allowed sessions that you have specified in Limit User Sessions. The default value is false. |
|
HTTP ONLY CLUSTER COOKIE |
Select false to disable the HTTPOnly flags for Identity Server cluster cookies. The default value is true. For example, see Section 32.3.11, Enabling Secure or HTTPOnly Flags for Cluster Cookies. |
|
HTTP POPULATE LOGINNAME FROM SAML AUTH REQUEST (This option is available in Access Manager 4.5 Service Pack 1 or later versions) |
Select true to auto-populate the email ID on the Identity Server login page for a SAML 2.0 authentication. The default value is false. For more information about this option, see Auto-Populating the Username on the Identity Server Login Page. |
|
HTTP POPULATE PARSED LOGINNAME FROM SAML AUTH REQUEST (This option is available in Access Manager 4.5 Service Pack 1 or later versions) |
Select true to auto-populate the username instead of the entire email ID on the Identity Server login page for a SAML 2.0 authentication. For example, to populate steve.smith instead of steve.smith@example.com. The default value is false. For more information about this option, see Auto-Populating the Username on the Identity Server Login Page. |
|
HTTP POPULATE LOGINNAME FROM WSFED AUTH REQUEST (This option is available in Access Manager 4.5 Service Pack 1 or later versions) |
Select true to auto-populate the email ID on the Identity Server login page for a WS-Fed authentication request. The default value is false. |
|
HTTP POPULATE PARSED LOGINNAME FROM WSFED AUTH REQUEST (This option is available in Access Manager 4.5 Service Pack 1 or later versions) |
Select true to auto-populate the username instead of the entire email ID on the Identity Server login page for a WS-Fed authentication. For example, to populate steve.smith instead of steve.smith@example.com. The default value is false. |
|
IS SAML2 POST INFLATE |
Select true to enable Identity Server to receive deflated SAML 2.0 POST messages from its trusted providers. The default value is false. You can configure post binding to be sent as a compressed option by configuring this property. For example, see the note in Step 4. |
|
IS SAML2 POST SIGN RESPONSE |
Select true to enable the identity provider to sign the entire SAML 2.0 response for all service providers. |
|
LOGIN CSRF CHECK |
Select true to enable Cross-Site Request Forgery (CSRF) check for the Password Class and TOTP Class. This is applicable for Access Manager default pages. If you have modified any page, you must add the CSRF token to the page. To add the CSRF token, add the following: JAVA: <%
String sid = request.getParameter("sid")!=null ? request.getParameter(NIDPConstants.SID) : (String)request.getAttribute(NIDPConstants.SID);
NIDPSessionData sData = NIDPContext.getNIDPContext().getSession(request).getSessionData(sid);
boolean csrfCheckRequired = NIDPEdirConfigUtil.isConfigured(NIDPConfigKeys.LOGIN_CSRF_CHECK.name()) ? NIDPEdirConfigUtil.getValueAsBoolean(NIDPConfigKeys.LOGIN_CSRF_CHECK.name()) : false;
%>
HTML: <% if (csrfCheckRequired) { %>
<input type="hidden" name="AntiCSRFToken" value=" <%=sData.getAntiCSRFToken()%>">
<% } %> |
|
OAUTH TOKENS IN BINARY FORMAT |
Select true to send tokens in the binary format. By default, the value is set to false and tokens are sent in the JWT format. It is recommended to not use this property unless you have an existing client application that cannot manage a token larger than the existing binary token. NOTE:: When the value is set to true, few features, such as token encryption using resource server keys and token revocation, will not be available. |
|
RENAME SESSION ID |
Select false to prevent changing the session ID automatically. The default value is true. |
|
SAML1X ATTRIBUTE MATCH BY NAME |
Select true to perform a strict check on the name space of the attributes received in assertion. For example, see Section 32.3.24, SAML 1.1 Service Provider Re-requests for Authentication. |
|
SAML2 ATTRIBUTE CONSUMING INDEX |
This option can be used to identify globally the value of AttributeConsumingServiceIndex of SAML 2 authentication requests. If SAML2 ATTRIBUTE CONSUMING INDEX is not configured in SAML 2.0 options, then Access Manager considers the SAML2 ATTRIBUTE CONSUMING INDEX configuration in Identity Server global options. If you require to assign the property values for multiple entries, you can use comma (,) as separator. You can provide the value in the format specified in the following example: For protected resource URL: https://www.example.com:446/test/Test/test.php->2 In this example, the value 2 is assigned to AttributeConsumingServiceIndex of SAML 2 authentication request coming from the mentioned protected resource. For default value: default->10 If the SAML 2 authentication request comes from the protected resource that is not configured, then the default value, 10 gets assigned to AttributeConsumingServiceIndex. For multiple protected resource URLs: https://www.example.com:446/test/Test/test.php->2,https://www.example.com:446/test/Test/view.php->3 |
|
SECURE CLUSTER COOKIE |
Select false to disable the secure flags for cluster cookies. The default value is true. For example, see Section 32.3.11, Enabling Secure or HTTPOnly Flags for Cluster Cookies. |
|
STS CHANGE ISSUER |
Specify the value in this format: SPentityID:UPNDomain -> new IssuerID. For example, urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/ In case of multiple children domains, add each parent domain and child domain separated by a comma. For example, if namnetiq.in is the parent domain and support.namnetiq.in and engineering.namnetiq.in are children domains, specify the following entries: urn:federation:MicrosoftOnline:namnetiq.in -> https://namnetiq.in/nidp/wsfed/, urn:federation:MicrosoftOnline:support.namnetiq.in -> https://namnetiq.in/nidp/wsfed/, urn:federation:MicrosoftOnline:engineering.namnetiq.in -> https://namnetiq.com/nidp/wsfed/ For example, see Configuring Federation for Multiple Domains. |
|
STS OFFICE365 MULTI DOMAIN SUPPORT AUTO |
Select true to enable users to access Office 365 services by using the Issuer URI specific to the domain they belong to. The default value is false. For example, see Creating Multiple Domains in Office 365 and Establishing Federation with Access Manager. |
|
WSF SERVICES LIST |
Select full to enable users to access the Services page. Select 404 to return an HTTP 404 status code: Not Found. Select 403 to return an HTTP 403 status code: Forbidden. Select empty to return an empty services list. The default value is full. For example, see Blocking Access to the WSDL Services Page. |
|
WSFED ASSERTION VALIDITY |
Specify the assertion validity time in second for WS Federation Provider (SP) to accommodate clock skew between the service provider and SAML identity provider. The default value is 1800 seconds. For example, see Assertion Validity Window. |
|
WSTRUST AUTHORIZATION ALLOWED ACTAS VALUES |
Specify the user names who can perform ActAs operations. Allowed user names are the user accounts that the intermediate web service provider uses to authenticate with STS when sending a request with ActAs elements. You can specify more than one user name separated by a comma. For example, see Adding Policy for ActAs and OnBehalfOf. |
|
WSTRUST AUTHORIZATION ALLOWED ONBEHALF VALUES |
Specify the user names who can perform OnBehalfOf operations. Allowed user names are the user accounts that the intermediate web service provider uses to authenticate with STS when sending a request with OnBehalfOf elements. You can specify more than one user name separated by a comma. For example, see Adding Policy for ActAs and OnBehalfOf. |
|
WSTRUST AUTHORIZATION ALLOWED VALUES |
Specify the user names who can perform both ActAs and OnBehalfOf operations. You can specify more than one user name separated by a comma. For example, see Adding Policy for ActAs and OnBehalfOf. |
|
SESSION ASSURANCE USER AGENT EXCLUDE LIST |
Specify the user-agent string for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server. |
|
SESSION ASSURANCE USER AGENT REGEX EXCLUDE LIST |
Specify the user-agent REGEX for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server. |
|
SESSION ASSURANCE URL EXCLUDE LIST |
Specify the URL for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server. |
|
SESSION ASSURANCE URL REGEX EXCLUDE LIST |
Specify the URL REGEX for that you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Identity Server. |
|
SESSION ASSURANCE IDC COOKIE GRACEPERIOD |
Specify the time in second till which Identity Server will accept the old IDC cookie after issuing a new cookie. The default value is 15 second. |
|
OTHER |
Specify Property Name and Property Value if you want to configure any other property. |
|
NAM_DFP_KEYS_ENFORCE_STRICT |
Click OTHER to configure this property. When Advanced Session Assurance is enabled, specify true to send session keys only the first time when the device information is fetched. Specify false to send session keys every time whenever device information is fetched. The default value is false. |
|
ENCODE_TARGET_URL_QUERY |
Click OTHER to configure this property. When this option is set to true, the target URL query (SAML Request) is URL encoded. This option is set to true by default. When you set this option to false, the following will happen after authentication:
|
|
NMAS_SAML_SIGN_METHODDIGEST_SHA256 (This option is available in Access Manager 4.5 Service Pack 1 or later versions) |
Click OTHER to configure this property. Set this option to true while using the NMAS SAML method. When you set this option to true, it uses SHA265 algorithm for SAML 2 assertion. If this property is not configured or the value is set to false, SHA1 algorithm is used. This option is set to false by default. |
|
persist_caches_on_reconfigure (This option is available in Access Manager 4.5 Service Pack 3 or later versions) |
Click OTHER to configure this property. After you update a configuration or reconfigure it, the user session details and read attributes get deleted from the cache. Set this option to true to retain the details after a configuration update. |
|
OAUTH_CLAIMS_TO_USE_LDAP_ATTR_FORMAT (This option is available in Access Manager 4.5 Service Pack 3 Hotfix 1 or later versions) |
Click OTHER to configure this property. Set this option to true to configure the OAuth claims data type according to the LDAP attribute's schema data type. If the LDAP attribute data type is single-valued, the claims data is returned as a string. If the LDAP attribute data type is multi-valued, the claims data is returned as a string array irrespective of the value count. For example, let us assume that a client application uses the Authorization Code flow and sends the access token to the userinfo endpoint. Then you can choose the format of the token's attribute data type that will be returned. The following is an example of attributes when this property is not configured or set to false: "family_name": "Lastname" The following is an example of attributes when this property is set to true: "family_name": [
"Lastname"
]
This option is set to false by default. |
Click OK > Apply.