3.1 Dynamic Configuration

IMPORTANT: The functionality is supported from NAM Advanced Authentication plug-in v2.0.121.

The dynamic configuration is a universal configuration that must be configured on NAM. It reads the chains configured for the NAM event from the Advanced Authentication Server. After authenticating with a password in NAM, the user receives a list of chains that can be used for further authentication.

NOTE: If you have configured a few chains that contain one method, put the more secure chains at the top of the NAM event. For example, if you have added two chains, TOTP (single) and LDAP Password+TOTP, put LDAP Password+TOTP higher than TOTP in the list of used chains of the NAM event. This is important for filtering out the less secure chains. In this case only LDAP Password+TOTP will be available in the list, because Advanced Authentication filters and ignores the less secure chains.

To change the chains, you are not required to change any settings in NAM. You need to update the chains list for the NAM event in the Advanced Authentication - Administrative Portal.

NOTE: The following methods are supported in the Dynamic configuration only (there are no separate classes for them):

  • Fingerprint

  • PKI

For both methods, you must install Advanced Authentication Device Service.

To configure the dynamic configuration, perform the following steps:

  1. Create a new authentication class with the following parameters:

    1. Display name: Dynamic Class

    2. Java class: Other

    3. Java class path: com.authasas.aucore.nam.method.dynamic.DynamicAuthenticationClass

  2. Create a new authentication method for the class:

    1. Display Name: Dynamic Method

    2. Class: Dynamic Class

    3. Keep the Overwrite Temporary User and Overwrite Real User check boxes cleared.

    4. Add the used user store to User Stores.

  3. Add applicable optional properties (KEY/Value).

  4. Add the following properties (KEY/Value).

    • EVENTNAME: The name of the event used. By default, the event name is NAM.

    • SKIPCHAINS (any value): If the property is present, the plug-in skips the authentication chain selection and always uses the top chain from the list.

  5. Create a new authentication contract for the method in the Configuration tab:

    1. Display name: Dynamic Contract

    2. URI: dynamic/uri

    3. Configure Methods. Select one of the following options:

      • Add only Dynamic Method from the Available Methods list. In this case, you must select the Identifies User check box. Dynamic Method prompts for an LDAP Password. After the user enters the password, the user is asked to provide the next method.

      • Add any standard method from the Available Methods list as the first one and Dynamic Method as the second one. In this case, you must clear the Identifies User check box for Dynamic Method.

    4. Clear the Satisfiable by External Provider check box.

  6. Specify applicable values for the new authentication card in the Authentication Card tab:

    1. ID: DYNAMIC_ID

    2. Text: NetIQ Authentication

    3. Image: <Select Local Image>, then select NAM_Dynamic.png from the icons folder of the NAM plug-in distribution kit.

  7. Update both the IDP and the MAG.

  8. Update NAM Server configuration.
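
The chain-ordering note and the SKIPCHAINS property above interact: with SKIPCHAINS set, whatever chain is at the top of the list is used for every login. The following check is an added example, not part of the plug-in or of Advanced Authentication; it lints a hand-typed, ordered chain list for the NAM event. It assumes chains are written as method names joined by "+" (as in the note) and that a chain is "more secure" when its methods are a strict superset of another chain's methods; the sample lists are constructed.

```python
# Added example: lint the ordered chain list of the NAM event.
# Assumption: chain A is "more secure" than chain B when A's methods are a
# strict superset of B's methods. Chain lists below are constructed samples.

def parse_chain(name):
    """Split a chain label such as 'LDAP Password+TOTP' into a set of methods."""
    return frozenset(m.strip().lower() for m in name.split("+") if m.strip())

def misordered_chains(chains):
    """Return (weaker, stronger) pairs where the weaker chain is listed above."""
    parsed = [(c, parse_chain(c)) for c in chains]
    findings = []
    for i, (weak_name, weak) in enumerate(parsed):
        for strong_name, strong in parsed[i + 1:]:
            if weak < strong:  # strict subset of a chain listed lower down
                findings.append((weak_name, strong_name))
    return findings

def lint_event(chains, properties):
    """Produce warnings for the chain order, taking SKIPCHAINS into account."""
    findings = misordered_chains(chains)
    warnings = [
        f"'{weak}' is listed above the more secure '{strong}'"
        for weak, strong in findings
    ]
    # With SKIPCHAINS present (any value) the plug-in always uses the top chain.
    if "SKIPCHAINS" in properties and chains:
        top = chains[0]
        if any(weak == top for weak, _ in findings):
            warnings.append(
                f"SKIPCHAINS is set: every login uses the weaker top chain '{top}'"
            )
    return warnings

# Constructed sample data (not read from any server).
GOOD_ORDER = ["LDAP Password+TOTP", "TOTP"]
BAD_ORDER = ["TOTP", "LDAP Password+TOTP"]
PROPS = {"EVENTNAME": "NAM", "SKIPCHAINS": "true"}

if __name__ == "__main__":
    for order in (GOOD_ORDER, BAD_ORDER):
        print(order, "->", lint_event(order, PROPS) or "ok")
```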