When configuring the identity applications, this tab defines the values that the application server uses to direct users to the identity application and password management pages.
By default, the tab displays the basic options. To see all settings, click Show Advanced Options. This tab includes the following groups of settings:
This section defines settings for the identity applications to connect to the authentication server.
Required
Specifies the relative URL of the authentication server that issues tokens to OSP. For example, 10.10.10.48.
Specifies the port for the authentication server.
Specifies whether the authentication server uses TLS/SSL protocol for communication.
Applies only when you select OAuth server is using TLS/SSL and the utility is showing the advanced options.
This parameter applies when the authentication server uses TLS/SSL protocol, and the trust certificate for the authentication server is not in the JRE trust store (cacerts).
Applies only when you select OAuth server is using TLS/SSL and the utility is showing the advanced options.
Specifies the password used to load the keystore file for the TLS/SSL authentication server.
NOTE: If you do not specify the keystore path and password, the identity applications fail to connect to an authentication service that uses the TLS/SSL protocol.
This section defines settings for the authentication server.
Required
Specifies the URL through which OSP or the authentication server can obtain a token for authentication.
Required
Specifies the URL through which OSP can validate an obtained token.
Required
Specifies the URL through which OSP ends the session with the authentication server.
Required
Specifies the distinguished name of the container in the Identity Vault that contains any administrator User objects that OSP must authenticate. For example, ou=sa,o=data.
Required
Specifies the path to the Java JKS keystore file you want to use for authentication. The keystore file must contain at least one public/private key pair.
Required
Specifies the password used to load the OAuth keystore file.
Required
Specifies the name of the public/private key pair in the OSP keystore file that you want to use for symmetric key generation.
Required
Specifies the password for the private key used by the authentication server.
Specifies the URL of a CSS stylesheet that you want to use to customize the appearance of the login page for the identity applications.
Specifies the name of the LDAP attribute used to differentiate between multiple eDirectory User objects with the same cn value. The default value is mail.
Specifies whether searches in the user and administrator containers in the Identity Vault are restricted to User objects directly in those containers or also include their subcontainers.
Specifies the number of minutes of inactivity in a session before the server times out the user’s session. The default value is 20 minutes.
Specifies the number of seconds an OSP access token remains valid. The default value is 60 seconds.
Specifies the number of seconds an OSP refresh token remains valid. The refresh token is used internally by OSP. The default value is 48 hours.
This section defines the values that enable OSP to authenticate users who log in to the browser-based components of Identity Manager.
For more information about OSP, see Section 4.5, Using Single Sign-on Access in Identity Manager and Section IX, Installing the Single Sign-on and Password Management Components.
Specifies the type of authentication that you want Identity Manager to use when a user logs on.
Name and Password: OSP verifies authentication with the Identity Vault.
Kerberos: OSP accepts authentication from both a Kerberos ticket server and the Identity Vault. You must also specify a value for Mapping attribute name.
SAML: OSP accepts authentication from both a SAML identity provider and the Identity Vault. You must also specify values for Mapping attribute name and Metadata URL.
Applies only when you specify Kerberos or SAML.
Specifies the name of the attribute that maps to the Kerberos ticket server or SAML representations at the identity provider.
Applies only when you specify SAML.
Specifies the URL that OSP uses to redirect the authentication request to SAML.
This section defines the values that enable users to modify their passwords as a self-service operation.
Specifies the type of password management system that you want to use.
SSPR: Uses the integrated SSPR method.
For your convenience, NetIQ provides SSPR with the installation media. For more information about SSPR, see Section 4.4, Using Self-Service Password Management in Identity Manager and Section IX, Installing the Single Sign-on and Password Management Components.
User Application (Legacy): Uses the password management program that Identity Manager traditionally has used. This option also allows you to use an external password management program.
This check box parameter applies only when you want to use SSPR.
Specifies whether you want users to recover a forgotten password without contacting a help desk.
You must also configure the challenge-response policies for the Forgotten Password feature. For more information, see the NetIQ Self Service Password Reset Administration Guide.
This menu list applies only when you select User Application (Legacy).
Specifies whether you want to use the password management system integrated with the User Application or an external system.
Internal: Use the default internal Password Management functionality, ./jsps/pwdmgt/ForgotPassword.jsp (without the http(s) protocol at the beginning). This redirects the user to the Forgot Password functionality built into the User Application, rather than to an external WAR.
External: Use an external Forgot Password WAR to call back the User Application through a web service. You must also specify the settings for the external system.
Applies only when you want to use an external password management system.
Specifies the URL that points to the Forgot Password functionality page. Specify a ForgotPassword.jsp file in an external or internal password management WAR.
Applies only when you want to use an external password management system.
Specifies the URL for the Forgot Password Return Link that the user can click after performing a forgot password operation.
Applies only when you want to use an external password management system.
Specifies the URL that the External Forgot Password WAR will use to call back to the User Application to perform core forgot password functionalities. Use the following format:
https://<idmhost>:<sslport>/<idm>/pwdmgt/service
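The settings on this tab depend on one another: the TLS keystore path and password are only meaningful when the authentication server uses TLS/SSL (and are required unless the server's certificate is already in the JRE cacerts store), Kerberos and SAML need a mapping attribute, SAML additionally needs a metadata URL, and the external password management option needs all three Forgot Password URLs in the format shown above. The following is an added example, not part of the NetIQ documentation or the product: a small Python checker that encodes those dependencies so a configuration can be reviewed before the utility is run. The dataclass field names (such as oauth_tls and tls_keystore_path) and the sample URLs are this example's own assumptions, not the product's labels.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class AuthTabConfig:
    """Values from the Authentication tab. Field names are assumptions of this example."""
    oauth_tls: bool = False
    tls_keystore_path: str = ""
    tls_keystore_password: str = ""
    auth_method: str = "name_password"        # "name_password" | "kerberos" | "saml"
    mapping_attribute: str = ""
    saml_metadata_url: str = ""
    password_management: str = "sspr"         # "sspr" | "legacy"
    legacy_mode: str = "internal"             # "internal" | "external" (legacy only)
    forgot_password_url: str = ""
    forgot_password_return_url: str = ""
    forgot_password_callback_url: str = ""
    session_timeout_minutes: int = 20         # documented default
    access_token_seconds: int = 60            # documented default
    refresh_token_seconds: int = 48 * 60 * 60  # documented default: 48 hours


def _callback_url_ok(url: str) -> bool:
    """Check the documented shape https://<idmhost>:<sslport>/<idm>/pwdmgt/service."""
    parts = urlsplit(url)
    return (parts.scheme == "https" and bool(parts.hostname)
            and parts.path.endswith("/pwdmgt/service"))


def validate(cfg: AuthTabConfig) -> List[str]:
    """Return a list of findings; an empty list means the dependencies are satisfied."""
    findings: List[str] = []

    # TLS keystore: both values are needed unless the trust cert is already in cacerts.
    if cfg.oauth_tls:
        if not (cfg.tls_keystore_path and cfg.tls_keystore_password):
            findings.append(
                "TLS is enabled but keystore path and password are not both set; "
                "the connection fails unless the server's trust certificate is "
                "already in the JRE cacerts store")
    elif cfg.tls_keystore_path or cfg.tls_keystore_password:
        findings.append("keystore settings are ignored while TLS is disabled")

    # Authentication method dependencies.
    if cfg.auth_method not in ("name_password", "kerberos", "saml"):
        findings.append(f"unknown authentication method {cfg.auth_method!r}")
    if cfg.auth_method in ("kerberos", "saml") and not cfg.mapping_attribute:
        findings.append(f"{cfg.auth_method} requires a mapping attribute name")
    if cfg.auth_method == "saml" and not cfg.saml_metadata_url:
        findings.append("saml requires a metadata URL")

    # External (legacy) password management needs all three URLs.
    if cfg.password_management == "legacy" and cfg.legacy_mode == "external":
        required = (("forgot-password URL", cfg.forgot_password_url),
                    ("forgot-password return URL", cfg.forgot_password_return_url),
                    ("forgot-password callback URL", cfg.forgot_password_callback_url))
        for name, value in required:
            if not value:
                findings.append(f"external password management requires the {name}")
        if cfg.forgot_password_callback_url and not _callback_url_ok(cfg.forgot_password_callback_url):
            findings.append("callback URL does not match https://<idmhost>:<sslport>/<idm>/pwdmgt/service")

    # Lifetimes: positive values, and a refresh token that outlives the access token
    # (the ordering check is this example's sanity rule, not stated in the documentation).
    for name, value in (("session timeout", cfg.session_timeout_minutes),
                        ("access token validity", cfg.access_token_seconds),
                        ("refresh token validity", cfg.refresh_token_seconds)):
        if value <= 0:
            findings.append(f"{name} must be a positive number")
    if 0 < cfg.refresh_token_seconds < cfg.access_token_seconds:
        findings.append("refresh token validity is shorter than access token validity")

    return findings


if __name__ == "__main__":
    # Constructed sample: TLS turned on without a keystore, which the NOTE above warns about.
    for finding in validate(AuthTabConfig(oauth_tls=True)):
        print("finding:", finding)
```

Run it against the values you intend to enter; the documented defaults produce no findings, and each finding names the dependency from this tab that is not met.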
This section defines the values that allow Identity Manager to communicate with NetIQ Sentinel for event auditing.
Specifies a custom public key certificate that you want the OSP server to use to authenticate audit messages sent to the audit system.
For information about configuring certificates for Novell Audit, see “Managing Certificates” in the Novell Audit Administration Guide.
Specifies the path to the custom private key file that you want the OSP server to use to authenticate audit messages sent to the audit system.