3.6 Configuring Protected Resources

A protected resource configuration specifies the directories on the Web server that you want to protect. The protected resource configuration specifies the authorization procedures and the policies that you should use to enforce protection. The authentication procedures and the policies (Authorization, Identity Injection, and Form Fill) enable the single sign-on environment for the user. The type of protection a resource requires depends upon the resource, the Web server, and the conditions you define for the resource.

You can select the following types of protection:

Authentication Procedures: Specifies the type of credentials the user must use to log in, such as name and password or secure name and password. You can select None for the procedure, which makes the resource a public resource with no login required. In addition to selecting the contract, you can also configure how the authentication procedure handles subsequent authentication requests from an application.

Authorization Policy: Specifies the conditions a user must meet to be allowed access to a protected resource. You define the conditions, and the Access Gateway enforces the Authorization policies. For example, you can assign roles to your users, and use these roles to grant and deny access to resources.

Identity Injection Policy: Specifies the information that must be injected into the HTTP header. If the Web application has been configured to look for certain fields in the header and the information cannot be found, the Web application determines whether the user is denied access or redirected. The Web application defines the requirements for Identity Injection. The Identity Injection policies allow you to inject the required information into the header.

Form Fill Policy: Allows you to manage forms that Web servers return in response to client requests. Form fill allows you to pre-populate fields in a form on first login and then securely save the information in the completed form to a secret store for subsequent login. The user is prompted to re-enter the information only when something changes, such as a password.

These policies allow you to design a custom access policy for each protected resource:

  • Resources that share the same protection requirements can be configured as a group. You set up the policies, and then add the URLs of each resource that requires these policies.

  • A resource that has specialized protection requirements can be set up as a single protected resource. For example, a page that uses Form Fill is usually set up as a single protected resource.

Avoid configuring a policy for a protected resource with the path /* unless it is required. We recommend that you configure policies for protected resources with specific paths, for example, identityijection/subpath/* or acl/credentialprofile/*.

While configuring a Form Fill policy, try to provide details such as Page Matching Criteria and Form Name so that the policy matches only the specified form and not other pages. Also, if possible, configure the Form Fill policy for a page instead of a path.
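The two recommendations above (specific paths instead of /*, and Form Fill on a page instead of a path) can be checked against a list of protected resource definitions. The following is an added example, not code from Access Manager or its documentation. The resource names, the /app/forms/* and /public paths, the sample URLs, and the simplified matching rule are assumptions made for illustration.

```python
# Constructed definitions: name -> (path patterns, assigned policies).
RESOURCES = {
    "catch-all": (["/*"], ["Identity Injection"]),
    "injection": (["/identityijection/subpath/*"], ["Identity Injection"]),
    "profile": (["/acl/credentialprofile/*"], ["Authorization"]),
    "forms": (["/app/forms/*"], ["Form Fill"]),
}

# Constructed request paths used to show what each definition covers.
URLS = [
    "/identityijection/subpath/report",
    "/acl/credentialprofile/edit",
    "/public/logo.png",
    "/app/forms/login.html",
]


def matches(pattern, path):
    """Simplified model (assumption): a pattern ending in "/*" covers every
    path under that prefix; any other pattern must equal the path."""
    if pattern.endswith("/*"):
        return path.startswith(pattern[:-1])  # keep the trailing "/"
    return path == pattern


def audit(resources):
    """Return (resource, pattern, reason) for each over-broad definition."""
    findings = []
    for name, (patterns, policies) in resources.items():
        for pat in patterns:
            if pat == "/*" and policies:
                reason = "catch-all path carries " + ", ".join(policies)
                findings.append((name, pat, reason))
            elif pat.endswith("/*") and "Form Fill" in policies:
                findings.append((name, pat, "Form Fill set on a path, not a page"))
    return findings


def only_catch_all(resources, urls):
    """URLs that receive a policy solely because a "/*" resource matches."""
    hit = []
    for url in urls:
        names = [n for n, (pats, _) in resources.items()
                 if any(matches(p, url) for p in pats)]
        specific = [n for n in names if "/*" not in resources[n][0]]
        if names and not specific:
            hit.append(url)
    return hit
```

In this sample, /public/logo.png receives the Identity Injection policy only because of the /* definition, which is the unintended coverage the recommendation is meant to prevent.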

For more information about how to configure a protected resource, see Configuring Protected Resources in the NetIQ Access Manager 3.2 SP3 Access Gateway Guide.