3.5 Specifying Authentication Defaults

You can specify default values for how the system processes user stores and authentication contracts. The default contract is executed when users access the system without a specified contract, and when an Access Gateway protected resource is configured to use Any Contract.

Additional default contracts can be specified for well-known authentication types that might be required by a service provider. These contracts are executed when a request for a specific authentication type comes from a service provider.

  1. In the Administration Console, click Devices > Identity Servers > Edit > Local > Defaults.

  2. Configure the following fields as necessary:

    User Store: Specifies the default user store for local authentication. If you selected <Default User Store> when configuring an authentication method, the system uses the user store you specify here.

    Authentication Contract: Specifies the default authentication contract to be used when users access the Identity Server directly or a protected resource is configured to use Any Contract. If you create a new contract and specify it as the default, ensure that you update the Access Gateway configuration if it has protected resources configured to use Any Contract. See the NetIQ Access Manager 4.0 SP1 Access Gateway Guide.

    Authentication Type: Specifies the default authentication contracts to be used for each authentication type. When a service provider requests a specific authentication type, rather than a contract, the identity provider uses the authentication contract specified here for the requested authentication type. For more information, see Section 3.5.1, Specifying Authentication Types.

  3. Click OK.

  4. Update the Identity Server.

3.5.1 Specifying Authentication Types

Trusted service providers can send the Identity Server an authentication request that contains a request for contract or for an authentication type. When the request is for an authentication type, the Identity Server must translate the type to a contract before authenticating the user. You can use the Authentication Type section of the Defaults page to specify which contract to use for the common types (classes).

The Defaults page does not list every possible type. For a type that does not appear on the Defaults page, you can do one of the following:

  • You can define a contract for the class whose URI matches the requested class type. When the authentication request is received, the Identity Server uses the URI to match the request with a contract.

    When you create such a contract, you are stating that the contract is security-equivalent to the class that is being requested. For configuration information, see Section 3.5.2, Creating a Contract for a Specific Authentication Type.

  • You can use the Trust Levels class to assign an authentication level for the requested class. This level is used to rank the requested type. Using the authentication level and the comparison context, the Identity Server can determine whether any contracts meet the requirements of the request. If one or more contracts match the request, the user is presented with the appropriate authentication prompts.

    For configuration information, see Section 7.2.4, Configuring the Trust Levels Class.

3.5.2 Creating a Contract for a Specific Authentication Type

The following steps explain how to create a contract that matches what a trusted service provider is asking for in its authentication request.

  1. In the Administration Console, click Devices > Identity Servers > Edit > Local > Contracts.

  2. To create a new contract, click New.

  3. Fill in the following fields:

    Display name: Specifies the name of the authentication contract.

    URI: Specifies a value that uniquely identifies the contract from all other contracts. This value must match what the service provider is sending in its authentication request for the type.

    Authentication Level: (Optional) Specify a security level or rank for the contract. This value is not used when the authentication request sets the comparison type to exact. It is used only when a contract is selected by comparing authentication levels.

    If the service provider sets the comparison type to minimum, the authentication level of the contract can be the same as or higher than the requested level. If the comparison type is set to better, the authentication level must be higher than the requested level.

    Methods: Select the method that matches the class or type you specified in the URI.

    The other fields for the contract are not requirements of the authentication request and can be configured to meet the requirements of the Identity Server. For information about these fields, see Section 3.4, Configuring Authentication Contracts.

  4. Click Next.

  5. Configure an authentication card for the contract.

    For information about these fields, see Section 3.4, Configuring Authentication Contracts.

  6. Click Finish, then OK.

  7. Update the Identity Server.
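The following Python model illustrates the two matching rules described in Section 3.5.1 (URI match for an exact request, level comparison through the Trust Levels class otherwise) and the Authentication Level semantics described in step 3 of Section 3.5.2. It is an added example and is not NetIQ code: the contract names, contract URIs, levels, Authentication Type defaults and Trust Levels entries are hypothetical, and the AuthnRequest it parses is constructed inline. The class URIs and the Comparison attribute values (exact, minimum, maximum, better, with exact as the default) are the standard SAML 2.0 ones; the interpretation of minimum and better when a request lists several classes is this example's own.

```python
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Standard SAML 2.0 authentication context class URIs.
PASSWORD_PT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"

# Hypothetical contracts as they might be defined under Local > Contracts:
# "uri" is the contract URI (Section 3.5.2), "level" its Authentication Level.
CONTRACTS = [
    {"name": "Name/Password - Form", "uri": "urn:example:contract:name-password-form", "level": 10},
    {"name": "Secure Name/Password - Form", "uri": PASSWORD_PT, "level": 20},
    {"name": "Smart Card", "uri": X509, "level": 30},
]
# Hypothetical Authentication Type defaults (Defaults page): class URI -> contract name.
TYPE_DEFAULTS = {PASSWORD_PT: "Secure Name/Password - Form", X509: "Smart Card"}
# Hypothetical Trust Levels entries: a level for a requested class that has no contract.
TRUST_LEVELS = {KERBEROS: 25}
# Hypothetical default Authentication Contract (Defaults page).
DEFAULT_CONTRACT = "Name/Password - Form"


def make_authn_request(comparison=None, class_refs=()):
    """Build a minimal, constructed SAML 2.0 AuthnRequest (no signature, for illustration)."""
    rac = ""
    if class_refs:
        refs = "".join(f"<saml:AuthnContextClassRef>{r}</saml:AuthnContextClassRef>" for r in class_refs)
        attr = f' Comparison="{comparison}"' if comparison else ""
        rac = f"<samlp:RequestedAuthnContext{attr}>{refs}</samlp:RequestedAuthnContext>"
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_req1" Version="2.0" IssueInstant="2014-05-01T12:00:00Z">'
        "<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>"
        f"{rac}</samlp:AuthnRequest>"
    )


def parse_requested_context(authn_request_xml):
    """Return (comparison, [class URIs]); Comparison defaults to 'exact' per SAML 2.0."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(SAMLP + "RequestedAuthnContext")
    if rac is None:
        return "exact", []
    refs = [e.text.strip() for e in rac.findall(SAML + "AuthnContextClassRef") if e.text]
    return rac.get("Comparison", "exact"), refs


def by_name(name):
    return [c for c in CONTRACTS if c["name"] == name]


def requested_level(class_ref):
    """Level of a requested class: from a contract with that URI, else Trust Levels, else None."""
    for c in CONTRACTS:
        if c["uri"] == class_ref:
            return c["level"]
    return TRUST_LEVELS.get(class_ref)


def resolve_contracts(authn_request_xml):
    """Contracts that satisfy the request, strongest first. An empty list means the
    identity provider cannot satisfy it (SAML status NoAuthnContext)."""
    comparison, refs = parse_requested_context(authn_request_xml)
    if not refs:
        return by_name(DEFAULT_CONTRACT)  # no type requested: default contract applies
    if comparison == "exact":
        # Levels are ignored: match the contract URI, else the Authentication Type default.
        matches = []
        for ref in refs:
            hit = [c for c in CONTRACTS if c["uri"] == ref] or by_name(TYPE_DEFAULTS.get(ref, ""))
            matches.extend(c for c in hit if c not in matches)
        return matches
    levels = [lvl for lvl in map(requested_level, refs) if lvl is not None]
    if not levels:
        return []  # unknown class with no Trust Levels entry: nothing to rank against
    if comparison == "minimum":
        ok = lambda lvl: lvl >= min(levels)  # same as or higher than a requested level
    elif comparison == "better":
        ok = lambda lvl: lvl > max(levels)   # strictly higher than every requested level
    elif comparison == "maximum":
        ok = lambda lvl: lvl <= max(levels)  # as strong as possible without exceeding
    else:
        raise ValueError(f"unknown Comparison value: {comparison!r}")
    return sorted((c for c in CONTRACTS if ok(c["level"])), key=lambda c: -c["level"])


def resolve_names(authn_request_xml):
    return [c["name"] for c in resolve_contracts(authn_request_xml)]


if __name__ == "__main__":
    for comp, refs in [(None, []), ("exact", [KERBEROS]), ("minimum", [KERBEROS]), ("better", [X509])]:
        print(comp or "(none)", refs, "->", resolve_names(make_authn_request(comp, refs)))
```

Two cases are worth noting when you test such a mapping against a real service provider. An exact request for a class with neither a matching contract URI nor an Authentication Type default yields no contract even if the Trust Levels class assigns that class a level, which is what the page means by the level being unused for exact comparisons. A better request for the strongest class you have also yields nothing, because no contract ranks above it; in that situation the service provider receives a failure response rather than a weaker authentication.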