4.3 Creating an ORed Credential Class

Access Manager includes a class that can be configured to accept any combination of name/password, X.509, or RADIUS credentials. When this class executes as part of a contract, users can select and enter their preferred type of credential.

For example, if a name/password credential is ORed with an X.509 credential, the user can choose to present a certificate or to enter a name and password. Because the user makes that choice, OR credentials only when you, as the administrator, have decided that each of them is equally secure for the resource the contract protects.

To create an ORed credential class:

  1. In the Administration Console, click Devices > Identity Servers > Edit > Local > Classes.

  2. Click New, then fill in the following fields:

    Display name: Specify a name for the class.

    Java class: Select NPOrRadiusOrX509Class.

  3. Click Next, then select the types of classes you want to OR. You must select at least one of the following:

    Use Name/Password: Select this option if you want the PasswordClass to be one of the authentication options available to the user.

    Use Radius: Select this option if you want the RadiusClass to be one of the authentication options available to the user.

    Use X509: Select this option if you want the X509Class to be one of the authentication options available to the user.

  4. (Conditional) If you want to use the protected version of the PasswordClass or RadiusClass, select the Enforce use of HTTPS option.

  5. (Conditional) If you selected the Use Name/Password option, configure the properties:

    a. In the Name/Password Properties section, click New.

    b. Specify a property name and property value.

      For information about the properties that the PasswordClass and the ProtectedPasswordClass support, see Section 3.2.2, Specifying Common Class Properties.

    c. Click OK.

    d. Repeat Step 5.a through Step 5.c to add more than one property.

  6. Click Next.

  7. (Conditional) If you selected the Use Radius option, configure the Radius properties.

    For information about the configuration options, see Section 4.1, Configuring for RADIUS Authentication.

  8. (Conditional) If you selected the Use X509 option, configure how the certificate is validated.

    For information about the configuration options, see Section 4.2, Configuring Mutual SSL (X.509) Authentication.

  9. Click Next.

  10. (Conditional) If you selected the Use X509 option, configure the attribute mappings.

    For information about the configuration options, see Section 4.2, Configuring Mutual SSL (X.509) Authentication.

  11. Click Next.

  12. Click Finish.

  13. Continue with creating a method and a contract for this class.

    For configuration information, see Section 3.3, Configuring Authentication Methods and Section 3.4, Configuring Authentication Contracts.

    If the contract allows the user to select from the three types of credentials, the login page looks similar to the following:

    The Radius class prompts the user for a token instead of a password. The user can use the drop-down menu to select between the password and the token. If the user chooses to send a certificate, the username and password/token options become unavailable.
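The following is an added example, not Access Manager's own code, that models the decision the ORed class makes at login time for the options configured in the steps above: which of the enabled classes handles the request, how Enforce use of HTTPS changes that, and why a presented certificate sets the name and password/token fields aside. The option and class names follow this page (the page names ProtectedPasswordClass; the RADIUS counterpart is assumed to be ProtectedRadiusClass), while OredClassConfig, LoginRequest, select_class and the request fields are constructed for the illustration.

```python
"""Hypothetical model of how an ORed credential class (NPOrRadiusOrX509Class)
chooses which underlying class handles a login. Constructed for illustration;
not Access Manager's own code."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class OredClassConfig:
    """The Step 3 and Step 4 options of the ORed class."""
    use_name_password: bool = False   # Use Name/Password
    use_radius: bool = False          # Use Radius
    use_x509: bool = False            # Use X509
    enforce_https: bool = False       # Enforce use of HTTPS

    def validate(self) -> None:
        # Step 3: at least one credential type must be selected.
        if not (self.use_name_password or self.use_radius or self.use_x509):
            raise ValueError("select at least one of Use Name/Password, Use Radius, Use X509")

    def enabled_classes(self) -> list[str]:
        # Every class listed here is accepted by the contract, so the contract is
        # only as strong as the weakest entry; that is why the page asks you to
        # OR only credentials you consider equally secure.
        classes = []
        if self.use_name_password:
            classes.append("ProtectedPasswordClass" if self.enforce_https else "PasswordClass")
        if self.use_radius:
            # The page names only ProtectedPasswordClass; the RADIUS counterpart
            # name used here is an assumption.
            classes.append("ProtectedRadiusClass" if self.enforce_https else "RadiusClass")
        if self.use_x509:
            classes.append("X509Class")
        return classes


@dataclass(frozen=True)
class LoginRequest:
    """What the login page described above could send (constructed fields)."""
    over_https: bool
    client_certificate: Optional[str] = None  # subject DN from mutual SSL, if any
    username: Optional[str] = None
    password: Optional[str] = None            # Name/Password choice in the drop-down
    token: Optional[str] = None               # RADIUS token choice in the drop-down


Decision = Tuple[Optional[str], str]   # (class that handles the login or None, reason)


def select_class(cfg: OredClassConfig, req: LoginRequest) -> Decision:
    cfg.validate()
    # A certificate takes precedence: once the user chooses to send one, the
    # username and password/token fields are unavailable, so they are ignored here.
    if req.client_certificate is not None:
        if not cfg.use_x509:
            return None, "certificate presented but Use X509 is not enabled"
        return "X509Class", "certificate presented"
    if req.username is None or (req.password is None and req.token is None):
        return None, "no complete credential presented"
    # Step 4: with Enforce use of HTTPS the protected variants run, and a
    # password or token arriving on plain HTTP is refused rather than checked.
    if cfg.enforce_https and not req.over_https:
        return None, "Enforce use of HTTPS is set; password/token refused on plain HTTP"
    # The drop-down sends either a password or a token; a token is handled first.
    if req.token is not None:
        if not cfg.use_radius:
            return None, "token presented but Use Radius is not enabled"
        return ("ProtectedRadiusClass" if cfg.enforce_https else "RadiusClass"), "token presented"
    if not cfg.use_name_password:
        return None, "password presented but Use Name/Password is not enabled"
    return ("ProtectedPasswordClass" if cfg.enforce_https else "PasswordClass"), "password presented"


if __name__ == "__main__":
    cfg = OredClassConfig(use_name_password=True, use_radius=True, use_x509=True, enforce_https=True)
    print("enabled:", cfg.enabled_classes())
    for req in (
        LoginRequest(over_https=True, client_certificate="CN=alice,O=Example"),   # constructed
        LoginRequest(over_https=True, username="alice", password="constructed-example"),
        LoginRequest(over_https=False, username="alice", token="123456"),          # refused
    ):
        print(select_class(cfg, req))
```

The model makes two points visible that the click-through steps only imply: Enforce use of HTTPS is a hard refusal for password and token logins on a plaintext channel, not just a different class name, and enabling an additional option never raises the contract's strength, it only widens what the contract accepts.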