Previous Topic: Configuration of the Federation Manager Windows Agent

Next Topic: Run the Configuration Wizard on Windows


Information Required by the Configuration Wizard

After you install the Federation Manager Windows Agent, run the configuration wizard. On Windows systems, you can select the authentication protocol (Kerberos or NTLM). On UNIX systems, Kerberos is the only supported protocol.

Note: The configuration executable and folder names include the string iwa, which references support for Integrated Windows Authentication technology.

The following parameters are required for NTLM and Kerberos configurations.

Important! The values specified for these parameters must match the values specified in the Deployment settings in the Federation Manager UI. The wizard does not retrieve these values; obtain them out of band from the Federation Manager administrator before you begin.

Cookie zone

Specifies the single sign-on security zone name.

Default: FED

Limits: Alpha string

Cookie name

Specifies the name of the open format cookie.

Default: ""

Limits: Alpha string

Encryption password

Specifies the password used to derive a key to encrypt the cookie.

Default: ""

Limits: Alphanumeric string

Encryption Transformation type

Specifies the FIPS-compliant cryptographic transform.

Default: AES128/CBC/PKCS5Padding

Limits: AES128/CBC/PKCS5Padding, AES192/CBC/PKCS5Padding, AES256/CBC/PKCS5Padding, 3DES_EDE/CBC/PKCS5Padding

UseHMAC

Specifies whether to use a Hash Message Authentication Code (HMAC). The HMAC lets the receiving side detect a cookie that was altered after it was issued. Without it the cookie is encrypted but not integrity-protected, and CBC ciphertext can be modified in predictable ways without knowledge of the key, so set this to true on both sides unless the deployment settings require otherwise.

Default: false

Limits: true or false
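The following Go program is an added illustration of what the Encryption password, Encryption Transformation type and UseHMAC parameters control; it is not the agent's code. It seals a cookie with the default transform (AES128/CBC/PKCS5Padding; the other AES transforms differ only in key length), then shows an attacker who cannot decrypt the cookie rewriting "role=user" to "role=root" by flipping bytes of the IV. With UseHMAC false the altered cookie is accepted; with UseHMAC true it is rejected before decryption. The password, the salt and the PBKDF2 stand-in for the agent's key derivation are assumptions of the example; the page does not document how the agent derives its key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed inputs: the password is a deployment setting; the salt is an assumption of this example.
var (
	password = []byte("example-encryption-password")
	salt     = []byte("illustrative-salt")
)

// deriveKeys: PBKDF2-HMAC-SHA256 (RFC 8018), one 32-byte block split into AES-128 and HMAC keys.
// The agent's own derivation function is not documented on this page; this one stands in for it.
func deriveKeys() (encKey, macKey []byte) {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < 10000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for k := range t {
			t[k] ^= u[k]
		}
	}
	return t[:16], t[16:]
}

// seal is AES128/CBC/PKCS5Padding: random IV || ciphertext, plus an HMAC-SHA256 tag over both if useHMAC.
func seal(useHMAC bool, plaintext []byte) []byte {
	encKey, macKey := deriveKeys()
	block, _ := aes.NewCipher(encKey) // 16-byte key: cannot fail
	out := make([]byte, aes.BlockSize)
	rand.Read(out) // IV; crypto/rand.Read cannot fail on current Go
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, out).CryptBlocks(ct, padded)
	out = append(out, ct...)
	if useHMAC {
		mac := hmac.New(sha256.New, macKey)
		mac.Write(out)
		out = mac.Sum(out)
	}
	return out
}

// unseal reverses seal. With useHMAC the tag is checked first, so a modified cookie is never decrypted.
func unseal(useHMAC bool, data []byte) ([]byte, error) {
	encKey, macKey := deriveKeys()
	if useHMAC {
		if len(data) < sha256.Size {
			return nil, errors.New("cookie too short")
		}
		body, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
		mac := hmac.New(sha256.New, macKey)
		mac.Write(body)
		if !hmac.Equal(mac.Sum(nil), tag) {
			return nil, errors.New("HMAC mismatch: cookie rejected")
		}
		data = body
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // strip PKCS5 padding, rejecting a malformed trailer
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS5 padding")
	}
	return pt[:len(pt)-n], nil
}

// tamperDemo: CBC XORs the IV into plaintext block 1, so flipping IV bytes turns "user" into "root" without the key.
func tamperDemo(useHMAC bool) (string, error) {
	sealed := seal(useHMAC, []byte("role=user;uid=alice"))
	off := len("role=") // offset of "user" inside the first 16-byte block
	for i, c := range []byte("root") {
		sealed[off+i] ^= "user"[i] ^ c
	}
	pt, err := unseal(useHMAC, sealed)
	return string(pt), err
}

func main() {
	fmt.Println(tamperDemo(false)) // accepted as role=root;uid=alice
	fmt.Println(tamperDemo(true))  // rejected: HMAC mismatch
}
```

The IV trick only reaches the first block cleanly, but an attacker can also cut-and-paste ciphertext blocks or exploit padding errors on later blocks; the tag computed over IV and ciphertext stops all of these, which is why UseHMAC should be true on both the agent and the Federation Manager side.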

Note: If you are on a system running Windows and you have selected the Kerberos authentication protocol, you can optionally select NTLM as the failover option.

When specifying the Kerberos protocol, provide values for the following parameters:

KDC address

Specifies the fully qualified domain name of the key distribution center (KDC).

KDC realm

Specifies the Kerberos realm name. For an Active Directory KDC this is the DNS name of the domain the KDC serves, written in uppercase (for example, ABC.COM), not the host name of the KDC itself.

Keytab location

Specifies the path of the keytab file. The keytab is created on the KDC system and copied to the system on which the Federation Manager Windows Agent is installed. Because it holds the service principal's long-term key, restrict read access to the account under which the agent runs and remove any intermediate copies made during the transfer.

Principal

Specifies the service principal name (SPN), which uniquely identifies an instance of a service, for example, HTTP/host.abc.com. HTTP is the name of the service and host.abc.com is the name of the host on which the service resides.

The Keytab location and Principal parameters are written to the login.conf file. The other parameters are written to the IWAConnectorConfig.conf file.

Note: If you review the login.conf file, do not change the value of the isInitiator parameter. It is set so that the agent acts as the Kerberos acceptor that validates the service tickets browsers present, not as a client that requests tickets; changing it breaks ticket validation.
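The fragment below is an added illustration of how the Keytab location and Principal parameters end up in login.conf, assuming that file is a standard JAAS configuration using the Krb5LoginModule (the isInitiator option is a Krb5LoginModule option). It is not the agent's generated file: the entry name FedIWA, the keytab path and the options other than keyTab, principal and isInitiator are assumptions.

```text
FedIWA {
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab=true
        storeKey=true
        doNotPrompt=true
        keyTab="C:/fedmgr/conf/host.abc.com.keytab"
        principal="HTTP/host.abc.com"
        isInitiator=false;
};
```

The keytab path uses forward slashes because the JAAS parser treats a backslash inside a quoted string as an escape; a Windows path with single backslashes is mangled. isInitiator=false tells the module to load the service key from the keytab and accept tickets rather than obtain a ticket-granting ticket for itself, which is the acceptor role the agent needs.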