

Authentication Schemes and Credential Requirements

The following table lists all supported authentication schemes and their credential requirements:

 

Credential Requirements

| Authentication Schemes | Directory User Name | Directory Password | Code from Token | X.509 Certificate | User Profile Attributes |
|---|---|---|---|---|---|
| Anonymous | | | | | |
| Basic | yes | yes | | | |
| Basic over SSL | yes | yes | | | |
| Custom | optional | optional | optional | optional | optional |
| HTML Forms (over SSL optional) | custom credentials | custom credentials | | | optional |
| Impersonation | yes | | | | optional |
| MS Passport | yes | yes | | | yes |
| NTLM or Windows | yes* | yes* | | | |
| RADIUS CHAP/PAP | yes | yes | | | |
| RADIUS Server | yes | yes | | | |
| SafeWord Server | yes | yes | | | |
| SafeWord and Forms | yes | yes | | | optional |
| SecurID | yes | | yes | | |
| SecurID and Forms | yes | | yes | | optional |
| TeleID | yes | | yes | | |
| X.509 Client Certificate | | | | yes | |
| X.509 Client Certificate and Basic (uses SSL) | yes | yes | | yes | |
| X.509 Client Certificate or Basic (over SSL optional) | yes for Basic | yes for Basic | | yes for Certificate | |
| X.509 Client Certificate and HTML Forms | custom credentials | custom credentials | | yes | optional |
| X.509 Client Certificate or HTML Forms | custom credentials for HTML Forms | custom credentials for HTML Forms | | yes for Certificate | optional for HTML Forms |

*For NTLM or Windows, SiteMinder does not prompt the user to enter a username and password when the user tries to access a resource. This scheme relies on a properly configured IIS Web server to acquire and verify a user’s credentials. The Policy Server bases authorization decisions on the user’s identity as asserted by the IIS server.

Set Up an Authentication Scheme Object in the Policy Server User Interface

To set up a new authentication scheme in the Administrative UI, configure the components in the following order:

  1. Web Server (only for certificate, SSL, and HTML forms-based schemes)
  2. Policy Server (including Certificate Mapping for X.509 certificate schemes)

More information:

Certificate Mapping for X.509 Client Authentication Schemes

Web Server

For a SiteMinder Web Agent to support any SSL-based authentication scheme, the Web server must be configured to support SSL.

Note: For instructions on Web server configuration, see the Policy Server Installation Guide.

Policy Server

After you configure your Web servers to support authentication schemes, configure the Policy Server to support the schemes.

More information:

Authentication Schemes Overview

Multiple Instances of a Single Authentication Scheme Configuration

You can configure multiple instances of most authentication schemes in the Administrative UI. For example, you might create multiple HTML forms-based schemes to process login, forgotten password requests, logout, etc. If you create multiple instances of a scheme type, be sure to set protection levels to reflect your security requirements.