Authentication Scheme Dialog—X509 Client Cert and Form Template—Scheme Setup Tab

The Scheme Setup tab is where you enter server and target information for your X.509 Client Certificate and HTML Forms authentication scheme.

Note: When this authentication scheme is associated with a realm, a user who attempts to access a resource in that realm must present a valid X.509 client certificate that SiteMinder can verify, and must also supply forms credentials that can be located and verified in a user directory associated with the realm's policy domain. Both checks must succeed; the certificate alone does not authenticate the user.

Server Name

Fully qualified domain name of the SSL server.

Note: IP addresses are not supported.

This is the server that establishes the SSL connection over which the client certificate is presented. It can be the same server that hosts the Web Agent, but usually it is not.

The server name forms the host portion of the URL to which SiteMinder redirects the user so that the browser presents the X.509 certificate over an SSL connection. Domain names must contain at least two periods and be specified in the following format:

servername.host.com:[port]

Example: server1.security.com. The port is required only when the SSL server listens on a non-default port.
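The Server Name rules above (fully qualified name with at least two periods, optional :port, no IP addresses), expressed as a small validator. This is an added illustration, not SiteMinder code; the assumption that "default port" means 443 is the editor's, and the DNS label pattern is a conventional one, not one the page specifies.

```python
import ipaddress
import re

# Added illustration of the Server Name field format; not SiteMinder code.
# A DNS label (conventional pattern, assumed here): alphanumerics and hyphens,
# not starting or ending with a hyphen, at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?P<host>{_LABEL}(?:\.{_LABEL})+)(?::(?P<port>\d{{1,5}}))?$")

# Assumption: "default port" for the SSL server is 443.
DEFAULT_SSL_PORT = 443


def parse_server_name(value: str) -> tuple[str, int]:
    """Return (host, port) for a Server Name value that satisfies the field's rules.

    Raises ValueError for anything the field does not accept: malformed
    host[:port] strings, IP addresses, names with fewer than two periods,
    and out-of-range ports.
    """
    m = _HOST_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a servername.host.com[:port] string: {value!r}")
    host = m.group("host")

    # IP addresses are not supported in this field, even though a dotted
    # quad passes the label pattern above.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise ValueError(f"IP addresses are not supported: {host}")

    # The name must be fully qualified: at least two periods.
    if host.count(".") < 2:
        raise ValueError(f"domain name must contain at least two periods: {host}")

    port = int(m.group("port")) if m.group("port") else DEFAULT_SSL_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return host, port


def is_valid_server_name(value: str) -> bool:
    """Boolean convenience wrapper around parse_server_name."""
    try:
        parse_server_name(value)
    except ValueError:
        return False
    return True
```

Scheme prefixes such as https:// are rejected because the field holds only the host (and optional port) that SiteMinder prepends to the Target path when it builds the redirect URL.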

Target

Path and .scc file used by the scheme.

The default path points to a virtual directory on the Web server specified in the Server Name field that was created by the SiteMinder Agent installation. The default target specifies the smgetcred.scc file, a sample file that can be customized.

Additional Attribute List

(Optional) Specifies the attributes, other than the user name, that are collected from the user and compared against the user directory. Begin the list with AL= and separate the attribute names with commas.

Example: AL=PASSWORD,age,zipcode

AL= is SiteMinder notation that introduces the list of attributes to be compared. By default the list is evaluated as an AND condition: the Policy Server compares every attribute value collected from the user with the corresponding attribute value in the user directory, and the user authenticates only if all of the values match exactly. A mismatch on any one attribute fails the authentication.

Note: You can authenticate users with attributes that contain multiple values. To specify that an attribute is multi-valued, prefix the attribute name with a caret (^).

Example: If you are using a multi-valued "mail" attribute to authenticate users, you would specify "AL=^mail" to indicate that "mail" is multi-valued. A user can provide one of the valid values to successfully authenticate.

Limit: The values of a multi-valued attribute must not themselves contain a caret, because the caret is the delimiter that separates the individual values. A stored value that contains a caret is treated as two values, which allows users to authenticate with credentials that were never stored. For example, if a stored value is 123^456, a user would be able to authenticate with 123 or 456 alone, in addition to 123^456. Check the directory for caret characters in any attribute you list with the ^ prefix.

In order for SiteMinder to collect additional attributes, the .fcc file that SiteMinder uses to generate the form for HTML Forms authentication must be modified so that the form prompts for those attributes; the Policy Server can compare only values the form actually submits.

More information:

Domains