
Authentication Scheme Dialog—X509 Client Cert or HTML Forms Template—Scheme Setup Tab

The Scheme Setup tab for X.509 Client Certificate or HTML Forms authentication is where you enter server and target information for your certificate authentication scheme.

Note: When this authentication scheme is associated with a realm, users who attempt to access a resource in the protected realm may be authenticated with a valid X.509 client certificate or by forms credentials that can be located and verified in a user directory associated with the realm’s policy domain.

Server Name

Fully qualified domain name of the SSL server.

Note: IP addresses are not supported.

This is the server that is responsible for establishing the SSL connection. It can be, but usually is not, the same server on which the Web Agent is installed.

The server acts as the beginning of the URL that SiteMinder uses to redirect a user’s X.509 certificate over an SSL connection. Domain names must contain at least 2 periods and be specified using the following format:

servername.host.com:[port]

Example: server1.security.com. The port is only required for communication over a non-default port.

Target

Path and name for the SSL Credentials Collector (SFCC).

The target is <URI/name>.sfcc

The target tells the SiteMinder Web Agent what to use to invoke the SFCC. It completes the URL that SiteMinder uses to redirect the user’s credentials over an SSL connection and process certificate authentication.

SiteMinder provides a default path when you select the X.509 Client Certificate or HTML Forms authentication scheme.

Additional Attribute List

(Optional) Specifies the attributes other than user name that will be collected from the user. When listing attributes, begin with AL= and use commas to separate the user attribute names.

Example: AL=PASSWORD,age,zipcode

The AL= is a SiteMinder notation that indicates the list of attributes that should be considered. By default, the list of attributes is considered an AND-style query. The Policy Server compares all of the attribute values collected from the user to the corresponding attribute values in the user directory. If all of the attribute values match exactly, the user will authenticate successfully.

Note: You can authenticate users with attributes that contain multiple values. To specify that an attribute has multiple values, prefix the attribute name with a caret (^).

Example: If you are using a multi-valued "mail" attribute to authenticate users, you would specify "AL=^mail" to indicate that "mail" is multi-valued. A user can provide one of the valid values to successfully authenticate.

Limit: The values of a multi-valued attribute should not contain a caret. A value that contains a caret introduces the possibility of users being improperly authenticated. For example, if a value is 123^456, a user would be able to authenticate with 123 and 456, in addition to 123^456.

In order for SiteMinder to collect additional attributes, the .fcc file used by SiteMinder to generate a form for HTML Forms authentication must be modified to include the attributes.
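The AL= matching rules and the caret limit above, as an added example that is not SiteMinder's own code: it parses an AL= list, emulates the AND-style comparison, and flags directory values that contain a caret. The directory layout (dicts, with multi-valued attributes stored as lists of strings) and the caret-join flattening are assumptions made to reproduce the 123^456 case.

```python
# Added example (not SiteMinder code). Assumptions: directory entries are dicts,
# multi-valued attributes are stored as lists of strings, and the ^ handling is
# emulated by joining values with ^ and splitting again, which reproduces the
# 123^456 behaviour described in the Limit above.

def parse_attribute_list(spec):
    """Parse 'AL=PASSWORD,^mail,zipcode' into [(name, is_multivalued), ...]."""
    if not spec.startswith("AL="):
        raise ValueError("attribute list must begin with AL=")
    attrs = []
    for raw in spec[3:].split(","):
        name = raw.strip()
        if not name:
            continue
        attrs.append((name[1:], True) if name.startswith("^") else (name, False))
    return attrs


def _accepted_values(stored, multivalued):
    """Values a submitted credential is compared against for one attribute."""
    values = stored if isinstance(stored, list) else [stored]
    if not multivalued:
        return values  # single-valued: exact match against the stored string
    # Emulated caret handling: a ^ inside an individual value splits it into
    # extra accepted values, which is the improper-authentication case.
    return values + "^".join(values).split("^")


def attributes_match(spec, submitted, entry):
    """AND-style query: every attribute in the AL= list must match exactly."""
    for name, multivalued in parse_attribute_list(spec):
        if name not in entry or name not in submitted:
            return False
        if submitted[name] not in _accepted_values(entry[name], multivalued):
            return False
    return True


def caret_in_values(spec, entry):
    """Defensive check: multi-valued attributes whose stored values contain a ^."""
    flagged = []
    for name, multivalued in parse_attribute_list(spec):
        values = entry.get(name, [])
        values = values if isinstance(values, list) else [values]
        if multivalued and any("^" in v for v in values):
            flagged.append(name)
    return flagged


# Constructed sample data: one clean entry and one with the caret pitfall.
SPEC = "AL=PASSWORD,^mail"
CLEAN = {"PASSWORD": "s3cret", "mail": ["a@example.com", "b@example.com"]}
PITFALL = {"PASSWORD": "s3cret", "mail": ["123^456"]}
```

Running caret_in_values over each directory entry before enabling a ^-prefixed attribute is the practical check the Limit above calls for.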

Use Alternate FCC Location check box

Select this check box if you want to specify a target to which forms collection is redirected. A possible use of such redirection is to avoid multiple SSL-based challenges.

Alternate Server Name

Name of the Web server on which the alternate FCC is installed. Enter a value in this field if the Use Alternate FCC Location check box is selected.

Alternate Target

Path and .fcc file name. Enter a value in this field if the Use Alternate FCC Location check box is selected.

The default path points to a virtual directory on the Web server specified in the Alternate Server Name field that was created by the SiteMinder Agent installation. The default target specifies the login.fcc file, which is a sample file that can be customized.

Use SSL Connection check box

Select this check box if HTML Forms credentials should be delivered over an SSL connection. You must select the Use Alternate FCC Location check box before the Use SSL Connection check box becomes available.

More information:

Domains