Core authentication attributes

Sets a minimum and a maximum number of LDAP connections to be used by any authentication node that connects to a specific directory server. This connection pool is different to the SDK connection pool configured in the serverconfig.xml file.

Sets the default minimum and maximum number of LDAP connections to be used by any authentication node that connects to any directory server. This connection pool is different to the SDK connection pool configured in the serverconfig.xml file.

When enabled, AM requires the authenticating application to send its SSO token. This allows AM to obtain the username and password associated with the application.

When enabled, AM stores instances of post-processing classes into the authenticated session. When the user logs out, the original post-processing classes are called instead of new instances. This may be required for special logout processing.

The default authentication tree used when an administrative user, such as amAdmin, logs in to the AM admin UI.

The default authentication tree used when a non-administrative user logs in to AM.

Specifies whether a user profile needs to exist in the user datastore, or should be created on successful authentication. The possible values are:

Specifies the distinguished name (DN) of a role to be assigned to a new user whose profile is created when either the true or createAlias options are selected under the User Profile property. There are no default values. The role specified must be within the realm for which the authentication process is configured.

After a user is successfully authenticated, the user’s profile is retrieved. AM first searches for the user based on the datastore settings. If that fails to find the user, AM will use the attributes listed here to look up the user profile. This setting accepts any datastore specific attribute name.

$ ssoadm get-realm-svc-attrs \
--adminid uid=amAdmin,ou=People,dc=am,dc=example,dc=com \
--password-file PATH_TO_PWDFILE \
--realm REALM \
--servicename iPlanetAMAuthService$ ssoadm set-realm-svc-attrs \
 --adminid uid=amAdmin,ou=People,dc=am,dc=example,dc=com \
 --password-file PATH_TO_PWDFILE \
 --realm REALM \
 --servicename iPlanetAMAuthService \
 --attributevalues iplanet-am-auth-user-naming-attr=SEARCH_ATTRIBUTE

When enabled, AM deactivates the LDAP attribute defined in the Lockout Attribute Name property in the user’s profile upon login failure. This attribute works in conjunction with the other account lockout and notification attributes.

The number of attempts a user has to authenticate within the time interval defined in Login Failure Lockout Interval before being locked out.

The time in minutes during which failed login attempts are counted.

One or more email addresses to which notification is sent if a user lockout occurs.

The number of authentication failures after which AM displays a warning message that the user will be locked out.

The number of minutes a user must wait after a lockout before attempting to authenticate again. Entering a value greater than 0 enables duration lockout and disables persistent (physical) lockout. Duration lockout means the user’s account is locked for the number of minutes specified. The account is unlocked after the time period has passed.

Defines a value by which to multiply the value of the Login Failure Lockout Duration attribute for each successive lockout. For example, if Login Failure Lockout Duration is set to 3 minutes, and the Lockout Duration Multiplier is set to 2, the user is locked out of the account for 6 minutes. After the 6 minutes has elapsed, if the user again provides the wrong credentials, the lockout duration is then 12 minutes. With the Lockout Duration Multiplier, the lockout duration is incrementally increased based on the number of times the user has been locked out.

The LDAP attribute used for persistent (physical) lockout. The default attribute is inetuserstatus, although the field in the AM admin UI is empty.

The value to set the lockout attribute to when an account is locked. The default value is Inactive, although the field in the AM admin UI is empty. The Lockout Attribute Name field must also contain an appropriate value.

The LDAP attribute used to hold the number of failed authentication attempts towards Login Failure Lockout Count. Although the field in the AM admin UI is empty, AM stores this data in the sunAMAuthInvalidAttemptsDataAttrName attribute defined in the sunAMAuthAccountLockout objectclass by default.

When enabled, AM stores the information regarding failed authentication attempts as the value of the Invalid Attempts Data Attribute Name in the user datastore. Information stored includes the number of invalid attempts, the time of the last failed attempt, lockout time and lockout duration. Storing this information in the identity repository allows it to be shared among multiple instances of AM.

Specifies the default language subtype to be used by the Authentication service. The default value is en_US.

This property was used only for authentication with modules and chains and is no longer documented.

This property was used only for authentication with modules and chains and is no longer documented.

When enabled, AM assigns client-side sessions to users authenticating to this realm. Otherwise, AM users authenticating to this realm are assigned server-side sessions.

This property was used only for authentication with modules and chains and is no longer documented.

If the authentication user interface is hosted separately from AM, this property specifies the URL of the external login user interface.

This property was used only for authentication with modules and chains and is no longer documented.

Specifies the location where AM stores journey sessions.

Specifies the maximum allowed duration of a journey session, including any time spent in the suspended state, in minutes.

Specifies the length of time a journey session can be suspended in minutes.

When enabled, AM allowlists journey sessions to protect them against replay attacks.

When HttpOnly session cookies are enabled and a client calls the /json/authenticate endpoint with a valid SSO token, AM returns an empty tokenId field.

Specifies the key pair alias in the AM keystore to use for encrypting persistent cookies.

This property was used only for authentication with modules and chains and is no longer documented.

This property was used only for authentication with modules and chains and is no longer documented.

This property was used only for authentication with modules and chains and is no longer documented.

When enabled, AM adds the Clear-Site-Data header to successful logout responses. The Clear-Site-Data directive instructs the browser to delete relevant site data on logout. This directive includes cache, cookies, storage, and executionContexts.

The HMAC shared secret for signing RESTful authentication requests. This secret should be Base64 encoded and at least 128 bits in length. By default, a cryptographically secure, random value is generated.

Accepts a list of values that specifies where users are directed after successful authentication. The format of this attribute is client-type|URL although the only value you can specify at this time is a URL which assumes the type HTML. The default value is /am/console. Values that do not specify HTTP have that appended to the deployment URI.

Accepts a list of values that specifies where users are directed after authentication has failed. The format of this attribute is client-type|URL although the only value you can specify at this time is a URL which assumes the type HTML. Values that do not specify HTTP have that appended to the deployment URI.

This property was used only for authentication with modules and chains and is no longer documented.

This property was used only for authentication with modules and chains and is no longer documented.

This property was used only for authentication with modules and chains and is no longer documented.