---
title: External SASL Mechanism Handler
description: The External SASL Mechanism Handler performs all processing related to SASL EXTERNAL authentication.
component: pingds
version: 8.1
page_id: pingds:configref:objects-external-sasl-mechanism-handler
canonical_url: https://docs.pingidentity.com/pingds/8.1/configref/objects-external-sasl-mechanism-handler.html
section_ids:
  parent: Parent
  dependencies: Dependencies
  external_sasl_mechanism_handler_properties: External SASL Mechanism Handler properties
  basic_properties: Basic properties
  certificate-attribute: certificate-attribute
  certificate-mapper: certificate-mapper
  certificate-validation-policy: certificate-validation-policy
  enabled: enabled
  advanced_properties: Advanced properties
  java-class: java-class
---

# External SASL Mechanism Handler

The External SASL Mechanism Handler performs all processing related to SASL EXTERNAL authentication.

## Parent

The External SASL Mechanism Handler object inherits from [SASL Mechanism Handler](objects-sasl-mechanism-handler.html).

## Dependencies

External SASL Mechanism Handlers depend on the following objects:

* [Certificate Mapper](objects-certificate-mapper.html)

## External SASL Mechanism Handler properties

You can use configuration expressions to set property values at startup time. For details, see [Property value substitution](expressions.html).

| Basic Properties                                                                                                                                                              | Advanced Properties       |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| [certificate-attribute](#certificate-attribute) [certificate-mapper](#certificate-mapper) [certificate-validation-policy](#certificate-validation-policy) [enabled](#enabled) | [java-class](#java-class) |

## Basic properties

Use the `--advanced` option to access advanced properties.

### certificate-attribute

|                         |                                                                                             |
| ----------------------- | ------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the name of the attribute to hold user certificates.                              |
| *Description*           | This property must specify the name of a valid attribute type defined in the server schema. |
| *Default value*         | userCertificate                                                                             |
| *Allowed values*        | The name of an attribute type defined in the LDAP schema.                                   |
| *Multi-valued*          | No                                                                                          |
| *Required*              | No                                                                                          |
| *Admin action required* | None                                                                                        |
| *Advanced*              | No                                                                                          |
| *Read-only*             | No                                                                                          |

### certificate-mapper

|                         |                                                                                                                                                                                         |
| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the name(s) of the certificate mapper(s) that should be used to match client certificates to user entries.                                                                    |
| *Default value*         | None                                                                                                                                                                                    |
| *Allowed values*        | The name of an existing [certificate-mapper](objects-certificate-mapper.html). The referenced certificate mapper(s) must be enabled when the External SASL Mechanism Handler is enabled. |
| *Multi-valued*          | Yes                                                                                                                                                                                     |
| *Required*              | Yes                                                                                                                                                                                     |
| *Admin action required* | None                                                                                                                                                                                    |
| *Advanced*              | No                                                                                                                                                                                      |
| *Read-only*             | No                                                                                                                                                                                      |

### certificate-validation-policy

|                         |                                                                                                                                                                                                                                                                                              |
| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Indicates whether to attempt to validate the peer certificate against a certificate held in the user's entry.                                                                                                                                                                                |
| *Default value*         | None                                                                                                                                                                                                                                                                                         |
| *Allowed values*        | always: Always require the peer certificate to be present in the user's entry.<br>ifpresent: If the user's entry contains one or more certificates, require that one of them match the peer certificate.<br>never: Do not look for the peer certificate to be present in the user's entry. |
| *Multi-valued*          | No                                                                                                                                                                                                                                                                                           |
| *Required*              | Yes                                                                                                                                                                                                                                                                                          |
| *Admin action required* | None                                                                                                                                                                                                                                                                                         |
| *Advanced*              | No                                                                                                                                                                                                                                                                                           |
| *Read-only*             | No                                                                                                                                                                                                                                                                                           |
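
The three policy values differ only in how they treat the certificates stored in the entry that the certificate mapper selected. The following is an added example, a model written for this page and not PingDS code, that runs each policy over three constructed cases. The function names are hypothetical, and a "match" is assumed to mean byte-for-byte equality of the DER encodings.

```python
from enum import Enum


class Policy(Enum):
    ALWAYS = "always"
    IFPRESENT = "ifpresent"
    NEVER = "never"


def peer_cert_accepted(policy, peer_cert_der, entry_certs):
    """Model the certificate-validation-policy decision for one bind.

    peer_cert_der: DER bytes of the certificate the client presented in TLS.
    entry_certs:   values of the certificate attribute (userCertificate by
                   default) in the entry the certificate mapper selected.
    Assumption: a match is byte-for-byte equality of the DER encodings.
    """
    policy = Policy(policy)  # ValueError for anything but the three allowed values
    if policy is Policy.NEVER:
        return True  # the entry's certificates are not consulted
    matched = peer_cert_der in entry_certs
    if policy is Policy.IFPRESENT:
        # An entry with no stored certificate has nothing to compare against.
        return matched or not entry_certs
    return matched  # ALWAYS: an entry with no stored certificate is rejected


def decision_matrix(peer_cert_der, entry_certs):
    """Return the outcome under every policy for the same bind attempt."""
    return {p.value: peer_cert_accepted(p.value, peer_cert_der, entry_certs)
            for p in Policy}


# Constructed stand-ins for DER-encoded certificates (not real certificates).
ENROLLED = b"\x30\x82\x01\x0a-constructed-cert-A"
REISSUED = b"\x30\x82\x01\x0a-constructed-cert-B"  # same subject, different key

SCENARIOS = {
    "entry holds the presented cert": (ENROLLED, [ENROLLED]),
    "entry holds a different cert": (REISSUED, [ENROLLED]),
    "entry holds no cert": (REISSUED, []),
}

if __name__ == "__main__":
    for name, (peer, stored) in SCENARIOS.items():
        print(f"{name:32} {decision_matrix(peer, stored)}")
```

In the cases where the model accepts without a match (`never`, or `ifpresent` with an empty attribute), the bind rests only on the TLS trust chain and the certificate mapper, so any trusted certificate that maps to the entry is accepted.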

### enabled

|                         |                                                                  |
| ----------------------- | ---------------------------------------------------------------- |
| *Synopsis*              | Indicates whether the SASL mechanism handler is enabled for use. |
| *Default value*         | None                                                             |
| *Allowed values*        | true, false                                                      |
| *Multi-valued*          | No                                                               |
| *Required*              | Yes                                                              |
| *Admin action required* | None                                                             |
| *Advanced*              | No                                                               |
| *Read-only*             | No                                                               |

## Advanced properties

Use the `--advanced` option to access advanced properties.

### java-class

|                         |                                                                                                               |
| ----------------------- | ------------------------------------------------------------------------------------------------------------- |
| *Synopsis*              | Specifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation. |
| *Default value*         | org.opends.server.extensions.ExternalSASLMechanismHandler                                                     |
| *Allowed values*        | A Java class that extends or implements: org.opends.server.api.SASLMechanismHandler                           |
| *Multi-valued*          | No                                                                                                            |
| *Required*              | Yes                                                                                                           |
| *Admin action required* | The object must be disabled and re-enabled for changes to take effect.                                        |
| *Advanced*              | Yes                                                                                                           |
| *Read-only*             | No                                                                                                            |
