IDM 7.2.2

Authentication and session module configuration

This appendix includes configuration details for the authentication modules described in Authentication and Session Modules.

Authentication modules, as configured in the authentication.json file, include a number of properties. The tables below list each property name as it appears in the file, the label under which it appears in the Admin UI, and what it controls.

Session Module

| Authentication Property | Property as Listed in the Admin UI | Description |
|---|---|---|
| keyAlias | (not shown) | Used by the Jetty web server to service SSL requests. |
| maxTokenLifeMinutes | Max Token Life (in seconds) | Maximum time before a session is cancelled. Note the different units: the property is in minutes, the UI field is in seconds. |
| tokenIdleTimeMinutes | Token Idle Time (in seconds) | Maximum time before an idle session is cancelled. Note the different units: the property is in minutes, the UI field is in seconds. |
| sessionOnly | Session Only | Whether the session continues after browser restarts. |

Static User Module

| Authentication Property | Property as Listed in the Admin UI | Description |
|---|---|---|
| enabled | Module Enabled | Does IDM use the module? |
| queryOnResource | Query on Resource | Endpoint to query; hard-coded to the user anonymous. |
| username | Static User Name | Default for the static user: anonymous. |
| password | Static User Password | Default for the static user: anonymous. |
| defaultUserRoles | Static User Role | Normally set to openidm-reg for self-registration. |

The following table applies to several authentication modules:

  • Managed User

  • Internal User

  • Client Cert

  • Passthrough

  • IWA

The IWA module includes several Kerberos-related properties listed at the end of the table.

Common Module Properties

| Authentication Property | Property as Listed in the Admin UI | Description |
|---|---|---|
| enabled | Module Enabled | Does IDM use the module? |
| queryOnResource | Query on Resource | Endpoint to query. |
| queryId | Use Query ID | A defined queryId searches against the queryOnResource endpoint. An undefined queryId searches against queryOnResource with action=reauthenticate. |
| defaultUserRoles | Default User Roles | Normally blank for managed users. |
| authenticationId | Authentication ID | Defines how the account identifier is derived from the queryOnResource endpoint. |
| userCredential | User Credential | Defines how account credentials are derived from the queryOnResource endpoint; if required, typically password or userPassword. |
| userRoles | User Roles | Defines how account roles are derived from the queryOnResource endpoint. |
| groupMembership | Group Membership | Provides more information for calculated roles. |
| groupRoleMapping | Group Role Mapping | Provides more information for calculated roles. |
| groupComparisonMethod | Group Comparison Method | Provides more information for calculated roles. |
| augmentSecurityContext | Augment Security Context | Includes a script that is executed only after a successful authentication request. For more information on this property, see Authenticate as a different user. |
| servicePrincipal | Kerberos Service Principal | (IWA only) For more information, see IWA. |
| keytabFileName | Keytab File Name | (IWA only) For more information, see IWA. |
| kerberosRealm | Kerberos Realm | (IWA only) For more information, see IWA. |
| kerberosServerName | Kerberos Server Name | (IWA only) For more information, see IWA. |
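The following script is an added example, not part of the IDM documentation or product: it reads an authentication.json and reports the points the session, static user and common tables above call out (the minutes-versus-seconds mismatch between the file and the Admin UI, an idle timeout that can never fire, a static user granted roles beyond openidm-reg, and modules that fall back to action=reauthenticate because queryId is undefined). The serverAuthContext / sessionModule / authModules nesting and the sample values are assumptions taken from IDM's usual file layout, not from this page.

```python
"""Lint an IDM authentication.json for the caveats listed in the property tables.
The nesting below (serverAuthContext -> sessionModule / authModules) is assumed."""
import json

# Constructed sample; values are illustrative, not a recommended configuration.
SAMPLE_AUTH_JSON = """{
  "serverAuthContext": {
    "sessionModule": {
      "name": "JWT_SESSION",
      "properties": {"keyAlias": "openidm-localhost",
                     "maxTokenLifeMinutes": 120,
                     "tokenIdleTimeMinutes": 180,
                     "sessionOnly": true}
    },
    "authModules": [
      {"name": "STATIC_USER", "enabled": true,
       "properties": {"queryOnResource": "repo/internal/user",
                      "username": "anonymous", "password": "anonymous",
                      "defaultUserRoles": ["openidm-reg", "openidm-admin"]}},
      {"name": "MANAGED_USER", "enabled": true,
       "properties": {"queryOnResource": "managed/user",
                      "defaultUserRoles": []}}
    ]
  }
}"""

def lint_auth_config(text):
    """Return a list of findings; the first entry always restates the timeouts."""
    ctx = json.loads(text)["serverAuthContext"]
    sess = ctx["sessionModule"]["properties"]
    life, idle = sess["maxTokenLifeMinutes"], sess["tokenIdleTimeMinutes"]
    # The file stores minutes; the Admin UI shows the same fields in seconds.
    out = [f"session: max life {life} min ({life * 60} s in UI), "
           f"idle {idle} min ({idle * 60} s in UI)"]
    if idle >= life:
        out.append("WARN: tokenIdleTimeMinutes >= maxTokenLifeMinutes; "
                   "the idle timeout can never trigger before the session ends")
    for mod in ctx.get("authModules", []):
        if not mod.get("enabled", False):
            continue  # disabled modules are not consulted by IDM
        props, name = mod.get("properties", {}), mod["name"]
        if name == "STATIC_USER":
            extra = sorted(set(props.get("defaultUserRoles", [])) - {"openidm-reg"})
            if extra:
                out.append(f"WARN: STATIC_USER grants roles beyond openidm-reg: {extra}")
        elif props.get("queryId") is None:
            out.append(f"INFO: {name} has no queryId; authentication uses "
                       f"action=reauthenticate on {props.get('queryOnResource')}")
    return out
```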