PingOne Advanced Identity Cloud

Core authentication attributes

Each realm has a set of properties that applies to all authentication performed to that realm. These properties are the core authentication attributes of the realm.

To edit a realm’s authentication configuration, go to Native Consoles > Access Management > Realms > Realm Name > Authentication > Settings.

Core

The following properties are available under the Core tab:

Administrator Authentication Configuration

The default authentication journey used when an administrative user authenticates.

Organization Authentication Configuration

The default authentication journey used when a non-administrative user authenticates.

amster attribute: orgConfig

User Profile

The following properties are available under the User Profile tab:

User Profile

Whether a user profile needs to exist in the user data store, or should be created on successful authentication. The possible values are:

true. Dynamic.

After successful authentication, PingOne Advanced Identity Cloud creates a user profile if one does not already exist. PingOne Advanced Identity Cloud then issues the SSO token. PingOne Advanced Identity Cloud creates the user profile in the user data store configured for the realm.

createAlias. Dynamic with User Alias.

After successful authentication, PingOne Advanced Identity Cloud creates a user profile that contains the User Alias List attribute, which defines one or more aliases for mapping a user’s multiple profiles.

ignore. Ignored.

After successful authentication, PingOne Advanced Identity Cloud issues an SSO token regardless of whether a user profile exists in the data store. The presence of a user profile is not checked.

Any functionality which needs to map values to profile attributes, such as SAML or OAuth 2.0, will not operate correctly if the User Profile property is set to ignore.

false. Required.

After successful authentication, the user must have a user profile in the user data store configured for the realm in order for PingOne Advanced Identity Cloud to issue an SSO token.

User Profile Dynamic Creation Default Roles

This property does not apply to Advanced Identity Cloud.

Alias Search Attribute Name

After a user is successfully authenticated, the user’s profile is retrieved. PingOne Advanced Identity Cloud first searches for the user based on the data store settings. If that fails to find the user, PingOne Advanced Identity Cloud uses the attributes listed here to look up the user profile. This setting accepts any data store specific attribute name.

amster attribute: aliasAttributeName

Account Lockout

The following properties are available under the Account Lockout tab:

Login Failure Lockout Mode

When enabled, PingOne Advanced Identity Cloud deactivates the LDAP attribute defined in the Lockout Attribute Name property in the user’s profile upon login failure. This attribute works in conjunction with the other account lockout and notification attributes.

amster attribute: loginFailureLockoutMode

Login Failure Lockout Count

The number of attempts a user has to authenticate within the time interval defined in Login Failure Lockout Interval before being locked out.

amster attribute: loginFailureCount

Login Failure Lockout Interval

The time in minutes during which failed login attempts are counted. If one failed login attempt is followed by a second failed attempt within this defined lockout interval time, the lockout count starts, and the user is locked out if the number of attempts reaches the number defined by the Login Failure Lockout Count property. If an attempt within the defined lockout interval time proves successful before the number of attempts reaches the number defined by the Login Failure Lockout Count property, the lockout count is reset.

amster attribute: loginFailureDuration

Email Address to Send Lockout Notification

One or more email addresses to which notification is sent if a user lockout occurs.

Separate multiple addresses with spaces, and append |locale|charset to addresses for recipients in non-English locales.

amster attribute: lockoutEmailAddress

Warn User After N Failures

The number of authentication failures after which PingOne Advanced Identity Cloud displays a warning message that the user will be locked out.

Login Failure Lockout Duration

Defines how many minutes a user must wait after a lockout before attempting to authenticate again. Entering a value greater than 0 enables memory lockout and disables physical lockout. Memory lockout means the user’s account is locked in memory for the number of minutes specified. The account is unlocked after the time period has passed.

amster attribute: lockoutDuration

Lockout Duration Multiplier

Defines a value by which to multiply the value of the Login Failure Lockout Duration attribute for each successive lockout. For example, if Login Failure Lockout Duration is set to 3 minutes, and the Lockout Duration Multiplier is set to 2, the user is locked out of the account for 6 minutes. After the 6 minutes have elapsed, if the user again provides the wrong credentials, the lockout duration is then 12 minutes. With the Lockout Duration Multiplier, the lockout duration is incrementally increased based on the number of times the user has been locked out.

amster attribute: lockoutDurationMultiplier

Lockout Attribute Name

The LDAP attribute used for physical lockout. The default attribute is inetuserstatus, although the field is empty in the UI. The Lockout Attribute Value field must also contain an appropriate value.

amster attribute: lockoutAttributeName

Lockout Attribute Value

The action to take on the attribute defined in Lockout Attribute Name. The default value is inactive, although the field is empty in the UI. The Lockout Attribute Name field must also contain an appropriate value.

amster attribute: lockoutAttributeValue

Invalid Attempts Data Attribute Name

The LDAP attribute used to hold the number of failed authentication attempts towards Login Failure Lockout Count. Although the field appears empty in the UI, PingOne Advanced Identity Cloud stores this data in the sunAMAuthInvalidAttemptsDataAttrName attribute defined in the sunAMAuthAccountLockout objectclass by default.

amster attribute: invalidAttemptsDataAttributeName

Store Invalid Attempts in Data Store

When enabled, PingOne Advanced Identity Cloud stores the information regarding failed authentication attempts as the value of the Invalid Attempts Data Attribute Name in the user data store. Information stored includes number of invalid attempts, time of last failed attempt, lockout time and lockout duration.

amster attribute: storeInvalidAttemptsInDataStore
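The following Python model is an added example, not code from the product. It applies the Login Failure Lockout Count, Login Failure Lockout Duration and Lockout Duration Multiplier rules described above to estimate how many failed logins one account can absorb in a day, which is the figure to compare when tuning these settings. It assumes every lockout requires a fresh run of failures equal to the lockout count, submitted as soon as the account unlocks; the function names are hypothetical.

```python
"""Added example: model of the memory lockout settings described above."""


def lockout_minutes(duration: int, multiplier: int, nth_lockout: int) -> int:
    """Length of the nth successive lockout, in minutes.

    Follows the page's example: duration 3 and multiplier 2 give
    6 minutes for the first lockout and 12 minutes for the second.
    """
    if duration <= 0:
        raise ValueError("memory lockout needs a lockout duration greater than 0")
    if multiplier < 1 or nth_lockout < 1:
        raise ValueError("multiplier and nth_lockout must be at least 1")
    return duration * multiplier ** nth_lockout


def guess_budget(count: int, duration: int, multiplier: int,
                 window_minutes: int = 1440):
    """Upper bound on failed logins against one account inside the window.

    Assumption (not stated on the page): each lockout needs `count` new
    failures, all sent the moment the previous lockout expires and inside
    the Login Failure Lockout Interval. Returns (guesses, schedule), where
    schedule lists (start_minute, lockout_length) for every lockout.
    """
    if count < 1:
        raise ValueError("lockout count must be at least 1")
    clock, guesses, schedule = 0, 0, []
    while clock < window_minutes:
        guesses += count                      # the count-th failure locks the account
        length = lockout_minutes(duration, multiplier, len(schedule) + 1)
        schedule.append((clock, length))
        clock += length                       # nothing is accepted until the lock expires
    return guesses, schedule


if __name__ == "__main__":
    # Constructed settings: 5 failures per lockout, 3-minute base duration.
    for mult in (1, 2):
        total, sched = guess_budget(count=5, duration=3, multiplier=mult)
        print(f"multiplier={mult}: {total} guesses/day, {len(sched)} lockouts, "
              f"last lockout {sched[-1][1]} min")
```

With these constructed settings, a multiplier of 1 leaves a fixed 3-minute lockout, while a multiplier of 2 doubles the wait after every lockout and cuts the daily total sharply.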

General

The following properties are available under the General tab:

Default Authentication Locale

The default language subtype to be used by the Authentication Service. The default value is en_US.

amster attribute: locale

Identity Types

This property does not apply to Advanced Identity Cloud.

Pluggable User Status Event Classes

This property does not apply to Advanced Identity Cloud.


Use Client-Side Sessions

When enabled, PingOne Advanced Identity Cloud assigns client-side sessions to users authenticating to this realm. Otherwise, PingOne Advanced Identity Cloud users authenticating to this realm are assigned server-side sessions.

amster attribute: statelessSessionsEnabled

External Login Page URL

The URL of the external login user interface, if the authentication user interface is hosted separately from PingOne Advanced Identity Cloud.

When set, PingOne Advanced Identity Cloud uses the provided URL as the base of the resume URI, rather than using the Base URL Source Service to obtain the base URL. PingOne Advanced Identity Cloud uses this URL when constructing the resume URI if authentication is suspended in an authentication journey.

amster attribute: externalLoginPageUrl

Default Authentication Level

This property does not apply to Advanced Identity Cloud.

Trees

The following properties are available under the Trees tab:

Authentication session state management scheme

The location where PingOne Advanced Identity Cloud stores authentication sessions.

Possible values are:

  • CTS. PingOne Advanced Identity Cloud stores authentication sessions server-side, in the CTS token store.

  • JWT. PingOne Advanced Identity Cloud sends the authentication session to the client as a JWT.

  • In-Memory. PingOne Advanced Identity Cloud stores authentication sessions in its memory.

For more information on authentication session storage locations, and the requirements for each, see Introduction to sessions and cookies.

Default: JWT (new installations), In-Memory (after upgrade)

amster attribute: authenticationSessionsStateManagement

Max duration (minutes)

The maximum allowed duration of an authentication session, including any time spent in the suspended state, in minutes.

Values from 1 to 2147483647 are allowed.

Default: 5

amster attribute: authenticationSessionsMaxDuration

Suspended authentication duration (minutes)

The length of time an authentication session can be suspended, in minutes.

Suspending an authentication session allows time for out-of-band authentication methods, such as responding to emailed codes or performing an action on an additional device. The value must be less than or equal to the total time allowed for an authentication session, specified in the Max duration (minutes) property.

Values from 1 to 2147483647 are allowed.

Default: 5

Enable Allowlisting

When enabled, PingOne Advanced Identity Cloud allowlists authentication sessions to protect them against replay attacks.

Default: Disabled

amster attribute: authenticationSessionsWhitelist

Security

The following properties are available under the Security tab:

Module Based Authentication

This property doesn’t apply to Advanced Identity Cloud.

Persistent Cookie Encryption Certificate Alias

The key pair alias in the PingOne Advanced Identity Cloud keystore to use for encrypting persistent cookies.

This property is deprecated. Use the rotatable secret mapping am.authentication.nodes.persistentcookie.encryption instead.

If PingOne Advanced Identity Cloud finds a matching secret in the secret store for am.authentication.nodes.persistentcookie.encryption, this alias is ignored.

Learn more about mapping and rotating secrets in Use ESVs for signing and encryption keys.

Default: test

amster attribute: keyAlias

ssoadm attribute: iplanet-am-auth-key-alias

Zero Page Login

This property does not apply to Advanced Identity Cloud.

Zero Page Login Referer Allowlist

This property does not apply to Advanced Identity Cloud.

Zero Page Login Allowed Without Referer?

This property does not apply to Advanced Identity Cloud.

Add clear-site-data Header on Logout

This property does not apply to Advanced Identity Cloud.

Organization Authentication Signing Secret

Specifies a cryptographically secure, randomly generated HMAC shared secret for signing RESTful authentication requests. When users attempt to authenticate, PingOne Advanced Identity Cloud signs a JSON Web Token (JWT) containing this shared secret. The JWT contains the authentication session ID, realm, and authentication index type value, but does not contain the user’s credentials.

When modifying this value, ensure the new shared secret is Base-64 encoded and at least 128 bits in length.

amster attribute: sharedSecret
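One way to produce and pre-check a replacement value for Organization Authentication Signing Secret against the two requirements above (Base64 encoded, at least 128 bits) is sketched below. This is an added example, not product tooling; the function names and the 32-byte default are assumptions, and the sample values in the usage section are constructed.

```python
"""Added example: generate and validate a candidate signing secret."""
import base64
import binascii
import secrets

MIN_BITS = 128  # minimum secret length stated for this property


def new_shared_secret(num_bytes: int = 32) -> str:
    """Return a Base64-encoded secret drawn from the operating system CSPRNG."""
    if num_bytes * 8 < MIN_BITS:
        raise ValueError(f"secret must be at least {MIN_BITS} bits")
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def check_shared_secret(value: str) -> list:
    """Return the problems found in a candidate; an empty list means it passes."""
    problems = []
    if value != value.strip():
        problems.append("leading or trailing whitespace")
    try:
        # validate=True rejects characters outside the Base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["not valid Base64"]
    bits = len(raw) * 8
    if bits < MIN_BITS:
        problems.append(f"decoded length is {bits} bits, below {MIN_BITS}")
    if raw and len(set(raw)) == 1:
        problems.append("all bytes identical, not randomly generated")
    return problems


if __name__ == "__main__":
    candidates = {
        "generated": new_shared_secret(),
        "short (constructed)": "cGFzc3dvcmQ=",    # 8 bytes once decoded
        "plain text (constructed)": "not base64!!",
    }
    for label, candidate in candidates.items():
        print(label, "->", check_shared_secret(candidate) or "ok")
```

The length check is applied to the decoded bytes, not to the Base64 text, because a 16-character Base64 string decodes to only 96 bits.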

Post Authentication Processing

The following properties are available under the Post Authentication Processing tab:

Default Success Login URL

Accepts a list of values that specifies where users are directed after successful authentication. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the type HTML. The default value is /openam/console. A value that does not specify HTTP is appended to the deployment URI.

amster attribute: loginSuccessUrl

Default Failure Login URL

Accepts a list of values that specifies where users are directed after authentication has failed. The format of this attribute is client-type|URL, although the only value you can specify at this time is a URL, which assumes the type HTML. A value that does not specify HTTP is appended to the deployment URI.

amster attribute: loginFailureUrl

Authentication Post Processing Classes

This property does not apply to Advanced Identity Cloud.

Generate UserID Mode

This property does not apply to Advanced Identity Cloud.

Pluggable User Name Generator Class

This property does not apply to Advanced Identity Cloud.

User Attribute Mapping to Session Attribute

This property does not apply to Advanced Identity Cloud.

For authentication journeys, use the Scripted Decision node to retrieve user attributes and session properties, or the Set Session Properties node for session properties only.