Authentication Service
Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the the same cluster.
Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.
The Authentication Service manages authenticators and user sessions.
↓Relations from This Component
↓Properties
↓dsconfig Usage
Relations from This Component
The following components have a direct aggregation relation from Authentication Services:
Properties
The properties supported by this managed object are as follows:
Basic Properties
login-authentication-chain
Description
| Specifies authentication chain to use for login.
|
Default Value
| Login is disabled.
|
Allowed Values
| The DN of any Authentication Chain.
|
Multi-Valued
| No
|
Required
| No
|
Admin Action Required
| None. Modification requires no further action
|
second-factor-authentication-chain
Description
| Specifies the authentication chain to use for second-factor login.
|
Default Value
| Second-factor is disabled.
|
Allowed Values
| The DN of any Authentication Chain.
|
Multi-Valued
| No
|
Required
| No
|
Admin Action Required
| None. Modification requires no further action
|
cookie-domain
Description
| The host domain for which session cookies are valid.
|
Default Value
| If undefined defaults to the Data Governance Broker host.
|
Allowed Values
| A string
|
Multi-Valued
| No
|
Required
| No
|
Admin Action Required
| None. Modification requires no further action
|
cookie-path
Description
| The URI path for which session cookies are valid.
|
Default Value
| /
|
Allowed Values
| A string
|
Multi-Valued
| No
|
Required
| No
|
Admin Action Required
| None. Modification requires no further action
|
cookie-max-age
Description
| The maximum lifetime of a session cookie.
|
Default Value
| 520 w
|
Allowed Values
| A duration. Lower limit is 0 seconds. Upper limit is 2147483647 seconds.
|
Multi-Valued
| No
|
Required
| No
|
Admin Action Required
| None. Modification requires no further action
|
max-concurrent-sessions
Description
| The maximum number of concurrent sessions allowed for a user.
|
Default Value
| 5
|
Allowed Values
| An integer value. Lower limit is 0.
|
Multi-Valued
| No
|
Required
| No
|
Admin Action Required
| None. Modification requires no further action
|
flow-inactivity-timeout
Description
| Specifies the maximum amount of time to keep an inactive flow alive. A flow is a multi-step request that conditionally prompts the user for additional information to complete. For example, the OpenID Connect authorization flows may require the user to login or consent before the granting the token. If more than the specified time interval passes with no activity, the flow is aborted with an error.
|
Default Value
| 15 m
|
Allowed Values
| A duration. Lower limit is 1 seconds.
|
Multi-Valued
| No
|
Required
| No
|
Admin Action Required
| None. Modification requires no further action
|
identity-scim-resource-type
Description
| The SCIM Resource Type containing the credentials and attributes of identities that may be authenticated by the Data Governance Broker. The Data Governance Broker will perform authentication against this SCIM Resource Type using the credentials provided through the login UIs and REST APIs. Attributes of the authenticated identity may be retrieved and provided to applications via the SCIM /Me endpoint and/or OpenID Connect claims. If required, the Data Governance Broker may also capture consent from the authenticated identity as part of the authorization flow. Lastly, account management, password management, consent management, external identity provider login/linking, and self-registration will also be performed against identities in this SCIM Resource Type. The SCIM Resource Type must be configured with a primary LDAP store adapter connected to a Ping Identity Directory Server or a Ping Identity Directory Proxy Server.
|
Default Value
| Authentication, authorization, and identity provider services will be unavailable
|
Allowed Values
| The DN of any SCIM Resource Type. The associated SCIM Resource Type must exist and must be enabled.
|
Multi-Valued
| No
|
Required
| No
|
Admin Action Required
| Ensure the mapped SCIM Resource Type attributes in the self-registration form template, OpenID Connect claim mappings, and external identity provider attribute mappings correctly reference attributes from the SCIM Resource Type schema(s).
|
session-resource-attribute
Description
| The attributes of the identity resource the Authentication Service will expose to the client when there is a valid user session. The client may use this to provide a personalized greeting when prompting the user to perform login again or second factor flows. Examples of valid attribute paths are: - 'name' - The 'name' attribute at the top level of the SCIM Resource Type resource.
- 'urn:extension:organization' - The 'organization' attribute of a schema extension with URN 'urn:extension'.
- 'addresses[type eq "preferred"].postalCode' - The postalCode sub-attribute of the address where the sub-attribute type equals 'preferred'. Only the equality filter on the type sub-attribute is supported as the value filter.
|
Default Value
| No session identity resource attributes will be exposed to the client.
|
Allowed Values
| A string
|
Multi-Valued
| Yes
|
Required
| No
|
Admin Action Required
| None. Modification requires no further action
|
Advanced Properties
broker-ui-url (Advanced Property)
Description
| The root URL of the Data Governance Broker Authentication User Interface component. May be either an absolute or relative URL.
|
Default Value
| /auth-ui
|
Allowed Values
| A string
|
Multi-Valued
| No
|
Required
| Yes
|
Admin Action Required
| None. Modification requires no further action
|
dsconfig Usage
To view the Authentication Service configuration:
dsconfig get-authentication-service-prop
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the Authentication Service configuration:
dsconfig set-authentication-service-prop
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...