Username Password Identity Authenticator

Note: this component stores cluster-wide configuration data and is mirrored across all servers in the topology within the same cluster.

Note: changes to cluster-wide configuration objects are immediately and automatically mirrored across all servers within the same cluster, so offline changes are not supported.

The Username Password Identity Authenticator may be used to authenticate an end-user with a username and password using an LDAP BIND operation.

This Username Password Identity Authenticator first searches for an end-user account using the configured match-filter and then performs an LDAP BIND operation to validate the password. The configured SCIM Resource Type must use an LDAP Store Adapter as the primary Store Adapter in order to use this authenticator.

Parent Component

The Username Password Identity Authenticator component inherits from the Identity Authenticator.

Relations from This Component

The following components have a direct aggregation relation from Username Password Identity Authenticators:

Properties

The properties supported by this managed object are as follows:


Basic Properties:
     description
     authentication-method-reference
     schema-urn
     match-filter
     match-pattern
     username-recovery-account-flow-handler
     password-recovery-account-flow-handler

Advanced Properties:
     None

Basic Properties

description

Description
A description for this Identity Authenticator
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

authentication-method-reference

Description
Specifies identifiers of the authentication methods provided by this Username Password Identity Authenticator. Each value is exposed in the "amr" (authentication method reference) claim in an ID token, and also the "lastLoginMethods" and "lastSecondFactorMethods" properties of a user session SCIM sub-resource.
Default Value
pwd
Allowed Values
A string
Multi-Valued
Yes
Required
No
Admin Action Required
None. Modification requires no further action

schema-urn (Read-Only)

Description
The URN which identifies the SCIM extension schema that should contain attributes intended for this Username Password Identity Authenticator in authentication request and response messages.
Default Value
urn:pingidentity:scim:api:messages:2.0:UsernamePasswordAuthenticationRequest
Allowed Values
A URN begins with 'urn:', is followed by a namespace component that is no more than 32 alpha-numeric characters long, which is followed by one or more colon-delimited identifiers consisting of legal URN characters (letters, digits, and characters in '()+,-.:=@;$_!*'). For example, a URN in the 'acme' namespace might be "urn:acme:identity:User.name".
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

match-filter

Description
Specifies the SCIM search filter that should be used when performing searches to map the provided username to a user resource. The filter pattern may include a string from a capturing group matched by the match pattern by using a dollar sign ($) followed by an integer value that indicates which capturing group should be used. Capture group 0 refers to the entire username that matched. For example, the match-filter "userName eq $1 and organization eq $2" with a match-pattern of ^(.*)@(.*)$ will substitute $1 and $2 with the portions before and after the '@' symbol in the username respectively.
Default Value
userName eq "$0"
Allowed Values
A string
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

match-pattern

Description
Specifies the regular expression pattern that is used to identify portions of the username that will be replaced. Any portion of the username that matches this pattern is replaced in accordance with the provided match-filter replace pattern. If multiple substrings within the given username match this pattern, all occurrences are replaced. If no part of the given username matches this pattern, the match-filter is not altered. It must be a valid regular expression as described in the API documentation for the java.util.regex.Pattern class, including support for capturing groups. For example, a match-pattern of ^(.*)@(.*)$ will match an e-mail address username. The match-filter "userName eq $1 and organization eq $2" may then be used to substitute $1 and $2 with the portions before and after the '@' symbol in the username respectively.
Default Value
^.*$
Allowed Values
Any valid regular expression pattern which is supported by the java.util.regex.Pattern class (see http://docs.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html for documentation about this class for Java SE 6).
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action
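
The substitution described for match-filter and match-pattern, previewed in Java as an added example (not part of the product documentation or the product's code). It assumes the "$n" replacement behaves like java.util.regex.Matcher.replaceAll; the class name MatchFilterPreview, the preview method and the sample usernames are constructed for illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not product code. Assumption: the documented "$n"
// substitution behaves like java.util.regex.Matcher.replaceAll().
public class MatchFilterPreview {

    // Returns the filter text the documented substitution would produce.
    static String preview(String matchPattern, String matchFilter, String username) {
        Matcher m = Pattern.compile(matchPattern).matcher(username);
        if (!m.find()) {
            // Documented: if nothing matches, the match-filter is not altered.
            return matchFilter;
        }
        // Documented: each matching portion of the username is replaced by the
        // match-filter, with $0 = whole match and $1, $2, ... = capturing groups.
        // replaceAll() resets the matcher itself before scanning.
        return m.replaceAll(matchFilter);
    }

    public static void main(String[] args) {
        String defaultPattern = "^.*$";                   // default from the page
        String defaultFilter = "userName eq \"$0\"";      // default from the page
        String mailPattern = "^(.*)@(.*)$";               // example from the page
        String mailFilter = "userName eq $1 and organization eq $2";

        // {match-pattern, match-filter, username}; usernames are constructed samples.
        String[][] cases = {
            {defaultPattern, defaultFilter, "jdoe"},
            {mailPattern, mailFilter, "jdoe@example.com"},
            // No '@': nothing matches, so $1 and $2 stay in the filter as literals.
            {mailPattern, mailFilter, "jdoe"},
            // Two '@': the first (.*) is greedy, so the split is at the last '@'.
            {mailPattern, mailFilter, "j@doe@example.com"},
            // Unanchored pattern: each run of non-'@' characters is replaced
            // separately and the '@' between them is carried into the result.
            {"[^@]+", defaultFilter, "jdoe@example.com"},
        };
        for (String[] c : cases) {
            System.out.printf("%-12s %-20s -> %s%n", c[0], c[2], preview(c[0], c[1], c[2]));
        }
    }
}
```

Under that assumption, keeping ^ and $ in match-pattern ensures the filter is built once from the whole username rather than once per matching fragment.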

username-recovery-account-flow-handler

Description
The account flow handler that should be used to recover the end-user account's username. A link to initiate the account flow handler will be included as part of the response parameters.
Default Value
A link to initiate the account flow handler will not be included as part of the response parameters.
Allowed Values
The DN of any Account Flow Handler. The associated account flow handler must be enabled.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

password-recovery-account-flow-handler

Description
The account flow handler that should be used to recover the end-user account's password. A link to initiate the account flow handler will be included as part of the response parameters.
Default Value
A link to initiate the account flow handler will not be included as part of the response parameters.
Allowed Values
The DN of any Account Flow Handler. The associated account flow handler must be enabled.
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action


dsconfig Usage

To list the configured Identity Authenticators:

dsconfig list-identity-authenticators
     [--property {propertyName}] ...

To view the configuration for an existing Identity Authenticator:

dsconfig get-identity-authenticator-prop
     --authenticator-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Identity Authenticator:

dsconfig set-identity-authenticator-prop
     --authenticator-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Username Password Identity Authenticator:

dsconfig create-identity-authenticator
     --authenticator-name {name}
     --type username-password
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Identity Authenticator:

dsconfig delete-identity-authenticator
     --authenticator-name {name}