Access Manager includes a class that can be configured to accept any combination of name/password, X.509, or RADIUS credentials. When this class executes as part of a contract, users can select and enter their preferred type of credential.
For example, if a name/password credential is ORed with an X.509 credential, the user can choose either to use a certificate or to enter a name and password. This configuration assumes that you, as the administrator, have decided that both credentials are equally secure for the resource the contract protects.
To create an ORed credential class:
1. In the Administration Console, click > > > > .
2. Click , then fill in the following fields:
   Display name: Specify a name for the class.
   Java class: Select NPOrRadiusOrX509Class.
3. Click , then select the types of classes you want to OR. You must select at least one of the following:
   Use Name/Password: Select this option if you want the PasswordClass to be one of the authentication options available to the user.
   Use Radius: Select this option if you want the RadiusClass to be one of the authentication options available to the user.
   Use X509: Select this option if you want the X509Class to be one of the authentication options available to the user.
4. (Conditional) If you want to use the protected version of the PasswordClass or RadiusClass, select the option.
5. (Conditional) If you selected the option, configure the properties:
   a. In the section, click .
   b. Specify a property name and property value.
      For information about the properties that the PasswordClass and the ProtectedPasswordClass support, see Section 3.2.2, Specifying Common Class Properties.
   c. Click .
   d. Repeat Step 5.a through Step 5.c to add more than one property.
6. Click .
7. (Conditional) If you selected the option, configure the Radius properties.
   For information about the configuration options, see Section 4.1, Configuring for RADIUS Authentication.
8. (Conditional) If you selected the option, configure how the certificate is validated.
   For information about the configuration options, see Section 4.2, Configuring Mutual SSL (X.509) Authentication.
9. Click .
10. (Conditional) If you selected the option, configure the attribute mappings.
    For information about the configuration options, see Section 4.2, Configuring Mutual SSL (X.509) Authentication.
11. Click .
12. Click .
13. Continue with creating a method and a contract for this class.
    For configuration information, see Section 3.3, Configuring Authentication Methods and Section 3.4, Configuring Authentication Contracts.
If the contract allows the user to select from the three types of credentials, the login page looks similar to the following:
The Radius class prompts the user for a token instead of a password. The user can use the drop-down menu to select between the password and the token. If the user chooses to send a certificate, the username and password/token options become unavailable.