Authenticating IAG sessions
Applies To: Intelligent Application Gateway (IAG)
This topic describes how to modify authentication requirements for client endpoint sessions to a Whale Communications Intelligent Application Gateway (IAG) 2007 site.
IAG controls access to published applications and networks by checking users against an authentication database and by opening a session only for users who authenticate successfully. Each authentication is only valid for one session. IAG forces periodic reauthentication by applying a logoff scheme. After a predetermined time, users must reenter credentials to continue working. Otherwise the session is terminated.
Authenticating a portal session
Authenticate portal sessions as follows:
To authenticate a portal session
In the IAG Configuration console, click the portal node.
Next to Advanced Trunk Configuration, click Configure.
In the Advanced Trunk Configuration dialog box, click the Authentication tab.
Click Authenticate User on Session Login to specify that only authenticated users can access the portal.
In Select Authentication Servers, click Add to add a new server that will be used to authenticate users connecting to the portal. Click Remove to remove an existing authentication server.
Select User Selects From a List of Servers to specify that users connecting to the portal should be prompted to select the server against which they will authenticate. If only one server appears in the authentication servers list, no prompt is displayed. Select Show Server Names to allow users to select a server from a drop-down list instead of requiring them to specify the server name.
Select Users Must Provide Credentials for Each Selected Server to specify that at logon, users are prompted to authenticate against all servers specified in the authentication servers list. The first server on the list is used as the lead server. After a scheduled logoff, users are only requested to authenticate against this lead server. In addition, if you use endpoint certification and the option Verify User Name Against Certificate is enabled, the user name on the lead server is verified against the certificate. Select Use the Same User Name to specify that users are prompted to enter one user name that is used for authentication against all selected servers. If this option is not enabled, users are prompted to enter a user name for each server.
Select Enable Users to Add Credentials On-the-Fly to specify that users can add credentials in cases where access to a published application with a user's current credentials is denied. If this option is not enabled, only applications for which the user has "Allow" access are displayed in the portal. With this option enabled, applications with "Allow" or "View" authorization are displayed, and users attempting to access "View" applications have the option of entering credentials to gain access.
Select Enable Users to Change Their Passwords to specify that users can change their password on demand or on expiry. This enables users who cannot logon because of an expired password to renew the password and thus logon successfully. Users can initiate a password change using the credentials management option in the portal. This option is only available when authenticating users against the following servers: Windows NT domain, Active Directory Domain Services, Netscape Lightweight Directory Access Protocol, Notes Directory, and Novell Directory.
For Active Directory, Netscape LDAP Server, Notes Directory, and Novell Directory servers, it is recommended that this option is checked only when the following conditions prevail:
IAG server is part of a domain
End users are domain users
The IAG domain trusts the user domain
Credentials specified for access to authentication servers should allow passwords to be changed. In addition, the authentication server itself should allow password changes. For example when authenticating against a Notes Directory server, you should configure the Notes server to allow password changes, and LDAP users should have write access.
For NT Domain and Active Directory authentication servers only, do the following to enable the change password feature: On the IAG server run the following file: \Whale-Com\e-Gap\common\bin\fa-allow-nt4shares.bat.
In Notify User <number_days> Days Prior to Expiration specify when users should be notified that there password is due to expire. This option is available only if Enable Users to Change Their Passwords is enabled.
Select Enable Users to Manage Their Credentials to add an option to the portal homepage that allows users to add authentication credentials or to change a password.
In order to allow users to change a password using the credentials management option in the portal page, the setting Enable Users to Change Their Passwords must be enabled on the Authentication tab of the portal properties.
Select Enable Users to Select Language to define language options for end-user Web pages, including text that appears in pop-ups and messages. With this option enabled, a drop-down list is displayed on the logon page in order to allow users to select a language, which is then used for all client endpoint sessions with the IAG server, until the user changes the language settings again. When this option is disabled, the client endpoint browser language is used if available. Otherwise, English is used. For more information about language support, see Customizing IAG language support.
In Login Page, specify the URL of the logon page with which IAG replies to client endpoints requesting access. IAG provides a default logon page. For more information about customizing logon pages, see Customizing IAG user authentication pages.
In On-the-Fly Login Page, specify the URL of the logon page that is presented to users when they are required to logon in for additional access, following the initial logon. By default this page is the same as the default logon page. For information about customizing this logon page, see Customizing IAG user authentication pages.
In Permitted Authentication Attempts, specify the number of consecutive times that a user can attempt to logon before failing. This setting also affects the number of times that users can attempt to change a password if this behavior is enabled. This does not include attempts that fail because a proposed password does not comply with corporate policy.
In Block Period, specify the period in minutes during which users are blocked from accessing the site because they failed to logon or change a password.
Select Logoff Scheme to enable a logoff scheme for the site. In Logoff URL, specify the URL of the logoff page that serves as a trigger for termination of the session. You can define the logoff URL on any internal application with a logoff mechanism.
In Logoff Message, specify a URL containing the message that will be sent to the client endpoint browser when the logoff scheme is activated.
Note
If you enable the option Send Logoff Response to Browser, the application server's response to the logoff request is sent to the browser and not the message defined in Logoff Message.
In WaitnumberSec After Logoff URL to terminate session, specify how long the IAG server waits after logoff is initiated to close the session.
In Pass the Logoff to the Application Server, specify that the logoff request should be forwarded to the application server defined in Logoff URL. In this case, the application is also closed. If this option is not selected, after logoff is initiated and until the session is closed, no requests are forwarded to the application server.
In Send Logoff Request to Browser, the application server response to the logoff request is forwarded to the requesting browser, instead of the message defined in Logoff Message. This option is only relevant if Pass the Logoff to the Application Server is enabled.