Skip to main content

About the Authentication Options

Attributes That All Authentication Types Have in Common

All authentication types have the following attributes:

  • Name

  • Description

  • Roles – The base roles to which the authentication applies.

The attributes that are unique to each authentication type are explained in the following three subsections.

Attributes of the SAML Authentication Type

Note

In addition to the attributes described below, you can also set the default login display for a SAML authentication type after you configure it. For more information, see Default Login Display for SAML Authentication.

In addition to a name, description, and associated base roles, the SAML authentication type has the following attributes:

  • Provider Name – This is the name you want to be used for JICS when it communicates with the SAML identity provider. The default value is JICS. This value tells the identity provider where the request for information is coming from. [SamlSsoProviderName]

  • SSO Audience – This setting determines whether the audience sent to the SAML identity provider is the provider name or the recipient URL. [SamlSsoAudience]

  • Identity Provider Login URL – This is the URL JICS redirects the user to when they click Login in JICS. [SamlSsoLoginUrl]

  • Identity Provider Logout URL – This is the URL JICS redirects the user to when the user clicks Logout in JICS. This should log the user out of the SAML identity provider. [SamlSsoLogoutUrl]

  • Public Key File – This is the relative path to the key provided by the SAML identity provider. A copy must be stored locally on the web server for JICS to access. If your site uses multiple web servers in a web-balanced configuration, this key must be stored in the same place on each server. [SamlSsoCertFileLocation]

  • Protocol Binding – Enter the protocol binding that you want the SAML identity provider to use when it sends responses to JICS. Note that the protocol binding used to send requests to the identity provider from JICS is always HTTP-Redirect. [SamlSsoProtocolBinding]

  • NameID Format – Enter the nameid format to be sent to the SAML identity provider. [SamlSsoNameIdFormat]

  • Use Tag Prefixes – This setting determines whether XML tag prefixes will be used in the request sent to the SAML identity provider. [SamlSsoUseTagPrefixes]

  • Time Validation Delay – In some instances, synchronized servers may return time values in a Response that actually start after the current time (in the future), causing the "Token expired" error to mistakenly appear. To avoid this without having to falsely adjust the server time, an adjustment value can be optionally given to nudge the time used for token validation into the future so it falls into the response range.

  • Show Login Page Using iFrame or Redirect – When a user clicks the Login button, this parameter controls whether the Identity Provider's login page is shown in a modal dialog using an inline frame (iFrame) or by redirecting to the login page.

  • User Mapping – This setting defines which JICS user property will be matched with the user identifier received in the NameID element of the SAML Identity Provider response.

  • Metadata Link – SAML 2.0 metadata for the current service provider configuration is available from the following URL. If you change nameid format, provider name, or audience settings, the metadata will change with it.

Attributes of an LDAP Server

In addition to a name, description, and associated base roles, the LDAP authentication type has the following attributes for each server:

  • Priority – If multiple servers are defined for this authentication method, this setting will decide what will happen when the entered username and password are found/not found on this server. A “Sufficient” server will always pass full authentication when the username and password are found on that server. A “Required” server will always fail authentication when the username and password are not found on this server. Otherwise, authentication will succeed if the username and password are found on at least one “Optional” server.

  • URL – The complete address of the user store.

  • SearchBy – How the user will be located within the store: referenced directly by DN, or searching within a root location.

  • UserDN – The DN where the user should be found. The signifier %user% will be replaced by the username entered by the authenticating user.

Attributes of an Active Directory Server

In addition to a name, description, and associated base roles, the Active Directory authentication type has the following attributes for each server:

  • Priority – If multiple servers are defined for this authentication method, this setting will decide what will happen when the entered username and password are found/not found on this server. A “Sufficient” server will always pass full authentication when the username and password are found on that server. A “Required” server will always fail authentication when the username and password are not found on this server. Otherwise, authentication will succeed if the username and password are found on at least one “Optional” server.

  • URL – The complete address of the user store. This value should be LDAP://myADServer.school.edu (for example, LDAP://10.10.10.10).

  • Search Root – The DN of the root location where users are stored.

  • Search User – The username that will be used to log into the store.

  • Search Password – The password that will be used to log into the store.

  • Filter – An Active Directory filter to narrow down the scope of what objects can be found when searching for users to authenticate against.

  • Search on userPrincipalName – Whether to search for the user using the UPN field in Active Directory.

  • Search on sAMAccountName – Whether to search for the user using the sAMAccountName field in Active Directory.

  • Search on memberOf Group – The search will only look for members of the specified Group.