Back Forward Authentication Service form
Completing the Service tab

  1. About 
  2. New 
  3. Service 
  4. SAML 2.0
  5. Mapping 
  6. Custom 
  7. History 
  8. More... 

Note: This tab only appears for custom authentication services.

Complete the Service tab to specify authentication and timeout activities that override the default authentication process, and, if using LDAP, to store the connection information for the LDAP directory server. The standard LDAP authentication and timeout activities use information in the JNDI Binding Parameters and Search Parameters sections to bind to and then search the directory server.

Field

Description

Authentication Activity

SmartPrompt Enter or select the name of the authentication activity. The selection list shows all the activities that apply to the Code-Security class rule. See More about Authentication Services for requirements for such activities.

Timeout Activity

SmartPrompt Enter or select the Activity Name of the timeout activity. The selection list shows all activities that apply to the Code-Security class.

Field

Description

Initial Context Factory

Enter the fully qualified Java class name of the JNDI initial context factory to use to connect to the directory server. For example: com.sun.jndi.ldap.LdapCtxFactory

Directory

You can enter either an explicit URL or a JNDI entry, which represents a directory located on the LDAP server. This approach enables you to relocate servers without having to reconfigure the application. The JNDI syntax is dependent upon the server environment.

Using an explicit URL:

Enter the URL of the LDAP provider as follows: ldap[s]://[servername]:[portnumber]. For example:

ldap://serverX:384 or ldaps://serverX:636

Using a JNDI entry:

  • WebSphere — Enter the name used for the JNDI lookup. This value matches the value entered as the Provider URL in the authentication server instance. For example, enter pega/ldapURL. To define the JNDI entry do the following:

    — Use the WebSphere administrative console and navigate to Environment > Naming > Name Space Bindings.
    — Specify the binding identifier; for example, pega
    — Specify the name in name space. This value matches the value entered as the Directory in the authentication service instance; for example pega/ldapURL
    — Specify the String Value, the actual URL of the directory; for example, ldap://serverx:384
  • Tomcat — Enter the full JNDI reference that corresponds to the environment entry specified in the deployment descriptor and the prefix java:com/env. For example enter java:comp/env/pega/ldapURL. Here is an example of an environment entry:

    <env-entry>
    <description><![CDATA[Generic LDAP URL entry]]> </description>
    <env-entry-name>pega/ldapURL</env-entry-name>
    <env-entry-value>ldap://serverX:384</env-entry-value>
    <env-entry-type>java.lang.String</env-entry-type>
    </env-entry>
Bind Distinguished Name

Enter the name of a bind user who is allowed to search the directory tree for the credentials of a user who is attempting to log in. The standard LDAP authentication activities authenticate PRPC with the directory server as this user so it can then search the directory for users.

Bind Password

Enter the password of the bind user.

  Test Connectivity 

After you save the form, click to test connectivity to the server. Results appear in a new window.

Field

Description

Directory Context

Specify the directory context that defines the branch in the Directory Information Tree (DIT) that holds information about the users who can be authenticated by this authentication server. For example:

ou=people, dc=yourco, dc=com
Search Filter

Enter an expression to use to find and validate the user's distinguished name (DN). For example, perhaps your directory holds an attribute that identifies a user as a PRPC user. If so, specify that attribute as the search filter. Or, set it to (cn=%V) where %V is the user ID entered by the person who is logging in.

To ensure maximum security, during sign-on PRPC scans the characters in userID and password input and deletes any characters (such as asterisk, equals sign, or vertical stroke) that are not allowed by the LDAP specification before calling the LDAP server. These characters are removed without notifying the user or rejecting the request. No log messages or error messages appear.

Review the LDAP specification for search filter expression syntax.

User Name Attribute

Leave blank in data instances you create. This field provides backward compatibility with a LDAP integration feature provided in Version 4, referred to as "version 4 LDAP."

Up About Authentication Services