Authentication Contract Condition

The Authentication Contract condition matches the contract the user logged in with to the contract specified in this condition. Identity Server has the following default contracts:

Name                            URI
Name/Password - Basic           basic/name/password/uri
Name/Password - Form            name/password/uri
Secure Name/Password - Basic    secure/basic/name/password/uri
Secure Name/Password - Form     secure/name/password/uri

To configure other contracts, click Devices > Identity Servers > Edit > Local > Contracts.

To specify an Authentication Contract condition, specify the following details:

Authentication Contract: To compare the contract that the user used with a static value, select Current. To compare a static value with what the user used, select a contract from the list.

If you have created more than one Identity Server configuration, select the configuration that corresponds to the configuration your Access Gateway is configured to trust, then select the contract. The name of the contract is displayed. When you select this name, the configurations that contain a definition for this contract are highlighted.

If you select a contract that is defined on only one of your configurations, be aware that you must change this policy when you change configurations. If you select a contract that is defined in all your configurations, this policy requires no modifications and continues to function when you change configurations.

For example, the following policy has selected Name/Password - Basic as the contract:

Two Identity Server configurations have been defined (idp-43.amlab.net and idp-51.amlab.net). Both configurations are highlighted because Name/Password - Basic is a contract that is automatically defined for all Identity Server configurations. Because it is defined on both configurations, this policy’s function is the same, regardless of which configuration is selected as the trusted configuration.

Comparison: Specify how the contract is compared to the data in the Value field. Select either a string comparison or a regular expression:

  • Comparison: String: Specifies that you want the values compared as strings and how you want the string values compared. Select one of the following:

    • Equals: Indicates that the values must match, letter for letter.

    • Starts with: Indicates that the Authentication Contract value must begin with the letters specified in the Value field.

    • Ends with: Indicates that the Authentication Contract value must end with the letters specified in the Value field.

    • Contains Substring: Indicates that the Authentication Contract value must contain the letters, in the same sequence, as specified in the Value field.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the value you want to compare with the Authentication Contract value. If you select a static value for the Authentication Contract value, select Authentication Contract and Current. If you select Current for the Authentication Contract value, select Authentication Contract, then select the name of a contract.

Other value types are possible if you selected Current for the Authentication Contract value. For example:

  • You can select Data Entry Field. The value specified in the text box must be the URI of the contract for the conditions to match. For a list of these values, click Access Manager > Identity Servers > Edit > Local > Contracts.

  • If you have defined a Liberty User Profile attribute for the URI of authentication contracts, you can select Liberty User Profile and your defined attribute.

  • If you have defined an LDAP attribute for the URI of the authentication contracts, you can select LDAP Attribute and your defined attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.
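
The following sketch is an added example, not Access Manager code: it models the Comparison, Mode, and Result on Condition Error settings and runs them against the four default contract URIs listed above. The class, enum, and method names are hypothetical, and it assumes that "Matches" means a whole-string java.util.regex.Pattern match and that Case Insensitive corresponds to Pattern.CASE_INSENSITIVE.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration: a model of the condition's comparisons, not product code.
public class ContractConditionDemo {
    // Default contract URIs listed on this page.
    static final List<String> DEFAULTS = List.of(
        "basic/name/password/uri", "name/password/uri",
        "secure/basic/name/password/uri", "secure/name/password/uri");

    enum Cmp { EQUALS, STARTS_WITH, ENDS_WITH, CONTAINS, REGEX }

    // Returns onError when the comparison itself fails (here: an invalid regex),
    // mirroring the "Result on Condition Error" setting.
    static boolean eval(Cmp cmp, String contract, String value, int flags, boolean onError) {
        try {
            boolean ci = (flags & Pattern.CASE_INSENSITIVE) != 0;
            String c = ci ? contract.toLowerCase(Locale.ROOT) : contract;
            String v = ci ? value.toLowerCase(Locale.ROOT) : value;
            switch (cmp) {
                case EQUALS:      return c.equals(v);
                case STARTS_WITH: return c.startsWith(v);
                case ENDS_WITH:   return c.endsWith(v);
                case CONTAINS:    return c.contains(v);
                default:          // assumption: "Matches" is a whole-string match
                    return Pattern.compile(value, flags).matcher(contract).matches();
            }
        } catch (PatternSyntaxException e) {
            return onError;
        }
    }

    // Lists which default contracts satisfy the condition.
    static List<String> matching(Cmp cmp, String value, int flags, boolean onError) {
        List<String> hits = new ArrayList<>();
        for (String uri : DEFAULTS)
            if (eval(cmp, uri, value, flags, onError)) hits.add(uri);
        return hits;
    }

    public static void main(String[] args) {
        System.out.println("Equals:      " + matching(Cmp.EQUALS, "secure/name/password/uri", 0, false));
        System.out.println("Ends with:   " + matching(Cmp.ENDS_WITH, "name/password/uri", 0, false));
        System.out.println("Starts with: " + matching(Cmp.STARTS_WITH, "secure/", 0, false));
        System.out.println("Regex:       " + matching(Cmp.REGEX, "SECURE/.*", Pattern.CASE_INSENSITIVE, false));
        // Broken pattern: the comparison errors, so the configured error result decides.
        System.out.println("Error=False: " + matching(Cmp.REGEX, "secure/(", 0, false));
        System.out.println("Error=True:  " + matching(Cmp.REGEX, "secure/(", 0, true));
    }
}
```

Because every default URI ends in name/password/uri, an Ends with or Contains Substring comparison on that value matches all four contracts, including the two non-secure ones, while Equals matches exactly one. With the unparsable pattern, selecting True for Result on Condition Error makes the condition hold for every contract, so the action is applied regardless of how the user authenticated.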