Credential Profile Condition

The Credential Profile condition allows you to control access based on the credentials the user entered when authenticating to the system.

To set up the matching for this condition, specify the following details:

Credential Profile: Specify the type of credential your users are using for authentication. If you have created a custom contract that uses credentials other than the ones listed below, do not use the Credential Profile as a condition.

To configure the Credential Profile condition, select one of the following:

  • LDAP Credentials: If you prompt the user for a username, select this option, then select LDAP User Name (the cn of the user), LDAP User DN (the fully distinguished name of the user), or LDAP Password.

    The default contracts assign the cn attribute to the Credential Profile. If your user store is an Active Directory server, the SAMAccountName attribute is used for the username and stored in the cn field of the LDAP Credential Profile.

  • X509 Credentials: If you prompt the user for a certificate, select this option, then select one of the following:

    • X509 Public Certificate Subject: Retrieves the subject field from the certificate, which can match the DN of the user, depending upon who issued the certificate.

    • X509 Public Certificate Issuer: Retrieves the issuer field from the certificate, which is the name of the certificate authority (CA) that issued the certificate.

    • X509 Public Certificate: Retrieves the entire certificate, Base64 encoded.

    • X509 Serial Number: Retrieves the serial number of the certificate.

  • SAML Credential: If your users authenticate using a SAML assertion, select this option.

Comparison: Select one of the following types:

  • Comparison: String: Specifies that you want the values compared as strings and how you want the string values compared. Select one of the following:

    • Equals: Indicates that the values must match, letter for letter.

    • Starts with: Indicates that the Credential Profile value must begin with the letters specified in Value.

    • Ends with: Indicates that the Credential Profile value must end with the letters specified in Value.

    • Contains Substring: Indicates that the Credential Profile value must contain the letters, in the same sequence, as specified in Value.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: String: Select Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the second value for the comparison. Select one of the following data types:

  • LDAP Attribute: If you have an LDAP attribute that corresponds to the Credential Profile you have specified, select this option and the attribute.

  • Liberty User Profile: If you have a Liberty User Profile attribute that corresponds to the Credential Profile you have specified, select this option and the attribute.

  • Data Entry Field: Specify the string you want matched. Be aware of the following requirements:

    • If you selected LDAP User DN as the credential, you need to specify the DN of the user in the Value text box. If the comparison type is set to Contains Substring, you can match a group of users by specifying a common object that is part of their DNs, for example ou=sales.

    • If you selected X509 Public Certificate Subject as the credential, you need to specify all elements of the Subject Name of the certificate in the Value text box. Separate the elements with a comma and a space, for example, o=novell, ou=sales. If the comparison type is set to Contains Substring, you can match a group of certificates by specifying a name that is part of their Subject Name, for example ou=sales.

Other values are possible. Your policy requirements determine whether they are useful.
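The ou=sales guidance above, as an added Java example (not Access Manager code): it evaluates a Contains Substring value and an anchored regular expression against constructed LDAP User DNs with java.util.regex.Pattern, so you can compare how widely each condition matches. Assumptions: the class and method names are hypothetical, the DNs and the regular expression are constructed samples, and Regular Expression: Matches is modelled as a whole-value match (Matcher.matches()).

```java
import java.util.regex.Pattern;

// Added illustration, not Access Manager code. All DNs are constructed samples.
public class CredentialProfileMatchDemo {

    // Models "Contains Substring" with Mode = Case Insensitive.
    static boolean containsSubstring(String credential, String value) {
        return Pattern.compile(Pattern.quote(value), Pattern.CASE_INSENSITIVE)
                      .matcher(credential)
                      .find();
    }

    // Models "Regular Expression: Matches" with Mode = Case Insensitive.
    // Assumption: the entire credential value must match, as with Matcher.matches().
    static boolean regexMatches(String credential, String regex) {
        return Pattern.compile(regex, Pattern.CASE_INSENSITIVE)
                      .matcher(credential)
                      .matches();
    }

    public static void main(String[] args) {
        String substringValue = "ou=sales";
        // Exactly one cn directly under ou=sales,o=novell; optional space after commas.
        String regexValue = "cn=[^,]+,\\s*ou=sales,\\s*o=novell";

        String[] constructedDns = {
            "cn=jsmith,ou=sales,o=novell",            // intended: user in ou=sales
            "cn=akhan,OU=Sales,O=Novell",             // intended: same container, other case
            "cn=mlee,ou=salesforce-admins,o=novell",  // other container sharing the prefix
            "cn=rdiaz,ou=temps,ou=sales,o=novell",    // nested container under ou=sales
            "cn=tchen,ou=sales,o=partner"             // ou=sales in a different organization
        };

        System.out.printf("%-42s %-10s %s%n", "LDAP User DN", "substring", "regex");
        for (String dn : constructedDns) {
            System.out.printf("%-42s %-10b %b%n",
                    dn, containsSubstring(dn, substringValue), regexMatches(dn, regexValue));
        }
    }
}
```

Replace the sample DNs with values from your own user store to check a candidate Value before the policy is enabled.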

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.