Authentication Contract Condition

The Authentication Contract condition allows you to assign a role based on the contract the user used for authentication. Identity Server has the following default contracts:

Name                            URI
Name/Password - Basic           basic/name/password/uri
Name/Password - Form            name/password/uri
Secure Name/Password - Basic    secure/basic/name/password/uri
Secure Name/Password - Form     secure/name/password/uri

To configure other contracts, click Devices > Identity Servers > Edit > Local > Contracts.

The most common way to use this condition is to select Current for Authentication Contract and then, for Value, to select Authentication Contract and the name of a contract.

To specify an Authentication Contract condition, specify the following details:

Authentication Contract: To compare the contract that the user used with a static value, select Current. To compare a static value with what the user used, select a contract from the list.

If you have created more than one Identity Server configuration, select the configuration, then select the contract. The name of the contract is displayed. When you select this name, the configurations that contain a definition for this contract are highlighted.

For example, the following policy has selected Name/Password - Basic as the contract.

Two Identity Server configurations have been defined (idp-43.amlab.net and idp-51.amlab.net). Both configurations are highlighted because Name/Password - Basic is a contract that is automatically defined for all Identity Server configurations.

If the contract you are selecting for a condition is a contract with ORed credentials, you need to use multiple conditions to set up a rule. See Creating a Rule for a Contract with ORed Credentials.

Comparison: Specify how the contract is compared to the data in the Value field. Select either a string comparison or a regular expression:

  • Comparison: String: Specifies that you want the values compared as strings and how you want the string values compared. Select one of the following:

    • Equals: Indicates that the values must match, letter for letter.

    • Starts with: Indicates that the Authentication Contract value must begin with the letters specified in the Value field.

    • Ends with: Indicates that the Authentication Contract value must end with the letters specified in the Value field.

    • Contains Substring: Indicates that the Authentication Contract value must contain the letters, in the same sequence, as specified in the Value field.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: String: Specify whether case is important by selecting Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the value you want to compare with the Authentication Contract value. If you select a static value for the Authentication Contract value, select Authentication Contract and Current. If you select Current for the Authentication Contract value, select Authentication Contract, then select the name of a contract.

Other value types are possible if you selected Current for the Authentication Contract value. For example:

  • You can select Data Entry Field. The value specified in the text box must be the URI of the contract for the conditions to match. For a list of these values, click Devices > Identity Servers > Edit > Local > Contracts.

  • If you have defined a Liberty User Profile attribute for the URI of the authentication contract, you can select Liberty User Profile, then select the attribute.

  • If you have defined an LDAP attribute for the URI of the authentication contract, you can select LDAP Attribute, then select the attribute.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.
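
The following added example (not code from the product) models the Comparison and Result on Condition Error settings against the four default contract URIs listed above, showing which comparison types separate the Form contract from the others. The class, enum, and method names are hypothetical, and it assumes that Matches requires the whole value to match and that an invalid regular expression is one kind of condition error.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

public class ContractConditionDemo {
    enum Cmp { EQUALS, STARTS_WITH, ENDS_WITH, CONTAINS, REGEX_MATCHES }

    // Hypothetical model of one condition; not the product's own evaluator.
    static boolean evaluate(String contractUri, Cmp cmp, String value,
                            boolean caseInsensitive, boolean resultOnError) {
        try {
            if (cmp == Cmp.REGEX_MATCHES) {
                int flags = caseInsensitive ? Pattern.CASE_INSENSITIVE : 0;
                // Assumption: "Matches" means the entire URI must match the pattern.
                return Pattern.compile(value, flags).matcher(contractUri).matches();
            }
            String a = caseInsensitive ? contractUri.toLowerCase(Locale.ROOT) : contractUri;
            String b = caseInsensitive ? value.toLowerCase(Locale.ROOT) : value;
            switch (cmp) {
                case EQUALS:      return a.equals(b);
                case STARTS_WITH: return a.startsWith(b);
                case ENDS_WITH:   return a.endsWith(b);
                default:          return a.contains(b); // CONTAINS
            }
        } catch (PatternSyntaxException e) {
            // Assumption: an invalid pattern is a condition error, so the
            // configured Result on Condition Error decides the outcome.
            return resultOnError;
        }
    }

    public static void main(String[] args) {
        List<String> defaults = List.of(           // default contract URIs from the table
            "basic/name/password/uri", "name/password/uri",
            "secure/basic/name/password/uri", "secure/name/password/uri");
        String form = "name/password/uri";         // intent: Name/Password - Form only
        for (String uri : defaults) {
            System.out.printf("%-32s equals=%-5b endsWith=%-5b contains=%-5b secure=%b%n", uri,
                evaluate(uri, Cmp.EQUALS, form, false, false),
                evaluate(uri, Cmp.ENDS_WITH, form, false, false),
                evaluate(uri, Cmp.CONTAINS, form, false, false),
                evaluate(uri, Cmp.REGEX_MATCHES, "secure/.*", false, false));
        }
        // Constructed malformed pattern: the result follows Result on Condition Error.
        System.out.println("error=False -> " + evaluate(form, Cmp.REGEX_MATCHES, "secure/(", false, false));
        System.out.println("error=True  -> " + evaluate(form, Cmp.REGEX_MATCHES, "secure/(", false, true));
    }
}
```

Only Equals isolates the Form contract: Ends with and Contains Substring on name/password/uri are true for all four default URIs, so a role keyed to that value would also be assigned to users of the Basic and Secure contracts. With Result on Condition Error set to True, the malformed pattern still satisfies the condition.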