Interstage Single Sign-on provides several functions to prevent unauthorized access. These include a function for requesting re-authentication after a specified time elapses, the function setting a user
Authentication
When an authenticated user connects to the business system from a client computer with a different IP address, the user is requested to authenticate again regardless of the re-authentication interval setting.
Figure 1-23 Interstage Single Sign-on Authentication
Re-authentication intervals can be set using the following methods.
• To set a re-authentication interval for each user, set the time of re-authentication interval for "ssoCredentialTTL" in the user information stored in the SSO repository.
• To set a standard re-authentication interval, from the Interstage Management Console, select [System] > [Security] > [Single Sign-on] > [Authentication infrastructure] > [Authentication server] > [Settings] > [Detailed Settings [Show]]. Then, set the time of standard re-authentication interval for [Re-authentication Interval] under [Operation after Authentication].
If both of the above have been set, the re-authentication interval set for the user takes priority over the standard interval, as shown in the table below.
Table 1-4 The priority for the re-authentication settings
Priority   Setting
High       Re-authentication interval set for each user ("ssoCredentialTTL" in the SSO repository)
Low        Standard re-authentication interval (set on the Interstage Management Console)
For details of the user information stored in the SSO repository, refer to "User Information Entry". For details of the configurations on the Interstage Management Console, refer to the Operator's Guide.
Figure 1-24 Using Re-authentication Intervals
Remarks
• When "certificate authentication" is used as the authentication method for the user, or when the user has been authenticated by certificate authentication with "password authentication or certificate authentication" used as the authentication method, the client (Web browser) automatically presents the certificate to the Web server at re-authentication. Therefore, the window requesting re-authentication is not shown to the user. Note that when the authentication server is set up on multiple machines with the repository server on a single machine, or when the authentication server and the repository server are each set up on multiple machines, the window requesting re-authentication may be displayed even when the authentication method is "certificate authentication" or "password authentication or certificate authentication."
• When the remaining time for the validity period registered as user information in the SSO repository
User Validity Period
Validity periods can be set for users in Interstage Single Sign-on.
For example, if the information on new employees is stored in the SSO repository in advance, the validity period can be set so that authentication becomes valid on the first day of employment and expires on the projected last day of employment.
In this way, authentication can be invalidated temporarily, and user validity periods can be controlled without deleting user information from the SSO repository.
Set the user validity period by specifying values for "ssoNotBefore" and "ssoNotAfter" in the user information in the SSO repository.
For details about the user information in the SSO repository, refer to "User Information Entry".
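The following is an added example (not code from the Interstage product or its manual) that models the access decision described in the two sections above: the per-user "ssoCredentialTTL" taking priority over the standard re-authentication interval (Table 1-4), the forced re-authentication when the client IP address changes, and the "ssoNotBefore"/"ssoNotAfter" validity window. The user entries, the interval values, the assumption that the interval is expressed in seconds and that the validity bounds are ISO 8601 timestamps are all constructed for illustration; the real attribute syntax is defined in "User Information Entry".

```python
from datetime import datetime, timedelta, timezone

# Constructed user entries shaped like the SSO repository attributes named in the text.
# Assumptions (not from the manual): ssoCredentialTTL is modelled in seconds and the
# validity bounds as ISO 8601 timestamps; see "User Information Entry" for the real syntax.
USERS = {
    # Per-user interval set: it overrides the standard interval (Table 1-4, "High").
    "alice": {
        "ssoCredentialTTL": 900,
        "ssoNotBefore": "2024-04-01T00:00:00+00:00",
        "ssoNotAfter": "2025-03-31T23:59:59+00:00",
    },
    # No per-user interval: the standard interval applies (Table 1-4, "Low").
    "bob": {
        "ssoNotBefore": "2024-04-01T00:00:00+00:00",
        "ssoNotAfter": "2024-09-30T23:59:59+00:00",
    },
}

# Assumed standard re-authentication interval in seconds, i.e. the value that would be
# entered under [Operation after Authentication] > [Re-authentication Interval].
STANDARD_REAUTH_INTERVAL = 3600


def effective_reauth_interval(user, standard=STANDARD_REAUTH_INTERVAL):
    """Table 1-4: a per-user ssoCredentialTTL wins over the standard interval."""
    return user.get("ssoCredentialTTL", standard)


def is_within_validity(user, now):
    """ssoNotBefore <= now <= ssoNotAfter; a missing bound is treated as open (assumption)."""
    not_before = user.get("ssoNotBefore")
    not_after = user.get("ssoNotAfter")
    if not_before and now < datetime.fromisoformat(not_before):
        return False
    if not_after and now > datetime.fromisoformat(not_after):
        return False
    return True


def needs_reauth(session, user, now, client_ip, standard=STANDARD_REAUTH_INTERVAL):
    """Re-authentication is required when the client IP address changed (regardless of
    the interval) or when the interval since the last authentication has elapsed."""
    if client_ip != session["client_ip"]:
        return True
    elapsed = (now - session["authenticated_at"]).total_seconds()
    return elapsed >= effective_reauth_interval(user, standard)


def check_access(user_id, session, now, client_ip, standard=STANDARD_REAUTH_INTERVAL):
    """Return 'invalid' (outside the validity period), 'reauth' or 'allow'."""
    user = USERS[user_id]
    if not is_within_validity(user, now):
        return "invalid"
    if needs_reauth(session, user, now, client_ip, standard):
        return "reauth"
    return "allow"


def demo_results():
    """Constructed scenario: one session authenticated at 09:00 UTC from 192.0.2.10."""
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    session = {"authenticated_at": t0, "client_ip": "192.0.2.10"}
    return [
        check_access("alice", session, t0 + timedelta(minutes=20), "192.0.2.10"),  # 15 min TTL elapsed
        check_access("bob", session, t0 + timedelta(minutes=20), "192.0.2.10"),    # 60 min standard not yet elapsed
        check_access("bob", session, t0 + timedelta(minutes=1), "198.51.100.7"),   # IP address changed
        check_access("bob", session, datetime(2024, 10, 1, tzinfo=timezone.utc), "192.0.2.10"),  # past ssoNotAfter
    ]


if __name__ == "__main__":
    for outcome in demo_results():
        print(outcome)
```

The validity check runs before the interval check, so a user whose period has ended is refused even if the session would otherwise still be fresh, which is the behaviour the validity period section describes (authentication invalidated without deleting the entry).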
Lockout
In order to protect users against unauthorized access, the lockout function restricts authentication and disables access to the resources managed by Interstage Single Sign-on.
If a user enters an invalid user ID/password combination a specified number of consecutive times, the user is locked and use of the Single Sign-on system is restricted so that the user cannot attempt any further passwords.
A locked user fails authentication until the user ID is unlocked.
Unlocking is performed by the SSO administrator using the Interstage Management Console. A locked user can also be unlocked automatically after a specified time. Automatic unlocking is performed at the user's first authentication operation after the specified time has elapsed. The count of successive authentication failures is reset when the user succeeds in password authentication.
Remark
If a user fails certificate authentication, the user is prompted to enter a user ID and password. If the authentication method specified for that user is "certificate authentication" or "password authentication and certificate authentication," the user will fail authentication even if a valid user ID and password are entered. In this case, select [Cancel] on the User ID/Password Request window.
When the user enters a user ID and password in the User ID/Password Request window, the user is treated as a lockout target and the count of successive authentication failures is increased by one, even if the entered user ID and password are valid.
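The following is an added example (not code from the Interstage product or its manual) that models the lockout behaviour described in this section as a small state machine: a per-user counter of consecutive password failures, locking once the configured threshold is reached, automatic unlock that takes effect only at the first authentication attempt after the configured time has elapsed, reset of the counter on a successful password authentication, and the case from the Remark where a user whose method requires a certificate submits a valid password at the prompt and is still counted as a failure. The threshold, the unlock time and the user names are constructed values; the real settings are made on the Interstage Management Console.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    max_failures: int                          # consecutive failures before the user is locked
    auto_unlock_after: Optional[float] = None  # seconds until automatic unlock; None = administrator only


@dataclass
class UserState:
    failures: int = 0
    locked_at: Optional[float] = None          # time of the lock, or None when not locked


class LockoutTracker:
    """Per-user failure counter and lock, as described in the Lockout section (constructed model)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.users: Dict[str, UserState] = {}

    def _state(self, user_id):
        return self.users.setdefault(user_id, UserState())

    def is_locked(self, user_id):
        return self._state(user_id).locked_at is not None

    def admin_unlock(self, user_id):
        """Unlock performed by the SSO administrator (Interstage Management Console)."""
        self.users[user_id] = UserState()

    def attempt(self, user_id, password_ok, now, cert_required=False):
        """Process one user ID/password submission at time `now` (seconds).

        password_ok   -- whether the submitted user ID/password pair is valid
        cert_required -- the user's method is "certificate authentication" or
                         "password authentication and certificate authentication",
                         so a password entered at the prompt can never succeed but
                         still counts as a failure (see the Remark above).
        Returns 'success', 'failure' or 'locked'.
        """
        s = self._state(user_id)
        if s.locked_at is not None:
            p = self.policy
            # Automatic unlock happens lazily, at the first attempt after the time elapses.
            if p.auto_unlock_after is not None and now - s.locked_at >= p.auto_unlock_after:
                s.failures = 0
                s.locked_at = None
            else:
                return "locked"   # still locked: even a valid password (or certificate) fails
        if password_ok and not cert_required:
            s.failures = 0        # a successful password authentication resets the counter
            return "success"
        s.failures += 1
        if s.failures >= self.policy.max_failures:
            s.locked_at = now
            return "locked"
        return "failure"


def demo_results():
    """Constructed scenario: 3 consecutive failures lock the user, automatic unlock after 600 s."""
    t = LockoutTracker(LockoutPolicy(max_failures=3, auto_unlock_after=600))
    out = []
    out.append(t.attempt("alice", False, now=0))    # failure (count 1)
    out.append(t.attempt("alice", True, now=10))    # success: count reset to 0
    out.append(t.attempt("alice", False, now=20))   # failure (count 1)
    out.append(t.attempt("alice", False, now=30))   # failure (count 2)
    out.append(t.attempt("alice", False, now=40))   # locked (count 3)
    out.append(t.attempt("alice", True, now=300))   # locked: valid password rejected, 260 s < 600 s
    out.append(t.attempt("alice", True, now=700))   # success: auto-unlocked at the first attempt after 600 s
    # Certificate-method user who failed certificate authentication and typed a valid password anyway:
    out.append(t.attempt("carol", True, now=0, cert_required=True))  # failure, counter incremented
    return out


if __name__ == "__main__":
    for outcome in demo_results():
        print(outcome)
```

Two details of the model matter for anyone testing a deployment's policy: the lock is not lifted by a timer but by the next authentication attempt after the unlock time, and a policy with no automatic unlock time leaves the user locked until admin_unlock is called, however much time passes.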
Figure 1-25 Lockout in Single Sign-on Authentication
If a user has failed password authentication the specified number of consecutive times and has been locked by the lockout function, a message is sent to the user's client computer.
The message shown in Figure 1-26 notifies the user when authentication has failed. The display of this message is configured in the environment setup on the authentication server. To activate this setting, on the Interstage Management Console select [System] > [Security] > [Single Sign-on] > [Authentication infrastructure] > [Authentication server] > [Authentication server: Settings]. Then select [Yes] for [Notify Cause of Authentication Failure to user?].
If [No] is selected, the message "User name or password is invalid." is displayed on the browser. For further details, refer to "Messages that can be Customized".
When a locked user performs authentication, the following window is displayed on the Web browser.
Figure 1-27 Screen Displayed when User has been Locked
Note
Locked users cannot use Interstage Single Sign-on (even for certificate authentication) until they are unlocked.