Novell ACCESS MANAGER 3.1 SP2 - POLICY GUIDE 2010 Manual page 147


The default contracts assign the cn attribute to the Credential Profile. If your user
store is an Active Directory server, the SAMAccountName attribute is used for the
username and stored in the cn field of the LDAP Credential Profile.
X509 Credentials: If you prompt the user for a certificate, select this option, then
select one of the following options, depending on your Web server requirements.
— X509 Public Certificate Subject: Specifies that the subject field from the
certificate should be the value, which can match the DN of the user, depending
upon who issued the certificate.
— X509 Public Certificate Issuer: Specifies that the issuer field from the
certificate should be the value, which is the name of the certificate authority
(CA) that issued the certificate.
— X509 Public Certificate: Specifies that the entire certificate should be the
value.
— X509 Serial Number: Specifies that the certificate serial number should be the
value.
SAML Credential: Injects the SAML assertion as the value of the field when
SAML is used for authentication. This value is usually used for the user's password.
LDAP Attribute: Indicates that the value should be retrieved from the specified LDAP
attribute. If the attribute you require does not appear in the list, click New LDAP Attribute
to add the attribute.
The Refresh Data Every option allows you to determine when to send a query to the
LDAP server to verify the current value of the attribute. Because querying the LDAP
server slows down the processing of a policy, LDAP attribute values are normally cached
for the user session.
Change the value of this option from session to a more frequent interval only on those
attributes that are critical to the security of your system or to the design of your work flow.
You can select to cache the value for the session, for the request, or for a time interval
varying from 5 seconds to 60 minutes.
Liberty User Profile: Indicates that the input field contains a Liberty User Profile
attribute. In the value field, select the attribute. The attribute you select must be mapped to
an LDAP attribute, and the Access Gateway retrieves its value from the LDAP directory.
Shared Secret: Indicates that the input field contains a user-entered value that is to be
stored in the specified shared secret store.
You can create your own value. Click New Shared Secret, specify a display name for the
store, and the Access Manager creates the store. Select the store, click New Shared Secret
Entry, specify a name for the attribute, then click OK. The store can contain one
name/value pair or a collection of name/value pairs. For more information, see
Section 5.4, "Creating and Managing Shared Secrets," on page 152.
The Refresh Data Every option allows you to determine when to send a query to verify the
current value of the secret. Because querying slows down the processing of a policy, secret
values are normally cached for the user session.
Change the value of this option from session to a more frequent interval only on those
secrets that are critical to the security of your system or to the design of your work flow.
You can select to cache the value for the session, for the request, or for a time interval
varying from 5 seconds to 60 minutes.
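The trade-off behind Refresh Data Every, for both LDAP attributes and shared secrets, can be modeled as follows. This is an added example, not Access Manager code: the class, the function, the role attribute and the request timing are hypothetical, and each get() call stands for one request.

```python
import time

SESSION, REQUEST = "session", "request"  # any other setting is an interval in seconds

class AttributeCache:
    """Hypothetical model of one user session's cached attribute values."""
    def __init__(self, directory, refresh, clock=time.monotonic):
        if refresh not in (SESSION, REQUEST) and not 5 <= refresh <= 3600:
            raise ValueError("interval must be between 5 seconds and 60 minutes")
        self.directory, self.refresh, self.clock = directory, refresh, clock
        self.entries = {}  # attribute name -> (value, time fetched)
        self.queries = 0   # directory lookups performed so far

    def _fresh(self, fetched_at):
        if self.refresh == SESSION:
            return True    # never re-queried while the session lasts
        if self.refresh == REQUEST:
            return False   # re-queried on every request
        return self.clock() - fetched_at < self.refresh

    def get(self, name):
        cached = self.entries.get(name)
        if cached is not None and self._fresh(cached[1]):
            return cached[0]
        self.queries += 1
        value = self.directory[name]
        self.entries[name] = (value, self.clock())
        return value

def simulate(refresh, change_at=90, requests=range(0, 601, 30)):
    """Return (requests answered with the outdated value, directory queries)."""
    now = [0]
    directory = {"role": "admin"}  # constructed sample data
    cache = AttributeCache(directory, refresh, clock=lambda: now[0])
    stale = 0
    for t in requests:             # one request every 30 seconds for 10 minutes
        now[0] = t
        if t >= change_at:
            directory["role"] = "user"  # value changed in the directory
        if cache.get("role") == "admin" and t >= change_at:
            stale += 1
    return stale, cache.queries

if __name__ == "__main__":
    for setting in (SESSION, 300, 60, REQUEST):
        print(setting, simulate(setting))
```

With session caching the outdated value is served until the session ends at the cost of a single query; shorter intervals shrink that window and raise the query count.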
Creating Form Fill Policies 147
