Configuring Password Retrieval - Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual

Identity server guide

Identify the OpenID user locally: After the user authenticates at the OpenID provider, Access
Manager can associate a username from the user store with the OpenID user. With this
association, Access Manager can use the policies defined for the username to enforce access to
protected resources.
When this option is not selected, the OpenID user is not mapped to a local user. The
username of the authenticated user remains as the OpenID URL. For example, if the user
enters http://user123.myopenid.com for the URL, http://user123.myopenid.com
becomes the username.
When this option is selected, an attempt is made to map the OpenID user with a username
in the user store. You can do this manually by storing the user's OpenID in the attribute
specified in the LDAP Attribute Name option. You can also have the Identity Server add
the OpenID value to the attribute by selecting the Auto Provision LDAP Attribute option.
LDAP Attribute Name: Specify the name of the attribute that contains the identification
information for the users. For OpenID authentication, this attribute should contain the OpenID
for the user.
Auto Provision LDAP Attribute: Select this option when you want the user to provide
additional information for identification for the first authentication, such as a username and
password. The Identity Server uses this information to identify the user, then writes the user's
OpenID value to the attribute specified in the LDAP Attribute Name option. On subsequent
logins, the Identity Server can identify the user by using the specified attribute and the user is
not prompted for additional information.
4 Click Finish.
5 Create a method for this class.
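For instructions, see Section 3.3, "Configuring Authentication Methods."
6 Create a contract for the method:
For instructions, see Section 3.4, "Configuring Authentication Contracts."
If you want the user's credentials available for Identity Injection policies, add the password
fetch method as a second method to the contract. For more information about this class and
method, see Section 4.5, "Configuring Password Retrieval."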
7 Update the Identity Server.
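
The three mapping options described above, modelled in Python as an added example (not Novell code and not part of the original guide). The class name OpenIDMapper, the attribute name openidURL, the sample user, and the result when no mapping is found are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    password: str                      # constructed sample; real stores keep no plaintext
    attrs: dict = field(default_factory=dict)

@dataclass
class OpenIDMapper:                    # hypothetical model, not a Novell class
    users: dict                        # username -> User, stands in for the LDAP user store
    identify_locally: bool = True      # "Identify the OpenID user locally"
    ldap_attribute: str = "openidURL"  # "LDAP Attribute Name" (attribute name is made up)
    auto_provision: bool = False       # "Auto Provision LDAP Attribute"

    def _lookup(self, openid):
        hits = [u for u in self.users.values()
                if u.attrs.get(self.ldap_attribute) == openid]
        # Assumption: an OpenID stored on several accounts identifies nobody.
        return hits[0] if len(hits) == 1 else None

    def login(self, openid, prompt=None):
        """openid was already authenticated at the provider; prompt() -> (username, password)."""
        if not self.identify_locally:
            return openid              # the OpenID URL remains the username
        user = self._lookup(openid)
        if user:
            return user.name           # mapped by attribute, no extra prompt
        if self.auto_provision and prompt:
            name, password = prompt()  # first authentication only
            user = self.users.get(name)
            if user and hmac.compare_digest(user.password.encode(), password.encode()):
                user.attrs[self.ldap_attribute] = openid   # write the binding
                return user.name
        return None                    # assumption: no mapping means no local identity

def demo():
    url = "http://user123.myopenid.com"
    store = {"jsmith": User("jsmith", "constructed-pw")}   # constructed sample user
    prompts = []
    def prompt():
        prompts.append(url)
        return "jsmith", "constructed-pw"
    unmapped = OpenIDMapper(store, identify_locally=False).login(url)
    mapper = OpenIDMapper(store, auto_provision=True)
    first, second = mapper.login(url, prompt), mapper.login(url, prompt)
    return unmapped, first, second, len(prompts), store["jsmith"].attrs

if __name__ == "__main__":
    print(demo())
```

Once a binding is written, the attribute value alone selects the local account on later logins, so write access to that attribute in the user store should be restricted as tightly as write access to a password.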

4.5 Configuring Password Retrieval

If you have configured contracts that do not use a username and password for the credentials and
you want to configure single sign-on to protected resources that require a user's name and password,
you need to configure the PasswordFetchClass to retrieve the user's name and password. You need
to create the class, then create a method from the class. The method needs to be assigned as the
second method for the authentication contract that does not prompt the user for a username and
password. When the Identity Server executes the contract, the PasswordFetchClass retrieves the
username and password and stores them with the LDAP credentials, which makes them available for
Identity Injection policies.
IMPORTANT: The PasswordFetchClass only works with eDirectory user stores.
1 In the Administration Console, click Devices > Identity Servers > Edit > Local > Classes.
2 Click New, then fill in the following fields:
