hsts |
Whether to send HTTP Strict Transport Security (HSTS) headers, which tell client browsers to connect only over HTTPS and to treat any certificate error as fatal instead of offering a click-through warning. Enable this only once every endpoint is reachable over HTTPS with a certificate the clients trust, because browsers cache the policy for the header's max-age and refuse plain HTTP until it expires.
Default: false |
bruteForceDetection parameters |
|
enabled |
Whether to enable brute-force protection
Default: true |
permanentLockout |
Whether to lock the user out permanently, instead of temporarily, once the maxLoginFailures count of login failures is reached
Default: false |
maxLoginFailures |
Number of login failures allowed before a temporary lockout (or a permanent one, when permanentLockout is true)
Default: 5 |
waitIncrement |
Temporary lockout time, in seconds, imposed once maxLoginFailures failed login attempts have been reached
Default: 60 |
quickCheck |
If two consecutive login failures occur within this many milliseconds, the user is locked out for the period defined by the minQuickWait parameter
Default: 1000 |
minQuickWait |
Lockout duration, in seconds, imposed when the quickCheck condition is met
Default: 60 |
maxWait |
Upper bound, in minutes, on the duration of any temporary lockout
Default: 15 |
failureResetTime |
Number of hours after which the login-failure count is reset to zero
Default: 12 |
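To see how these parameters interact, here is a small model of the lockout logic as an added example; it is not the product's own code. The page does not say how successive lockouts grow, so the model assumes that every further block of maxLoginFailures failures adds another waitIncrement, capped at maxWait, and that a successful login clears the counters. Timestamps are plain seconds so the scenarios run offline.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class BruteForceConfig:
    """The bruteForceDetection parameters, with the documented defaults."""
    enabled: bool = True
    permanentLockout: bool = False
    maxLoginFailures: int = 5
    waitIncrement: int = 60        # seconds
    quickCheck: int = 1000         # milliseconds
    minQuickWait: int = 60         # seconds
    maxWait: int = 15              # minutes
    failureResetTime: int = 12     # hours


@dataclass
class UserState:
    failures: int = 0
    last_failure: Optional[float] = None   # unix time of the last failure
    locked_until: Optional[float] = None   # unix time; float('inf') = permanent


class BruteForceDetector:
    """Tracks failures per user and derives lockouts from the parameters.

    ASSUMPTION (not stated on the page): each further block of maxLoginFailures
    failures adds another waitIncrement to the lockout, capped at maxWait minutes.
    """

    def __init__(self, cfg: BruteForceConfig) -> None:
        self.cfg = cfg
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: float) -> float:
        """Register a failed login at time `now` (seconds) and return the
        lockout duration in seconds that this failure triggers (0.0 if none)."""
        cfg = self.cfg
        if not cfg.enabled:
            return 0.0
        st = self._state(user)
        if st.locked_until == float("inf"):
            return float("inf")                      # already permanently locked
        # failureResetTime: failures older than this no longer count
        if st.last_failure is not None and now - st.last_failure > cfg.failureResetTime * 3600:
            st.failures = 0
        lock = 0.0
        # quickCheck: two consecutive failures within quickCheck ms -> minQuickWait
        if st.last_failure is not None and (now - st.last_failure) * 1000 < cfg.quickCheck:
            lock = float(cfg.minQuickWait)
        st.failures += 1
        st.last_failure = now
        if st.failures >= cfg.maxLoginFailures:
            if cfg.permanentLockout:
                st.locked_until = float("inf")
                return float("inf")
            if st.failures % cfg.maxLoginFailures == 0:
                blocks = st.failures // cfg.maxLoginFailures
                lock = max(lock, float(min(cfg.waitIncrement * blocks, cfg.maxWait * 60)))
        if lock:
            st.locked_until = max(st.locked_until or 0.0, now + lock)
        return lock

    def record_success(self, user: str) -> None:
        """A successful login clears the counters unless the lockout is permanent."""
        st = self._state(user)
        if st.locked_until != float("inf"):
            self.users.pop(user, None)
```

With the defaults, five failures ten seconds apart produce a 60-second lockout, while two failures half a second apart trip quickCheck immediately; lowering maxWait to one minute shows the cap taking effect.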
ldap — LDAP parameters |
enabled |
Whether LDAP is to be used for authentication
Default: false |
servers |
List of LDAP servers; specify a server using the parameters below |
|
type |
LDAP server type; valid values are:
|
name |
LDAP server name; text string |
url |
LDAP server URL with IP address or hostname and port, for example:
ldap://203.0.113.172:389
Without TLS (see the security parameter), a plain ldap:// connection sends the bind credential and user passwords in cleartext.
Default: none |
priority |
LDAP server priority; 0 is the highest priority
Default: 0 |
usernameLdapAttribute |
LDAP attribute whose value becomes the OAuth2 username, for example cn, uid, or userPrincipalName |
rdnLdapAttribute |
LDAP attribute used as the RDN of a typical user DN; typically cn |
uuidLdapAttribute |
LDAP attribute that uniquely identifies an LDAP object, for example entryUUID on OpenLDAP or objectGUID on Active Directory |
userObjectClasses |
Comma-separated list of user objectClasses |
customUserLdapFilter |
Additional filter for user searches |
searchScope |
Scope of user search in userDn; valid values are:
|
security |
LDAP server security type; valid values are:
|
timeout |
Timeout period for receiving LDAP server response, in milliseconds
Default: 5000 |
userDn |
DN of LDAP tree in which to find users |
userFilter |
User filter criteria |
groupDn |
DN of LDAP tree in which to find groups |
groupNameLdapAttribute |
LDAP attribute whose value is used as the group name |
groupsLdapFilter |
Groups filter criteria |
groupObjectClasses |
Comma-separated list of objectClasses for groups |
groupMembershipLdapAttribute |
Group attribute that lists the group's members; used when searching groups for a user |
groupMembershipUserLdapAttribute |
User attribute whose value appears in the group membership attribute, for example the user DN |
groupMemberOfLdapAttribute |
User attribute that indicates group membership, usually memberOf |
bind |
LDAP bind credentials; for AUTHENTICATED server type only |
dn |
Bind user DN |
credential |
Bind user credential (password); because it is stored in the configuration, use a read-only account whose access is limited to the userDn and groupDn subtrees |
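The user and group lookups driven by these parameters reduce to two search filters, and the username typed into the login form ends up inside the first one, so it must be filter-escaped. The following added example (not the product's code) builds both filters from a constructed parameter set SAMPLE_LDAP and applies RFC 4515 escaping; it assumes that the product ANDs usernameLdapAttribute, userObjectClasses, userFilter and customUserLdapFilter, and that groupMembershipUserLdapAttribute set to dn means groups list their members by full DN.

```python
from typing import Dict, List

# Constructed sample of the ldap parameters above (not a real deployment).
SAMPLE_LDAP: Dict[str, str] = {
    "usernameLdapAttribute": "uid",
    "userObjectClasses": "inetOrgPerson, organizationalPerson",
    "userFilter": "",
    "customUserLdapFilter": "(accountStatus=active)",
    "groupMembershipLdapAttribute": "member",
    "groupMembershipUserLdapAttribute": "dn",
    "groupObjectClasses": "groupOfNames",
    "groupsLdapFilter": "cn=sam-*",
    "groupNameLdapAttribute": "cn",
    "groupMemberOfLdapAttribute": "memberOf",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP search filter (RFC 4515 section 3), so that
    input such as 'admin)(uid=*' cannot rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _as_filter(fragment: str) -> str:
    """Wrap a bare 'attr=value' fragment in parentheses; pass full filters through."""
    fragment = fragment.strip()
    if not fragment:
        return ""
    return fragment if fragment.startswith("(") else "(" + fragment + ")"


def _object_class_terms(csv: str) -> List[str]:
    """Comma-separated objectClass list -> one (objectClass=...) term each."""
    return ["(objectClass=%s)" % oc.strip() for oc in csv.split(",") if oc.strip()]


def user_search_filter(cfg: Dict[str, str], username: str) -> str:
    """Filter to run under userDn; the configured filters are ANDed (assumed)."""
    terms = ["(%s=%s)" % (cfg["usernameLdapAttribute"], escape_filter_value(username))]
    terms += _object_class_terms(cfg.get("userObjectClasses", ""))
    terms += [f for f in (_as_filter(cfg.get("userFilter", "")),
                          _as_filter(cfg.get("customUserLdapFilter", ""))) if f]
    return "(&" + "".join(terms) + ")"


def group_search_filter(cfg: Dict[str, str], user_entry: Dict[str, str]) -> str:
    """Filter to run under groupDn: groups whose membership attribute contains the
    user's groupMembershipUserLdapAttribute value (here the user's DN)."""
    member_value = user_entry[cfg["groupMembershipUserLdapAttribute"]]
    terms = ["(%s=%s)" % (cfg["groupMembershipLdapAttribute"], escape_filter_value(member_value))]
    terms += _object_class_terms(cfg.get("groupObjectClasses", ""))
    extra = _as_filter(cfg.get("groupsLdapFilter", ""))
    if extra:
        terms.append(extra)
    return "(&" + "".join(terms) + ")"


def groups_from_member_of(cfg: Dict[str, str], member_of: List[str]) -> List[str]:
    """Alternative lookup via groupMemberOfLdapAttribute: take the group name from the
    first RDN of each group DN when that RDN uses groupNameLdapAttribute.
    Simplified: does not handle escaped commas inside RDN values."""
    name_attr = cfg["groupNameLdapAttribute"].lower()
    names = []
    for dn in member_of:
        attr, _, value = dn.split(",", 1)[0].partition("=")
        if attr.strip().lower() == name_attr:
            names.append(value.strip())
    return names
```

Feeding the username `admin)(uid=*` through user_search_filter yields `(uid=admin\29\28uid=\2a)` inside the AND, so the injected clause stays a literal string instead of matching every user.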
radius — RADIUS parameters |
enabled |
Whether RADIUS is to be used for authentication
Default: none |
address |
Comma-separated list of colon-separated RADIUS-server IP addresses or hostnames and ports; for example:
203.0.113.150:1812,radius-server-a:1812
Default: none |
secret |
RADIUS server secret
You can specify a unique secret for each RADIUS server.
Default: none |
protocol |
Protocol to use: PAP or CHAP
Default: none |
retries |
Maximum number of attempts to reach a server
Default: 3 |
timeout |
Timeout, in milliseconds, for RADIUS-server connection attempts
Default: 5000 |
vendorId |
Vendor ID (IANA private enterprise number) of the vendor-specific attributes (VSAs) searched for the user group
Default: 123 |
roleVsaId |
Vendor sub-attribute type, within the vendorId VSA, whose value identifies the user group
Default: 3 |
nasId |
ID of the RADIUS Network Access Server (optional) |
nasIp |
IP address of the RADIUS Network Access Server (optional) |
nasIpv6 |
IPv6 address of the RADIUS Network Access Server (optional) |
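The vendorId and roleVsaId parameters select a Vendor-Specific attribute (type 26) inside the Access-Accept: a four-byte Vendor-Id followed by a vendor sub-attribute whose type is roleVsaId. The added example below (not the product's code) builds such a reply from constructed values, extracts the group, and verifies the Response Authenticator with the shared secret before trusting it. The packet layout and the MD5 computation follow RFC 2865; SAMPLE_SECRET, the request authenticator and the group name are made up for the example.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18
ATTR_VENDOR_SPECIFIC = 26

# Constructed test values (not from any real server).
SAMPLE_SECRET = b"sharedsecret"
SAMPLE_REQUEST_AUTH = bytes(range(16))   # authenticator of the Access-Request we sent


def build_attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, total length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): Vendor-Id, then vendor sub-attribute(s) in TLV form."""
    return build_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + build_attr(vendor_type, value))


def build_response(code: int, identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a TLV run into (type, value) pairs; rejects lengths that overrun the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def verify_response_authenticator(pkt: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the authenticator and compare in constant time."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def extract_group(pkt: bytes, vendor_id: int = 123, role_vsa_id: int = 3) -> Optional[str]:
    """Return the group carried in VSA vendorId/roleVsaId, or None if absent."""
    for attr_type, value in parse_attributes(pkt[20:]):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        for sub_type, sub_value in parse_attributes(value[4:]):   # one VSA may hold several sub-attributes
            if sub_type == role_vsa_id:
                return sub_value.decode("utf-8", "replace")
    return None


def authorize(pkt: bytes, request_auth: bytes, secret: bytes, vendor_id: int = 123, role_vsa_id: int = 3) -> str:
    """Trust the group only after the authenticator check; otherwise anyone able to
    spoof a UDP reply could hand themselves an administrator group."""
    if pkt[0] != ACCESS_ACCEPT or not verify_response_authenticator(pkt, request_auth, secret):
        raise PermissionError("RADIUS reply rejected")
    group = extract_group(pkt, vendor_id, role_vsa_id)
    if group is None:
        raise PermissionError("Access-Accept without group VSA")
    return group


def sample_access_accept(secret: bytes = SAMPLE_SECRET) -> bytes:
    """Constructed Access-Accept (identifier 7) carrying group 'admin' in VSA 123/3."""
    attrs = build_vsa(123, 3, b"admin") + build_attr(ATTR_REPLY_MESSAGE, b"Welcome")
    return build_response(ACCESS_ACCEPT, 7, SAMPLE_REQUEST_AUTH, secret, attrs)
```

A reply built with a different secret, or one whose attributes were altered in transit, fails verify_response_authenticator and is rejected by authorize even though extract_group alone would happily return the group.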
tacacs — TACACS+ parameters |
enabled |
Whether TACACS+ authentication is to be used
Default: none |
address |
Comma-separated list of TACACS+ servers, each given as an IP address or hostname and a port separated by a colon; TACACS+ listens on TCP port 49 by default, for example:
203.0.113.167:49,tacacs-server-a:49
Default: none |
secret |
Shared TACACS+ server secret
The secret must be common to all TACACS+ servers.
Default: none |
protocol |
Authentication protocol to use
Default: PAP |
timeout |
Timeout, in milliseconds, for TACACS+-server connection attempts
Default: 7000 |
defaultGroup |
Default group to assign when the remote server defines no group for the user
This group is also assigned to every TACACS+ user when the vsaEnabled parameter is set to false.
Default: none |
vsaEnabled |
Whether VSA search is enabled
If set to true, a user group attribute is expected in the user authentication response.
Default: true |
roleVsaId |
Name of the attribute, in the VSA search, whose value is the user's role (group)
Default: sam-security-group |
vsaServiceId |
VSA search service identifier
Default: sam-app |
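On the TACACS+ side the group comes back as an attribute-value argument in the authorization REPLY, and the whole packet body is obfuscated with the shared secret. The added example below (not the product's code) implements the RFC 8907 pseudo-pad, builds a constructed PASS_ADD reply, parses it, and then applies vsaEnabled, roleVsaId, vsaServiceId and defaultGroup. It assumes that vsaServiceId is matched against the reply's service argument and that roleVsaId names the argument carrying the group, which the page implies but does not state; SAMPLE_KEY and SAMPLE_SESSION are made up.

```python
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

TAC_PLUS_AUTHOR = 0x02                 # packet type: authorization
TAC_PLUS_VERSION = 0xC0                # major version 0xC, minor 0
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10

# Constructed values (not from any real deployment).
SAMPLE_KEY = b"tacacs-secret"
SAMPLE_SESSION = 0x1234ABCD


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call deobfuscates (the page's 'secret' is the key)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(status: int, args: List[str], session_id: int, seq_no: int,
                       key: bytes, server_msg: bytes = b"") -> bytes:
    """Server side: REPLY body = status, arg_cnt, server_msg_len, data_len, arg lens, server_msg, data, args."""
    raw_args = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(raw_args), len(server_msg), 0)
    body += bytes(len(a) for a in raw_args) + server_msg + b"".join(raw_args)
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_author_reply(packet: bytes, key: bytes) -> Tuple[int, List[str]]:
    """Client side: deobfuscate and return (status, arguments). Raises ValueError when the
    body is inconsistent, which is what decoding with the wrong key normally produces."""
    if len(packet) < 12:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[12:12 + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated argument lengths")
    pos = 6 + arg_cnt + msg_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("utf-8", "replace"))
        pos += n
    if pos != len(body):
        raise ValueError("argument lengths do not match body length")
    return status, args


def split_av_pairs(args: List[str]) -> Dict[str, str]:
    """'attr=value' is mandatory, 'attr*value' optional; the first separator wins."""
    pairs = {}
    for arg in args:
        idx = min((i for i, ch in enumerate(arg) if ch in "=*"), default=-1)
        if idx >= 0:
            pairs[arg[:idx]] = arg[idx + 1:]
    return pairs


def group_from_reply(status: int, args: List[str], vsa_enabled: bool = True,
                     role_vsa_id: str = "sam-security-group", vsa_service_id: str = "sam-app",
                     default_group: Optional[str] = None) -> Optional[str]:
    """Apply vsaEnabled/roleVsaId/vsaServiceId/defaultGroup to a parsed reply (assumed semantics)."""
    if status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None
    if not vsa_enabled:
        return default_group
    pairs = split_av_pairs(args)
    if pairs.get("service") != vsa_service_id:
        return default_group
    return pairs.get(role_vsa_id, default_group)


def sample_author_reply(key: bytes = SAMPLE_KEY) -> bytes:
    """Constructed PASS_ADD reply granting group 'admin' for service sam-app, sequence 2."""
    return build_author_reply(AUTHOR_STATUS_PASS_ADD, ["service=sam-app", "sam-security-group=admin"],
                              SAMPLE_SESSION, 2, key)
```

Because the secret is the only thing protecting the body, it must be identical on all TACACS+ servers, as the secret parameter notes: a client configured with a different key decodes garbage and the parser rejects the reply.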