IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2.1

Primary authentication factors

You can use the IBM® Security Access Manager for Enterprise Single Sign-On password and directory server credentials as primary authentication factors. Secrets are typically used to recover credentials or as an alternative that bypasses a strong authentication factor.

ISAM ESSO passwords

When the user signs up with AccessAgent, the user registers with the IMS Server and creates a Wallet. The user is prompted to provide a password for the user Wallet. The user can use the Active Directory password as the ISAM ESSO password. The minimum and maximum length of the password can be configured; for example, 6 to 20 characters.

All application credentials are stored in the user Wallet. The ISAM ESSO password is the primary authentication factor for accessing and securing the user Wallet. AccessAgent locks the Wallet if the user enters a wrong password five consecutive times. The number of allowed attempts is configured by the organization.

The user does not have to remember all the application passwords. The ISAM ESSO password enables the user to automatically sign on to the applications listed on the Wallet.

LDAP or Active Directory passwords

Users can use enterprise directory credentials to sign up with AccessAgent. For logon, users can use enterprise directory credentials if Active Directory password synchronization is enabled.

If the Active Directory password is the primary password for logging on to computers and applications, enable the Active Directory password synchronization feature. Password synchronization synchronizes the ISAM ESSO password with the Active Directory password. Users can use the same password to log on to all computers, with or without AccessAgent.

If Active Directory password synchronization is enabled, the corporate Active Directory password policies supersede the ISAM ESSO password policies.

Secrets

Secrets are information that only the user knows. When a user signs up for a Wallet, the user is prompted to select one or more questions from a list and answers to those questions. All the questions are customizable and configurable.

The primary secret is the first secret that the user answers while signing up. This primary secret (answer) cannot be changed.

Users must provide a secret that is not likely to change and is not easily forgotten even if it is not used for a long time.

Note: The user can use all the characters in the ISO Latin-1 character set in creating secrets, except for characters µ and ß.
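The following is an added example, not IBM code and not how AccessAgent or the IMS Server are implemented. It models the rules this page states (a configurable 6 to 20 character password length, a Wallet that locks after five consecutive wrong passwords, and secrets restricted to ISO Latin-1 without µ and ß) so that the checks can be seen end to end. The constants, class and function names, and the use of a salted PBKDF2 verifier in place of the stored password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Added example, not IBM code: a small model of the primary-factor rules this
# page describes. Constants, names and the hashing scheme are assumptions.

MIN_PASSWORD_LEN = 6        # example length policy from the page: 6 to 20
MAX_PASSWORD_LEN = 20
MAX_FAILED_ATTEMPTS = 5     # page: Wallet locks after five consecutive wrong passwords
EXCLUDED_SECRET_CHARS = frozenset({"\u00b5", "\u00df"})   # µ and ß


def password_length_ok(password: str) -> bool:
    """Enforce the configurable minimum/maximum ISAM ESSO password length."""
    return MIN_PASSWORD_LEN <= len(password) <= MAX_PASSWORD_LEN


def secret_is_valid(secret: str) -> bool:
    """Accept only non-empty ISO Latin-1 text that contains neither µ nor ß."""
    if not secret:
        return False
    try:
        secret.encode("latin-1")        # rejects anything outside U+0000..U+00FF
    except UnicodeEncodeError:
        return False
    return not any(ch in EXCLUDED_SECRET_CHARS for ch in secret)


class Wallet:
    """Toy Wallet: keeps a salted PBKDF2 verifier rather than the password itself,
    and locks after MAX_FAILED_ATTEMPTS consecutive failed unlock attempts."""

    def __init__(self, password: str):
        if not password_length_ok(password):
            raise ValueError("password length outside policy")
        self._salt = os.urandom(16)
        self._verifier = self._derive(password)
        self.failed_attempts = 0
        self.locked = False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 100_000)

    def unlock(self, attempt: str) -> bool:
        """Return True on success; count failures and lock the Wallet at the limit."""
        if self.locked:
            return False                     # a locked Wallet rejects even the right password
        if hmac.compare_digest(self._derive(attempt), self._verifier):
            self.failed_attempts = 0         # a success resets the consecutive-failure count
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True
        return False


if __name__ == "__main__":
    w = Wallet("correct-horse")              # constructed sample password
    for _ in range(MAX_FAILED_ATTEMPTS):
        w.unlock("wrong-guess")
    print("locked after five failures:", w.locked)
    print("secret 'Zürich' valid:", secret_is_valid("Zürich"))
    print("secret 'Straße' valid:", secret_is_valid("Straße"))
```

Two details are worth noting when reading the output: the failure counter is reset only by a successful unlock, so four wrong guesses followed by a correct one do not accumulate toward the lock, and the secret check rejects "Straße" solely because of ß while accepting "Zürich", whose ü is within ISO Latin-1.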

You can allow users to provide more than one secret.

There are two types of secrets:
User-defined secrets
By default, IBM Security Access Manager for Enterprise Single Sign-On prompts the user to specify user-defined secrets during sign-up. These secrets help users:
  • Reset passwords
  • Bypass the use of a strong authentication factor
System-defined secrets

If you enable the system-defined secret option, the user does not have to specify a secret during AccessAgent sign-up.

AccessAgent does not prompt the user for a secret for password reset, Active Directory password synchronization, or offline recovery.

If you set the AccessAgent to use system-defined secrets, this setting cannot be changed again.

If you provisioned users into the IMS Server through a third-party provisioning system, enable system-defined secrets only if you want to reset the user password.
