IBM Tivoli Federated Identity Manager, Version 6.2.2

Response file parameters

Use the parameters described in this section to configure response files for User Self Care.

AccountCreateLifetime
Specifies the amount of time, in seconds, that User Self Care recognizes the account creation request as valid and retains the request in the internal cache. If the Create Account trust chain does not finish account creation in the specified time, the request is discarded and account creation terminates.

This property is required.
Type: Integer
Default: 86400
Maximum: none
Minimum: 0

A setting of '0' disables account creations because entries are not retained in the cache. Larger settings can affect memory consumption and potentially affect performance in replicated environments due to increased data being replicated using DynaCache across nodes.

When setting this property, also consider an appropriate size for the itfim-usc_accountcreate cache. See: Tuning User Self Care.

AccountRecoveryFailureLifetime
Specifies how long, in seconds, the program retains the record of an unsuccessful account validation attempt. When the specified time period elapses, the record of the unsuccessful attempt is discarded, and the failure counter is decremented by one.

Type: Integer
Default: 86400
Maximum: none
Minimum: 0. The value 0 means to disable locking.

When setting this property, also consider an appropriate size for the itfim-usc_secretquestionfailures cache. This parameter is configured separately as part of tuning User Self Care. See: Tuning User Self Care.

AccountRecoveryFailureLimit
Specifies the number of times a user can attempt and fail to restore account access before the program locks the account. If the user does not supply a correct answer to the secret question, account access is not restored. Each time the user fails to restore account access, a failure counter increments by one. When the counter equals the specified number, the program locks the account.

Type: Integer
Default: 3
Maximum: none
Minimum: 0

A setting of 0 or 1 causes the account to be locked after the first failure.

AccountRecoveryFailureLockoutTime
Specifies how long, in seconds, the program keeps the account locked after the user has exceeded the maximum number of unsuccessful validation attempts. When the program has locked the account, this value specifies the amount of time that must pass before the program unlocks the account.

Type: Integer
Default: 86400
Maximum: none
Minimum: 0. The value 0 disables locking.
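
The three AccountRecoveryFailure* parameters (limit, failure lifetime, lockout time) together define one lockout mechanism. The following Python model is an added example, not IBM code and not the product's implementation: the class and method names, the injectable clock, and the choice to clear the counter when a lock is imposed are assumptions, while the "0 disables locking" and "0 or 1 locks on the first failure" rules come from the parameter descriptions above.

```python
import time

class RecoveryLockout:
    """Model of the AccountRecoveryFailure* parameters (added example, not IBM code)."""

    def __init__(self, failure_limit=3, failure_lifetime=86400,
                 lockout_time=86400, clock=time.time):
        self.failure_limit = failure_limit        # AccountRecoveryFailureLimit
        self.failure_lifetime = failure_lifetime  # AccountRecoveryFailureLifetime
        self.lockout_time = lockout_time          # AccountRecoveryFailureLockoutTime
        self.clock = clock                        # injectable clock (assumption, for testing)
        self._failures = {}                       # user -> timestamps of unexpired failures
        self._locked_until = {}                   # user -> time at which the lock expires

    def _locking_enabled(self):
        # Documented: a FailureLifetime or LockoutTime of 0 disables locking.
        return self.failure_lifetime > 0 and self.lockout_time > 0

    def _prune(self, user, now):
        # Each failure record is discarded once FailureLifetime has elapsed,
        # which decrements the counter by one (documented behaviour).
        self._failures[user] = [t for t in self._failures.get(user, [])
                                if now - t < self.failure_lifetime]

    def failure_count(self, user):
        self._prune(user, self.clock())
        return len(self._failures[user])

    def is_locked(self, user):
        now = self.clock()
        until = self._locked_until.get(user)
        if until is not None and now < until:
            return True
        self._locked_until.pop(user, None)  # LockoutTime has passed: unlock
        return False

    def record_failure(self, user):
        """Register a wrong secret-question answer; return True if the account is now locked."""
        if not self._locking_enabled():
            return False
        now = self.clock()
        self._prune(user, now)
        self._failures[user].append(now)
        # Documented: a FailureLimit of 0 or 1 locks after the first failure.
        if len(self._failures[user]) >= max(self.failure_limit, 1):
            self._locked_until[user] = now + self.lockout_time
            self._failures[user] = []  # assumption: counter restarts when the lock is imposed
            return True
        return False
```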

AccountRecoveryLookupAttribute
Specifies the user attribute used for user ID lookup. This property specifies a single attribute that the user enters in the Forgotten user ID form to retrieve their user ID (identity). User Self Care uses this registry attribute as a lookup field: it searches for an entry that contains the attribute value supplied by the user and returns the matching user ID. The attribute value is assumed to be an e-mail address. An e-mail containing all the forgotten user IDs is sent to this address.

Type: string
Default: mail

AccountRecoveryLookupField
This field is deprecated. Do not modify.

AccountRecoveryValidationAttributes
This field is deprecated. Do not modify.

AccountRecoveryValidationLifetime
Specifies the amount of time, in seconds, that User Self Care considers the account validation request to be valid.

During password recovery, users must finish a validation step before recovering their password. The validation step consists of responding to a user self care e-mail that specifies a link to access. If the user does not respond within the time period specified by this parameter, the program invalidates the link in the e-mail.

Type: Integer
Default: 86400
Maximum: none
Minimum: 0

A setting of 0 for the minimum disables the ability to recover an account.

When setting this property, also consider an appropriate size for the itfim-usc_forgottenpassword cache. This parameter is configured separately as part of tuning User Self Care. See: Tuning User Self Care.

AttributeMappingFilename
Specifies the path to the location of a file that contains the transformation rules for use with the Attribute Mapping STS Module. This file can be either a JavaScript or XSLT file.

User Self Care ships with a default JavaScript file named usc.js, located in the following directory:

Federated_Identity_Manager_installation_dir/examples/js_mappings 

This property is required.
Type: String
Default: none

Example:

/opt/IBM/FIM/examples/js_mappings/usc.js

BaseURL
Specifies a fully qualified URL for the root of the User Self Care federation. User Self Care uses the root to construct dynamic HTML elements. The syntax is as follows:

method//POC_server:port/FIM_junction/sps

Where:

method
Must be either http: or https:
POC_server:port
The fully qualified host name, and optional port number, of the point of contact server.
FIM_junction
The name of the WebSEAL junction. This value is only required when using a WebSEAL point of contact server.

This property is required.
Type: String
Default: none

Example:

https://myWebSEALserver.example.com/myTFIMjct/sps

Note: If you are using WebSEAL as a point of contact server, you likely have not yet created a junction to the Tivoli® Federated Identity Manager server. In most cases, you create this junction at the end of the User Self Care configuration steps. However, you must determine the name of the junction now, so that you can set the BaseURL value in the response file now. You must remember the junction name, for use later when running the tfimcfg command.

CaptchaSTSModuleId
Specifies the Captcha STS module to use: either the demonstration Captcha module or a placeholder module that takes no action. Specifying the demonstration module value activates the demonstration Captcha module.

This property is required.
Type: String
Default: none

There are two valid values for this field:

  • usc-captcha-demo

    Use this value if you want to activate the demonstration Captcha module. If you use this setting, you must set the other Captcha settings in this response file. To use the Captcha demonstration, you must also configure the module. See: Configuring the Captcha demonstration.

  • default-usc-captcha-noop

    Use this value if you want to use the placeholder module USCNoOpsSTSModule. This module takes no action, but serves as a placeholder for a customer-provided validation module that can be used, as an example, for Captcha validation. The USCNoOpsSTSModule makes it easier for customers to provide their own module without redefining the trust chains.

DemoCaptchaImageAndKeyList
This field is required if you are using the Captcha demonstration module.

The contents are fixed and must not be modified.

Note: The DemoCaptchaImageAndKeyList parameter has already been set. The program ignores this parameter if you are not using the demonstration Captcha module.

DemoCaptchaImageRootURL
Specifies a URL of a directory that contains the images used for the demonstration Captcha module provided with User Self Care.

You must specify a value for this property if you want to use the Captcha demonstration module.

Example:

https://images.example.com/captcha/demo

EnrollmentEmailSender
Specifies a fully qualified e-mail address for the account that User Self Care uses to send a message to the user. The message validates the user enrollment. In most cases, this address is an e-mail address that does not receive responses.

This property is required.
Type: string
Default: none

Example:

no-reply@example.com

EntitySuffix
Specifies a suffix where created users are stored in the registry. This suffix must uniquely identify the registry that User Self Care uses for all operations.

This property is required.
Type: String
Default: o=ibm,c=us

GroupMembershipGroups
Specifies one or more groups, defined in the user registry used by the Create Account trust chain, to which newly enrolled users are added. The group names are specific to the user registry.

Type: String
Default: none

Example:

<void method="add">
	<string>Group1</string>
</void>
<void method="add">
	<string>Group2</string>
</void>

PasswordRecoveryEmailSender
Specifies a fully qualified e-mail address for the User Self Care account that sends a message to the user. User Self Care uses the message to validate a password recovery operation. In most cases, this e-mail address does not receive responses.

This property is required.
Type: string
Default: none

Example:

no-reply@example.com

ProfileManagementAttributes
Defines the set of registry attributes that are used for profile information. To provide a working prototype, the User Self Care solution defines a set of registry attributes for use with the default function. User Self Care does not modify the schema of the target registry. For this reason, the number of profile attributes is limited, and the attributes are standard LDAP attributes that are present in most registries.

This property is required. The attributes used are:

  • businessCategory
  • roomNumber
  • mobile
  • mail

The attributes are represented in the configuration file as follows:

Figure 1. Profile management attributes in the response file

<object class="java.util.ArrayList">
	<void method="add">
		<string>businessCategory</string>
	</void>
	<void method="add">
		<string>roomNumber</string>
	</void>
	<void method="add">
		<string>mail</string>
	</void>
	<void method="add">
		<string>mobile</string>
	</void>
</object>

SecretQuestionMinimumNumber
Specifies the minimum number of required secret questions that a user must provide answers to during enrollment. Depending on the configuration, some or all of the secret questions may be presented to the user for verification purposes when they forget their password.

This property is optional.
Type: Integer
Default: 2
Maximum: none
Minimum: 1

SecretQuestionMaximumNumber
Specifies the maximum number of secret questions that a user can provide answers to during enrollment. Depending on the configuration, all of the secret questions are presented to the user for verification purposes when they forget their password.

This property is optional.
Type: Integer
Default: 3
Maximum: none
Minimum: Depends on SecretQuestionMinimumNumber. The value must be at least the value specified in the SecretQuestionMinimumNumber parameter.

SecretQuestionRequiredForValidationNumber
Specifies the number of secret questions a user must answer correctly to validate their identity.

During password recovery, users must provide correct answers to the secret questions presented to them. The number of questions that they must answer correctly is dependent on this parameter.

Example scenario:

During enrollment, a user is presented with 3 secret questions that they must provide answers to.

An administrator configures the parameter to: SecretQuestionRequiredForValidationNumber=2

When the user forgets their password, all 3 secret questions are presented to them. However, since the parameter was set to SecretQuestionRequiredForValidationNumber=2, the user only needs to answer 2 out of the 3 questions correctly. They can leave one of the fields blank. If the user chooses to answer all the questions presented to them, they must get all the answers correct.

In this scenario, if a user chooses to answer 3 questions, they must provide the correct answers for all 3 questions to be validated. The user also cannot be validated if they answer only 1 out of the 3 questions correctly.

This property is optional.
Type: Integer
Default: 2
Maximum: none
Minimum: Depends on SecretQuestionMinimumNumber. The value must be at most the value specified in the SecretQuestionMaximumNumber parameter.
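
The validation rule in the scenario above, and the constraints between the three SecretQuestion* parameters, as an added Python example (not IBM code or the product's implementation). The function names, the constructed question set, and the whitespace-trimming comparison are assumptions; the pass/fail outcomes follow the scenario text.

```python
def validate_secret_answers(stored, submitted, required):
    """Apply the SecretQuestionRequiredForValidationNumber rule to one recovery attempt.

    stored:    question -> expected answer, for every question presented
    submitted: question -> answer the user typed ('' means the field was left blank)
    required:  SecretQuestionRequiredForValidationNumber

    Succeeds only if at least `required` questions were answered and every
    question the user chose to answer is correct. Comparison after trimming
    whitespace is an assumption of this example, not documented behaviour.
    """
    answered = {q: a.strip() for q, a in submitted.items() if a.strip()}
    if len(answered) < required:
        return False
    return all(stored.get(q, "").strip() == a for q, a in answered.items())


def check_secret_question_config(minimum, maximum, required):
    """Return the constraint violations between the three SecretQuestion* parameters."""
    problems = []
    if minimum < 1:
        problems.append("SecretQuestionMinimumNumber must be at least 1")
    if maximum < minimum:
        problems.append("SecretQuestionMaximumNumber must be at least SecretQuestionMinimumNumber")
    if required > maximum:
        problems.append("SecretQuestionRequiredForValidationNumber must not exceed SecretQuestionMaximumNumber")
    return problems


# Constructed data reproducing the page's scenario: three questions presented,
# SecretQuestionRequiredForValidationNumber=2.
STORED = {"pet": "rex", "city": "oslo", "teacher": "lind"}
REQUIRED = 2


def scenario_results():
    """Outcomes of the four cases the page's example scenario describes."""
    return {
        "two_correct_one_blank": validate_secret_answers(
            STORED, {"pet": "rex", "city": "oslo", "teacher": ""}, REQUIRED),
        "all_three_correct": validate_secret_answers(
            STORED, {"pet": "rex", "city": "oslo", "teacher": "lind"}, REQUIRED),
        "two_correct_one_wrong": validate_secret_answers(
            STORED, {"pet": "rex", "city": "oslo", "teacher": "nope"}, REQUIRED),
        "one_correct_two_blank": validate_secret_answers(
            STORED, {"pet": "rex", "city": "", "teacher": ""}, REQUIRED),
    }
```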

SMTPAuthenticatePassword
The password for the account specified by the SMTPAuthenticateUsername parameter, used when authenticating to the SMTP server. This property is optional.

Type: string
Default: none

SMTPAuthenticateUsername
The user name that authenticates to the SMTP server. This property is optional.

Type: string
Default: none

SMTPServerName
The fully qualified host name of the Simple Mail Transfer Protocol (SMTP) server that sends e-mail for the user. This property is required.

Type: string
Default: none
