Configure Site Administration

  1. Log in to Site Administration using the site administrator user.

  2. Enable external authentication.

    1. Click the Site Users tab, click the User Settings button, and select Authentication Settings.
    2. Under Authentication type, select External Authentication and click Advanced Settings.
    3. Select the Principal Type of authentication and enter the Pattern. The default pattern is *[eE][^=]*=([^,]*@[^,]*).*, which is the pattern for the email address.

      Note: For smart card authentication, enter the Pattern you are using, or leave the Pattern empty if you are using the default pattern. For SSO authentication, enter (.*) as the Pattern.

    For details, see Enabling External Authentication for Users in User management.

  3. Set the site parameters as needed. For information on setting site parameters, see Site Parameters. For a list of external authentication site parameters, see External Authentication Site Parameters.

    Note: Before setting the site parameters, click Refresh to see which site parameters were set when you enabled external authentication.

    The following site parameters are required for external authentication:

    • Valuing EXTERNAL_AUTH_MODE with Y invokes external authentication.

      Note: This parameter can be set in the Authentication Settings screen.

    • Value EXTERNAL_AUTH_HEADER_NAME for SSO authentication with the name of the header in the HTTP request that contains the string from which OpenText Application Quality Management extracts the user search key for the external authentication. The default value is SM_USER.
    • Value EXTERNAL_AUTH_CERT_HEADER_NAME for smart card authentication with the name of the header in the HTTP request that contains the string from which OpenText Application Quality Management extracts the user search key for the external authentication. The default value is CERT.

    • EXTERNAL_AUTH_USER_FIELD_PATTERN contains a regular expression pattern. ALM replaces the string that matches the regular expression pattern with the value that matches the part of the pattern defined between the first pair of parentheses (the first capturing group).

      Note: This parameter can be set in the External Authentication Advanced Settings screen.

    • EXTERNAL_AUTH_USER_FIELD_TYPE determines how to search for the valid ALM user with the extracted user search key. If this parameter is valued with email, ALM searches for a user email that matches the user search key. If this parameter is valued with name, ALM searches the user description field for a match to the user search key. If this parameter is valued with email+name, ALM searches for a user email that matches the user search key. If no match is found, ALM then searches the user description field for a match to the user search key.

      Following are the default patterns that ALM uses to search for email and common name:

      • To match by email field: *[eE][^=]*=([^,]*@[^,]*).*
      • To match by description field: *?[cC][nN] *= *([^/,]*).*

      You can also write your own pattern.

      Note: This parameter can be set in the External Authentication Advanced Settings screen.
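The extraction described above, as an added example (not OpenText's code): Python's re module stands in for ALM's regular expression engine. As an assumption, a leading "." is added to the two default patterns because re rejects a pattern that begins with a bare "*". The header values and the extract_search_key helper are constructed for illustration.

```python
import re

# Default patterns from this page with a leading "." prepended (assumption).
EMAIL_PATTERN = r".*[eE][^=]*=([^,]*@[^,]*).*"
NAME_PATTERN = r".*?[cC][nN] *= *([^/,]*).*"
SSO_PATTERN = r"(.*)"  # SSO: the whole header value is the search key


def extract_search_key(header_value, pattern):
    """Replace the text matched by pattern with capture group 1.

    Returns None when the pattern does not match; how ALM itself treats
    a non-matching header is not covered here.
    """
    m = re.search(pattern, header_value)
    if m is None:
        return None
    return header_value[:m.start()] + m.group(1) + header_value[m.end():]


# Constructed header values (certificate subject strings and an SSO user).
COMMA_DN = "CN=Jane Doe, E=jane.doe@example.com, O=Example Corp"
SLASH_DN = "/C=US/O=Example Corp/CN=Jane Doe/emailAddress=jane.doe@example.com"
TWO_AT_DN = "E=jane@example.com, OU=dept, description=ops@example.org"
NO_EMAIL_DN = "CN=Jane Doe, O=Example Corp"


def demo():
    """Return (label, extracted key) pairs for the constructed samples."""
    return [
        ("email, comma DN", extract_search_key(COMMA_DN, EMAIL_PATTERN)),
        ("name, comma DN", extract_search_key(COMMA_DN, NAME_PATTERN)),
        ("name, slash DN", extract_search_key(SLASH_DN, NAME_PATTERN)),
        # The greedy leading ".*" makes the rightmost attribute whose name
        # contains e/E and whose value contains "@" win, not the E= attribute.
        ("email, two @ values", extract_search_key(TWO_AT_DN, EMAIL_PATTERN)),
        ("email, no address", extract_search_key(NO_EMAIL_DN, EMAIL_PATTERN)),
        ("sso", extract_search_key("jdoe", SSO_PATTERN)),
    ]


if __name__ == "__main__":
    for label, key in demo():
        print(f"{label:22} -> {key!r}")
```

Running a custom pattern through the same helper against subject strings taken from your own certificates shows which ALM user field value each certificate would be matched on before the pattern is saved.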

    The following site parameters are optional, depending on the specific external authentication mode:

    • The client certificate validity should be verified by the authentication proxy. However, some proxies do not perform some required verifications, so ALM performs the verification. Valuing EXTERNAL_AUTH_CERTIFICATE_POLICY_CHECK with Y invokes the ALM verification. If the certificate contains policy information, the verification is performed. If the certificate does not contain policy information and EXTERNAL_AUTH_IS_POLICY_REQUIRED is valued with Y, ALM does not allow the user to log in. If the value is N, ALM ignores the verification.
    • When ALM performs the verification, it checks whether the client certificate has at least one policy defined in EXTERNAL_AUTH_CERTIFICATE_VALID_POLICY. If this parameter is not valued, ALM does not allow the user to log in.
    • Value EXTERNAL_AUTH_CERTIFICATE_CRL_CHECK with Y to check whether the client certificate is in the certificate revocation list (CRL). If the client certificate does not contain information about the CRL distribution point, ALM does not perform this check even if it is enabled. If the client certificate is in the CRL or if ALM cannot access the CRL distribution point, ALM does not allow the user to log in.
    • Value EXTERNAL_AUTH_CERTIFICATE_LOCAL_CRL_CHECK with Y to check whether the client certificate is in a local CRL. The folder that contains the CRL is defined in EXTERNAL_AUTH_CERTIFICATE_CRL_FOLDER. If this parameter is not set, ALM does not perform this check even if it is enabled. The CRL files have .crl or .pem extensions.
    • Value EXTERNAL_AUTH_CERTIFICATE_OCSP_CHECK with Y to check the client certificate status using the Online Certificate Status Protocol (OCSP). This check is not performed if EXTERNAL_AUTH_CERTIFICATES_FILE is not valued. If the client certificate contains OCSP URLs, ALM performs this verification. If the client certificate does not contain OCSP URLs and EXTERNAL_AUTH_CERTIFICATE_OCSP_REQUIRED is Y, ALM does not allow the user to log in. If this parameter is N and the client certificate does not contain OCSP URLs, ALM ignores this check. If ALM fails to access the OCSP URL, the user is not allowed to log in.

    • Value ALLOW_HTTP_METHOD_OVERRIDE with Y if the SiteMinder server rejects POST or DELETE HTTP requests.