External Authentication Site Parameters

Following are the external authentication site parameters:

Parameter

Description

ALLOW_HTTP_METHOD_OVERRIDE

This parameter controls whether to allow REST API requests with X-HTTP-Method-Override header.

If this parameter is set to Y, REST API requests with X-HTTP-Method-Override header are allowed.

If this parameter is set to N or is not defined, REST API requests with X-HTTP-Method-Override header are not allowed.

The default is N.

ALLOW_WEBUI_HTTP_METHOD_OVERRIDE

This parameter controls whether to allow HTTP method override.

If this parameter is set to Y, HTTP method can be overridden.

If this parameter is set to N or is not defined, HTTP method override is not allowed.

The default is N.

EXTERNAL_AUTH_MODE

Determines if external authentication is invoked (Y).

Default: N

This parameter can be set in the Authentication Settings screen.

Note: Configure the other parameters before switching OpenText Application Quality Management to external authentication mode; otherwise, you can lose OpenText Application Quality Management connectivity.

EXTERNAL_AUTH_HEADER_NAME

The name of the header in the HTTP request that contains the string from which OpenText Application Quality Management extracts the user search key for the external authentication.

This parameter is used for SSO authentication.

Default: SM_USER

Note: This parameter and EXTERNAL_AUTH_CERT_HEADER_NAME cannot both be set.

EXTERNAL_AUTH_CERT_HEADER_NAME

The name of the header in the HTTP request that contains the PEM encoded public client certificate from which OpenText Application Quality Management extracts the user search key for the external authentication. ALM extracts the user search key from the subject field of the certificate.

This parameter is used for smart card authentication.

Default: CERT

Note: This parameter and EXTERNAL_AUTH_HEADER_NAME cannot both be set.

EXTERNAL_AUTH_TYPE

Set this parameter to CAC for smart card authentication.

EXTERNAL_AUTH_USER_FIELD_TYPE

Determines how the user is identified in the external authentication data (email, name, or email+name).

Default: email+name

This parameter can be set in the External Authentication Advanced Settings screen.

EXTERNAL_AUTH_USER_FIELD_PATTERN

Determines how to extract authentication data from the HTTP header specified by the EXTERNAL_AUTH_HEADER_NAME or the EXTERNAL_AUTH_CERT_HEADER_NAME parameter.

Default: 

  • When user matches by email field: *[eE][^=]*=([^,]*@[^,]*).*
  • When user matches by description field: *?[cC][nN] *= *([^/,]*).*

This parameter can be set in the External Authentication Advanced Settings screen.

EXTERN_AUTH_VALIDATE_USER_IN_LDAP

Determines whether OpenText Application Quality Management contacts the LDAP server (if it exists) to ensure that this user is active.

Default: N

EXTERNAL_AUTH_CERTIFICATES_FILE

The name of the file that holds all the CA and Intermediate certificates trusted by ALM. The file must contain PEM format concatenated certificates.

EXTERNAL_AUTH_CERTIFICATE_CRL_CHECK

Determines whether to enable or disable the online certificate revocation list (CRL) check.

Default: Y

Note: For smart card authentication, if the online certificate revocation list (CRLDP) is required, set this parameter to Y.

EXTERNAL_AUTH_CERTIFICATE_LOCAL_CRL_CHECK

Determines whether to enable or disable the local CRL check.

Default: Y

EXTERNAL_AUTH_MATCH_DELTACRL_BY_ISSUER

Determines OpenText Application Quality Management behavior when the folder in EXTERNAL_AUTH_CERTIFICATE_CRL_FOLDER contains delta CRL files without base CRL files.

If this parameter is set to Y, login is disabled for users if the delta CRL file is issued by the same issuer.

If this parameter is set to N, login is disabled even if there is one delta CRL file in the folder.

Default: Y

EXTERNAL_AUTH_CERTIFICATE_CRL_FOLDER

The full path to the folder containing the CRL files.

Note: For smart card authentication, if delta CRL validation is needed, set this parameter to the location of the folder on the server that contains the CRL files. This parameter does not replace the parameter in the Apache configuration file. Both Apache and the ALM server check the CRL files.

EXTERNAL_AUTH_CERTIFICATE_DATE_CHECK

Determines whether to enable or disable the certificate date check.

Default: Y

EXTERNAL_AUTH_CERTIFICATE_POLICY_CHECK

Determines whether to enable or disable the certificate policy check.

Default: Y

EXTERNAL_AUTH_CERTIFICATE_VALID_POLICY

The list of valid certificate policy IDs.

Note: For smart card authentication, if certificate policy validation is needed, set this parameter.

EXTERNAL_AUTH_IS_POLICY_REQUIRED

Determines if each client certificate is required to have a policy.

Default: Y

Note: If the value is Y, each client certificate must have a valid policy which matches the EXTERNAL_AUTH_CERTIFICATE_VALID_POLICY parameter. If the value is N, the client certificate does not need to have a policy. However, whenever a policy is defined in the certificate, it must always match the EXTERNAL_AUTH_CERTIFICATE_VALID_POLICY.

EXTERNAL_AUTH_HARDWARE_CARD_IS_REQUIRED

Determines whether each client certificate is required to have a hardware extended key (relevant for Interactive and Not Specified client execution modes).

Default: Y

EXTERNAL_AUTH_EXTENDED_HARDWARE_KEYS

The valid hardware extended keys, separated by commas.

Default: 1.3.6.1.4.1.311.20.2.2

EXTERNAL_AUTH_EXECUTION_MODE_HEADER_NAME

The name of the header in the HTTP request that holds the execution mode of the client (NOT_SPECIFIED, INTERACTIVE, NON_INTERACTIVE).

Default: NOT_SPECIFIED

EXTERNAL_AUTH_CERTIFICATE_OCSP_CHECK

Determines whether to enable or disable the online certificate status protocol (OCSP) check.

Default: N

EXTERNAL_AUTH_CERTIFICATE_OCSP_REQUIRED

Determines whether each client certificate is required to have an OCSP link.

Default: Y
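
An added example, not from the product documentation, for checking which user search key EXTERNAL_AUTH_USER_FIELD_PATTERN extracts from a header value before external authentication is switched on. It assumes each default pattern begins with `.` (as printed above they start with a bare `*`, which is not a valid regular expression) and that the pattern must match the whole header value; the subject strings are constructed.

```python
import re

# Assumption: a leading "." is restored in both defaults, because a pattern
# that starts with a bare "*" does not compile. Check your server's values.
EMAIL_PATTERN = r".*[eE][^=]*=([^,]*@[^,]*).*"
NAME_PATTERN = r".*?[cC][nN] *= *([^/,]*).*"


def extract_key(pattern, header_value):
    """Return capture group 1 if the whole header value matches, else None.

    Whole-string matching (as with Java's Matcher.matches) is an assumption.
    """
    match = re.fullmatch(pattern, header_value)
    return match.group(1) if match else None


def search_keys(header_value):
    """Keys that the 'email' and 'name' user field types would look up."""
    return {
        "email": extract_key(EMAIL_PATTERN, header_value),
        "name": extract_key(NAME_PATTERN, header_value),
    }


# Constructed subjects; replace them with subjects from your own certificates.
SAMPLES = [
    # Comma-separated subject with an E attribute.
    "CN=Jane Doe, OU=Engineering, O=Example Corp, E=jane.doe@example.com",
    # Slash-separated subject with emailAddress.
    "/C=US/O=Example Corp/CN=John Smith/emailAddress=john.smith@example.com",
    # No email attribute, but another attribute value contains "@".
    "CN=svc-build, OU=People, UID=build@corp.example",
    # Two CN components and no "@" anywhere.
    "CN=Jane Doe, CN=Users, DC=example, DC=com",
    # Two email attributes: the greedy prefix selects the last one.
    "E=first@example.com, CN=x, E=second@example.com",
]

if __name__ == "__main__":
    for subject in SAMPLES:
        print(subject, "->", search_keys(subject))
```

Under these assumptions the email pattern is not tied to an attribute name: it returns the last value containing `@` that follows any `e`/`E` and an `=`, while the name pattern returns the first CN. Run real certificate subjects through the patterns you configure and confirm the extracted key is the one your user records hold.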