Effects of enabling Rational Directory Server
Before you enable IBM Rational Directory Server, make sure that you know how Focal Point® is affected.
The following features change when Rational Directory Server is enabled. To access these features, Rational Directory Server users must be authenticated in Focal Point®.
When you add users to Focal Point®, they are not automatically added to Rational Directory Server.
If you use standard authentication, you can set a user name in Focal Point®. If a user with that name also exists in Rational Directory Server, that Rational Directory Server user cannot log in to Focal Point®.
If the authentication method is changed to Rational Directory Server, the standard user access is overwritten by the Rational Directory Server access.
If you are a Rational Directory Server user, you can log in to Focal Point® even if you do not have a Focal Point® account. Rational Directory Server users are added to the product automatically.
Users can access the workspace only after a workspace administrator adds them as members of the workspace.
Rational Directory Server users do not need a Focal Point® account to be added as a member. When a workspace administrator searches for the members to add to the workspace, a list of both types of users is displayed.
You can change your password on the Profile and Password Settings page: from the main user menu, select Preferences, and then click Password.
Administrators cannot manage passwords for users who have Rational Directory Server authentication.
If a password in Rational Directory Server is reset or expired, the Focal Point® user is prompted to change the password when they log in.
For details about administrative password management, see the Rational Directory Server documentation.
The following security settings are ignored for users who are set to be authenticated with Rational Directory Server. To view these settings, click Administration from the User menu, and select Application > Security:
Force Password Change
Password Minimum Length
Login Name Minimum Length
Password Maximum Age
Password Quality
Password Reuse
Click Administration from the User menu, and select the Users tab. Click Rational Directory Server Update. The Rational Directory Server Update menu is shown only to a user whose User Type is “Global Administrator” and whose Authentication is “Rational Directory Server”. For a user who authenticates by using Rational Directory Server, the user information in Focal Point® is updated with the details from Rational Directory Server.
On the Focal Point® Login page, if a Rational Directory Server user clicks Lost Your Password?, an error message is displayed.
As an administrator, if you click Send Account Information for a Rational Directory Server user, an error message states that the password is not generated or sent. Only the user name and login URL are sent.
If the Rational Directory Server option that requires users to change their password the first time that they log in is enabled, you are prompted to change your password when you first log in to Focal Point®. If you leave this page without updating your password, you can still access Focal Point®, but all Rational Directory Server attributes, such as full name and email, are empty. These attributes are updated after you log in and change the password. If a user is already added to Focal Point® and does not update their password, the Rational Directory Server attributes display the old values until the password is changed.
The Need Access feature works only with standard authentication, and the user is added to Focal Point® only. The user name in Focal Point® must be the same as the name in Rational Directory Server; otherwise, when you use the Update feature to synchronize, an error is displayed and synchronization fails.
When a Rational Directory Server user logs in, a token is generated and stored as a cookie in the browser. When the user logs out, the cookie is removed. The token has an idle timeout of 5 minutes and a session timeout of 1 hour. The token timeout does not affect a user who is already logged in.
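The two token lifetimes above interact in a way that is easy to misread: the idle limit is measured from the last accepted request and is refreshed by activity, while the session limit is measured from issue time and is never refreshed. The following added example (illustration only, not Focal Point® or Rational Directory Server code) models that behaviour with the 5-minute and 1-hour values from this page. The class and function names, the refresh-on-request rule, and the interpretation of "does not affect a logged-in user" as an established product session outliving the cookie are assumptions made for the illustration.

```python
"""Model of the SSO-token lifetimes described on this page (added example).

Not Focal Point or Rational Directory Server code. The 5-minute idle and
1-hour session limits come from the page; every name below and the way the
token interacts with the product session are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

IDLE_TIMEOUT = timedelta(minutes=5)   # from the page: idle timeout of 5 minutes
SESSION_TIMEOUT = timedelta(hours=1)  # from the page: session timeout of 1 hour

# Fixed clock origin so the walkthrough is deterministic (constructed value).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def at(minutes: float) -> datetime:
    """Time `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class SsoToken:
    """The directory-server token stored as a browser cookie (hypothetical shape)."""
    user: str
    issued_at: datetime
    last_seen: datetime


def issue_token(user: str, now: datetime) -> SsoToken:
    return SsoToken(user=user, issued_at=now, last_seen=now)


def check_token(token: SsoToken, now: datetime) -> Tuple[bool, str]:
    """Validate the token at time `now` and refresh its idle clock on success.

    The absolute limit (from issue time) is checked first, then the idle
    limit (from the last accepted request). Because last_seen is refreshed
    on every accepted request, steady activity keeps the token alive only
    until the absolute 1-hour limit.
    """
    if now - token.issued_at > SESSION_TIMEOUT:
        return False, "session-timeout"
    if now - token.last_seen > IDLE_TIMEOUT:
        return False, "idle-timeout"
    token.last_seen = now
    return True, "ok"


@dataclass
class Browser:
    """One browser: an optional SSO cookie plus an optional product session."""
    token: Optional[SsoToken] = None
    logged_in_as: Optional[str] = None


def handle_request(browser: Browser, now: datetime) -> str:
    """Decide how a request is served.

    Assumed reading of "the token timeout does not affect a logged-in
    user": an existing product session keeps serving requests even after
    the cookie has expired; the token is consulted only when a session has
    to be established.
    """
    if browser.logged_in_as is not None:
        return f"session:{browser.logged_in_as}"
    if browser.token is None:
        return "login-required"
    ok, reason = check_token(browser.token, now)
    if not ok:
        browser.token = None  # an expired cookie is discarded
        return f"login-required:{reason}"
    browser.logged_in_as = browser.token.user
    return f"session-created:{browser.token.user}"


def logout(browser: Browser) -> None:
    """Logging out removes the cookie together with the product session."""
    browser.token = None
    browser.logged_in_as = None


if __name__ == "__main__":
    # Idle expiry: requests at +4 and +8 minutes keep the token alive,
    # a 6-minute gap afterwards does not.
    tok = issue_token("alice", T0)
    for m in (4, 8, 14):
        print(f"+{m:>2} min: {check_token(tok, at(m))}")
    # Absolute expiry: a request every 4 minutes still dies after one hour.
    tok = issue_token("bob", T0)
    print("+64 min after steady use:",
          [check_token(tok, at(m)) for m in range(4, 65, 4)][-1])
```

Running the module prints the idle-timeout case at +14 minutes and the session-timeout case at +64 minutes despite uninterrupted activity. The point for an auditor is that the idle limit alone cannot bound a token's life; only the absolute limit does, which is why both are checked on every request.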
Rational Directory Server single sign-on takes precedence over other forms of automatic login within a browser in Focal Point®, including Web Single Sign‑On.
Almost all requests to Focal Point® check for the Rational Directory Server token before processing occurs. The exception is the Web services API, which does not support Rational Directory Server single sign-on. Web services integrate Focal Point® with other tools.
You cannot set the RSS and Public Homepage options to Require Authentication. If you set those options to Enabled, the RSS feed and public home page do not require authentication because they are displayed based on the permissions and views of the Rational Directory Server user who is logged in.
See also
Enabling Rational Directory Server
Authenticating by using Rational Directory Server