#
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
#
# Copyright (c) 2007 Sun Microsystems Inc. All Rights Reserved
#
# The contents of this file are subject to the terms
# of the Common Development and Distribution License
# (the License). You may not use this file except in
# compliance with the License.
#
# You can obtain a copy of the License at
# https://opensso.dev.java.net/public/CDDLv1.0.html or
# opensso/legal/CDDLv1.0.txt
# See the License for the specific language governing
# permission and limitations under the License.
#
# When distributing Covered Code, include this CDDL
# Header Notice in each file and include the License file
# at opensso/legal/CDDLv1.0.txt.
# If applicable, add the following below the CDDL Header,
# with the fields enclosed by brackets [] replaced by
# your own identifying information:
# "Portions Copyrighted [year] [name of copyright owner]"
#
# $Id: amAuth.properties,v 1.15 2009/11/25 11:57:22 manish_rustagi Exp $
#
# Portions Copyrighted 2011-2016 ForgeRock AS.
# Portions Copyrighted 2012 Open Source Solution Technology Corporation
# Portions Copyrighted 2016 Nomura Research Institute, Ltd.
onlinehelp.doc=coreauth.html
authentication=Authentication
sessNotActive=Session was never activated
requestReceived=**** Authd request received ***
Authentication=Authentication
Cert=Cert
Radius=RADIUS
RADIUS=RADIUS
LDAP=LDAP
Membership=Membership
NT=NT
SecurID=SecurID
Anonymous=Anonymous
HTTPBasic=HTTPBasic
WindowsDesktopSSO=WindowsDesktopSSO
JDBC=JDBC
AD=Active Directory
MSISDN=MSISDN
DataStore=DataStore
UserId=UserId
UserDomain=UserDomain
loginSuccess=Login Success
loginFailed=Login Failed
invalidPasswd=Invalid Password
noSuchAlgorithm=No such algorithm
noUserName=No user name
invalidKey=Invalid Key
restricted=Restricted userid session terminated
noMatchDomainURL=No match for domain url
userLoginDisabled=User login disabled
adminAuthFailedUid=Admin Authorization Failed UserId:
adminSessLogoutUid=Admin Session Logout UserId:
sessLogoutUid=Session Logout UserId:
submit=Submit
modprop=Module Properties for the Auth is null.
NoUser=User ID not found.
InvalidUP=Invalid user ID and password. Try again.
FAuth=Authentication failed.
InappAuth=Inappropriate Authentication.
LDAPex=Unknown LDAP exception.
invalidLoginState=Login process reached invalid state: {0}
iplanet-am-auth-service-description=Core
Create=Dynamic
CreateWithAlias=Dynamic with User Alias
Required=Required
Ignore=Ignored
ServiceDoesNotExist=Service does not Exist
gettingSessionFailed=AuthD failed to get auth session
invalidSessionID=Session ID is not valid
a101=Organization Authentication Modules
a101.help=Authentication modules available to this organization.
a102=User Profile
a102.help=Controls the result of the user profile success post successful authentication.
a102.help.txt=Controls whether a user profile is required for authentication to be successful or if the profile \
will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.
a104=Administrator Authentication Configuration
a104.help=Default Authentication Chain for administrators
a104.help.txt=This is the authentication chain that will be used to authentication administrative users to this realm.
a105=User Profile Dynamic Creation Default Roles
a105.help=List of roles of which dynamically created users will be a member.
a105.help.txt=Enter the DN for each role that will be assigned to a new user when their profile has been dynamically \
created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.
a106=Authentication Chaining Modules
a107=Authentication Chaining Enabled
a110=Non Interactive Modules
a111=User's Default Redirect URL
a112=User Based Authentication
a113=People Container for All Users
a114=Alias Search Attribute Name
a114.help=The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.
a114.help.txt=This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>\
For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM \
will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until \
a match is found or the list is exhausted.<br>\
<br/><br/><i>NB </i> Only used when User Profile searching is enabled.
a115=User Authentication Modules
a117=Pluggable Authentication Module Classes
a117.help=List of configured authentication modules
a117.help.txt=The list of configured authentication modules available to OpenAM. All modules must extend from the \
<code>com.sun.identity.authentication.spi.AMLoginModule</code> class.
a117.help.uri=#tbd
a118=User Naming Attribute
a118.help=The primary LDAP attribute retrieves the user's profile after successful authentication.
a119=Pluggable Authentication Page Generator Class
a120=Default Authentication Locale
a121=Organization Authentication Configuration
a121.help=Default Authentication Chain for users
a121.help.txt=This is the authentication chain that will be used to authenticate users to this realm.
a125=Login Failure Lockout Mode
a125.help=Enables account lockout functionality for users authenticating to this realm.
a125.help.txt=OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is \
breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality \
is in addition to any account lockout behaviour implemented by the LDAP Directory Server.
a126=Login Failure Lockout Count
a126.help=The maximum number of failed authentications for a user before their account is locked.
a126.help.txt=This setting controls the maximum number of failed authentications a user can have during the lockout \
interval before OpenAM locks the users account.
a127=Login Failure Lockout Interval
a127.help=The lockout interval time is in minutes.
a127.help.txt=OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If \
the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times \
over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute \
interval are ignored.
a128=Email Address to Send Lockout Notification
a128.help=An email address or set of email addresses that receive notifications about account lockout events.
a128.help.txt=OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout \
events occur. The contents of the email message is configured using the following properties in the \
<code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The "From" address of the email message</li>\
<li><code>lockOutEmailSub</code> : The subject of the email message</li>\
<li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>\
The identity for whom the account has been locked is included in the email message.<br/><br/>\
The format of this property is:<br/>\
<code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>\
Email addresses must include the domain name, such as <code>admin@example.com</code>.
a129=Warn User After N Failures
a129.help=Warn the user when they reach this level of failed authentications.
a129.help.txt=The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>\
The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.
a130=Login Failure Lockout Duration
a130.help=The duration of the users account lockout, in minutes.
a130.help.txt=OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, \
(the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able \
to successfully authenticate to OpenAM.
a1301=Lockout Duration Multiplier
a1301.help=Value multiplied to the Login Failure Lockout Duration for each successive lockout.
a1301.help.txt=This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. \
For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be \
10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>\
The default value of 1 disables this function.
a131=Lockout Attribute Name
a131.help=Name of custom lockout attribute
a131.help.txt=When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. \
In addition, OpenAM can set the value of another attribute in the users profile.
a132=Lockout Attribute Value
a132.help=Value to set in custom lockout attribute
a132.help.txt=This is the value that will be set on the custom attribute in the users profile when they account is locked.
a1321=Invalid Attempts Data Attribute Name
a1321.help=The name of the attribute used to store information about failed authentications.
a1321.help.txt=OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple \
instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom \
attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to \
store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/>\
<i>NB </i>Any attribute specified must be a valid attribute in the data store.
a133=Default Success Login URL
a133.help=Successful logins will be forwarded to this URL
a133.help.txt=This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the \
local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to \
the current URI of OpenAM.
a134=Default Failure Login URL
a134.help=Failed logins will be forwarded to this URL
a134.help.txt=This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local \
OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current \
URI of OpenAM.
a135=Authentication Post Processing Classes
a135.help=A list of post authentication processing classes for all users in this realm.
a135.help.txt=This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. \
Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. \
<br/><br/>For example: org.forgerock.auth.PostProcessClass<br/>\
<i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface \
<code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.
a135.help.uri=#tbd
a138=Generate UserID Mode
a138.help=Enables this mode in the Membership auth module.
a138.help.txt=When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the \
data store then a list of valid usernames can be shown to the user, if requested by said user.
a139=Pluggable User Name Generator Class
a139.help=The name of the default implementation of the user name generator class.
a139.help.txt=The name of the class used to return a list of usernames to the Membership auth module.<br/><br/>\
<i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>
a140=LDAP Connection Pool Size
a140.help=Controls the size of the LDAP connection pool used for authentication
a140.help.txt=Control the size of the connection pool to the LDAP directory server used by any of the authentication modules \
that use LDAP directly such as \LDAP or Active Directory.Different OpenAM servers can be configured with different connection \
pool settings.<br/><br/>Format: host:port:minimum:maximum
a141=Default LDAP Connection Pool Size
a141.help=The default connection pool size; format is: mininum:maximum
a142=Identity Types
a143=Pluggable User Status Event Classes
a143.help=List of classes to be called when status of the user account changes.
a143.help.txt=When the status of a users account changes, OpenAM can be configured to call into a custom class. \
The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/>\
<ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.
a143.help.uri=#tbd
a144=Store Invalid Attempts in Data Store
a144.help=Enables sharing of login failure attempts across AM Instances
a144.help.txt=When this setting is enabled OpenAM will store the users invalid authentication information in the data store \
under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.
a145=Module Based Authentication
a145.help=Allows a user to authenticate via module based authentication.
a145.help.txt=The feature allow users to override the realm configuration and use a named authentication module to authenticate.\
<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.
a146=Remote Auth Security
a146.help=OpenAM requires authentication client to authenticate itself before authenticating users.
a146.help.txt=When this setting is enabled, OpenAM will require the authentication client (such as a policy agent) to authentication \
itself to OpenAM before the client will be allow to use the remote authentication API to authenticate users.
a147=User Attribute Mapping to Session Attribute
a147.help=Mapping of user profile attribute name to session attribute name.
a147.help.txt=The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values \
in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name.
a148=Keep Post Process Objects for Logout Processing
a148.help=Store Post Processing Classes for the duration of the session.
a148.help.txt=Enabling this setting will cause OpenAM to store instances of post processing classes into the users session. \
When the user logs out the original instances of the post processing classes will be called instead of new instances. \
This may be needed for special logout processing.<br/><br/>\
<i>NB </i>Enabling this setting will increase the memory usage of OpenAM.
a149=Keep Authentication Module Objects for Logout Processing.
a149.help=The authentication modules instances will be stored in the users session.
a149.help.txt=Enabling this setting will cause OpenAM to store the authentication module instances used by the user to authenticate \
in the users session. Normally after authentication the module instances would be cleared. This may be needed for special logout \
processing.<br/><br/>\
<i>NB </i>Enabling this setting will increase the memory usage of OpenAM.
a150=Valid goto URL domains
a150.help=List of Valid goto URL domains
a150.help.txt=By default OpenAM will redirect the user to the URL specified in the goto parameter supplied to the authentication interface. \
To enhance security a list of valid DNS domains can be specified. OpenAM will only redirect a user if the domain of the goto URL \
is present in this list.
a151=Persistent Cookie Encryption Certificate Alias
a151.help=Keystore Alias for encrypting Persistent Cookies.
a151.help.txt=This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication \
requests.
a152=Zero Page Login
a152.help=Allows a user to authenticate using GET request parameters without showing the login screen.
a152.help.txt=Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.
a153=Persistent Cookie Authentication Level
a153.help=The authentication level for persistent cookie authentications
a153.help.txt=The authentication level set here will be used when persistent cookie is used for authentication.
a154=XUI interface
a154.help=Determines if XUI is the default interface for OpenAM
a154.help.txt=This setting determines if XUI is the default interface for OpenAM. When enabled, OpenAM will redirect any requests to the /UI/* and idm/EndUser \
pages to their respective XUI counterparts. If disabled OpenAM will pass all requests to UI/* and the idm/EndUser pages to the classic UI like normal.
a155=Zero Page Login Referer Whitelist
a155.help=List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.
a155.help.txt=Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against \
Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.
a156=Zero Page Login Allowed without Referer?
a156.help=Whether to allow Zero Page Login if the HTTP Referer header is missing.
a156.help.txt=The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from \
HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce \
the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.
a157=XUI Reverse Proxy Support
a157.help=Enable this setting if the Reverse Proxy used in front of OpenAM does not preserve the Host header.
a157.help.txt=<strong>WARNING:</strong> Enabling this setting can have adverse effect on end-users if the system was \
freshly upgraded from 12.0.0. In such cases the user's browser may still cache an old version of the XUI business \
logic, and consequently the user may get redirected to protocol://null:port/deployURI/XUI. As browsers can \
cache the XUI resource files for indefinite long intervals, the effects of enabling this option on production \
environments should be carefully considered.
a158=Use Stateless Sessions
a158.help=Enables stateless sessions.
a158.help.txt=Stateless sessions provide elastic scalability by storing all session state on the client in the SSO \
cookie. See Session service configuration to enable signing and encryption (HIGHLY RECOMMENDED).
a159=Two Factor Authentication Mandatory
a160=Organization Authentication Signing Secret
a160.help=HMAC shared secret for signing RESTful Authentication requests.
a160.help.txt=This is the shared secret for signing state used in RESTful authentication requests. Should be at \
Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.
#Always the Authentication Level attribute should be the last item in the
#display section of the profile page. Make sure the key is always a large
#number. Now it is a500. This is to avoid reshuffling the keys if new
#attributes are added.
a500=Default Authentication Level
a500.help=The default authentication level for modules in this realm.
a500.help.txt=If the authentication module does not set it's own auth level then the module will have the default authentication level \
for the realm.
a104.link=Edit
a121.link=Edit
error=General Error
changePasswdSucceeded=Changing user password succeeded
amAuth-debug.on=On
amAuth-debug.off=Off
amAuth-debug.log=Log Messages
initWorkerFailed=Failed to instantiate login worker class
getOrgFailed=Failed to get organization attributes
getUserFailed=Failed to get user attributes :
wrongCall=Method must be called in process(): {0}
invalidDN=Invalid DN string: {0}
nullLoginState=Null LoginState obtained
nullSess=Failed to get auth SSO session
noAuthenticator=No authenticators configured
multipleUserMatchFound=Multiple matches found for user search, please contact your system administrator to fix the problem
loginContextCreateFailed=Error creating LoginContext :
failedLogout=Error logging out :
authContextCreateFailed=Error creating AuthContext :
authContextRetrieveFailed=Error retrieving AuthContext :
userTokenNull=Token is null
nullLoginParams=Login Parameters are null
noRedirectTemplate=Redirect error
errorConstructingURL=Error constructing URL
redirectError=Error redirecting to URL
nullHandler=Null Callback Handler
invalidState=Invalid module state: {0}
noCallbackState=No callbacks defined for module state: {0}
invalidCode=Invalid return code: {0}
getModulePropertiesError=Could not get module properties
invalidCallbackIndex=Invalid replace callback index: {0}
nullCallback=Null replace callback instance
noConfig=Error retrieving Configuration
noUserProfile=User Profile does not exist
userInactive=User is not Active
userNotFoundInAlias=User does not exist
noUserTokens=No User Tokens
userRoleNotFound=User does not belong to this Role.
noModulesConfigured=No Authentication Modules found.
loginDenied=User denied Login
authServiceError=Authentication Service Error
callbackError=Error creating callback
abortFailed=Error aborting login process
modulePrompt=Authentication Menu
noSid=No Session ID found {0}
unknownCallback=Unsupported callback instance
errorState=Enter module error state :
loginReset=Resetting from AMLoginContext:exceuteLogin() :
sessionActivationFailed=Session Activation Failed
orgNotMatching=Organization Mismatch
lockOutEmailSub=WARNING: user lock out notice
lockOutEmailMsg=The account for {0} has been deactivated due to successive login failures
invalidtoken=SSOToken is not valid
invalidcontext=AuthContext is not valid
noInternalSession=No Old Session can be found as part of session upgrade
# This is used to form the "From" part of the e-mail that is sent out during the
# lockout. The '-' is intentional as without it the InternetAddress class throws
# an exception
lockOutEmailFrom=OpenAM
lockOutWarning=Warning: You will be locked out after {0} more failure(s).
logout=Logout
lockOut=User Locked Out.
accountExpired=User Account Expired.
loginTimeout=Login Timed Out.
moduleDenied=Authentication Module Denied.
moduleNotFound=Authentication Module Not Found.
invalidDomain=Invalid Domain
accountLockedOut=Account Locked Out.
lockoutMessage=Lockout Message Emailed to :
incorrectAuthLevel=Invalid Auth Level.
invalidChars=Invalid Characters detected in UserName
### Error codes
### format errorCode=errorMessage | errorTemplate
### seperator "|" to differentiate between errorMessage and errorTemplate
### errorMessage = is the error message describing the error
### errroTemplate = is the jsp/html page to be rendered
100=User Requires Profile to Login|login_denied.jsp
101=User Account Expired!!|account_expired.jsp
102=Authentication Error!!|auth_error_template.jsp
103=Invalid Password!!|login_failed_template.jsp
104=User not Active|user_inactive.jsp
105=No Configuration found|noConfig.jsp
107=Authentication Failed|login_failed_template.jsp
108=Domain is invalid|invalid_domain.jsp
109=Org is inactive|org_inactive.jsp
110=Session has timed out|session_timeout.jsp
111=Authentication Module Denied|module_denied.jsp
112=Your account has been locked.|user_inactive.jsp
113=User does not belong to Role|userDenied.jsp
114=Authentication Type Denied
115=You have reached your session limit.|maxSessions.jsp
116=User profile cannot be created
117=The browser is not configured or supported for the HTTP authentication handshaking|login_failed_template.jsp
118=Can not create new session.
119=Invalid Auth Level.|invalidAuthlevel.jsp
120=Module Based Authentication is not allowed.
121=Too Many Authentication Attempts!!
122=Invalid App SSO Token in Remote Authentication
123=Exceed Password Retry Limits in DS - Constraint Violation|user_inactive.jsp
124=Session Upgrade fails since user is different than original authenticated user
125=ForceAuth fails since session is stateless
126=Authentication Module Not Found.|module_denied.jsp
################################################################################
#
# Console View Properties
#
################################################################################
authentication.show.advanced.attributes=All Core Settings...
authentication.core.properties=Core
authentication.module.instances=Module Instances
authentication.module.instances.help=The list of authentication modules available to this realm
authentication.module.instances.help.txt=OpenAM uses authentication modules to identify the user. Normally authentication modules \
are associated with an authentication chain. Each realm has a default authentication chain that will be used to authenticate users. \
This section is used to add, configure or remove authentication module available for authentication into this realm.
authentication.module.instances.help.uri=#tbd
authentication.module.configurations=Authentication Chaining
authentication.module.configurations.help=The list of authentication chains available to this realm
authentication.module.configurations.help.txt=OpenAM uses authentication chains to control the authentication flow for the user. \
Use this section to add, configure or remove this realms set of authentication chains.
authentication.module.configurations.help.uri=#tbd
authentication.module.instances.action.label=Edit
authentication.module.configurations.action.label=Edit
label.items=Items
authentication.instance.table.name.column=Name
authentication.instance.table.type.column=Type
authentication.instance.table.action.column=Action
authentication.instance.table.create.button=New
authentication.instance.table.delete.button=Delete
authentication.module.instance.table.noentries=There are no instances available. Press the New button to create one.
authentication.configuration.table.name.column=Name
authentication.configuration.table.type.column=Type
authentication.configuration.table.action.column=Action
authentication.configuration.table.create.button=New
authentication.configuration.table.delete.button=Delete
authentication.configuration.table.noentries=There are no authentication chains defined. Press the New button to create one.
[Empty]=[empty]
i18nTrue=Enabled
i18nFalse=Disabled
label.current.value=Current Values
label.new.value=New Value
org-chain-list.help=This table lists the authentication modules that make up this authentication chain.
org-chain-list.help.txt=The list of modules that will be presented to the user during authentication. The criteria controls the processing \
of the chain. Each module has a set of options that be set to control how the module operates.
org-chain-list.help.uri=#tbd