Authentication chain – how can I achieve this?

This topic has 1 reply, 2 voices, and was last updated 6 years, 3 months ago by Andrew Potter.


    I’m trying to work out how to create an authentication chain using 2 step verification, but skip the first step if user has already authenticated via this module.

    Let's say we have 2 modules, LDAP and OATH, and 2 chains – one with LDAP only (the default chain), and one with LDAP and OATH.

    I can create a policy rule for a page and set the rule to require authentication via the 2 step chain. This forces the user to authenticate via username/password then security codes. However, if the user has already authenticated to an area that only required authenticating via the LDAP chain, this policy forces them to re-enter their username/password and then do the security codes.

    My question is – is it possible to setup the authentication chain so the LDAP module is skipped if the user has already authenticated so they just do the second step?

    I can get the required result by setting the policy rule to require authentication to the LDAP module AND require authentication to the OATH module, as this seems to skip the LDAP module if already logged in. However, this seems like I'm creating authentication chains in the policy rules, which seems the wrong way to do it.

    Any advice greatly appreciated.

    Andrew Potter

    It sounds like you’re after step-up authentication.
    i.e. allow a user to access some pages based on authenticating with username/password, but then challenging them for stronger authentication when accessing sensitive pages during that session.
    Typically this is done by setting the Authentication Level of the OATH module to, say, 10 (it's arbitrary).
    Then in your policy you define an environmental condition that requires the authentication level to be at least 10. The initial chain that a user uses would just be username/password. But when the user accesses the protected page they will be challenged to ‘step-up’ by entering the OATH code.
    I would also suggest that what you’re doing is not ‘wrong’. If you want to control access based on two specific modules, or a specific ‘chain’ then go ahead – it’s completely valid.
    The ‘step-up’ method I describe provides another dynamic… let’s say you also have hardware tokens available using the RSA module. You might set this to Authentication level 10 (or higher). The user would then be presented with an option – based on the advices – as to which mechanism they will use to get their session to level 10.
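The step-up flow Andrew describes, as an added illustration that is not part of either post and not ForgeRock's own code: a small Python model of a session whose authentication level is raised by completing a module, and a policy environment condition that requires level 10. The module levels (LDAP at 0, OATH and RSA at 10), the rule that a session's level is the highest level of any module completed in it, and the shape of the returned advice are assumptions made for this model; only the name `AuthLevelConditionAdvice` and the level 10 come from the thread and the product's documented advice type.

```python
from dataclasses import dataclass, field

# Constructed module levels. OATH at 10 follows the thread; LDAP at 0 and RSA at 10
# (the hardware-token alternative mentioned above) are assumptions for this model.
MODULE_LEVELS = {"LDAP": 0, "OATH": 10, "RSA": 10}


@dataclass
class Session:
    user: str
    completed_modules: set = field(default_factory=set)

    @property
    def auth_level(self) -> int:
        # Assumption of this model: a session's level is the highest level of any
        # module the user has completed in it, so LDAP never has to be repeated
        # when a higher-level module is added later.
        return max((MODULE_LEVELS[m] for m in self.completed_modules), default=-1)


def evaluate(session: Session, required_level: int):
    """Policy decision for an environment condition 'auth level >= required_level'.

    Returns ('allow', None) when the session already satisfies the condition,
    otherwise ('deny', advice) where advice names the level needed and the modules
    that would reach it without re-running anything the user has already done.
    """
    if session.auth_level >= required_level:
        return "allow", None
    options = sorted(
        m for m, lvl in MODULE_LEVELS.items()
        if lvl >= required_level and m not in session.completed_modules
    )
    return "deny", {"AuthLevelConditionAdvice": required_level, "options": options}


def step_up(session: Session, module: str) -> Session:
    """Record that the user completed one more module in the same session."""
    if module not in MODULE_LEVELS:
        raise ValueError(f"unknown module {module!r}")
    session.completed_modules.add(module)
    return session


def demo():
    # 1. User signs in through the default chain: username/password only.
    s = step_up(Session("alice"), "LDAP")
    first = evaluate(s, 10)          # denied, with advice listing OATH and RSA
    # 2. User picks OATH from the advice and enters a code; LDAP is not repeated.
    step_up(s, "OATH")
    second = evaluate(s, 10)         # allowed at level 10
    return first, second, s.auth_level


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point the model makes explicit is that the policy asks for a level, not for a chain, so the user only supplies whatever is missing; the same decision would accept an RSA token instead of OATH because both sit at level 10.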
