July 13, 2020 at 3:03 pm #28066
Hi all, my environment is AM 6.5 and we have 2 applications and 2 authentication chains, all within the same realm. I wonder if there is a way to enforce App-1 to use AuthChain-1 and not be allowed to use AuthChain-2, and App-2 to use AuthChain-2 and not be allowed to use AuthChain-1. So it would be like this:
App-1 -> AuthChain-1
App-2 -> AuthChain-2
Right now App-1 can use AuthChain-1 and AuthChain-2 without problems, and App-2 too.
Hopefully I made myself understandable.
Best regards to everyone

July 13, 2020 at 4:39 pm #28069
Could you please share what type of enforcer you are utilizing on the application side, i.e. Agents or Federation Protocols?

July 16, 2020 at 5:16 pm #28076
Hi Jatinder, thank you so much for your answer.
On the application side we are currently not using any Agents; all goes through Federation Protocols, SAML and OAuth.
Greetings

July 18, 2020 at 12:10 am #28079
Within the same realm, I am afraid there may not be an option to provide such one-to-one mapping. That said, you can set up an Authorization Policy such that if an identity authenticated in AuthChain-2, they will be required to perform a step-up authentication using AuthChain-1. This ensures a user is always authenticated through an authorized authentication chain for a given set of resources.
In OAuth2, an RP can also request the AS to authenticate the user through specific authentication methods via acr_values. You may want to explore this option. When acr_values are used, an acr claim is returned by the AS in the OIDC Token, through which a client can validate if their request was honoured.
Hope this helps!

July 20, 2020 at 1:54 am #28080
Also worth considering is moving to Authentication Trees, which offers intelligent authentication and full control over an authentication flow.

July 20, 2020 at 8:20 pm #28083
Thank you Jatinder, we will give the Authorization Policies a try and come back to you.
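The acr_values approach suggested in post #28079, worked through on the relying-party side as an added example (this is not code from the original thread or from AM). It uses only the Python standard library. The issuer URL, client id and secret, redirect URI and the acr value `urn:example:chain1` are hypothetical; the example assumes the AS maps that value to AuthChain-1 and signs the ID token with HS256 under the client secret. Because the block has to run offline, the hypothetical `mint_id_token` helper stands in for the AS and produces the constructed tokens that `validate_id_token` then checks; everything else (signature, iss, aud, exp, nonce, and finally acr) is the validation App-1 would do on a real ID token before accepting the session.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Hypothetical, constructed values for this example; not taken from the thread.
ISSUER = "https://am.example.com/openam/oauth2"
CLIENT_ID = "app-1"
CLIENT_SECRET = b"app-1-client-secret"   # assumption: HS256 ID tokens signed with the client secret
REDIRECT_URI = "https://app-1.example.com/callback"
CHAIN1_ACR = "urn:example:chain1"        # assumption: the AS maps this acr value to AuthChain-1


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorize_url(acr_values, nonce, state):
    """Authorization request asking the AS for one of acr_values.  The claims
    parameter also marks acr as an essential claim, so a compliant AS must not
    silently authenticate with some other method and omit the claim."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(acr_values),
        "claims": json.dumps({"id_token": {"acr": {"essential": True, "values": list(acr_values)}}}),
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def mint_id_token(claims, secret=CLIENT_SECRET):
    """Stand-in for the AS (constructed data): HS256-signed ID token over claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token, expected_nonce, allowed_acr, now=None, secret=CLIENT_SECRET):
    """Verify signature, iss, aud, exp and nonce, then require acr in allowed_acr.
    Returns the claims on success and raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":           # never accept alg=none or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and CLIENT_ID not in (aud if isinstance(aud, list) else []):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    # The check this thread is about: an absent acr means the AS did not honour
    # the request, so it is rejected exactly like a value for the wrong chain.
    if claims.get("acr") not in allowed_acr:
        raise ValueError(f"acr {claims.get('acr')!r} not in {sorted(allowed_acr)}")
    return claims


def demo():
    """Builds App-1's request and checks three constructed AS responses."""
    nonce, state = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    url = build_authorize_url([CHAIN1_ACR], nonce, state)
    now = int(time.time())
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "iat": now, "exp": now + 300, "nonce": nonce}
    tokens = {
        "honoured": mint_id_token({**base, "acr": CHAIN1_ACR}),
        "other_chain": mint_id_token({**base, "acr": "urn:example:chain2"}),
        "no_acr": mint_id_token(base),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            validate_id_token(tok, nonce, {CHAIN1_ACR}, now=now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return url, results


if __name__ == "__main__":
    authorize_url, outcome = demo()
    print(authorize_url)
    for name, result in outcome.items():
        print(f"{name}: {result}")
```

Note what this does and does not enforce: AuthChain-2 can still be invoked against AM, and a user may still obtain a session through it; the acr check only makes App-1 refuse an ID token that was not produced by the chain it asked for, which is the client-side half of what the thread is after. The acr check is deliberately last, after signature and nonce validation, since an unverified acr claim proves nothing.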