Enforce apps to use particular chain

This topic has 5 replies, 2 voices, and was last updated 3 months ago by aortiz.

  • #28066
     aortiz
    Participant

    Hi all, my environment is AM 6.5 and we have 2 applications and 2 authentication chains, all within the same realm. I wonder if there is a way to enforce App-1 to use AuthChain-1 and not be allowed to use AuthChain-2, and App-2 to use AuthChain-2 and not be allowed to use AuthChain-1. So it would be like this:

    App-1 -> AuthChain-1
    App-2 -> AuthChain-2

    Right now App-1 can use AuthChain-1 and AuthChain-2 without problems, and App-2 too.
    Hopefully I made myself understandable.
    Best regards to everyone

    #28069
     Jatinder Singh
    Participant

    Could you please share what type of enforcer you are utilizing on the application side, i.e. Agents or Federation Protocols?

    #28076
     aortiz
    Participant

    Hi Jatinder, thank you so much for your answer.
    On the application side we are currently not using any Agents, all goes through Federation Protocol SAML and OAuth.
    Greetings

    #28079
     Jatinder Singh
    Participant

    Within the same realm, I am afraid there may not be an option to provide such one-to-one mapping. That said, you can set up an Authorization Policy such that if an identity in App-1 authenticated using AuthChain-2, they will be required to perform a step-up authentication using AuthChain-1. This ensures a user is always authenticated through an authorized authentication chain for a given set of resources.

    In OAuth2, an RP can also request AS to authenticate user through specific authentication methods via acr_values. You may want to explore this option. When acr_values are used, an acr claim is returned by the AS in OIDC Token through which a client can validate if their request was honoured.

    Hope this helps!
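The acr_values request and acr claim check described above, as an added example that is not part of this thread or of ForgeRock AM. It assumes the AS has been configured to map each acr value to the matching chain (the mapping, endpoint URL and client values below are constructed), and that the client's OIDC library verifies the ID token signature before the acr check runs.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample values for this example; not from the original thread.
AUTHORIZE_ENDPOINT = "https://am.example.com/openam/oauth2/authorize"  # assumed endpoint
# Assumed: each application is allowed exactly one acr value, and the AS
# maps that acr value to the authentication chain of the same name.
APP_ACR = {"App-1": "AuthChain-1", "App-2": "AuthChain-2"}


def build_authorize_url(app_name, client_id, redirect_uri, state, nonce):
    """Build the OIDC authorization request that asks for the app's chain via acr_values."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": APP_ACR[app_name],  # the only chain this app may use
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def acr_is_honoured(app_name, id_token):
    """Return True only if the ID token's acr claim equals the chain the app expects.

    acr_values is a hint, so the client must reject a token whose acr does not
    match rather than assume the AS honoured the request. The payload is read
    here without signature checks; a real client verifies the JWS signature,
    iss, aud, exp and nonce first.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        return False
    claims = json.loads(_b64url_decode(parts[1]))
    return claims.get("acr") == APP_ACR[app_name]


def make_unsigned_id_token(claims):
    """Constructed helper: builds an unsigned JWT so the check can be exercised offline."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": "none"}).encode()).rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return header + "." + body + "."
```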

    #28080
     Jatinder Singh
    Participant

    Also worth considering is moving to Authentication Trees, which offer intelligent authentication and full control over an authentication flow.

    #28083
     aortiz
    Participant

    Thank you Jatinder, we will give the Authorization Policies a try and come back to you.
    Greetings
