How to enable Step Up Authentication for SAML based applications

This topic has 4 replies, 4 voices, and was last updated 4 weeks ago by Scott Heger.

  • #28191
     suvajitsid
    Participant

    Hi Team,

    Do we have any capability of creating structured AuthSchemes to support 2FA or Step-Up for SAML 2.0 based applications which are integrated with OpenAM? Please suggest if there is any other way to achieve it.

    Regards,
    Suvajit

    #28203

    Which version of AM are you currently using?

    Please note 2FA or MFA is quite different from Step-Up authentication. I believe you mean MFA. Please correct me if I am wrong. If the AM version you are on supports Authentication Trees, you can easily set up MFA by using the appropriate set of nodes. For example, configuring push-based authentication or using WebAuthn (FIDO2) along with a directory-based look-up.

    I would suggest looking into the Backstage documentation on MFA.

    https://backstage.forgerock.com/docs/am/6.5/authentication-guide/#chap-authn-implementation-mfa

    Hope this helps!

    #28218
     Rogerio Rondini
    Participant

    The SAML2 spec defines the Authentication Context, which is fully supported by AM. The Authentication Context is part of the IDP configuration, and you can define, for example, a Password Policy Transport authentication context with Service or Level requirements, i.e., you can say that for a specific IDP the Password Policy Transport is configured to require Authentication Level 3.
    If the existing session does not have level 3, AM will search for the services (chains or trees) that can provide level 3 and will prompt the user for authentication.

    2FA, in fact, will be defined in the service (chain or tree) itself and not in the IDP.

    Regards,
    Rogerio

    #28219

    +1 Rogerio

    P.S. Authentication modules are being deprecated from v7 onwards. For that reason, try to stick to Intelligent Authentication Trees.

    #28223
     Scott Heger
    Participant

    I prefer not to specify an Authentication Level in the IDP config but rather a Service. The Service value is the name of an Intelligent Authentication tree that can determine risk and requirements and decide whether the user needs to perform additional levels of authentication and how that authentication should be performed. That's the beauty of trees!
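Putting Rogerio's Level mapping and Scott's Service mapping side by side, as an added example that is not from this thread and not AM's own code: a toy SAML2 IdP decision routine in Python. The IDP_AUTHN_CONTEXT_MAP, the TREES catalogue and the levels it awards, the StepUpMFA tree logic, the sample AuthnRequest and the "pick the cheapest tree that reaches the level" rule are all assumptions made for the illustration; the class and status URNs are the standard SAML 2.0 ones, and the thread's "Password Policy Transport" is taken here to mean the PasswordProtectedTransport class.

```python
# Added example, not AM's code: a toy SAML2 IdP step-up decision built on the
# AuthnContext -> Level / Service mapping discussed in this thread.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Standard SAML 2.0 authentication context class URNs.
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
MOBILE_2FA = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
NO_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"

# Hypothetical IDP mapping. Each class ref maps either to a required
# Authentication Level (Rogerio's approach) or to a Service, i.e. the name of
# a tree that makes the decision itself (Scott's approach).
IDP_AUTHN_CONTEXT_MAP = {
    PPT: {"level": 3},
    MOBILE_2FA: {"service": "StepUpMFA"},
}

# Hypothetical catalogue of trees and the auth level each one awards.
TREES = {"LoginPassword": 1, "LoginWithOTP": 3, "StepUpMFA": 5}


def requested_context(authn_request_xml):
    """Return the AuthnContextClassRef the SP asked for, or PPT when it asked
    for none. The Comparison attribute is ignored: this toy IdP treats every
    request as 'exact'."""
    root = ET.fromstring(authn_request_xml)
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    ref = rac.find(f"{{{SAML}}}AuthnContextClassRef") if rac is not None else None
    return ref.text.strip() if ref is not None and ref.text else PPT


def decide(authn_request_xml, session):
    """session is None (no SSO session) or {'auth_level': int}.
    Returns what the IdP does next: issue the assertion, run a tree, or reject."""
    ctx = requested_context(authn_request_xml)
    mapping = IDP_AUTHN_CONTEXT_MAP.get(ctx)
    if mapping is None:
        # Unmapped class: refuse rather than silently answer with a weaker context.
        return {"action": "reject", "status": NO_AUTHN_CONTEXT, "context": ctx}
    if "service" in mapping:
        # Service mapping: the IdP compares nothing; the named tree decides.
        return {"action": "run_tree", "tree": mapping["service"], "context": ctx}
    required = mapping["level"]
    have = session["auth_level"] if session else 0
    if have >= required:
        return {"action": "issue", "context": ctx, "auth_level": have}
    # Level mapping: find a tree that can provide the level. Assumption: the
    # cheapest one that reaches it (the post only says AM "will search").
    candidates = [name for name, lvl in TREES.items() if lvl >= required]
    if not candidates:
        return {"action": "reject", "status": NO_AUTHN_CONTEXT, "context": ctx}
    tree = min(candidates, key=TREES.__getitem__)
    return {"action": "run_tree", "tree": tree, "context": ctx, "required_level": required}


def run_step_up_mfa_tree(session, risky):
    """Hypothetical 'StepUpMFA' tree: an existing level-3+ session from a
    low-risk context is passed through; anything else must complete MFA."""
    have = session["auth_level"] if session else 0
    if have >= 3 and not risky:
        return {"outcome": "issue", "auth_level": have}
    return {"outcome": "prompt_mfa", "awards_level": TREES["StepUpMFA"]}


def authn_statement(ctx):
    """AuthnStatement fragment the IdP places in the assertion once the
    requested context has been satisfied."""
    return (f'<saml:AuthnStatement xmlns:saml="{SAML}" AuthnInstant="2020-06-01T10:00:05Z">'
            f"<saml:AuthnContext><saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>"
            "</saml:AuthnContext></saml:AuthnStatement>")


def sample_request(ctx=PPT, with_context=True):
    """Constructed sample AuthnRequest (not captured from a real SP)."""
    rac = ('<samlp:RequestedAuthnContext Comparison="exact">'
           f"<saml:AuthnContextClassRef>{ctx}</saml:AuthnContextClassRef>"
           "</samlp:RequestedAuthnContext>") if with_context else ""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            'ID="_abc123" Version="2.0" IssueInstant="2020-06-01T10:00:00Z">'
            "<saml:Issuer>https://sp.example.com/metadata</saml:Issuer>"
            f"{rac}</samlp:AuthnRequest>")


if __name__ == "__main__":
    for sess in (None, {"auth_level": 1}, {"auth_level": 3}):
        print(sess, "->", decide(sample_request(), sess))
    print(decide(sample_request(MOBILE_2FA), {"auth_level": 1}))
    print(run_step_up_mfa_tree({"auth_level": 3}, risky=True))
```

With the Level mapping the IdP itself compares the session's level against the configured requirement and only runs a tree when it falls short; with the Service mapping the IdP always hands control to the named tree, and that tree (here run_step_up_mfa_tree) is where risk signals and the choice of second factor live, which is the distinction Scott draws above. An unmapped class ref is answered with the NoAuthnContext status rather than downgraded, so an SP that asks for a strong context can never be handed a weaker one by accident.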



©2020 ForgeRock