suvajitsid (Participant), August 19, 2020 at 4:55 am, #28191
Do we have any capability of creating structured AuthSchemes to support 2 FA or Step Up for SAML2.0 based applications which are integrated with OpenAM? Please suggest if there is any other way to achieve it?
Suvajit

Jatinder Singh (AcceptingNewProjects) (Participant), August 24, 2020 at 5:56 pm, #28203
Which version of AM are you currently using?
Please note 2FA or MFA is quite different from Step-Up authentication. I believe you imply MFA. Please correct me if I am wrong. If the AM version you are on supports Authentication Trees, you can easily set up MFA by using the appropriate set of nodes. For example, configuring Push-based authentication or using WebAuthn (FIDO2) along with Directory-based look-up.
I would suggest looking into the Backstage documentation on MFA.
Hope this helps!

Rogerio Rondini (Participant), August 26, 2020 at 3:06 pm, #28218
The SAML2 spec defines the Authentication Context, which is fully supported by AM. Authentication context is part of the IDP configuration and you can define, for example, a Password Policy Transport authentication context with Service or Level requirements, i.e., you can say that for a specific IDP the Password Policy Transport is configured to require Authentication Level 3.
If the existing session does not have level 3, AM will search for the services (chain or trees) that can provide level 3 and will prompt the user for authentication.
2FA in fact will be defined in the service (chain or trees) itself and not in the IDP.
Rogerio

Jatinder Singh (AcceptingNewProjects) (Participant), August 26, 2020 at 5:56 pm, #28219
P.S. Authentication modules are being deprecated from v7 onwards. For that reason, try to stick to Intelligent Authentication Trees.

Scott Heger (Participant), August 27, 2020 at 4:50 am, #28223
I prefer not to specify an Authentication level in the IDP config but rather Service. The Service value is the name of an intelligent authentication tree that can determine risk and requirements and decide if the user needs to perform additional levels of authentication and how that authentication should be performed. That’s the beauty of trees!
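Rogerio's and Scott's posts describe the same mechanism from two angles: the IDP's authentication-context entry names either a required Level or a Service (tree), and AM compares that requirement with the existing session before prompting. The Python below is an added simulation of that decision, not code from this thread or from ForgeRock AM; the IDP table, the tree levels, the AuthnRequest and the "first supported class wins" rule are all constructed assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:ac:classes:PasswordProtectedTransport"
MOBILE2FA = "urn:oasis:names:tc:SAML:ac:classes:MobileTwoFactorContract"

# Constructed IdP authentication-context table (illustrative, not AM's real config):
# each class ref maps to a required auth Level or to a Service (tree) to run.
IDP_AUTHN_CONTEXT = {PPT: ("level", 3), MOBILE2FA: ("service", "PushMFATree")}
# Constructed: the auth level each tree sets on the session when it succeeds.
TREE_LEVELS = {"LdapTree": 1, "PushMFATree": 3}

def authn_request(class_ref: str) -> str:
    """Build a minimal constructed SP AuthnRequest asking for one context class."""
    return f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_req1" Version="2.0" IssueInstant="2020-08-26T00:00:00Z">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

def requested_classes(xml: str) -> List[str]:
    """Extract the AuthnContextClassRef values the SP is asking for."""
    root = ET.fromstring(xml)
    refs = root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return [r.text.strip() for r in refs if r.text]

@dataclass
class Decision:
    step_up: bool        # True if the user must authenticate again
    tree: Optional[str]  # tree (service) to run when step_up is True

def decide(xml: str, session_level: int) -> Decision:
    """Compare the SP's requested context with the existing session's auth level."""
    refs = [r for r in requested_classes(xml) if r in IDP_AUTHN_CONTEXT]
    if not refs:
        raise ValueError("unsupported AuthnContextClassRef; IdP would answer NoAuthnContext")
    kind, value = IDP_AUTHN_CONTEXT[refs[0]]  # first supported class wins (assumption)
    if kind == "level":
        if session_level >= value:
            return Decision(False, None)      # session is already strong enough
        # pick a tree able to reach the required level (None: nothing can satisfy it)
        tree = next((t for t, lvl in TREE_LEVELS.items() if lvl >= value), None)
        return Decision(True, tree)
    return Decision(True, value)              # Service: the named tree decides itself
```

With a Level entry the comparison is purely numeric; with a Service entry the named tree is always invoked and carries the risk logic Scott describes.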