March 21, 2018 at 8:28 pm #21270
We are using AM 5.5.1 as IDP. The IDP is linked to the realm’s default authentication chain configured in Realm > Authentication > Setting > Core “Organization Authentication Configuration”. The default authentication chain is currently set to Kerberos. So all our SPs are going through Kerberos authentication.
However, our requirement is to invoke an application (SP) specific authentication chain that is driven by application categories. For example, finance.company.com requires “Kerberos + Radius 2FA” while perk.company.com can just go through a simple “Kerberos” authentication.
How can we invoke a different Authentication-Chain based on SP-ID or some app-specific attributes?
Kabi
March 22, 2018 at 1:45 am #21272
Scott Heger, Participant
You can define authentication chain requirements at the IDP level. Go into your IDP configuration and in the Assertion Content tab go down to the Authentication Context section. In that section you have the types of authentication that are supported by your IDP. By default the PasswordProtectedTransport option is selected. You can change the supported Context Reference, but more importantly, for the options you do have selected you can choose “Service” in the Key column dropdown. In AM “service” = “chain”. Then in the Value column you specify the name of the chain you want this IDP to use for authentication. Then when a user gets directed to that IDP via any SPs you have configured to use that IDP, they will be sent through the defined chain. You then create IDPs with each chain that you need to use and configure your SPs to use the appropriate IDP.
Hope that helps.
Scott
March 22, 2018 at 10:05 pm #21289
Thanks Scott for the explanations. My use case is complex and it looks like I will end up creating multiple IDPs for each case. Here are my use cases:
(1) SP1 will use just Kerberos for all users.
(2) SP2 will use Kerberos for all users + 2FA for users in the “SP2-Admin” group.
(3) SP3 will use 2FA for all users.
I don’t see any issues for UseCase 1 and 3. But UseCase 2 requires an SP-specific Auth-Chain as the 2FA is triggered by an SP-specific group name. I have 50 applications like UseCase 2, which would require 50 IDPs with 50 different chains. Any other advice?
Kabi
March 23, 2018 at 2:51 am #21291
Scott Heger, Participant
For UseCase 2, assuming in your user’s profile you have an attribute that defines their group membership, you could try to use an auth chain that has:
Kerberos as REQUISITE
Adaptive Risk as SUFFICIENT
2FA module as REQUIRED
Then in your Adaptive Risk module you enable the “Profile Risk Attribute check” and define the group membership attribute and value as it would appear in a user’s profile. Configure the module so that if that attribute and value exist, it fails the module and causes authentication to move into the 2FA module. If users don’t have that attribute and value in their profile, then Adaptive Risk passes and exits out of the chain and the user is authenticated but not required to use 2FA.
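To show why the three flags above route only the group members into 2FA, here is an added Python model of the chain evaluation (it is not Scott's code and not anything shipped with AM). The module stand-ins, the profile keys and the group names are constructed assumptions.

```python
from enum import Enum

class Flag(Enum):
    REQUIRED = 1     # must pass; the chain continues either way
    REQUISITE = 2    # must pass; a failure stops the chain immediately
    SUFFICIENT = 3   # a pass ends the chain successfully (unless a REQUIRED already failed)

def run_chain(chain, profile):
    """Evaluate (name, flag, module) triples against a profile; returns
    (authenticated, modules_that_ran). Success needs no REQUIRED/REQUISITE
    failure and at least one passing module (JAAS-style, as AM chains do)."""
    ran, required_failed, any_passed = [], False, False
    for name, flag, module in chain:
        ran.append(name)
        ok = module(profile)
        any_passed = any_passed or ok
        if flag is Flag.REQUISITE and not ok:
            return False, ran          # Kerberos failure: stop right here
        if flag is Flag.REQUIRED and not ok:
            required_failed = True     # 2FA failure: overall result is failure
        if flag is Flag.SUFFICIENT and ok and not required_failed:
            return True, ran           # Adaptive Risk passed: no 2FA needed
    return any_passed and not required_failed, ran

# Constructed stand-ins for the real modules; a profile is a plain dict.
def kerberos(profile):
    return profile.get("kerberos_ticket_valid", False)

def profile_risk_attribute_check(group):
    # Mirrors the "Profile Risk Attribute check": the module FAILS when the
    # configured group value is present, so the chain falls through to 2FA.
    return lambda profile: group not in profile.get("memberOf", [])

def two_factor(profile):
    return profile.get("otp_verified", False)

def sp_chain(admin_group):
    """Kerberos REQUISITE -> Adaptive Risk SUFFICIENT -> 2FA REQUIRED."""
    return [
        ("Kerberos", Flag.REQUISITE, kerberos),
        ("AdaptiveRisk", Flag.SUFFICIENT, profile_risk_attribute_check(admin_group)),
        ("TwoFactor", Flag.REQUIRED, two_factor),
    ]

if __name__ == "__main__":
    chain = sp_chain("SP2-Admin")
    user = {"kerberos_ticket_valid": True, "memberOf": ["Staff"]}
    admin = {"kerberos_ticket_valid": True, "memberOf": ["SP2-Admin"], "otp_verified": True}
    print(run_chain(chain, user))   # (True, ['Kerberos', 'AdaptiveRisk'])
    print(run_chain(chain, admin))  # (True, ['Kerberos', 'AdaptiveRisk', 'TwoFactor'])
```

Because the group value is fixed in each chain's Adaptive Risk configuration, a second SP with its own admin group gets its own chain built the same way.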
Scott
March 26, 2018 at 8:21 pm #21321
Thank you Scott, will try the solution you suggested. Currently we wrote an IDP adapter for this, which is really not necessary.
Yes, we can do the membership check in the Adaptive Risk module. But how will I bring the SP-ID into this equation? We have groups meant for specific SP-IDs.
March 31, 2018 at 11:45 am #21365
vikaskundu, Participant
Hi Scott, I’ve installed the ForgeRock Authenticator app on my Google Pixel 2 XL, which is currently running Android 8.1. As I open the app it only loads a blank screen on startup and eventually crashes itself in a few secs. Any idea how to fix it?