Invoking SP Specific Authentication Chain in AM


This topic has 5 replies, 3 voices, and was last updated 4 years, 5 months ago by vikaskundu.

  • #21270
     Kabi Patt
    Participant

    We are using AM 5.5.1 as IDP. The IDP is linked to the realm’s default authentication chain configured in Realm > Authentication > Settings > Core “Organization Authentication Configuration”. The default authentication chain is currently set to Kerberos, so all our SPs are going through Kerberos authentication.

    However, our requirement is to invoke an application (SP) specific authentication chain that is driven by application categories. For example: finance.company.com requires “Kerberos + Radius 2FA”, while perk.company.com can just go through a simple “Kerberos” authentication.

    How can we invoke a different authentication chain based on SP-ID or some app-specific attributes?

    Thanks,
    Kabi

    #21272
     Scott Heger
    Participant

    Hi Kabi,

    You can define authentication chain requirements at the IDP level. Go into your IDP configuration and, in the Assertion Content tab, go down to the Authentication Context section. In that section you have the types of authentication that are supported by your IDP. By default the PasswordProtectedTransport option is selected. You can change the supported Context Reference, but more importantly, for the options you do have selected you can choose “Service” in the Key column dropdown. In AM, “service” = “chain”. Then in the Value column you specify the name of the chain you want this IDP to use for authentication. When a user gets directed to that IDP via any SP you have configured to use that IDP, they will be sent through the defined chain. You then create an IDP for each chain that you need to use and configure your SPs to use the appropriate IDP.

    Hope that helps.

    Regards,
    Scott

    #21289
     Kabi Patt
    Participant

    Thanks Scott for the explanation. My use case is complex, and it looks like I will end up creating multiple IDPs, one for each case. Here are my use cases:

    (1) SP1 will use just Kerberos for all users.
    (2) SP2 will use Kerberos for all users + 2FA for users in the “SP2-Admin” group.
    (3) SP3 will use 2FA for all users.

    I don’t see any issues for Use Cases 1 and 3. But Use Case 2 requires an SP-specific auth chain, as the 2FA is triggered by an SP-specific group name. I have 50 applications like Use Case 2, which requires 50 IDPs with 50 different chains. Any other advice?

    Thanks again
    Kabi

    #21291
     Scott Heger
    Participant

    Hi Kabi,

    For Use Case 2, assuming your users’ profiles have an attribute that defines their group membership, you could try to use an auth chain that has:

    Kerberos as REQUISITE
    Adaptive Risk as SUFFICIENT
    2FA module as REQUIRED

    Then in your Adaptive Risk module you enable the “Profile Risk Attribute check” and define the group membership attribute and value as it would appear in a user’s profile. Configure the module so that if that attribute and value exist, the module fails, which causes authentication to move on to the 2FA module. If users don’t have that attribute and value in their profile, then Adaptive Risk passes and exits the chain, and the user is authenticated without being required to use 2FA.

    Regards,
    Scott
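The chain composition above relies on how AM combines module results with its JAAS-style criteria (REQUISITE, REQUIRED, SUFFICIENT, OPTIONAL). The following is an added illustration, not ForgeRock AM code and not something posted in this thread: it re-implements those criteria in Python and traces the suggested chain (Kerberos REQUISITE, Adaptive Risk SUFFICIENT, 2FA REQUIRED) for an ordinary user, an admin, an admin who fails the OTP, and a user whose Kerberos ticket is rejected. The profiles, the `SP2-Admin` group name and the module stubs are constructed for the example; a real deployment configures these modules in the AM console rather than in code.

```python
"""Simulation of AM-style authentication chain evaluation (added example).

Re-implements the JAAS-style REQUIRED / REQUISITE / SUFFICIENT / OPTIONAL
criteria so the chain suggested in the thread can be traced offline.
Not ForgeRock code; module behaviour is stubbed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


@dataclass
class Profile:
    uid: str
    groups: List[str] = field(default_factory=list)
    kerberos_ok: bool = True   # constructed: did the Kerberos module accept the ticket
    otp_ok: bool = True        # constructed: did the user answer the 2FA challenge


Module = Callable[[Profile], bool]   # True = module passed


def kerberos(p: Profile) -> bool:
    return p.kerberos_ok


def adaptive_risk(risk_group: str) -> Module:
    # Mirrors the "Profile Risk Attribute check" as described above: the module
    # FAILS when the configured attribute/value is present on the profile, which
    # pushes the chain onward to the 2FA module instead of short-circuiting.
    def check(p: Profile) -> bool:
        return risk_group not in p.groups
    return check


def two_factor(p: Profile) -> bool:
    return p.otp_ok


def run_chain(chain, profile: Profile) -> Tuple[bool, List[str]]:
    """Evaluate (name, criterion, module) entries with JAAS-style semantics.

    REQUISITE: must pass; on failure stop immediately and fail.
    REQUIRED:  must pass; on failure continue, but the chain fails overall.
    SUFFICIENT: on pass, stop immediately (success unless a REQUIRED already
               failed); on failure, continue to the next module.
    OPTIONAL:  result only matters if no REQUIRED/REQUISITE is in the chain.
    Returns (authenticated, names of modules that were actually invoked).
    """
    invoked: List[str] = []
    required_failed = False
    saw_required = False
    optional_passed = False
    for name, criterion, module in chain:
        invoked.append(name)
        passed = module(profile)
        if criterion in ("REQUIRED", "REQUISITE"):
            saw_required = True
            if not passed:
                if criterion == "REQUISITE":
                    return False, invoked        # hard stop
                required_failed = True           # keep going, fail at the end
        elif criterion == "SUFFICIENT":
            if passed:
                return (not required_failed), invoked   # short-circuit
        elif criterion == "OPTIONAL":
            optional_passed = optional_passed or passed
        else:
            raise ValueError(f"unknown criterion {criterion!r}")
    if saw_required:
        return (not required_failed), invoked
    return optional_passed, invoked


SP2_ADMIN_GROUP = "SP2-Admin"   # assumed group name, taken from the thread

# The chain suggested above for Use Case 2.
SP2_CHAIN = [
    ("Kerberos", "REQUISITE", kerberos),
    ("AdaptiveRisk", "SUFFICIENT", adaptive_risk(SP2_ADMIN_GROUP)),
    ("TwoFactor", "REQUIRED", two_factor),
]


def authenticate_sp2(profile: Profile) -> Tuple[bool, List[str]]:
    return run_chain(SP2_CHAIN, profile)


if __name__ == "__main__":
    # Constructed sample users; expected results are asserted in the test below.
    for p in (
        Profile("alice", ["Staff"]),                    # Kerberos only
        Profile("bob", ["SP2-Admin"]),                  # Kerberos, then 2FA
        Profile("mallory", ["SP2-Admin"], otp_ok=False),  # 2FA fails
        Profile("eve", kerberos_ok=False),              # stops at Kerberos
    ):
        print(p.uid, authenticate_sp2(p))
```

The trace shows the property the chain depends on: the SUFFICIENT criterion on Adaptive Risk is what lets non-admins exit after Kerberos, while an admin's profile attribute fails that module and forces evaluation of the REQUIRED 2FA module. It also shows the limitation that matters for the SP-specific variant of the question: nothing in the chain receives the SP entity ID, so the decision is driven purely by what is on the user's profile.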

    #21321
     Kabi Patt
    Participant

    Thank you Scott, I will try the solution you suggested. Currently we have written an IDP adapter for this, which is really not necessary.

    Yes, we can do the membership check in the Adaptive Risk module. But how will I bring the SP-ID into this equation? We have groups meant for specific SP-IDs.

    Thanks,
    Kabi

    • This reply was modified 4 years, 6 months ago by Kabi Patt.
    #21365
     vikaskundu
    Participant

    Hi Scott, I’ve installed the ForgeRock Authenticator app on my Google Pixel 2 XL, which is currently running Android 8.1. When I open the app, it only loads a blank screen on startup and eventually crashes in a few seconds. Any idea how to fix it?
