Multiple Authentication Chain

This topic has 3 replies, 2 voices, and was last updated 6 years, 1 month ago by Rajesh R.


    Dear Experts,

    I have a web server protected by an OpenAM WebAgent.
    I have the following requirement: if I access

    URL 1: http://webserver/abc.html, I should be challenged with AuthenticationService 1 (Authentication Chain), and
    URL 2: http://webserver/xyz.html, I should be challenged with AuthenticationService 2 (Authentication Chain).

    How do I go about this?
    As per the current state, the user is challenged with the AuthenticationService which is mentioned in the login URL configuration of the OpenAM WebAgent. Can we have authentication policies defined for OpenAM which will decide the challenge mechanism dynamically based on the URL accessed?

    Any pointers will be helpful.

    Environment details:

    OpenAM 13
    WebAgent 4
    Webserver Apache 2.4

    Let me know if any other details are required from my end to give more clarity.


     Rajesh R

    @buddhadeb-das While I don’t have first-hand experience of trying it, what you want you can probably accomplish using the “Environment Conditions” in the Policy definition. You can define a Policy for a resource in OpenAM that’s dependent on a specific Authentication Chain or Authentication Module instance. Read more about it here: !/docs/openam/12.0.0/admin-guide/chap-authz-policy


    Hi Rajesh,

    Thanks for the update. I have tried something along similar lines:

    I have protected the web server with a web agent and have defined 2 separate policies for URL1 and URL2, and have configured the environment conditions such that the URLs are protected by specific Authentication Modules.
    The problem I am facing is that when I access the protected URLs (URL1/URL2), I am challenged with the loginUrl defined in the agent configuration first, and then I am challenged again by the Authentication Module defined in the application policy.

    I am assuming this is happening because these policies are defined under Authorization, so the agent is going through the authentication first, and then as part of the authorization check the user is challenged again as per the environment conditions. Although this feature can help me achieve use cases of step-up authentication, it doesn't serve my requirement over here.
    Please correct me if I am wrong.
    My requirement is to have some kind of authentication policy which will check the web resource (URL) that is being accessed and challenge the user based on the policy defined.
    Does OpenAM 13 support something similar? What other options do I have to achieve this?


     Rajesh R

    @buddhadeb One way to achieve this probably is to have the agent redirect to a URL which has the capability of processing the requested URL (URL1/URL2) by the User, and based on it redirect him/her to an appropriate Authentication Module instance in OpenAM.
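
A sketch of the dispatcher idea from the last reply, added here as an example and not code from the thread or from ForgeRock. It assumes the agent's login URL points at this dispatcher and passes the originally requested URL in the `goto` parameter; the OpenAM host, the default chain and the chain names are placeholders.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Assumed values (placeholders, not from the thread).
OPENAM_LOGIN = "https://openam.example.com/openam/UI/Login"
PROTECTED_HOST = "webserver"
DEFAULT_CHAIN = "AuthenticationService1"
CHAIN_BY_PATH = {
    "/abc.html": "AuthenticationService1",
    "/xyz.html": "AuthenticationService2",
}


def chain_for(goto_url):
    """Return the chain for the originally requested URL, or None when the
    URL is not on the protected web server (guards against open redirects)."""
    parts = urlsplit(goto_url)
    if parts.scheme not in ("http", "https"):
        return None
    # .hostname ignores userinfo, so "http://webserver@other/" is rejected.
    if parts.hostname != PROTECTED_HOST:
        return None
    return CHAIN_BY_PATH.get(parts.path, DEFAULT_CHAIN)


def login_redirect(dispatcher_query):
    """Build the OpenAM login URL for a request the agent sent to the
    dispatcher, selecting the chain with the `service` parameter."""
    goto = parse_qs(dispatcher_query).get("goto", [""])[0]
    chain = chain_for(goto)
    if chain is None:
        # Foreign or malformed target: use the default chain and drop goto.
        return OPENAM_LOGIN + "?" + urlencode({"service": DEFAULT_CHAIN})
    return OPENAM_LOGIN + "?" + urlencode({"service": chain, "goto": goto})


if __name__ == "__main__":
    # Constructed sample query strings, as the agent would send them.
    print(login_redirect("goto=http%3A%2F%2Fwebserver%2Fabc.html"))
    print(login_redirect("goto=http%3A%2F%2Fwebserver%2Fxyz.html"))
```

The dispatcher only selects which chain the user is challenged with; the per-URL policy environment conditions discussed earlier in the thread remain the control that enforces the required chain.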
