Enable step-up authentication and/or the Remember me cookie
Overview
When we enable both step-up authentication and the Remember me cookie, we receive the following authentication levels:
- standard
- identified
- authenticated
If we enable step-up authentication only, we receive the following authentication levels:
- standard
- authenticated
The Remember me cookie does not extend the Portal Personalization feature to the public area. When the Remember me cookie identifies a user in a public area, the user is still considered anonymous from an access control point of view.
Web Content Manager note: The authoring portlet and the web content viewer do not fully support step-up authentication or the Remember me cookie. However, the user name component is aware of the Remember me cookie. If the Remember me cookie is set on a request and a user is not logged in, the anonymous user design is not used. Instead, it uses the user name design complete with the name or distinguished name of the user specified by the Remember me cookie.
Restriction: Step-up authentication requires the LtpaToken2 for single sign-on.
Enable step-up authentication and/or the Remember me cookie
- Log on to the WAS admin console and go to...
Security | Global security | Web and SIP security | Single sign-on (SSO)
...and verify that both Interoperability Mode and Web inbound security attribute propagation are enabled.
- Edit...
WP_PROFILE/ConfigEngine/properties/wkplc.properties
...and set a value for the enable_rememberme parameter:
- To enable both step-up authentication and the Remember me cookie, set enable_rememberme=true.
- To enable step-up authentication only, set enable_rememberme=false.
- To enable the Remember me cookie only, leave enable_rememberme blank.
If we are enabling the Remember me cookie, set values for...
- sua_user
- sua_serversecret_password
- Run the ConfigEngine task that matches the enable_rememberme setting (foo stands for the WebSphere administrator password).
To enable step-up authentication and/or the Remember me cookie, run...
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh enable-stepup-authentication -DWasPassword=foo
To enable the Remember me cookie only, run...
cd WP_PROFILE/ConfigEngine
./ConfigEngine.sh enable-rememberme -DWasPassword=foo
- In a clustered environment, from one of the Portal nodes, copy...
APPSERVER_ROOT/lib/ext/wp.auth.base.sua_loginmodule.jar
...to the deployment manager host...
APPSERVER_ROOT/lib/ext/
- Stop and restart the appropriate servers to propagate the changes.
- Set the authentication level on a page or portlet:
- Go to...
Administration menu | Access | Resource Permissions
- Click either the Pages link or the Portlets link.
- Locate the page or portlet to change, then click "Authentication Level".
- Choose one of the following authentication levels:
- Standard
- Allow anonymous and identified users to view the page or portlet based on the access control setting.
- If anonymous users have access to the page or portlet, no authentication is required.
- If only authenticated users have access to the page or portlet, authentication is required.
- Identified
- Available if enable_rememberme=true. Generates the com.ibm.portal.RememberMe cookie.
If a user previously authenticates to HCL WebSphere Portal, and then returns with the com.ibm.portal.RememberMe cookie, the user is "identified" and the content displays. If a user attempts to access HCL WebSphere Portal without the com.ibm.portal.RememberMe cookie, the user is asked to authenticate before the content is displayed.
Controls whether content is displayed to an unauthenticated user based on the existence of a persistent HTTP cookie. Intended for pages and portlets that are visible to anonymous users. An example is the Remember me on this computer option during login.
Do not set the Access level to identified for the Login portlet. This action causes problems when a user logs in to HCL WebSphere Portal.
- Authenticated
- Anonymous and identified users must log in before they can view the page or portlet.
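The wkplc.properties and ConfigEngine steps above leave room for a mismatch: enable_rememberme decides which task to run, and the Remember me cookie needs sua_user and sua_serversecret_password. The following pre-flight check is an added example, not HCL tooling; the function names, the property file path and the sample values are assumptions, and it prints the task to run rather than running ConfigEngine.sh itself.

```shell
#!/bin/sh
# Pre-flight check for wkplc.properties before running ConfigEngine (added example).
# Maps enable_rememberme to the task the page names and refuses to proceed when the
# Remember me cookie is enabled but its server secret settings are missing.

# prop_value FILE KEY : print the value of KEY from a Java-style properties file ("" if absent).
# Commented lines never match because the key must start the line.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# stepup_task FILE : print the ConfigEngine task implied by enable_rememberme,
# or print a reason to stderr and return 1 if the configuration is inconsistent.
stepup_task() {
    file=$1
    rememberme=$(prop_value "$file" enable_rememberme)
    case "$rememberme" in
        true)  task=enable-stepup-authentication; need_secret=1 ;;  # step-up + Remember me
        false) task=enable-stepup-authentication; need_secret=0 ;;  # step-up only
        "")    task=enable-rememberme;            need_secret=1 ;;  # Remember me only
        *) echo "enable_rememberme must be true, false or blank (got '$rememberme')" >&2; return 1 ;;
    esac
    if [ "$need_secret" -eq 1 ]; then
        for key in sua_user sua_serversecret_password; do
            if [ -z "$(prop_value "$file" "$key")" ]; then
                echo "$key must be set when the Remember me cookie is enabled" >&2
                return 1
            fi
        done
    fi
    echo "$task"
}

# Constructed wkplc.properties fragment (not from a real installation) to run the check end to end.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
enable_rememberme=true
sua_user=suauser
sua_serversecret_password=ReplaceMe
EOF
if task=$(stepup_task "$sample"); then
    echo "next: cd WP_PROFILE/ConfigEngine && ./ConfigEngine.sh $task -DWasPassword=<admin password>"
fi
rm -f "$sample"
```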
WSRP considerations
Use step-up authentication with Web Services for Remote Portlets (WSRP) extensions. The authentication level defined for portlets on the Producer portal is automatically set on the Consumer portal when it consumes WSRP services. If we apply step-up authentication mechanisms on the Producer, users are also challenged for stronger authentication credentials on the Consumer portal as required. To use step-up authentication with a WSRP extension, ensure the environment meets the following requirements:
- The Producer and Consumer portals are HCL WebSphere Portal v8.5 or later.
- You enable step-up authentication on both the Producer and Consumer portals.
- The authentication levels are the same on the Producer and Consumer portals.
- Portal administrators can change authentication levels on either the Producer portal or the Consumer portal at any time.
- If the authentication level on the Consumer portal is less than the authentication level on the Producer portal, the Producer portal gives the following error message: AccessDeniedFault EJPWC1118E: User authentication not strong enough. Then, users cannot access the portlet. For this reason, the authentication level on the Consumer portal must be the same as the authentication level on the Producer portal.