Create an authentication policy

Use the Authentication Policy Editor on the appliance local management interface to create and configure an authentication policy.

Each policy consists of one or more decisions and/or authentication mechanisms. A decision is a grouping of different branch paths that contain one or more authentication mechanisms. The specific branch path that is followed is dependent on the configured decision mapping rule. The mechanisms are modules that authenticate the user with a specific challenge or authentication technology, such as user name and password and one-time password. In the policy, the decisions and/or authentication mechanisms are grouped into a workflow. The workflow specifies the mechanism to use and the order in which each mechanism runs. The policy identifier (PolicyID) supplied as a parameter is used to initiate the authentication policy and can be supplied either with or without the standard prefix.

Steps

  1. Click Add. The Authentication Policy Editor opens.

  2. Complete the Name and Identifier fields.

  3. Optional: Provide a description in the Description field.

  4. Click Add Add Step to add an authentication mechanism as a step in the policy workflow.

    1. Select an authentication mechanism. See Authentication.

    2. Click Addto review and select parameters supported by the mechanism. Not all authentication mechanisms support parameters. However, some configuration settings for authentication mechanisms can be customized with parameters on a per policy basis. If an authentication mechanism supports parameters, use the parameters settings to assign values to the parameters. See Authentication policy parameters and credentials.

    3. Click OK.

  5. Click AddAdd Decision to add a decision point to the policy workflow.

    1. Specify a unique name for the new decision.

    2. Select a mapping rule to be used by the new decision. Only mapping rules with the category “Decision” are valid.

    3. Optional: Specify a template file to be used by the new decision. If the template file is not specified, the default template file is used.

    4. Select Whether or not to allow the workflow to return back to the decision point.

    5. Click AddAdd Branch to add a new branch to the decision.

      1. Specify a unique name for the new branch.

      2. Click AddAdd Step to add an authentication mechanism as a step in the branch. Click Add to review and select parameters supported by the mechanism. Not all authentication mechanisms support parameters. However, some configuration settings for authentication mechanisms can be customized with parameters on a per policy basis. If an authentication mechanism supports parameters, use the parameters settings to assign values to the parameters. See Authentication policy parameters and credentials.

    6. Continue with one of the following steps:

      1. Click AddAdd Branch to add another branch to the decision.

      2. Click AddAdd Step in the relevant branch to add another authentication mechanism as the first step in the branch.

      3. Click AddAdd Step in a specific authentication mechanism to add a new authentication mechanism after the existing one.

      4. Click DeleteCancel on a specific authentication mechanism to delete that authentication mechanism.

      5. Click DeleteCancel on a specific branch to delete that branch and its associated authentication mechanism steps.

      6. Click OK to finish defining the decision.

      7. Click DeleteCancel to discard the decision and its branches.

  6. Continue with one of the following steps:

    • Add another authentication mechanism to the workflow. Repeat the preceding steps.
    • After we add all authentication mechanisms, click Modify attribute to customize the information included in the user credential. See Authentication policy parameters and credentials.

    • To modify a specific workflow element in the list, use the toolbar associated with that element to perform the following tasks:

      1. Edit the element properties.

        • If the element is a decision, clicking Edit allows all decision elements to be edited.

      2. Add a new element directly after this element.

        • This is only available if the element is a top level authentication mechanism and allows a new top level authentication mechanism to be added.

      3. Delete an element.

        • If the element is a decision it also deletes all branches and branch steps.

        • If the element is a top level authentication mechanism it deletes only that element.

      4. Move element up. The move is only within the level of the selected element.

        • Decisions and top level authentication mechanism steps can be moved with each other.
        • Branch steps can be moved with each other inside the same branch.

  7. Click OK. When we are viewing or editing an authentication policy, there are two panes shown in the user interface:

    • The first pane is the tree view of the workflow. This is where the policy elements can be managed.
    • The second pane is a flowchart view of the workflow. This flowchart gives a visual representation of the steps in the workflow. This pane has a Settings button that allows the flowchart pane to be changed. The following options are available:

      • Size- Use the slider to set the size of the flowchart elements ranging from Small to Large.
      • Orientation- Use the radio buttons to set the flowchart to render either vertically or horizontally.
      • Layout- Use the radio buttons to set the flowchart pane to render beside or beneath the workflow pane.
      • Ratio- Use the slider to change the size of the workflow and flowchart panes relative to each other.

    The flowchart settings are restored by using cookies so that any subsequent uses of this page retains the same settings.


What to do next

Use this authentication policy as the Permit with authentication action in an access control policy. See Create an access control policy.

Parent topic: Authentication policies