Enforce an authentication mechanism once per session

We can enforce an authentication mechanism either once per session or every time a user accesses a protected resource. In this scenario, the authentication service relies on the authenticationMechanismTypes credential attribute to determine which authentication mechanisms the user has already completed successfully during the current authentication session.

Use this task to enforce a particular authentication mechanism only once during the user's authenticated session. This scenario uses the Username Password and MAC One-time Password mechanisms, but any authentication mechanisms can be used in the same way.

Steps

  1. Log in to the local management interface.
  2. Click AAC.
  3. Under Policy, click Authentication.
  4. In the center panel, click Add policy.
  5. Enter the name of the custom authentication policy.
  6. Enter the Identifier.
  7. In the Workflow Steps section, click Add Step.
  8. Select Username Password and click OK.
  9. Click Parameter List view.
  10. Select the Pass check box for the reauthenticate parameter.
  11. Select Value in the Source field.
  12. Select False in the Value field.
  13. Click OK.
  14. In the Workflow Steps section, click Add Step.
  15. Select MAC One-time Password.
  16. Click OK.
  17. Click Save.
  18. Under Policy, click Access Control.
  19. In the center panel, click Add policy.
  20. Enter a name for the policy.
  21. In the Rules section, set the Precedence property to First. As a result, the policy returns a decision for the first rule in the policy that evaluates to true.
  22. Click Add Unconditional Rule.
  23. In the Decision list, select Permit with authentication.
  24. In the Authentication list, select the name of the custom authentication policy that is created in step 5.
  25. Click OK.
  26. Click Save.
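To make the decision logic behind these steps concrete, the following is an added illustrative model in Python; it is not IBM Security Access Manager's own code. It shows how a policy engine can combine the authenticationMechanismTypes credential attribute with each workflow step's reauthenticate parameter: a step whose reauthenticate value is False is skipped when the credential already records that mechanism, while every other step runs on each access. The mechanism labels, the Step and Credential classes, the access_decision helper, and the assumption that reauthenticate defaults to True when the parameter is not passed are all constructed for this example.

```python
"""Illustrative model (added example, not ISAM code) of a once-per-session
authentication policy driven by the authenticationMechanismTypes attribute."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

ATTR = "authenticationMechanismTypes"  # credential attribute name used on the page


@dataclass
class Step:
    mechanism: str               # constructed mechanism label, not a real ISAM URI
    reauthenticate: bool = True  # assumed default when the parameter is not passed


@dataclass
class Credential:
    user: str
    attributes: Dict[str, List[str]] = field(default_factory=dict)

    def completed(self) -> Set[str]:
        """Mechanisms already recorded for this session."""
        return set(self.attributes.get(ATTR, []))

    def record(self, mechanism: str) -> None:
        """Append a successfully completed mechanism to the credential."""
        done = self.attributes.setdefault(ATTR, [])
        if mechanism not in done:
            done.append(mechanism)


# Mirrors the workflow built in steps 7 to 16: password once, OTP every time.
ONCE_PER_SESSION_POLICY = [
    Step("UsernamePassword", reauthenticate=False),
    Step("MACOneTimePassword"),
]


def steps_to_run(policy: List[Step], cred: Credential) -> List[str]:
    """Return the mechanisms that still must run for this access."""
    done = cred.completed()
    return [s.mechanism for s in policy if s.reauthenticate or s.mechanism not in done]


def access_decision(policy: List[Step], cred: Credential) -> str:
    """Unconditional rule from steps 22 and 23: permit, but only with
    authentication whenever any workflow step still has to run."""
    return "permit_with_authentication" if steps_to_run(policy, cred) else "permit"


def run_policy(policy: List[Step], cred: Credential,
               run_mechanism: Callable[[str, str], bool]) -> Tuple[bool, List[str]]:
    """Run the required steps in order. run_mechanism(mechanism, user) returns
    True on success. Stops at the first failure and records only successes."""
    executed: List[str] = []
    for mech in steps_to_run(policy, cred):
        if not run_mechanism(mech, cred.user):
            return False, executed
        executed.append(mech)
        cred.record(mech)
    return True, executed


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Two accesses by the same session: the second skips the password step."""
    cred = Credential("alice")  # constructed sample user
    always_ok = lambda mech, user: True
    _, first = run_policy(ONCE_PER_SESSION_POLICY, cred, always_ok)
    _, second = run_policy(ONCE_PER_SESSION_POLICY, cred, always_ok)
    return first, second, cred.attributes[ATTR]


if __name__ == "__main__":
    first, second, recorded = demo()
    print("first access ran:", first)
    print("second access ran:", second)
    print("credential now records:", recorded)
```

Because the password step is skipped only when the credential already lists UsernamePassword, a failed OTP on the first access leaves the credential without that entry and the full workflow runs again on the next attempt.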

This scenario uses the following settings in the policy editor:
