Configure levels for step-up authentication

The first step in configuring authentication-specific access is to configure the supported authentication methods and determine the order in which these authentication methods must be considered stronger.

Any client that accesses a resource manager has an authentication level, such as unauthenticated or password. The level indicates the method with which the client was last authenticated by the resource manager.

In some situations, it might be necessary to enforce minimum safe levels of authentication required to access certain resources. For example, in one environment, authentication by token pass code might be considered more secure than authentication by user name and password. Another environment might require different standards.

The step-up authentication mechanism does not force clients to restart their sessions with the resource manager when they do not meet the required level of authentication. Instead, the step-up authentication mechanism provides clients a second chance to authenticate with the required method of authentication (level).

Step-up authentication allows resource managers to control how users access protected resources. If step-up authentication is required because the user has not authenticated with the sufficient method, the authorization engine still permits the access decision. However, the resource manager is presented with a required authentication level as an output of the authorization decision. The resource manager can then decide how to further authenticate the user to gain the required level of authentication to access the protected object.

How a particular authentication method is mapped to an authentication level is determined by the resource manager application. For all cases, the absolute minimum acceptable method of authentication must be set as level 0. More secure methods are mapped to integer numbers in ascending order (1..x) from that point forward.

Parent topic: Step-up authentication