OpenID Connect Provider Access Policies
Access policies can be used to perform step-up authentication or re-authentication during a single sign-on flow, based on contextual information carried in the authorization request.
prompt and max_age
- The access policy checks whether either of the following request attributes is present in the authentication context and, depending on which one is selected, triggers an authentication policy:
  - max_age
  - prompt=none
- For max_age, an authenticationTime attribute (the time of the user's last active authentication) must be added to the authsvc_credential mapping rule. An example mapping rule is also available.
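The decision the access policy has to make for these two attributes, as an added illustration that is not IBM Security Verify Access code: it models the check of max_age against the credential's authenticationTime and the prompt=none rule (no user interaction allowed, so the OpenID Connect login_required error is returned instead of a challenge), and generalizes slightly to prompt=login. The function names, the shapes of `request` and `credential`, and the step-up policy identifier are assumptions made for this example; in a deployment the same values come from the access policy API and the mapping rule.

```javascript
// Added example (not IBM Security Verify Access code): a runnable model of the
// decision an OpenID Connect Provider access policy makes for max_age and
// prompt. Function names and the shapes of `request` and `credential` are
// assumptions for this example.

// Assumed identifier of the authentication policy used for step-up; in a real
// deployment this is the URI of the configured UsernamePassword policy.
const STEP_UP_POLICY = "urn:ibm:security:authentication:asf:password";

// OpenID Connect defines max_age as a non-negative integer number of seconds.
function parseMaxAge(value) {
  if (value === undefined || value === null || value === "") return null;
  if (!/^\d+$/.test(String(value))) {
    throw new Error("invalid max_age: " + value);
  }
  return Number(value);
}

// prompt is a space-separated list; "none" must not be combined with other values.
function parsePrompt(value) {
  const prompts = new Set(String(value || "").split(" ").filter(Boolean));
  if (prompts.has("none") && prompts.size > 1) {
    throw new Error("prompt=none cannot be combined with other prompt values");
  }
  return prompts;
}

// What the authsvc_credential mapping rule has to contribute: the time of the
// user's last active authentication as an authenticationTime attribute
// (epoch seconds) on the credential.
function stampAuthenticationTime(credential, nowSeconds) {
  return Object.assign({}, credential, { authenticationTime: nowSeconds });
}

// The policy decision proper. Returns one of:
//   { decision: "accept", authTime }            continue the SSO flow
//   { decision: "challenge", policy, reason }   run the step-up authentication policy
//   { decision: "deny", error, reason }         return an OIDC error to the client
function decideAuthentication(request, credential, nowSeconds) {
  const maxAge = parseMaxAge(request.max_age);
  const prompts = parsePrompt(request.prompt);

  const authenticated =
    credential !== null && credential !== undefined &&
    Number.isInteger(credential.authenticationTime);
  const age = authenticated ? nowSeconds - credential.authenticationTime : Infinity;

  let reason = null;
  if (!authenticated) {
    reason = "no authenticated session";
  } else if (maxAge !== null && age > maxAge) {
    reason = "authentication age " + age + "s exceeds max_age " + maxAge + "s";
  } else if (prompts.has("login")) {
    reason = "client requested prompt=login";
  }

  if (reason === null) {
    // Nothing to do; return auth_time so the ID token can carry it when max_age was sent.
    return { decision: "accept", authTime: credential.authenticationTime };
  }
  if (prompts.has("none")) {
    // prompt=none forbids any user interaction: report login_required rather
    // than redirecting to the authentication policy.
    return { decision: "deny", error: "login_required", reason: reason };
  }
  return { decision: "challenge", policy: STEP_UP_POLICY, reason: reason };
}

// Constructed sample requests against a user who authenticated 10 minutes ago.
function demo() {
  const now = 1700000000;
  const cred = stampAuthenticationTime({ username: "alice" }, now - 600);
  const cases = [
    { max_age: "3600" },                 // within max_age: accept
    { max_age: "300" },                  // too old: challenge (step-up)
    { max_age: "300", prompt: "none" },  // too old but no UI allowed: login_required
    { prompt: "login" },                 // forced re-authentication: challenge
  ];
  return cases.map(req => ({ request: req, result: decideAuthentication(req, cred, now) }));
}

console.log(JSON.stringify(demo(), null, 2));
```

The two parse functions reject malformed input before any decision is taken; a policy that silently treated a bad max_age as "no max_age" would let a client skip the re-authentication it asked for.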
The following prerequisites must be met before the access policy can be used:
- The access policy relies on the Advanced Access Control UsernamePassword authentication policy. To configure the underlying mechanism, click AAC > Policy > Authentication > Mechanism and search for the UsernamePassword mechanism.
- Change the ACL attached to {junction}/sps/auth from the anyauth ACL to the unauth ACL.
- Attach the access policy that you create to the OpenID Connect API Definition that you create for the provider.
Parent topic: Achieving OpenID Connect Provider conformance with IBM Security Verify Access