Authentication process flow for tokens in new PIN mode

  1. A user requests a protected Web object that requires token authentication.

  2. WebSEAL returns an authentication page that requests a username and passcode.

  3. The user types the username and tokencode and submits the form to WebSEAL's authentication module.

    When the user has no PIN, either because the tokencard is new or because the administrator reset the PIN, the tokencode is the same as the passcode. When the user has a PIN but the tokencard is in new PIN mode, the user enters the PIN followed by the tokencode.

  4. The WebSEAL token authentication module sends the authentication request to the RSA ACE/Server.

  5. The RSA ACE/Server processes the request as follows:

    1. If the authentication is unsuccessful, the WebSEAL token authentication module returns the result to WebSEAL. WebSEAL displays an error page to the client (return to step 2).

    2. If the token was not in new PIN mode, the user is authenticated. The WebSEAL token authentication module returns success to the WebSEAL server, which serves the requested protected Web object. (End of authentication workflow.)

    3. If the token is in new PIN mode, the RSA ACE/Server returns the NEW_PIN error code to the WebSEAL token authentication module.

  6. WebSEAL presents the password expired form to the user.

  7. The user enters the tokencode or passcode and the new PIN and submits the form to WebSEAL.

  8. WebSEAL checks whether a password strength module is configured.

    1. If no password strength module is configured, WebSEAL continues to step 9.

    2. If a password strength module is configured, WebSEAL checks the new PIN. If the PIN is valid, WebSEAL continues to step 9. If the PIN is not valid, WebSEAL returns to step 6.

  9. The WebSEAL authentication module sends the tokencode and new PIN to the RSA ACE/Server.

  10. The RSA ACE/Server returns a response code.

  11. If the PIN set call to the RSA ACE/Server is successful, WebSEAL returns the originally requested protected Web object to the client. If the PIN set call fails, the authentication workflow returns to step 6.
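The branches of the workflow above, modelled as an added example that is not IBM or RSA code: the ACE/Server, its tokens, the response codes other than NEW_PIN, and the `strong_pin` strength rule are all constructed stand-ins, and the two functions return the page WebSEAL would show next.

```python
"""Constructed model of WebSEAL token authentication in new PIN mode (not IBM/RSA code)."""
from dataclasses import dataclass
from typing import Dict, Optional

NEW_PIN, ACCESS_OK, ACCESS_DENIED = "NEW_PIN", "ACCESS_OK", "ACCESS_DENIED"  # only NEW_PIN is from the page

@dataclass
class Token:
    tokencode: str               # code currently shown on the card (constructed sample)
    pin: Optional[str] = None    # None: no PIN yet (new card, or PIN reset by the administrator)
    new_pin_mode: bool = False

class FakeAceServer:
    """Stand-in for the RSA ACE/Server (hypothetical; real server semantics differ)."""
    def __init__(self, tokens: Dict[str, Token]): self.tokens = tokens

    def authenticate(self, user, passcode):
        t = self.tokens.get(user)
        # No PIN: passcode is just the tokencode. With a PIN: passcode is PIN + tokencode.
        expected = None if t is None else (t.tokencode if t.pin is None else t.pin + t.tokencode)
        if passcode != expected:
            return ACCESS_DENIED
        return NEW_PIN if t.new_pin_mode else ACCESS_OK

    def set_pin(self, user, tokencode, new_pin):
        t = self.tokens.get(user)
        if t is None or tokencode != t.tokencode:
            return ACCESS_DENIED
        t.pin, t.new_pin_mode = new_pin, False
        return ACCESS_OK

def strong_pin(pin):
    """Example password-strength module: 4 to 8 digits, not a single repeated digit."""
    return pin.isdigit() and 4 <= len(pin) <= 8 and len(set(pin)) > 1

def login_form(ace, user, passcode):
    """Steps 3 to 6: returns the page WebSEAL shows next."""
    result = ace.authenticate(user, passcode)              # step 4
    if result == ACCESS_DENIED:
        return "error page"                                # step 5.1, back to step 2
    if result == ACCESS_OK:
        return "protected object"                          # step 5.2, workflow ends
    return "password expired form"                         # step 5.3 (NEW_PIN) leads to step 6

def new_pin_form(ace, user, tokencode, new_pin, strength=strong_pin):
    """Steps 7 to 11: strength=None models 'no password strength module configured'."""
    if strength is not None and not strength(new_pin):     # step 8.2, weak PIN
        return "password expired form"                     # back to step 6
    if ace.set_pin(user, tokencode, new_pin) != ACCESS_OK:  # steps 9 and 10
        return "password expired form"                     # step 11, PIN set failed
    return "protected object"                              # step 11, PIN set succeeded
```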
