Authentication strength concepts
WebSEAL supports many authentication methods, including basic authentication, forms authentication, certificate authentication, and others. Any client that accesses a WebSEAL server has an authentication state, such as unauthenticated or certificate, which indicates the method by which the client last authenticated with WebSEAL.
Administrators can assign a ranking, or level, to some of the supported authentication methods by defining an ordered list that ranks each method from lowest to highest. This ranking is tailored to each individual WebSEAL deployment: there is no absolute ranking between authentication methods, and no method is inherently better or stronger than another. The ranking is simply a way for an administrator to define a relative level for each authentication method for use with a specific ISAM WebSEAL protected object namespace. The only fixed rule is that the unauthenticated level is always lower than every authenticated level. This set of authentication levels can be used to implement an authentication strength policy, sometimes called step-up authentication. Note, however, that step-up authentication is not a distinct authentication method like forms authentication or certificate authentication. It is a defined process that requires a user to change their current authentication method to another, higher-ranked, method.
Changing the authentication method in this way provides additional protection for selected resources in the WebSEAL protected object namespace. For example, a user can log in using certificate authentication and then access many resources protected by ISAM security. When the user attempts to access a more sensitive resource that has been marked to require a higher authentication level, the user is prompted to log in at that higher level.
Note that when a user triggers step-up authentication by attempting to access such a protected object, the user does not have to log out first. Instead, the user is presented with a login prompt for the higher level and simply logs in again.
Users can change authentication strength multiple times per authentication session. The authentication level specified in the controlling POP governs the level at which the user must be authenticated.
The following authentication methods can be assigned an authentication level:
- Unauthenticated: HTTP and HTTPS.
- Password authentication: HTTP and HTTPS. Limited to forms authentication. Basic authentication is not supported as a step-up authentication level.
- Certificate authentication: valid only over HTTPS. If an object that requires certificate authentication is requested over HTTP, an error page is served, as specified by the cert-stepup-http stanza entry in the [acnt-mgt] stanza of the WebSEAL configuration file.
- External authentication interface: HTTP and HTTPS.
Administrators apply an authentication level to a protected resource by declaring a standard ISAM protected object policy (POP) and attaching it to the resource object. Authentication strength policy is set and stored in a POP attribute called IP Endpoint Authentication Method. The attribute takes an integer value representing the authentication level. The lowest level, unauthenticated, is always 0. Each subsequent method in the ordered list is assigned the next integer, so the highest value equals the number of authentication methods that have been assigned a level.
When clients first authenticate to WebSEAL, the initial authentication method used is stored as an extended attribute in the client's credential. The ISAM authorization service compares the authentication method (level) in the credential against the authentication level for the requested resource, as specified in the POP. When the level in the POP exceeds the level in the credential, the user is prompted to authenticate at the higher authentication strength level.
The IP Endpoint Authentication Method attribute can also optionally be used to restrict access to a resource based on the network address of the client that sent the request. Access can be restricted for an individual network (IP) address or for a range of network addresses, each of which can require a different authentication level. WebSEAL evaluates an access request against the POP and ACL in the following order:
- Check the IP endpoint authentication method policy on the POP.
- Check ACL permissions.
- Check time-of-day policy on the POP.
- Check the audit level policy on the POP.
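The following model puts the level table, the POP attribute and the evaluation order described above into runnable form. It is an added example, not WebSEAL code and not from this page: the particular level ordering, the sample networks, the decision strings and the longest-prefix tie-break for overlapping ranges are assumptions of the example. In WebSEAL itself the ordering comes from the [authentication-levels] stanza of the WebSEAL configuration file, and the per-network levels are set on the POP with pdadmin (pop modify <pop-name> set ipauth add <network> <netmask> <level> and pop modify <pop-name> set ipauth anyothernw <level>).

```python
"""Model of WebSEAL authentication-strength (step-up) decisions.

Added illustrative model, not WebSEAL code. It follows the rules stated
on the page: levels are integers, unauthenticated is always 0, a POP's IP
Endpoint Authentication Method attribute maps client networks to a required
level, and a step-up prompt is raised when the required level exceeds the
level recorded in the credential.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable

# Constructed ordering for a hypothetical deployment. The page fixes only
# one thing: unauthenticated must be the lowest level (0). The rest is an
# administrative choice, so this order is an assumption of the example.
AUTH_LEVELS = ["unauthenticated", "password", "ext-auth-interface", "certificate"]


def level_of(method: str) -> int:
    """Map an authentication method name to its integer level (list index)."""
    if AUTH_LEVELS[0] != "unauthenticated":
        raise ValueError("unauthenticated must be the lowest level")
    return AUTH_LEVELS.index(method)


@dataclass
class IpAuthRule:
    network: ipaddress.IPv4Network  # client address range
    level: int                      # level required for clients in that range


@dataclass
class Pop:
    """The POP's IP Endpoint Authentication Method attribute, modelled as a
    list of (network, level) rules plus the level required of any other network."""
    name: str
    rules: list = field(default_factory=list)
    any_other_network: int = 0


def required_level(pop: Pop, client_ip: str) -> int:
    """Pick the rule whose network contains the client address.
    Longest prefix wins on overlap; that tie-break is an assumption of this
    model, since the page does not say how WebSEAL orders overlapping ranges."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for rule in pop.rules:
        if addr in rule.network and (best is None or rule.network.prefixlen > best.network.prefixlen):
            best = rule
    return best.level if best is not None else pop.any_other_network


def authorize(pop: Pop, client_ip: str, cred_method: str, scheme: str,
              acl_permits: Callable[[], bool] = lambda: True,
              time_of_day_ok: Callable[[], bool] = lambda: True) -> str:
    """Evaluate a request in the order the page lists: the POP's ipauth policy
    first, then the ACL, then the POP's time-of-day policy. The audit-level
    check only controls logging and cannot deny, so it is not modelled.
    Returns a short decision string instead of rendering any page."""
    required = required_level(pop, client_ip)
    required_method = AUTH_LEVELS[required]
    # Certificate-level objects are valid only over HTTPS: WebSEAL serves the
    # error page named by cert-stepup-http in [acnt-mgt] for plain HTTP.
    if required_method == "certificate" and scheme != "https":
        return "error:cert-stepup-http"
    current = level_of(cred_method)
    if required > current:
        # POP level exceeds credential level: prompt for the stronger method.
        # No logout is needed, and a credential already at or above the
        # required level is never stepped down.
        return f"step-up:{required}:{required_method}"
    if not acl_permits():
        return "deny:acl"
    if not time_of_day_ok():
        return "deny:time-of-day"
    return "allow"


# Constructed sample policy: clients on 10.1.1.0/24 need password (1), the
# single host 10.1.1.7 needs the external authentication interface (2), and
# every other network needs a certificate (3).
SAMPLE_POP = Pop(
    name="sensitive-pop",
    rules=[
        IpAuthRule(ipaddress.ip_network("10.1.1.0/24"), level_of("password")),
        IpAuthRule(ipaddress.ip_network("10.1.1.7/32"), level_of("ext-auth-interface")),
    ],
    any_other_network=level_of("certificate"),
)

if __name__ == "__main__":
    for ip, method, scheme in [("10.1.1.5", "unauthenticated", "https"),
                               ("10.1.1.5", "certificate", "https"),
                               ("10.1.1.7", "password", "https"),
                               ("192.0.2.10", "password", "http"),
                               ("192.0.2.10", "password", "https")]:
        print(ip, method, scheme, "->", authorize(SAMPLE_POP, ip, method, scheme))
```

Two behaviours worth noticing when running it: a client whose ipauth check demands step-up is prompted before the ACL is ever consulted, which is the ordering the list above describes, and a client holding a certificate-level credential is allowed straight through to a password-level object because the comparison is one-directional.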