Authentication strength level with external authentication interface
Authentication strength policy (step-up authentication) is supported for external authentication interface authentication.
[authentication-levels]
level = ext-auth-interface
See Authentication strength policy (step-up).
You can associate an authentication strength level with an authentication performed by an external authentication interface module. The external authentication interface module can return an optional HTTP header to specify this authentication level.
This header is configured in the same manner as other special external authentication interface headers (see HTTP header names for authentication data).
For example:
[eai]
eai-auth-level-header = am-eai-auth-level
The authentication strength level value becomes an attribute of the identity structure and the resulting credential. The authentication strength level attribute allows you to implement step-up authentication functionality by operating multiple external authentication interface authentication modules on a single external authentication interface server. Each module can process a different authentication method.
If the authentication strength level does not exist or contains an empty value, the default mechanisms for assigning an authentication level are used.
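The following is an added example, not code from this page or from the product: it sketches two authentication modules on one external authentication interface server, each returning its own level in the am-eai-auth-level header, and models the default-level rule stated above. The identity header name am-eai-user-id, the paths, level numbers, sample secrets, function names and the default_level parameter are assumptions made for illustration.

```python
import hmac

AUTH_LEVEL_HEADER = "am-eai-auth-level"  # eai-auth-level-header value from the page
USER_ID_HEADER = "am-eai-user-id"        # assumed identity header name

# Constructed sample data: two modules on one EAI server, one method each.
# The paths, level numbers and secrets are assumptions for this example.
MODULES = {
    "/eai/password": {"level": 1, "secrets": {"alice": "constructed-password"}},
    "/eai/otp": {"level": 2, "secrets": {"alice": "123456"}},
}


def eai_headers(path, username, secret):
    """Headers an EAI module returns; empty dict when authentication fails."""
    module = MODULES.get(path)
    if module is None:
        return {}
    expected = module["secrets"].get(username)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return {}
    # The level comes from the module that did the work, never from request input.
    return {USER_ID_HEADER: username, AUTH_LEVEL_HEADER: str(module["level"])}


def credential_level(headers, default_level):
    """Model of the documented rule: a missing or empty header means the default."""
    raw = headers.get(AUTH_LEVEL_HEADER, "").strip()
    if not raw:
        return default_level
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("non-numeric authentication level: %r" % raw)
    return int(raw)


def needs_step_up(current_level, required_level):
    """Simplified model: step-up is required when the credential level is too low."""
    return current_level < required_level
```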
If you enable step-up authentication with external authentication interface authentication, you must modify the standard WebSEAL login pages appropriately. See Login page and macro support with external authentication interface.