Use multiple authentication levels
You can associate more than one authentication level with a particular authentication mechanism.
Authentication mechanisms can set the authentication level, which results from a successful authentication, directly into the credential as an attribute. If so, this overrides the level set in the credential by the placement of the authentication mechanism in the [authentication-levels] stanza. We can use this method to specify the authentication level that will be set in the resulting Security Verify Access credential. Use it to associate more than one level with a particular authentication mechanism.
The reasons to enter an authentication mechanism more than once in the [authentication-levels] stanza are:
- To control the prompt displayed to a user when they are required to step-up.
- To satisfy the Policy Server requirement that a method exists that can handle every configured POP level.
This is likely to be a consideration when using an External Authentication Interface (EAI) server to perform authentication. It is common to want the EAI to handle multiple authentication levels. An EAI server can return an authentication level either as an attribute in a Privilege Attribute Certificate (PAC), if it returns one, or as an extended attribute header if it returns a User Id. The EAI authentication mechanism can then be specified in multiple lines of the [authentication-levels] stanza. For example, if an EAI server is configured to handle authenticating users at levels 2 and 3, while Forms authentication is used to authenticate users at level 1, the [authentication-levels] stanza would contain the following entries:
[authentication-levels] #---------------------- # STEP UP #---------------------- # authentication levels # # Syntax: # level = <method-name> # # Valid method names are: # unauthenticated # password # ssl # ext-auth-interface # ltpa # oidc # level = unauthenticated level = password level = ext-auth-interface level = ext-auth-interface
Parent topic: Specify authentication levels