Enforcing user identity match across authentication levels

By default, WebSEAL requires the user identity that performs the authentication strength (step-up) operation to match the user identity used to perform the initial authentication operation.

WebSEAL verifies that the user identity in the new user credential matches the user identity in the original credential. If the user identities do not match, WebSEAL denies the authentication step-up, logs an error, and returns an error page to the user.

This function is enabled by default.

To disable this function, edit the WebSEAL configuration file, and set the value of verify-step-up-user to no.
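Because disabling this check lets a step-up complete under a different identity than the initial login, a configuration review should flag it. The following audit is an added example, not IBM's code: it scans the text of a WebSEAL-style configuration file for an active verify-step-up-user entry set to no. The sample file content is constructed, the [step-up] stanza name in it is an assumption, and the function names are hypothetical.

```python
import re

# Constructed sample of a WebSEAL-style stanza file (not from a real deployment).
# The [step-up] stanza name is an assumption; the audit matches the key in any stanza.
SAMPLE_CONF = """\
[server]
https-port = 443

[step-up]
# identity check switched off during a migration
verify-step-up-user = No
"""

KEY = "verify-step-up-user"
STANZA_RE = re.compile(r"^\[([^\]]+)\]\s*$")
ENTRY_RE = re.compile(r"^([^=\s#][^=]*?)\s*=\s*(.*?)\s*$")


def find_entries(conf_text, key=KEY):
    """Return [(stanza, line_no, value)] for every active occurrence of key."""
    hits, stanza = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out entry: not in effect
        m = STANZA_RE.match(line)
        if m:
            stanza = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and m.group(1).strip().lower() == key:
            hits.append((stanza, line_no, m.group(2)))
    return hits


def audit_step_up(conf_text):
    """Return (enforced, findings). An absent key means the default (enabled) applies."""
    hits = find_entries(conf_text)
    disabled = [h for h in hits if h[2].strip().lower() == "no"]
    # Conservative: any active "no" is reported, without assuming which duplicate wins.
    return (not disabled, disabled)


if __name__ == "__main__":
    enforced, findings = audit_step_up(SAMPLE_CONF)
    print("identity match enforced:", enforced)
    for stanza, line_no, value in findings:
        print(f"  line {line_no} [{stanza}] {KEY} = {value}")
```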
