level

level = method-name

Description

Step-up authentication levels. WebSEAL enables authenticated users to increase the authentication level by use of step-up authentication. This key=value pair specifies which step-up authentication levels are supported by this WebSEAL server.

Do not specify an authentication level unless the authentication method is enabled. For example, we must enable either basic authentication or forms authentication before we set level = password.

Enter a separate key=value pair for each supported level. Supported levels include:

The position of the entry in the file dictates the associated authentication level. The first row, typically unauthenticated, is associated with authentication level 0. Each subsequent line is associated with the next higher level. We can add multiple entries for the same method.

It is possible for the method to set the authentication level itself. For example, an External Authentication Interface (EAI) implementation might set an authentication level of either 2 or 3, depending on the authentication transaction the client undertakes. The EAI can set this authentication level directly in the identity attributes returned to WebSEAL. To support this implementation, we can create two identical lines in positions 3 and 4. For example:

level = unauthenticated       (associated with level 0)
level = password              (associated with level 1)
level = ext-auth-interface    (associated with level 2)
level = ext-auth-interface    (associated with level 3)
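
The position-to-level rule above can be checked mechanically when reviewing a configuration. The following is an added example, not code from the WebSEAL product or its documentation: it reads the level entries of an [authentication-levels] stanza in file order, derives each entry's level from its position, and flags entries whose method is not enabled. The function names, the embedded sample stanza, the treatment of `#` lines as comments, and the caller-supplied `enabled` set are assumptions made for illustration.

```python
# Added example: derive step-up levels from entry position and audit them.
# SAMPLE_CONF is a constructed stanza, not taken from a real server.
SAMPLE_CONF = """\
[authentication-levels]
# constructed sample
level = unauthenticated
level = password
level = ext-auth-interface
level = ext-auth-interface

[other-stanza]
level = ignored
"""

def parse_levels(conf_text):
    """Return method names in file order; the list index is the level."""
    methods, in_stanza = [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_stanza = line == "[authentication-levels]"
            continue
        if in_stanza:
            key, sep, value = line.partition("=")
            if sep and key.strip() == "level":
                methods.append(value.strip())
    return methods

def levels_by_method(methods):
    """Group levels per method; a method listed twice owns several levels."""
    out = {}
    for level, method in enumerate(methods):
        out.setdefault(method, []).append(level)
    return out

def audit(methods, enabled):
    """Flag level entries whose method is not in the caller-supplied enabled set."""
    findings = []
    if not methods:
        findings.append("no level entries: this stanza entry is required")
    for level, method in enumerate(methods):
        if method != "unauthenticated" and method not in enabled:
            findings.append(f"level {level}: method '{method}' is not enabled")
    return findings

if __name__ == "__main__":
    found = parse_levels(SAMPLE_CONF)
    print(levels_by_method(found))
    print(audit(found, enabled={"password"}))
```

The `enabled` set must be filled in by the reviewer from the server's actual authentication settings; the example does not read them.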

Options

Usage: Required.

Default:

unauthenticated

password

Example:

level = unauthenticated
level = password

Parent topic: [authentication-levels] stanza