Context: Typical organizational resource access environment considers granting access to resource from both internal and external networks. Organizations who enforce integrated windows authentication (IWA), will suffice the need of granting access to users who connected to organization’s VPN and fails to serve the request when the resource is accessed from outside network. In such scenario Administrators will have challenge in configuring a single realm for both internal users, who get authenticated using IWA ,and external network users. Problem lies when an authentication scheme is not fit to get exercised based on available circumstances, the mechanism is not intelligent enough to proceed to an alternate approach for getting user securely authenticated. Below mentioned scenarios discuss the solution approaches and how they simplify and enhance the security.
Scenario 1: Administrators usually set primary authentication scheme to let users access the resource from internal network, provision must be made so that resource is accessible from internet. A mechanism should exist in order to provide such service and simplify the user experience. In other words, when primary authentication scheme fails, there should be mechanism that enables administrators to opt-in the secondary authentication method. Fallback mechanism provides supplemental authentication while maintaining the benefits of a primary authentication of protected network. When the algorithm switch determines that the user device does not possess or does not claim primary authentication supplicant or credentials, the algorithm switch falls back to secondary authentication method that recognizes user’s identity can be employed to policies that allow or deny network resource access.
Scenario 2: To increase security for a resource, users are required to get authenticated using two different authentication schemes. For example, you could set up digital certificate as the first authentication method, and IWA as the second one. Chained authentication configuration enables to secure the resources stronger than a single authentication method. Administrators can choose to enable such chained authentication for highly sensitive realms and for selected users. In both the above scenarios, user experience is important. Administrator is to carefully choose the combination of authentication schemes to make it one-step process whenever possible. Design of the underlying framework is equally important to facilitate and direct the administrators for chained authentication set up. While setting up authentication chaining, a carefully studied authentication mechanism must be chosen so that no weak links are established in authentication chaining.
With CA SSO, continuous efforts are being made to improve framework to enhance security and enable users to access resources from outside the network.
Next follow-up article outlines a CA SSO framework that lets the SSO administrators to implement secondary authentication scheme to fallback and to increase security using authentication chaining.