Symantec Access Management

  • 1.  Step up authentication between Federation applications

    Posted Mar 22, 2016 09:02 AM

    Hi,

    Has anybody worked on a use case wherein we have many federation apps and we want to have step-up authentication for some of the applications in federation? Let me know if somebody has implemented it. We are trying to implement this feature in our organisation with custom coding. Let me know if there is any feasible way out.

    Thanks

    Amith



  • 2.  Re: Step up authentication between Federation applications

    Broadcom Employee
    Posted Mar 22, 2016 10:25 PM

    Hi

    Here is an idea: I have a similar requirement and I'm planning to try the following (this is based on IDPs running on IIS, but I think it could be adapted as appropriate for other web servers).

    1. Currently all Federations use ../siteminderagent/redirectjsp/redirect.jsp as the authentication URL, which is protected with a particular auth scheme
    2. Under IIS, "/siteminderagent/redirectjsp" is a Virtual Dir pointing to "...\CA\webagent\win64\affwebservices\redirectjsp"
    3. We will add a new Virtual Dir "/siteminderagent/redirectjspHIGH/" also pointing to "...\CA\webagent\win64\affwebservices\redirectjsp"
    4. We change policy so that "../siteminderagent/redirectjspHIGH/redirect.jsp" is protected with a different auth scheme with higher priority
    5. For any Federation that needs the step-up authentication, we specify the authentication URL to be ../siteminderagent/redirectjspHIGH/redirect.jsp

    I'd also be interested in any alternative approaches.

    Regards



  • 3.  Re: Step up authentication between Federation applications

    Posted Mar 24, 2016 10:07 AM

    Actually this should and will work with normal web servers. I have a secure proxy server which points to a standard URL affwebservices/public/saml2sso at the SP side. I'm not too sure how to go about it here as it didn't work in this setup, and I'm still trying and researching options.



  • 4.  Re: Step up authentication between Federation applications

    Posted Mar 24, 2016 08:49 PM

    Not a direct answer to your question per se, but this enhancement idea is already marked as "planned". We have used it for a while and so far it has worked great for us (no custom coding, just setting up the protection level to authncontext mapping and URLs)... not sure when it'll be in the main product though.

    Dynamic Federated step-up Authentication

    ---------

    In the current version, if you don't care about 'dynamic' (so you just want to force everyone on that SP to have a certain level), you should be able to do something like that with redirect.jsp as David mentioned.

    I've set them up basically this way for apps that didn't support dynamic, i.e., they couldn't pass a different authncontext but still needed to force a higher level of auth. I just did the following:

    - Set the "minimum authentication level" option on the partnership (assuming you are using this model) to the one I want them to be at
    - Create an 'authentication URL' (this can probably be the same path, just with a query string too, like redirect.jsp?type=low and redirect.jsp?type=high, and appropriate policies)
    - Then set the authentication URL to the higher-level scheme.

    If a user comes in with a session that is below that minimum auth level, it will fire off 'unauthorized' and send them to the login URL, which would be protected by your higher-level scheme. This way they're presented the proper login form or kicked off to cert auth, etc.



  • 5.  Re: Step up authentication between Federation applications

    Posted Mar 25, 2016 10:16 AM

    Hi CBertagnolli

    Thanks for the valuable input. Just two queries:

    Let me know if redirect.jsp should be in the same directory?

    Just that I have to append this parameter ?type=low/high in the auth URL of the partnership. Where is this parameter used, or is it stripped off while it goes through redirect.jsp?

    Thanks

    Amith



  • 6.  Re: Step up authentication between Federation applications

    Posted Mar 25, 2016 12:46 PM

    I've never actually done it with a query string; that's why I said probably.

    If using a query string, I would imagine you would not need a different directory. Should be simple enough to test out, unless someone else chimes in that has definitely done it that way.

    The actual setup I've used is two different directory paths; it was just easier in our setup to do it this way.

    ----------------

    Example setup below. The downside is that because it's not 'dynamic' (i.e., authentication type determined by the requested authncontext), the entire SP is forced to step up, unless you use multiple entityIDs of course.

    Auth Schemes

    Auth Scheme #1
    Name = Password
    Level = 2
    Type = HTML Forms

    Auth Scheme #2
    Name = Token
    Level = 3
    Type = RSA Token

    IIS
    /login/low/redirect.aspx
    /login/high/redirect.aspx

    Application Object
    Name = Login App

    Component #1
    /login/low/
    Scheme = Password

    Component #2
    /login/high/
    Scheme = Token

    SAML Partnership that requires lower level
    Name: MyLowApp
    Authentication Method: Local
    Authentication URL: https://sso.mydomain.com/login/low/
    Automatically Detect Authentication Class
    AuthnContext Template: MyTemplate
    Minimum Authentication Level = 2

    SAML Partnership that requires higher level
    Name: MyHighApp
    Authentication Method: Local
    Authentication URL: https://sso.mydomain.com/login/high/
    Automatically Detect Authentication Class
    AuthnContext Template: MyTemplate
    Minimum Authentication Level = 3

    =================

    - I go to MyLowApp, get redirected to the IDP with an authnrequest
    - I am presented a login form allowing Password or Token (from the /login/low/ auth URL scheme)
    - I log in with my Password. My session is created at level=2 and I am redirected back to the MyLowApp SP with an assertion containing authncontext=Password
    - I successfully access MyLowApp

    - I now visit MyHighApp, get redirected to the IDP with an authnrequest
    - My session is not at a high enough level, so the IDP denies generation of the assertion
    - The IDP redirects me to the login URL for MyHighApp
    - I am presented a login form requesting that I step up to Token (from the /login/high/ auth URL scheme)
    - I authenticate with my Token. My session is created at level=3 and I am redirected back to the MyHighApp SP with an assertion containing authncontext=TimeSyncToken
    - I successfully access MyHighApp

    All redirects use the normal /affwebservices/public/saml2sso; the authentication URL + minimum auth level on the partnership determine the 'step-up' behavior.
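An added Python model of the decision the walkthrough above describes (example code written for this thread, not the poster's or the product's). It takes the scheme levels, login URLs and partnership minimums from the example setup above; the rule that a login component only accepts schemes at or above the level of the scheme protecting it is my simplification of the form behaviour described in the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthScheme:
    name: str
    level: int
    authn_context: str  # value written into the assertion's AuthnContext

# Constructed from the example setup above: two schemes, two login components.
PASSWORD = AuthScheme("Password", 2, "Password")
TOKEN = AuthScheme("Token", 3, "TimeSyncToken")
LOGIN_COMPONENTS = {  # authentication URL -> scheme protecting that path
    "https://sso.mydomain.com/login/low/": PASSWORD,
    "https://sso.mydomain.com/login/high/": TOKEN,
}
PARTNERSHIPS = {  # partnership -> (authentication URL, minimum authentication level)
    "MyLowApp": ("https://sso.mydomain.com/login/low/", 2),
    "MyHighApp": ("https://sso.mydomain.com/login/high/", 3),
}

def saml2sso(session, partnership: str) -> dict:
    """IdP-side decision at /affwebservices/public/saml2sso.
    `session` is the AuthScheme the user's session was created with, or None."""
    login_url, min_level = PARTNERSHIPS[partnership]
    level = session.level if session else 0
    if level >= min_level:
        return {"action": "assertion", "authncontext": session.authn_context}
    # No session, or session below the partnership minimum: deny and send to the login URL.
    return {"action": "redirect", "location": login_url}

def login(login_url: str, chosen: AuthScheme) -> AuthScheme:
    """User authenticates at login_url; the scheme on that component is the floor for
    what it accepts (the /login/high/ form will not take a Password). Returns the new session."""
    floor = LOGIN_COMPONENTS[login_url]
    if chosen.level < floor.level:
        raise PermissionError(f"{login_url} requires at least {floor.name}")
    return chosen

def walkthrough() -> list:
    """Replays the post's sequence: MyLowApp with Password, then MyHighApp forces Token."""
    session, trail = None, []
    first = saml2sso(session, "MyLowApp")        # no session -> redirect to /login/low/
    session = login(first["location"], PASSWORD)
    trail.append(saml2sso(session, "MyLowApp"))  # level 2 >= 2 -> assertion, Password
    step = saml2sso(session, "MyHighApp")        # level 2 < 3 -> redirect to /login/high/
    trail.append(step)
    session = login(step["location"], TOKEN)
    trail.append(saml2sso(session, "MyHighApp")) # level 3 >= 3 -> assertion, TimeSyncToken
    return trail
```

Note that a session already created at level 3 satisfies MyLowApp as well, so the step-up is only ever triggered upward; the model does not lower a session's level.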



  • 7.  Re: Step up authentication between Federation applications
    Best Answer

    Posted Apr 01, 2016 01:36 PM

    Wonderful! You just elaborated the way we had thought it would be done. Thanks CBertagnolli



  • 8.  Re: Step up authentication between Federation applications

    Posted Apr 01, 2016 04:54 PM

    Another way we have done it is to make sure that IgnoreQueryData=No on the Redirect.jsp ACO.

    Then in the federation setup, add a query string to the login redirect.jsp, e.g. redirect.jsp?Authlevel=High

    You can create a sub-realm on the redirect.jsp realm and just have it be ?Authlevel=high, with the high-level auth scheme protecting this realm.