Symantec Access Management

  • 1.  Adv Authentication AFM customization documentation anywhere?

    Posted Jan 26, 2018 09:22 AM

    I am trying to do some serious AFM customization, i.e. OTP authentication first, before LDAP authentication, and can't find any documentation. The AFM wizard allows selecting OTP first followed by LDAP, but this flow is not really working; LDAP gets called first anyway. There are other things I would like to customize, like allowing the user to select an email of his preference from several available. It looks like all customization is only about branding.

     

    Thanks,

    Vlad



  • 2.  Re: Adv Authentication AFM customization documentation anywhere?

    Broadcom Employee
    Posted Jan 26, 2018 02:04 PM

    Hi Vlad,

     

    Looking at the wizard, when you select the primary authentication as OTP by email or SMS, you don't get the option of LDAP as secondary authentication after risk analysis is invoked.

    This will require customization of the AFM, therefore please reach out to your account team with this request so that they can reach out to the respective CA teams. Your account team may reach out to the CA global deliveries team.

     

    For your question on documentation on AFM customization, there is no documentation on that.

     

    Thanks

    Awijit



  • 3.  Re: Adv Authentication AFM customization documentation anywhere?

    Posted Jan 26, 2018 02:21 PM

    Hi Awijit,

     

    I don't need LDAP as the second factor for risk authentication, but only as the second factor for primary authentication. AFM allows me to select OTP over email as the primary authentication followed by LDAP as the primary authentication, but it's not working in this order when I start testing. LDAP gets checked first.

     

    Thanks,

    Vlad



  • 4.  Re: Adv Authentication AFM customization documentation anywhere?

    Broadcom Employee
    Posted Jan 26, 2018 02:57 PM

    OTP over email is not a multi-factor credential like Auth ID and Mobile OTP. OTP over email or SMS will not have a second factor credential unless Risk is configured.



  • 5.  Re: Adv Authentication AFM customization documentation anywhere?

    Posted Jan 29, 2018 11:31 AM

    I am asking about multiple primary authentication through AFM, not risk authentication. In multiple primary authentication I can select up to three consequential authentication mechanisms. LDAP + OTP over email works fine, but OTP over email + LDAP is not working as expected; it always tries LDAP first. Is this sequence not supposed to work? I have a use case where LDAP should not be tried until OTP succeeds. AA to take user name, send OTP, validate OTP and validate U/P after this. Is there something I can customize?



  • 6.  Re: Adv Authentication AFM customization documentation anywhere?

    Posted Jan 29, 2018 11:45 PM

    What version are we talking, 9.0?



  • 7.  Re: Adv Authentication AFM customization documentation anywhere?

    Posted Jan 30, 2018 10:14 AM

    Yes it is 9.0.



  • 8.  Re: Adv Authentication AFM customization documentation anywhere?

    Posted Feb 07, 2018 01:08 AM

    Hi Vlad,

     

    I just tried LDAP (first) + OTP (second) as Primary Authentication as below and it worked as expected.

     

     

    However, I am not getting an option to choose OTP as first and LDAP as second option.

     

     

    How did you even get to choose the OTP+LDAP option? It looks like an unsupported configuration.



  • 9.  Re: Adv Authentication AFM customization documentation anywhere?

    Posted Feb 07, 2018 02:06 PM

    Like this.

     

    Thanks,

    Vlad



  • 10.  Re: Adv Authentication AFM customization documentation anywhere?

    Posted Feb 23, 2018 07:14 AM

    Hi Vlad,

    Were you ever able to find an answer to this issue?



  • 11.  Re: Adv Authentication AFM customization documentation anywhere?
    Best Answer

    Posted Mar 14, 2018 02:34 PM

    I used this

    RiskCheckPosition=PreAuth
    FlowSequence=Risk,LDAP

    SecondaryAuthMechanism=OTP_EMAIL

     

    This way OTP was before LDAP.