3.2 Securing Authentication by Using Strong and Multi-Factor Authentication Methods

One of the strengths of Access Manager is its wide range of support for various means of authentication, going well beyond the simple and commonly used username/password method to include multi-factor and step-up scenarios. Access Manager includes many built-in preconfigured schemes, built from combinations of classes, methods, and contracts, that can be used as is or configured to meet your needs. You can assign a contract directly to specific protected resources or federation partners. For more sophisticated security needs, the contract can also be chosen dynamically, governed by Access Manager risk policies. Risk policies can allow access, ask for step-up authentication, or deny access based on the risk calculated at the time of the access request.

For more information about the Access Manager risk-based authentication feature, see Risk-based Authentication in the NetIQ Access Manager 4.3 Administration Guide.

The authentication contract, either assigned directly or determined by risk policies, can come from a variety of sources. Many are included with Access Manager itself. An example of a third-party provider is RADIUS. If you need advanced security, or you want to address both security and the convenience of mobile users, the variety of single-factor and multi-factor contracts of the Advanced Authentication solution integrated with Access Manager is an ideal option.

For more information about configuring the authentication methods, see Configuring Authentication in the NetIQ Access Manager 4.3 Administration Guide.

For more information about extending the authentication mechanisms, see Identity Server Authentication API in the NetIQ Access Manager 4.3 Developer Guide.

NOTE: You must not use persistent authentication or social authentication for applications that require high security. If you are using persistent authentication, you should associate the persistent cookie with the client IP address.

To secure the cookies against session replay attacks, enable Advanced Session Assurance. For more information, see Setting Up Advanced Session Assurance in the NetIQ Access Manager 4.3 Administration Guide.

Authentication Contracts

If you have set up Access Manager to require SSL connections among all of its components, delete the Name/Password - Form and the Name/Password - Basic contracts. Deleting the contracts removes them from the list of available contracts that can be assigned to protected resources. If these contracts are assigned, the user’s password can be sent across the wire in clear text. If your system needs this type of contract, you can re-create it from the method. To delete these contracts, go to Administration Console and click Identity Servers > Servers > Edit > Local > Contracts.

If you are using password-based authentication, you can make it more secure by adding a second-factor authentication method, such as the TOTP method or an Advanced Authentication method, to the contract.

You can configure advanced authentication by using the Access Manager Advanced Authentication plug-in. The following are supported authentication methods:

  • Email Method

  • Emergency Password Method

  • FIDO U2F Method

  • HOTP Method

  • Password (PIN) Method

  • RADIUS Method

  • Security Questions Method

  • Smartcard Method Support

  • Smartphone Method

  • SMS Method

  • TOTP Method

  • Voice Call Method

For more information about this authentication framework, see the product page and the Advanced Authentication Documentation.