This section discusses a step-up authentication example for Identity Server initiated SSO. For more information about Identity Server initiated SSO, see Using the Intersite Transfer Service in the NetIQ Access Manager 3.2 SP3 Identity Server Guide.
Setup: Let us assume that:
NetIQ Access Manager is acting as the identity provider.
The following three contracts are configured in the identity provider:
Name Password Basic contract with an authentication level of 10
Name Password Form contract with an authentication level of 20
Secure Name Password contract with an authentication level of 30
NOTE: Enable the Satisfiable by a contract of equal or higher level option on the contracts with authentication level 10 and 20. Without this option, a contract is satisfied only by itself, so a user who is already authenticated with the level 30 contract would still be prompted when a service provider requires the level 20 contract.
The Name Password Form contract is configured in the identity provider as the contract required by a service provider named SP_A.
For more information about creating and configuring contracts, see Configuring Authentication Contracts in the NetIQ Access Manager 3.2 SP3 Identity Server Guide.
Configuration: Complete the following steps:
In the NetIQ Identity Server, configure the service provider as a trusted provider. For more information, see Managing Trusted Providers in the NetIQ Access Manager 3.2 SP3 Identity Server Guide.
In the service provider, configure the NetIQ Identity Server as a trusted provider. For more information, see Managing Trusted Providers in the NetIQ Access Manager 3.2 SP3 Identity Server Guide.
In the NetIQ Identity Server, configure the service provider with the required authentication contracts. For information about how to configure a service provider, see Defining Options for Liberty or SAML 2.0 Service Provider, To Define Options for Liberty Service Provider, and Defining Options for SAML 1.1 Service Provider in the NetIQ Access Manager 3.2 SP3 Identity Server Guide.
Results: The following are the four possible scenarios:
If the user was authenticated with the Name Password Basic contract (level 10) before making an Intersite Transfer Service request to SP_A, the identity provider steps up to the Name Password Form authentication (level 20).
If the user was authenticated with the Name Password Form contract before making an Intersite Transfer Service request to SP_A, the identity provider does not prompt for authentication again, because the required contract is already in the session.
If the user was authenticated with the Secure Name Password contract (level 30) before making an Intersite Transfer Service request to SP_A, the identity provider does not prompt for authentication, because the Name Password Form contract is satisfiable by a contract of equal or higher level.
If the user is not authenticated when making an Intersite Transfer Service request to SP_A, the identity provider prompts for the Name Password Form authentication.
The following diagram illustrates the workflow for the first scenario:
1. The user tries to authenticate in the identity provider.
2. The user is prompted to authenticate using the Name Password Basic contract, which is the default contract in the identity provider.
3. The user enters the credentials.
4. The Name Password Basic contract is authenticated in the identity provider and added to the user session.
5. The user is logged into the identity provider.
6. The user makes an Intersite Transfer Service request to SP_A.
7. Because SP_A requires the Name Password Form contract and the session holds only the lower-level Name Password Basic contract, the identity provider prompts for authentication using the Name Password Form contract.
8. The user enters the credentials.
9. The Name Password Form contract is authenticated in the identity provider and added to the user session.
10. The user is redirected to SP_A.
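The step-up decision behind the four scenarios and the workflow above can be modelled as a small rule: a service provider's required contract is satisfied if that exact contract is already in the session, or, when its Satisfiable by a contract of equal or higher level option is enabled, if any contract in the session has an equal or higher authentication level; otherwise the identity provider steps up by prompting for the required contract. The following Python script is an added illustration of that rule and is not code from NetIQ Access Manager; the contract levels and the mapping of SP_A to the Name Password Form contract are taken from the setup above, and the SP_CONTRACTS table, the Contract class and the function names are assumptions made for the example. It also shows the caveat from the NOTE: with the option disabled on the level 20 contract, a level 30 session is still prompted.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    """An authentication contract as configured in the identity provider (modelled here)."""
    name: str
    level: int
    # Models the "Satisfiable by a contract of equal or higher level" option.
    satisfiable_by_higher: bool = False


# Contracts from the Setup section, with the option enabled on levels 10 and 20.
NAME_PASSWORD_BASIC = Contract("Name Password Basic", 10, satisfiable_by_higher=True)
NAME_PASSWORD_FORM = Contract("Name Password Form", 20, satisfiable_by_higher=True)
SECURE_NAME_PASSWORD = Contract("Secure Name Password", 30)

# Assumed table: the contract each trusted service provider requires.
SP_CONTRACTS: dict[str, Contract] = {"SP_A": NAME_PASSWORD_FORM}


def satisfies(required: Contract, session: frozenset[Contract]) -> bool:
    """Return True if the contracts already in the session satisfy the required one."""
    if required in session:
        return True  # exact contract already authenticated
    if required.satisfiable_by_higher:
        # Any authenticated contract of equal or higher level counts.
        return any(c.level >= required.level for c in session)
    return False  # option disabled: only the exact contract will do


def intersite_transfer(
    sp: str,
    session: frozenset[Contract],
    sp_contracts: dict[str, Contract] = SP_CONTRACTS,
) -> tuple[str, frozenset[Contract]]:
    """Decide what the identity provider does for an Intersite Transfer Service request.

    Returns the action ("no prompt" or "step up to <contract>") and the session
    as it looks after the request, i.e. with the required contract added on step-up.
    """
    required = sp_contracts[sp]
    if satisfies(required, session):
        return "no prompt", session
    # Step up: the user is prompted for the required contract, which then joins the session.
    return f"step up to {required.name}", session | {required}


if __name__ == "__main__":
    scenarios = {
        "authenticated with Name Password Basic": frozenset({NAME_PASSWORD_BASIC}),
        "authenticated with Name Password Form": frozenset({NAME_PASSWORD_FORM}),
        "authenticated with Secure Name Password": frozenset({SECURE_NAME_PASSWORD}),
        "not authenticated": frozenset(),
    }
    for label, session in scenarios.items():
        action, _ = intersite_transfer("SP_A", session)
        print(f"{label:45} -> {action}")

    # Caveat from the NOTE: same request with the option disabled on the level 20 contract.
    strict_form = Contract("Name Password Form", 20, satisfiable_by_higher=False)
    action, _ = intersite_transfer(
        "SP_A", frozenset({SECURE_NAME_PASSWORD}), {"SP_A": strict_form}
    )
    print(f"{'level 30 session, option disabled':45} -> {action}")
```

Running the script prints one line per scenario; the first and fourth step up to Name Password Form, the second and third do not prompt, and the final line shows that disabling the option turns the third scenario into a prompt even though the session already carries a higher level.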