Advanced Authentication methods fail when enabled on CloudAccess Applications

  • 7017859
  • 20-Jul-2016
  • 20-Jul-2016

Environment

NetIQ Cloud Access 2.3
NetIQ Advanced Authentication Framework 5.3

Situation

CloudAccess was set up to provision and provide SSO to a number of SaaS applications. After successfully logging in to the CloudAccess portal, users see the list of available applications and simply select a SaaS application to SSO into it. One SAML application was deemed more sensitive than the others, so two-factor authentication was enabled for it using the Advanced Authentication Framework. The Security Questions and SMS methods were enabled for testing.

After logging in to the CloudAccess portal and selecting the protected application, the user is shown a popup asking for the SMS one-time code or the answers to their security questions. After submitting the correct response, the user is prompted for the same second factor again. It was impossible to get this second-factor authentication to succeed.

Resolution

Disable 'Last logon tracking' on the AAF server. In the AAF administration console, open Policies -> Last logon tracking and turn the option off (it is enabled by default), then retest the SSO flow to the protected application.