cancel
Showing results for 
Search instead for 
Did you mean: 

2 "Tier" authentication question... ?

Highlighted
Occasional Contributor

2 "Tier" authentication question... ?

I say tier case while some elements are two form, I'm more after a "choose your own adventure" type server authentication structure...

Under the "User Realm / General / Servers" I want to try to check machines against a cert server...

If they pass the certificate check I would then like to check them against AD / LDAP using the "User Realm / General / Additional Authentication Server"

If the DO NOT pass the certificate check I would like to check them against an RSA server since this user would have a token

It seems to me that this is basically performing a check in a "User Realm", and if that check doesn't pass almost re-directing to another "User Realm" that has "User Realm / General / Server" setup for RSA... Is that possible?

Any insight would be greatly appreciated, thanks.

7 REPLIES 7
Highlighted
Frequent Contributor

Re: 2 "Tier" authentication question... ?

What you are looking for is something like a "realm mapping", which is not an option on SA.

Authentication/authorization are tied to a realm, we cant map or present user dynamicall to different realms based on any condition.

User is mapped to a realm either by the sign in page he hits or the realm that he manually selects.

Highlighted
Occasional Contributor

Re: 2 "Tier" authentication question... ?

I kinda figured this out using HC and enforcement for up front checks before authentication... If this check fails I use a "custom instruction" with a Java re-direct to point to another sign-in-page and can therefore use another authentication / user realm type, in this scenario RSA instead of AD. On the back-end I finally do an evaluation of AV / FW and it seems everything is OK.

The only question I have now is...

On the role mapping...

I have two roles, FULL / Restricted.

The FULL / Restricted rolls have HC setup on them so FULL checks for the AV / FW, and Restiricted checks for nothing.

When a user succesfully authenticatates as FULL, both FULL and Restricted links show up as the users under the realm are AND-ed together so to speak.

The Restricted roll only shows when a user fails AV / FW check so that works as intended but... Is there anyway to not display restricted access links to people when they succesfully authenticate?

Highlighted
Frequent Contributor

Re: 2 "Tier" authentication question... ?

On the role mapping rule ensure that you enable " Stop processing rules when this rule matches", this ensure that your role mapping stops the point this rule is satisfied.

< please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus Smiley Happythanks >

Highlighted
Occasional Contributor

Re: 2 "Tier" authentication question... ?

But the users are not broken out into groups or anything so my criteria on both rules is "*" on user name.

I would like to be able to stop processing the rules based on HC passing or not, not simply the name.

Does that make sense...?

Frequent Contributor

Re: 2 "Tier" authentication question... ?


@colemtb wrote:

But the users are not broken out into groups or anything so my criteria on both rules is "*" on user name.

I would like to be able to stop processing the rules based on HC passing or not, not simply the name.

Does that make sense...?


Ideally HC policies can be applied at role level. Since the criteria is a * on user name you can evaluate appropriate HC for each role.

If the HC check fails they dont get this role.

Since you dont have stop rule processing turned ON in the first rule you will then be assigned to the next rule.

If the user passes HC check on the second role he will be only assigned to role2.

But if you are looking at stopping role mapping at rule1 based on the HC status I am afraid we cant do that.

In the event user gets assigned to role1 after passing HC, he will still be evaluated for role2 HC policy.

Highlighted
Occasional Contributor

Re: 2 "Tier" authentication question... ?

Yeah... so to summarize or just make sure you know where Im at...

In this example my HC policy is either a file is present or not.

Since my usernames are * the second rule, "file NOT present rule"; gets processed cause it's HC criteria, or therefore lack of; is always meet. Its UI options / bookmarks always display.

On the first rule If I "stop processing rules when this rule matches" I can't get to my second rule because "Rule:... If username... is *" is always meet. Like you say, you can't stop rule processing of rule one based on criteria in HC?

So basically I have to display both UI options for the FULL user role since Restricted is always meet?

Highlighted
Frequent Contributor

Re: 2 "Tier" authentication question... ?

Right

Here is how your policy could look:

Rule1: Username=*, HC policy = file check (required), role = FULL

Rule2: Username=*, no HC policy, role= restricted

When User who has full access logs in (he has the file), will be assigned to role=FULL.

Since "Stop rule is not enabled" he will be processed for rule2 and assigned to role=restricted.

When a user who has restricted access logsin (he has no file), he will fail the first rule and goto rule2.

Since rule2 does not need a HC policy he will be assigned to role=restricted.

Hope this is clear.