
Set Up Multiple Second Factor Authentications

Applicable Versions: SecureAuth IdP 7.0+

Description: In certain client environments, IT Security policies require the use of additional 2FA methods before a user is fully authenticated. This is often used on self-service portals where additional 2FAs are used to help ensure users' identity and deter hijacking attempts. SecureAuth IdP can be configured as such to accommodate these enhanced security requirements using a method called "Realm-Chaining."

Background: Realm-chaining works by forwarding the user to another realm once they have successfully completed authentication on the current one. A token (a cookie) is passed along with the user to maintain their identity as they traverse the realms. By linking realms together you can, in principle, require an unlimited number of 2FA methods for a single user; best practice is to chain no more than three realms.

The steps below show how to chain two realms, SecureAuth1 and SecureAuth2, using version 8.2.0 of SecureAuth IdP, starting from a minimally configured web.config file that can connect to an appropriate data store.

Steps:

First Realm - SecureAuth1:

1. In the Workflow tab, set the following:

Public/Private Mode: Public Mode Only

Authentication Mode: Second Factor Only

2. Navigate to the Custom Front End section of the Workflow tab, and configure the following:

Receive Token: Send Token Only

Require Begin Site: False

Token Data Type (Send): User ID

3. Click on the Token Settings link in the same section, and configure the following:

Pre-Auth Cookie: PreAuthToken01

Post-Auth Cookie: PostAuthToken01

4. In the same section, under the Machine Key section, click on the Generate New Keys button.

5. Navigate to the Post Authentication tab, then configure the following:

Authenticated User Redirect: Use Custom Redirect

Redirect to: ../SecureAuth2/SecureAuth.aspx


Second Realm - SecureAuth2:

1. In the Workflow tab, set the following:

Public/Private Mode: Public Mode Only

Authentication Mode: Standard

2. Navigate to the Custom Front End section of the Workflow tab, and configure the following:

Receive Token: Token

Require Begin Site: True

Begin Site URL: ../SecureAuth1/SecureAuth.aspx

Token Data Type (Send): User ID

3. Click on the Token Settings link in the same section, and configure the following:

Pre-Auth Cookie: PostAuthToken01

Post-Auth Cookie: PostAuthToken02

4. In the same section, under the Machine Key section, paste in the values that SecureAuth1 produced when you clicked the Generate New Keys button in step 4 of the first realm, so that both realms share the same machine key.

5. Configure the Post Authentication tab however you see fit.

This configuration will:

a. Start the user at SecureAuth1, where they are prompted for a User ID and then for 2FA.

b. Once the user is authenticated via 2FA, redirect them to SecureAuth2.

c. In SecureAuth2, prompt the user for a second 2FA.

d. Once the user passes the second 2FA, prompt them for their password.

e. Once the user supplies the correct password, redirect them to the Post Authentication page configured in SecureAuth2.
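The following Python model is an added illustration of the mechanism the two realm configurations above rely on; it is not SecureAuth code and does not reproduce the product's real token format. The cookie names (PostAuthToken01), realm paths and the flow stages come from this article; the machine key value, the HMAC-SHA256 signed-token layout, the five-minute token lifetime and all function names are assumptions made for the model. It shows why SecureAuth2's Pre-Auth Cookie must be named after SecureAuth1's Post-Auth Cookie, why the machine key must be copied between realms, and what Require Begin Site does when a user reaches SecureAuth2 without a valid token.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the machine key that "Generate New Keys" produces on
# SecureAuth1 and that step 4 of SecureAuth2 copies over. Not a real product value.
SHARED_MACHINE_KEY = b"constructed-machine-key-0123456789abcdef"

# Names from the article: SecureAuth2's Pre-Auth Cookie is SecureAuth1's Post-Auth Cookie.
REALM1_POST_AUTH_COOKIE = "PostAuthToken01"
REALM1_BEGIN_SITE = "../SecureAuth1/SecureAuth.aspx"
REALM2_URL = "../SecureAuth2/SecureAuth.aspx"


def _sign(payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the encoded payload (hypothetical token format). The realm that
    issues the token and the realm that receives it must hold the same key."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str, issuing_realm: str, key: bytes, now: Optional[float] = None) -> str:
    """Build a signed token carrying only the User ID (Token Data Type: User ID)."""
    body = {"uid": user_id, "realm": issuing_realm, "iat": time.time() if now is None else now}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload, key)}"


def verify_token(token: str, key: bytes, expected_realm: str,
                 max_age: float = 300.0, now: Optional[float] = None) -> Optional[dict]:
    """Return the token body if signature, issuing realm and age all check out, else None."""
    if "." not in token:
        return None
    payload, sig = token.rsplit(".", 1)
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None  # mismatched machine key or tampered payload
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body.get("realm") != expected_realm:
        return None  # token was not issued by the realm we chain from
    current = time.time() if now is None else now
    if current - body["iat"] > max_age:
        return None  # stale token (assumed lifetime): the chain must be restarted
    return body


def secureauth1_post_auth(user_id: str, second_factor_passed: bool, key: bytes,
                          now: Optional[float] = None) -> dict:
    """Model of SecureAuth1 (Authentication Mode: Second Factor Only, Receive Token:
    Send Token Only). On success it sets PostAuthToken01 and redirects to SecureAuth2."""
    if not second_factor_passed:
        return {"redirect": None, "cookies": {}}
    token = issue_token(user_id, "SecureAuth1", key, now)
    return {"redirect": REALM2_URL, "cookies": {REALM1_POST_AUTH_COOKIE: token}}


def secureauth2_begin(cookies: dict, key: bytes, now: Optional[float] = None) -> dict:
    """Model of SecureAuth2's entry (Receive Token: Token, Require Begin Site: True).
    Without a valid PostAuthToken01 the user is sent back to the Begin Site URL."""
    body = verify_token(cookies.get(REALM1_POST_AUTH_COOKIE, ""), key, "SecureAuth1", now=now)
    if body is None:
        return {"redirect": REALM1_BEGIN_SITE, "user_id": None}
    return {"redirect": None, "user_id": body["uid"]}


def run_chain(user_id: str, first_2fa_ok: bool, second_2fa_ok: bool, password_ok: bool,
              realm1_key: bytes, realm2_key: bytes, now: float = 0.0) -> str:
    """Drive one user through stages a-e of the article and report where the flow ends."""
    r1 = secureauth1_post_auth(user_id, first_2fa_ok, realm1_key, now)
    if r1["redirect"] is None:
        return "stopped at SecureAuth1 2FA"
    r2 = secureauth2_begin(r1["cookies"], realm2_key, now + 5)
    if r2["redirect"] is not None:
        return "redirected to " + r2["redirect"]
    if not second_2fa_ok:
        return "stopped at SecureAuth2 2FA"
    if not password_ok:
        return "stopped at SecureAuth2 password"
    return "post-auth page for " + r2["user_id"]


if __name__ == "__main__":
    print(run_chain("alice", True, True, True, SHARED_MACHINE_KEY, SHARED_MACHINE_KEY))
    print(run_chain("alice", True, True, True, SHARED_MACHINE_KEY, b"different-key"))
    print(secureauth2_begin({}, SHARED_MACHINE_KEY))
```

The second `run_chain` call in the demo models the common misconfiguration: SecureAuth2 with its own generated machine key cannot validate the cookie SecureAuth1 issued, so every user bounces back to the Begin Site URL. The third call shows what Require Begin Site buys you: a request that lands on SecureAuth2 directly, with no PostAuthToken01 cookie, never reaches the second 2FA or the password prompt.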
