Realm Chaining New Experience Realms to allow multiple MFA

    Applies to:
  • SecureAuth Identity Platform
Deployment model:
  • Hybrid
  • Version Affected:  All

    Description:  

    There are use cases where the Username | MFA | Password workflow is unsuitable and a second, different MFA should replace the password, giving a workflow of Username | 1st MFA | 2nd (different) MFA.

    We are considering adding this as a Policy option, but for now you can achieve the same result through Realm Chaining.

     

    Cause:  

    SecureAuth is flexible and lets you build different workflows by chaining realms: the post-auth token issued by one realm is consumed as the pre-auth token of the next.

     

    Resolution:  

    1. Create a Policy for the first realm

    • Set this to always prompt for MFA
    • Make the Login Workflow "Passwordless"
    • Only allow the MFA methods of your choosing
    • Save the Policy

    2. Create the first realm in the chain

    • Click Internal Applications and click Add New Internal Application Manager
    • Set the name, datastore and group restrictions as needed
    • Set the Authentication Policy to the one created in Step 1
    • Set the User Redirect to Custom Redirect and set the redirect to the next realm in the chain
    • Click Create Connection

    3. Create a 2nd Policy for the 2nd realm in the chain and have this always prompt for MFA

    • In the Login Workflow, set Passwordless if you want the chain to do Username | MFA | MFA, or set Username | MFA | Password if you want the chain to do Username | MFA | MFA | Password
    • Set the required MFA methods; these should be different from the MFA methods in the first policy so the user is forced to use two different methods
    • Save the Policy

    4. Go to Application Manager or Internal Application Manager and click Add New

    • Select the required Datastore and Realm number and set the Authentication Policy to the one created in Step 3
    • Set the required User Redirect; in this example it is an enrollment realm but it could be any realm type
    • Click Create Connection

    5. Switch to "Advanced Settings" and navigate to the Post Auth tab of the realm created in Step 2 (Realm 450 in this example)

    • Click "View and Configure FormsAuth keys/SSO token"
    • Click "Generate New Keys"
    • Save the same keys to the realm created in Step 4 as well (Realm 451 in this example); both realms must share the FormsAuth keys or Realm 451 cannot validate the token issued by Realm 450
    • On Realm 451, change the "Pre-Auth cookie" to the Post-Auth cookie name from Realm 450, e.g. PostAuthToken450
    • Change the "Post-Auth cookie" on Realm 451 to PostAuthToken451
    • Switch to the Custom Identity Consumer section of the Workflow tab for Realm 451
    • Set Receive Token = Token
    • Set Require Begin Site = True
    • Set Begin Site = Custom
    • Set Begin Site URL = /SecureAuth450/

     

    Special Considerations :  

     

    With this setup, the user experience is as follows:

    1. They start at SecureAuth450, type in their Username and perform an MFA.
    2. Upon successful MFA at SecureAuth450, the custom redirect moves them automatically to SecureAuth451.
    3. At this point, they are presented with the second set of MFA options.
    4. Once successfully MFA'd at SecureAuth451, they are either forced to enter a password or considered authenticated without one. This behavior is controlled by the Login Workflow settings in the 2nd policy.

    Require Begin Site = True on Realm 451 is what prevents a user from opening /SecureAuth451/ directly and skipping the first factor: without a valid PostAuthToken450 cookie, Realm 451 sends the user back to the Begin Site URL (/SecureAuth450/). Keep the MFA method lists of the two policies disjoint, otherwise a user can satisfy both realms with the same method.
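    Two post-configuration checks worth running once the chain is built: that the two policies' MFA method lists do not overlap, and that an un-cookied request for the second realm is redirected to the Begin Site URL rather than served. The following is an added example, not SecureAuth code or part of the original article. The host name idp.example.com, the method names in the two policy sets, and the assumption that a realm with Require Begin Site = True answers a request lacking its pre-auth cookie with an HTTP redirect to the Begin Site URL are all assumptions; the realm paths and cookie name are taken from the steps above.

```python
"""Post-configuration checks for the realm chain described above.

Added example, not SecureAuth code.  Assumptions (not from the article):
the host name, the method names in the two policy sets, and that a realm
with Require Begin Site = True redirects an un-cookied request to its
Begin Site URL.
"""
import http.client
import ssl
from urllib.parse import urlparse

IDP_HOST = "idp.example.com"          # assumption: your appliance host
FIRST_REALM = "/SecureAuth450/"       # Begin Site URL from Step 5
SECOND_REALM = "/SecureAuth451/"      # realm that must not be reachable directly
PRE_AUTH_COOKIE_451 = "PostAuthToken450"  # Pre-Auth cookie name set in Step 5

# Constructed policy definitions mirroring Step 1 and Step 3 (method
# names are illustrative, not read from an appliance).
POLICY_REALM_450 = {"Push to Accept", "TOTP"}
POLICY_REALM_451 = {"SMS", "Phone Call"}


def mfa_methods_overlap(first, second):
    """Step 3 requires the second policy's methods to differ from the
    first.  Return the overlap; an empty set means the chain really
    forces two different factors."""
    return set(first) & set(second)


def classify_direct_access(status, location, begin_site=FIRST_REALM):
    """Classify the response to a request for the second realm that
    carried no PostAuthToken450 cookie.

    'enforced'   - redirected to the Begin Site URL (Require Begin Site works)
    'bypass'     - realm rendered a page: first factor can be skipped
    'unexpected' - anything else; inspect manually
    """
    if 300 <= status < 400 and location:
        # Location may be absolute or relative; compare the path only,
        # case-insensitively because IIS paths are case-insensitive.
        path = urlparse(location).path or location
        if path.rstrip("/").lower() == begin_site.rstrip("/").lower():
            return "enforced"
        return "unexpected"
    if status == 200:
        return "bypass"
    return "unexpected"


def probe_second_realm(host=IDP_HOST, path=SECOND_REALM, timeout=10):
    """GET the second realm with no cookies at all and classify the answer.
    Requires network access to the appliance."""
    conn = http.client.HTTPSConnection(
        host, timeout=timeout, context=ssl.create_default_context()
    )
    try:
        # No Cookie header: simulates a user opening /SecureAuth451/ directly.
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_direct_access(resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    overlap = mfa_methods_overlap(POLICY_REALM_450, POLICY_REALM_451)
    print("MFA methods shared by both policies:", sorted(overlap) or "none")
    print("Direct access to", SECOND_REALM, "->", probe_second_realm())
```

    A result of "bypass" means Require Begin Site is not effective (or the cookie name or FormsAuth keys were not carried over) and the second realm is accepting users who never passed the first factor; "unexpected" usually means a redirect to an error page, which is worth checking against the realm's logs before trusting the chain.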

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
