Adaptive Authentication Options Explained For User/Group

    Applies to:
      • Legacy SecureAuth IdP
    Deployment model:
      • On Premises
    SecureAuth version affected:
      • 8.x+


    This article explains the adaptive authentication options for user/group in more detail.


    1. First, take a look at the general options in the adaptive authentication section. For all intents and purposes, user and group are interchangeable and function the same with the parameters given.

      User list:
      - Allow
      - Deny

      Failure Action:
      - Hard stop
      - Redirect
      - Resume auth
      - Post auth
      - Step up auth (only available with 2nd factor enabled)
      - Step down auth (only available with 2nd factor enabled)

    2. The user list is simple and self-explanatory: allow means to allow the listed user/group, and deny means to deny the listed user/group.

    3. The failure action can be a little tricky. For example, if you allow TonyStark, the failure action applies to anyone who is NOT TonyStark.
      Conversely, if you deny TonyStark, TonyStark receives the failure action, and anyone who is not TonyStark is allowed.

      Allow -> TonyStark
      Failure action -> Everyone NOT TonyStark

      Deny -> TonyStark
      Failure action -> TonyStark

    4. The failure actions themselves are relatively straightforward:
      Hard stop -> user/group will be stopped by the analyzing engine
      ***Redirect -> can redirect a user to anywhere, for example another realm
      Resume auth -> user/group continues the workflow, whichever may be set up
      Post auth -> user/group will go directly to the post authentication result
      Step up auth -> requires user/group to enter 2FA information
      Step down auth -> user/group will not be prompted to enter 2FA information

      ***NOTE: there is also a redirect with token option that can be leveraged for more advanced workflow routing.  Please refer to this article to assist in that.

    5. Here are some scenarios of different setups that may be configured.

      So here, we allow Avengers through, but if anyone BUT the Avengers tries to log in, we will prompt them for a second factor.

      Similarly, if we denied GuardiansoftheGalaxy, then they would not be prompted for a second factor at all, because they are stepped down.

    6. That concludes adaptive authentication of users/groups; hope this helped!
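
The allow/deny and failure-action behaviour from steps 3 to 5, modelled as an added example (not SecureAuth code and not part of the original article). The class, function and sample directory are hypothetical, and exact, case-sensitive name matching is an assumption.

```python
from dataclasses import dataclass

# Failure actions named in the article; the two step actions need a 2nd factor.
ACTIONS = {"hard stop", "redirect", "resume auth", "post auth",
           "step up auth", "step down auth"}
NEEDS_2FA = {"step up auth", "step down auth"}
PASS = "allowed (no failure action)"  # label chosen for this sketch


@dataclass(frozen=True)
class UserGroupRule:
    mode: str              # "allow" or "deny"
    names: frozenset       # users and/or groups on the list
    failure_action: str
    second_factor_enabled: bool = True

    def __post_init__(self):
        if self.mode not in ("allow", "deny"):
            raise ValueError(f"unknown list mode: {self.mode!r}")
        if self.failure_action not in ACTIONS:
            raise ValueError(f"unknown failure action: {self.failure_action!r}")
        if self.failure_action in NEEDS_2FA and not self.second_factor_enabled:
            raise ValueError(f"{self.failure_action!r} requires 2nd factor enabled")

    def evaluate(self, user, groups=()):
        """Return the failure action if it applies to this user, else PASS."""
        listed = bool(self.names & ({user} | set(groups)))
        # Allow list: everyone NOT listed fails. Deny list: everyone listed fails.
        fails = (not listed) if self.mode == "allow" else listed
        return self.failure_action if fails else PASS


def audit(rule, directory):
    """Map each user in a directory to the outcome the rule gives them."""
    return {u: rule.evaluate(u, g) for u, g in directory.items()}


# Constructed sample directory (user -> groups), not real data.
DIRECTORY = {
    "TonyStark": {"Avengers"},
    "SteveRogers": {"Avengers"},
    "PeterQuill": {"GuardiansoftheGalaxy"},
    "NickFury": set(),
}

if __name__ == "__main__":
    allow_avengers = UserGroupRule("allow", frozenset({"Avengers"}), "step up auth")
    deny_guardians = UserGroupRule("deny", frozenset({"GuardiansoftheGalaxy"}), "step down auth")
    for rule in (allow_avengers, deny_guardians):
        print(rule.mode, sorted(rule.names), "->", audit(rule, DIRECTORY))
```

Running `audit` over a directory export before changing a rule shows which accounts would receive the failure action, which matters most for step down auth because those accounts skip the second factor.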