Applicable Versions: SecureAuth IdP 7.0+
Description: In certain client environments, IT Security policies require the use of additional 2FA methods before a user is fully authenticated. This is often used on self-service portals, where additional 2FA steps help ensure the user's identity and deter account hijacking attempts. SecureAuth IdP can be configured to accommodate these enhanced security requirements using a method called "Realm-Chaining."
Background: Realm-chaining works by forwarding the user to another realm once they have successfully completed authentication on the current one. A token ("cookie") is passed along with the user to maintain their identity as they traverse the various realms. By linking realms together, you can in principle require an unlimited number of 2FA steps for a single user; best practice is to chain no more than three realms together.
The steps below describe chaining two realms, SecureAuth1 and SecureAuth2, using version 8.2.0 of SecureAuth IdP, starting from a minimally configured web.config file that can connect to an appropriate data store.
Steps:
First Realm - SecureAuth1:
1. In the Workflow tab, set the following:
Public/Private Mode: Public Mode Only
Authentication Mode: Second Factor Only
2. Navigate to the Custom Front End section of the Workflow tab, and configure the following:
Receive Token: Send Token Only
Require Begin Site: False
Token Data Type (Send): User ID
3. Click on the Token Settings link in the same section, and configure the following:
Pre-Auth Cookie: PreAuthToken01
Post-Auth Cookie: PostAuthToken01
4. In the same section, under the Machine Key section, click on the Generate New Keys button.
5. Navigate to the Post Authentication tab, then configure the following:
Authenticated User Redirect: Use Custom Redirect
Redirect to: ../SecureAuth2/SecureAuth.aspx
Second Realm - SecureAuth2:
1. In the Workflow tab, set the following:
Public/Private Mode: Public Mode Only
Authentication Mode: Standard
2. Navigate to the Custom Front End section of the Workflow tab, and configure the following:
Receive Token: Token
Require Begin Site: True
Begin Site URL: ../SecureAuth1/SecureAuth.aspx
Token Data Type (Send): User ID
3. Click on the Token Settings link in the same section, and configure the following:
Pre-Auth Cookie: PostAuthToken01
Post-Auth Cookie: PostAuthToken02
4. In the same section, under the Machine Key section, copy in the values that SecureAuth1 generated when you clicked the Generate New Keys button, so that both realms share the same machine key.
5. Configure the Post Authentication tab however you see fit.
This configuration will essentially:
a. Start the user at SecureAuth1, where they are prompted for a User ID and then for 2FA.
b. Once the user is authenticated via 2FA, they are redirected to SecureAuth2.
c. In SecureAuth2, the user is prompted for another 2FA.
d. Once the user is authenticated via the second 2FA, they are prompted for their password.
e. Once the user supplies the correct password, they are redirected to the Post Authentication page configured in SecureAuth2.
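The chain above only works if the cookie names hand off correctly, the machine keys match, and the redirect and Begin Site URLs point at each other. The following added check (example code, not SecureAuth's own) parses two constructed web.config fragments and reports any of those mismatches; the <machineKey> element is standard ASP.NET, but the appSettings key names PreAuthCookie, PostAuthCookie, RedirectTo and BeginSiteURL are assumed placeholders for the UI settings named in the steps, not SecureAuth's real key names.

```python
# Added consistency check for a two-realm chain (not SecureAuth's own code).
# appSettings key names below are ASSUMED placeholders for the article's UI labels.
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments mirroring the article's two realms.
SECUREAUTH1 = """<configuration>
  <appSettings>
    <add key="PreAuthCookie" value="PreAuthToken01"/>
    <add key="PostAuthCookie" value="PostAuthToken01"/>
    <add key="RedirectTo" value="../SecureAuth2/SecureAuth.aspx"/>
  </appSettings>
  <system.web>
    <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" validation="HMACSHA256" decryption="AES"/>
  </system.web>
</configuration>"""

SECUREAUTH2 = """<configuration>
  <appSettings>
    <add key="PreAuthCookie" value="PostAuthToken01"/>
    <add key="PostAuthCookie" value="PostAuthToken02"/>
    <add key="BeginSiteURL" value="../SecureAuth1/SecureAuth.aspx"/>
  </appSettings>
  <system.web>
    <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222" validation="HMACSHA256" decryption="AES"/>
  </system.web>
</configuration>"""

def load(xml_text):
    """Return (appSettings dict, machineKey attribute dict) for one web.config."""
    root = ET.fromstring(xml_text)
    app = {e.get("key"): e.get("value") for e in root.iter("add")}
    mk = next(root.iter("machineKey"), None)
    return app, (dict(mk.attrib) if mk is not None else {})

def check_chain(first_xml, second_xml, first="SecureAuth1", second="SecureAuth2"):
    """List every chaining fault found; an empty list means the realms line up."""
    a1, mk1 = load(first_xml)
    a2, mk2 = load(second_xml)
    faults = []
    if not mk1 or mk1 != mk2:
        faults.append("machineKey differs: %s cannot validate the cookie from %s" % (second, first))
    if a1.get("PostAuthCookie") != a2.get("PreAuthCookie"):
        faults.append("%s Post-Auth cookie must equal %s Pre-Auth cookie" % (first, second))
    if a2.get("PostAuthCookie") in (a1.get("PreAuthCookie"), a1.get("PostAuthCookie")):
        faults.append("%s Post-Auth cookie name reuses an earlier cookie name" % second)
    if a1.get("RedirectTo") != "../%s/SecureAuth.aspx" % second:
        faults.append("%s must redirect authenticated users to %s" % (first, second))
    if a2.get("BeginSiteURL") != "../%s/SecureAuth.aspx" % first:
        faults.append("%s Begin Site URL must point back to %s" % (second, first))
    return faults
```

Run it against the real web.config files of both realms (read from disk instead of the embedded samples) after completing the steps above; a non-empty list pinpoints which setting breaks the hand-off.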
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.