Configuring step-up authentication
The appliance reverse proxy server can be configured to use the authentication service for step-up authentication. The user is required to complete an authentication policy flow when the policy (ACL or POP) dictates that the user steps up to a higher authentication level.
Procedure
1. Configure the appliance with the isamcfg tool. See Using the isamcfg tool.
2. Modify the appliance stepuplogin.html file so that it redirects the authentication request to the Security Access Manager Authentication Service.
   a. Locate the stepuplogin.html file. For information about working with reverse proxy pages, see HTML server response page modification.
   b. Edit the file to insert the following code in the JavaScript section of the file. Optionally, to indicate where to send the user agent after successful authentication, pass the Target query string parameter, which is the default. For example:

      var authnlevel="%AUTHNLEVEL%";
      if (authnlevel == "2"){
        window.location = "https://<HOST>:<PORT>/<JUNCTION>/sps/authsvc?Target=%HTTPS_BASE%%URL_ENCODED%&PolicyId=<POLICY_ID>";
      }

      Where:
      - HOST: The host name for the reverse proxy instance.
      - PORT: The port number for the reverse proxy instance.
      - JUNCTION: The Advanced Access Control junction name. For example: mga.
      - POLICY_ID: The authentication policy identifier to execute when the user is requested to step up.

      The following example uses one-time password as the step-up mechanism:

      var authnlevel="%AUTHNLEVEL%";
      if (authnlevel == "2"){
        window.location = "https://example.com/mga/sps/authsvc?Target=%HTTPS_BASE%%URL_ENCODED%&PolicyId=urn:ibm:security:authentication:asf:otp";
      }
3. Restart the appliance.
4. Verify the configuration:
   a. Create a test user account. For example:
      pdadmin> user create john cn=john,dc=iswga John Doe password
   b. Activate the account. For example:
      pdadmin> user modify john account-valid yes
   c. Create a test resource that is protected with level 2 authentication and place it in the document root of the appliance reverse proxy server. For example:
      /junction-root/test.html
      For information about working with reverse proxy pages, see HTML server response page modification.
   d. Try accessing that resource through the appliance reverse proxy server. For example:
      https://mga.example.com/test.html
      A web form is displayed and prompts you to enter the user name and password.
   e. Enter the credential that you created in step 4.a. The contents of the resource are displayed.
   f. Create a Protected Object Policy (POP) with a level 2 authentication. For example:
      pdadmin> pop create level2only
      pdadmin> pop modify level2only set ipauth anyothernw 2
   g. Attach the POP to the protected resource that you created in step 4.c. For example:
      pdadmin> pop attach /WebSEAL/mga.example.com-default/test.html level2only
   h. Open a new browser session and try accessing the test resource again. A web form is displayed and prompts you to enter the user name and password.
   i. Enter the credential for the test user. You are forwarded to the extended authentication endpoint. You are now starting the authentication policy.
   j. Enter the required credentials to complete the authentication policy. If you authenticate successfully, you are redirected back to the test resource and you can access the contents of the resource.
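As an added example (not IBM's code or text from this page), the following script reproduces the decision that the stepuplogin.html snippet in step 2.b makes, builds the Authentication Service URL the browser would be sent to, and checks that the Target stays on the reverse proxy. The host, port and junction values are constructed; the policy identifier is the one-time password policy from the example above.

```javascript
// Added example, not IBM's code: the stepuplogin.html snippet redirects to
// /sps/authsvc only when the required level is "2". These functions do the
// same as plain code so the result can be inspected outside a browser.
const STEPUP_CONFIG = {
  host: "mga.example.com",   // reverse proxy host (constructed)
  port: 443,                 // reverse proxy port (constructed)
  junction: "mga",           // Advanced Access Control junction (constructed)
  policyId: "urn:ibm:security:authentication:asf:otp", // OTP policy from the page
};

// Stands in for %HTTPS_BASE%%URL_ENCODED%: the reverse proxy base URL
// followed by the URL-encoded path of the request that triggered step-up.
function buildTarget(httpsBase, requestPath) {
  return httpsBase + encodeURIComponent(requestPath.replace(/^\//, ""));
}

// Returns the authsvc URL when the required level is "2", otherwise null,
// mirroring the `if (authnlevel == "2")` test in the snippet.
function stepUpRedirect(authnlevel, target, cfg = STEPUP_CONFIG) {
  if (authnlevel !== "2") return null;
  const authsvc = `https://${cfg.host}:${cfg.port}/${cfg.junction}/sps/authsvc`;
  const query = new URLSearchParams({ Target: target, PolicyId: cfg.policyId });
  return `${authsvc}?${query.toString()}`;
}

// Defensive check for any Target not built from the WebSEAL macros: after the
// policy completes, the user agent must return to the reverse proxy over HTTPS.
function targetStaysOnProxy(target, cfg = STEPUP_CONFIG) {
  let url;
  try { url = new URL(target); } catch (e) { return false; }
  return url.protocol === "https:" && url.hostname === cfg.host;
}

// Stand-alone run with a constructed level-2 request for /test.html.
function demo() {
  const target = buildTarget("https://mga.example.com/", "/test.html");
  console.log("level 2:", stepUpRedirect("2", target));
  console.log("level 1:", stepUpRedirect("1", target));
  console.log("target on proxy:", targetStaysOnProxy(target));
}
demo();
```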