Access policies
You can use access policies to perform step-up and reauthentication during a single sign-on flow based on contextual information.
Access policies can be enforced at a federation or at an API Protection definition for OAuth and OpenID Connect. The following list shows some example scenarios in which access policies can be used.
- Restrict single sign-on access to applications based on the user identity and group membership.
- Restrict single sign-on access to applications based on devices, locations, and time.
- Require additional authentication steps for single sign-on access to sensitive applications. Examples include reauthentication through an SMS one-time password, or confirmation of a push notification to a mobile device.
- Enforce the user authentication requirements that an application demands, through a service provider, before granting single sign-on access.
Access policies can take contextual information as input:
- User information, such as the user identity, group memberships, and attributes
- Request information, such as HTTP headers, HTTP parameters, and cookies
- Single sign-on context, such as the federation, partner, and authentication request. For OAuth and OpenID Connect, the context includes the client ID, scope, response type, and other attributes.
Based on the contextual information, the administrator can choose from the following actions:
- Allow: The user is allowed single sign-on access.
- Deny: The user is denied single sign-on access.
- Challenge: The user must complete a challenge before single sign-on access can proceed.
Access policies are defined as JavaScript. See Access policy development.
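As an added example that is not the product's own policy API or documented code, the following JavaScript models the decision logic described above: it evaluates the user, request, and single sign-on context listed earlier and returns one of the three decisions. The shape of the `context` object, the group name, the header name, the scope string, and the mechanism id are all assumptions made for this illustration.

```javascript
// Added example (hypothetical context shape, not the product's policy API):
// models the allow / deny / challenge decisions over user, request and
// single sign-on context, covering the scenarios the page lists.
const ALLOW = "allow";
const DENY = "deny";
const CHALLENGE = "challenge";

function evaluatePolicy(context) {
  const groups = context.user.groups || [];
  const headers = context.request.headers || {};
  const sso = context.sso;

  // Scenario 1: restrict access by group membership (assumed group "finance").
  if (!groups.includes("finance")) {
    return { decision: DENY, reason: "user is not a member of the required group" };
  }

  // Scenario 2: restrict by location and time. The network zone comes from a
  // header that an upstream proxy is assumed to set; the clock is the request time.
  const hour = new Date(context.request.time).getUTCHours();
  const external = headers["x-network-zone"] === "external";
  if (external && (hour < 8 || hour >= 18)) {
    return { decision: DENY, reason: "external access outside business hours" };
  }

  // Scenario 3: step-up for sensitive applications. An OAuth/OIDC request that
  // asks for a sensitive scope must first complete a second-factor challenge;
  // a completed challenge is assumed to be recorded on the single sign-on context.
  const sensitive = (sso.scope || []).includes("payments:write");
  const steppedUp = (sso.completedChallenges || []).includes("otp");
  if (sensitive && !steppedUp) {
    return { decision: CHALLENGE, mechanism: "otp" };
  }

  return { decision: ALLOW };
}

// Constructed sample context: a member of "finance" on the internal network,
// requesting a sensitive scope without having completed the second factor.
const sampleContext = {
  user: { name: "alice", groups: ["staff", "finance"] },
  request: { headers: { "x-network-zone": "internal" }, time: "2024-05-06T10:00:00Z" },
  sso: { clientId: "payments-app", scope: ["openid", "payments:write"],
         responseType: "code", completedChallenges: [] },
};
```

Because a challenge decision is returned before the sensitive scope is granted, the same policy evaluated again after the challenge completes yields an allow decision.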
After an access policy is defined, it can be applied and enforced on the following types of deployments.
- SAML 2.0 identity provider federation
- SAML 2.0 service provider partner to an identity provider federation
- OpenID Connect and API Protection Definition
Access policies cannot be applied to the following deployments.
- SAML 2.0 service provider federation
- SAML 2.0 identity provider partner to a service provider federation
- OpenID Connect and API Protection Client
- OpenID Connect Relying Party
For more information, see Creating an access policy.