We have an enterprise access management/SSO application (ForgeRock OpenAM) used to protect web applications. We are looking to integrate Advanced Authentication with it in order to use Advanced Auth as the 'strong authentication provider'. Right now OpenAM is represented by a single Event in AA; however, it is used to protect multiple web applications that have different needs of protection (think of a system configuration viewer vs. a banking application where you can see paystubs).
When a user authenticates to OpenAM, they are provided an authentication level by OpenAM depending on how they authenticate. For example, authenticating with an LDAP password gives you an authentication level of 5. Any other applications that are defined in OpenAM as having authentication level 5 or less (for example, the system configuration viewer) do not need any further authentication by the user upon an access attempt. Once the user attempts to access an application that requires a higher security level than what the user currently holds (for example, a user who previously authenticated with a password and has an authentication level of 5 now attempts to access a banking application with a defined security level of 15), OpenAM prompts them to step up.
We want to be able to assign authentication levels to chains in AA so that when OpenAM calls the Advanced Authentication API to get a list of a user's available chains for the event type in question, the API returns the assigned authentication level so that OpenAM can implement logic to only present the user a list of chains that meet the appropriate authentication level.
by: Tim S. | over a year ago | Configuration
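The step-up logic described in the post, as an added example (not code from the post, from ForgeRock, or from Advanced Authentication): it assumes a hypothetical `authLevel` field on each chain in the AA chain-list response, and the chain names and levels are constructed for illustration.

```python
"""Step-up decision modelled on the OpenAM authentication-level scheme
described in the post. Hypothetical: Advanced Authentication does not
return a level per chain today; the 'authLevel' field and the chain
payload below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Chain:
    name: str
    auth_level: int


def parse_chains(api_response: dict) -> list:
    """Build Chain objects from a (constructed) AA chain-list response.
    A chain lacking the assumed 'authLevel' field is treated as level 0,
    so it can never satisfy a protected resource by accident."""
    return [Chain(entry["name"], int(entry.get("authLevel", 0)))
            for entry in api_response.get("chains", [])]


def step_up_decision(current_level: int, required_level: int, chains: list) -> dict:
    """Decide how the policy agent should treat an access attempt.
    - allow: the session's current level already meets the resource level
    - step_up: offer only chains whose assigned level meets the resource
      level, weakest first, so a user is never sent through a chain that
      would leave them still under-authenticated
    - deny: no configured chain can reach the required level"""
    if current_level >= required_level:
        return {"action": "allow", "offer": []}
    eligible = sorted((c for c in chains if c.auth_level >= required_level),
                      key=lambda c: (c.auth_level, c.name))
    if not eligible:
        return {"action": "deny", "offer": []}
    return {"action": "step_up", "offer": [c.name for c in eligible]}


# Constructed sample of what a level-annotated chain listing might look like.
SAMPLE_RESPONSE = {
    "chains": [
        {"name": "LDAP Password", "authLevel": 5},
        {"name": "Password + SMS OTP", "authLevel": 10},
        {"name": "Password + FIDO U2F", "authLevel": 15},
        {"name": "Legacy chain"},  # no level: treated as 0
    ]
}

if __name__ == "__main__":
    chains = parse_chains(SAMPLE_RESPONSE)
    print(step_up_decision(5, 5, chains))   # config viewer: allow
    print(step_up_decision(5, 15, chains))  # banking app: step up via FIDO chain
```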
Comments
Tim, do you know if ForgeRock has APIs or some way for us to read the auth level?