Returning Authentication Methods to the Client After Primary Authentication Verification

Document created by RSA Information Design and Development on Apr 14, 2017. Last modified by RSA Information Design and Development on Oct 20, 2017.

After the Cloud Authentication Service receives an Initialize request, it determines which authentication methods to return to the client by evaluating the following factors:

  • Assurance level in the access policy, as described in Assurance Level Evaluation for the Cloud Authentication Service.
  • Verification of the primary authentication method. Users are challenged for primary authentication (for example, username and password) when they initially attempt to access the application. After primary authentication, the access policy determines whether additional authentication is required using RSA SecurID, RSA SecurID Authenticate Tokencode, Approve, Fingerprint, or Eyeprint.

    The client might not require primary authentication. If it does, the server returns different results depending on whether primary verification succeeds or fails.

  • Whether the client's access policy includes the primary authentication method in the list of methods required for additional authentication. If it does, and that method is satisfied during primary authentication, the server does not return that method to the client; the user is not asked to complete the same method twice. The SP configuration in the Cloud Administration Console specifies the client's access policy.

The following sections provide scenarios and examples that illustrate server behavior under different circumstances.

Scenario: Access policy does not include the primary authentication method

When the client's access policy does not include the primary authentication method in the list of methods used for additional authentication, the following behavior occurs:

  • If primary method verification is not required, or if it is required and authentication succeeds, the server returns only the methods from the access policy. It does not return the primary method.
  • If primary method verification is required and fails, the server adds the primary method to the list of methods in the access policy and returns all methods to the client.

The following table illustrates this behavior. In each row, the assurance level in the access policy specifies (FINGERPRINT) OR (SECURID AND APPROVE), and the primary method, when one is used, is Password.

Server action: No primary authentication.
Server returns: (FINGERPRINT) OR (SECURID AND APPROVE)
Explanation: Returns only the methods from the policy.

Server action: Password is successfully verified as the primary method.
Server returns: (FINGERPRINT) OR (SECURID AND APPROVE)
Explanation: Returns only the methods from the policy.

Server action: Unsuccessful verification of Password as the primary method.
Server returns: (PASSWORD AND FINGERPRINT) OR (PASSWORD AND SECURID AND APPROVE)
Explanation: The server adds Password to every group of methods from the policy.

Scenario: Access policy includes the primary authentication method

When the client's access policy includes the primary authentication method in the list of methods required for additional authentication, the following behavior occurs:

  1. The server attempts to validate the credential received from the client for primary authentication.
  2. If validation succeeds, the server removes the primary authentication method from the list of methods in the policy and does not return that method to the client. If validation fails, the server adds the primary method to the list of methods in the policy.
  3. The server eliminates any redundant methods and returns the remaining methods to the client, which are required to satisfy the policy.

The following table illustrates this behavior. In each row, the assurance level in the access policy specifies (SECURID AND APPROVE) OR (EYEPRINTID), and the primary method, when one is used, is SecurID.

Server action: No primary authentication.
Server returns: (SECURID AND APPROVE) OR (EYEPRINTID)
Explanation: Returns only the methods from the policy.

Server action: Successful verification of SECURID as the primary method.
Server returns: (APPROVE) OR (EYEPRINTID)
Explanation: SECURID counts as completed and is removed from the list of methods in the policy; the remaining methods are sent to the client.

Server action: Unsuccessful verification of SECURID as the primary method.
Server returns: (SECURID AND APPROVE) OR (SECURID AND EYEPRINTID)
Explanation: SECURID is added to every group of methods in the policy, and that list is returned to the client.
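Both scenarios above are the same rewrite rule applied to the assurance level: if the primary method verified, remove it from every AND-group; if it failed, add it to every AND-group; then drop redundant entries. The following Python is an added example that is not RSA's code and does not talk to the Cloud Authentication Service; it models that rule on the page's own policy notation so the two tables can be reproduced and the rule checked on other policies. The function names, the list-of-lists representation, the de-duplication of repeated methods and repeated groups, and the handling of a group that becomes empty (treated as that branch being fully satisfied, so no further methods are required) are assumptions; the page does not describe those last two cases.

```python
# Added example (not RSA's code): models how the Cloud Authentication Service
# rewrites an access policy's assurance level after primary authentication.
#
# A policy is an OR of AND-groups, written the way the page writes it:
#   "(SECURID AND APPROVE) OR (EYEPRINTID)"  ->  [["SECURID", "APPROVE"], ["EYEPRINTID"]]
from typing import List, Optional

Policy = List[List[str]]


def parse_policy(text: str) -> Policy:
    """Parse the page's notation into a list of AND-groups (assumed format)."""
    groups: Policy = []
    for clause in text.upper().split(" OR "):
        members = clause.strip().strip("()").split(" AND ")
        groups.append([m.strip() for m in members if m.strip()])
    return groups


def format_policy(policy: Policy) -> str:
    """Render a policy back into the page's notation."""
    return " OR ".join("(" + " AND ".join(g) + ")" for g in policy)


def remove_redundant(policy: Policy) -> Policy:
    """The page's 'eliminates any redundant methods' step (assumed meaning):
    drop a method repeated inside a group, and drop a group that repeats
    an earlier group. Order is preserved so output matches the tables."""
    result: Policy = []
    for group in policy:
        unique = list(dict.fromkeys(group))
        if unique not in result:
            result.append(unique)
    return result


def methods_to_return(policy_text: str,
                      primary: Optional[str] = None,
                      primary_verified: Optional[bool] = None) -> Policy:
    """Return the methods the server sends to the client.

    primary=None            client did not perform primary authentication
    primary_verified=True   primary credential validated by the server
    primary_verified=False  primary credential rejected by the server
    An empty result means no further authentication is required (assumption:
    a group with nothing left in it is already satisfied).
    """
    policy = parse_policy(policy_text)
    if primary is None:
        # No primary authentication: return only the methods from the policy.
        return remove_redundant(policy)
    primary = primary.upper()
    if primary_verified:
        # Verified primary counts as completed: remove it from every group.
        # If the primary method is not in the policy this changes nothing.
        rewritten = [[m for m in g if m != primary] for g in policy]
        if any(not g for g in rewritten):
            return []
    else:
        # Failed primary: the server requires it again, in front of every group.
        rewritten = [[primary] + g for g in policy]
    return remove_redundant(rewritten)


if __name__ == "__main__":
    # Reproduce the page's two tables.
    for policy_text, primary in [("(FINGERPRINT) OR (SECURID AND APPROVE)", "PASSWORD"),
                                 ("(SECURID AND APPROVE) OR (EYEPRINTID)", "SECURID")]:
        print("policy:", policy_text)
        print("  no primary     :", format_policy(methods_to_return(policy_text)))
        print("  primary ok     :", format_policy(methods_to_return(policy_text, primary, True)))
        print("  primary failed :", format_policy(methods_to_return(policy_text, primary, False)))
```

Running the block prints the "Server returns" column of both tables. The rule generalizes past the page's examples: a failed primary that is already in a group produces a duplicate that the redundancy step removes, and a verified primary that is the only member of a group leaves nothing to ask for.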
