Security Access Manager provides user authentication functions that allow for simple and complex authentication scenarios.
The users who want to access your protected resources can be challenged to provide credentials to authenticate with the various authentication technologies that are supported by Security Access Manager. The component responsible for this capability is called the Authentication Service. The Authentication Service consists of a framework you can use to enforce the execution of various supported authentication mechanisms to authenticate users.
Authentication mechanisms are modules that authenticate the user with a specific challenge or authentication technology, such as a user name and password or a one-time password. The order in which the authentication mechanisms run, and the conditions under which they run, are controlled by an authentication policy. An authentication policy is an XML document that you create with the authentication policy editor. The policy dictates the authentication workflow that is required for accessing a protected resource.
During an authentication event, the Authentication Service executes the authentication policy that is required for the event. Each authentication mechanism that the policy names is a step in the policy workflow, which the Authentication Service starts when the policy is invoked. After the user successfully authenticates to all of the authentication mechanisms that the authentication policy requires, the Authentication Service generates a user credential. This user credential creates an authenticated session for the user at the point of contact.
The administrator can determine what information is included in the credential by configuring the authentication policy. The authentication policy editor provides a credential editor that an administrator can use to specify the attributes to be included in the resulting credential.
A one-time password is a password that is generated for a single authentication event and is valid for one use. The one-time password authentication capability in Security Access Manager provides the following mechanisms:
Mechanism | Description |
---|---|
One-time password authentication | Users provide a one-use password that is generated for an authentication event and is typically communicated between the client and the server through a secure channel. The OTP mechanism groups all the supported one-time password methods in a single flow and asks the user to select which one-time password method to use to log in. The user can select from the supported one-time password authentication methods: |
MAC One-time password authentication | Users provide a one-use password that is generated for an authentication event and is typically communicated between the client and the server through a secure channel. The MAC mechanism generates one-time passwords by randomly drawing one character at a time from the configured character set until the configured number of characters has been drawn. The MAC mechanism also stores the generated one-time passwords in the configured one-time password store plug-in; each one-time password is salted and hashed before it is stored there, so the plug-in never holds the password in clear text. The user can select from the supported MAC one-time password authentication methods: This mechanism also supports the one-time password mapping rules. |
HOTP One-time password authentication | Users provide a one-use password that is generated for an authentication event. The one-time password is generated by the HOTP method (HMAC-based, counter-driven, RFC 4226), so client and server must stay synchronized on the counter value. |
TOTP One-time password authentication | Users provide a one-use password that is generated for an authentication event. The TOTP mechanism (RFC 6238) generates one-time passwords by applying a specified algorithm to a shared secret and the current time step, using a time-based one-time password application on the client. Passwords are not communicated in advance or stored; server and client regenerate the value at regular intervals and the server verifies that the two match. |
RSA One-time password authentication | Users provide a one-use password that is generated for an authentication event. The RSA mechanism works with an RSA SecurID Authentication Manager and passcode generator. You must own the RSA Authentication Manager product to use RSA as a mechanism. The RSA Authentication Manager and passcode generator generate a passcode every 30 to 60 seconds. The user supplies a user name and passcode, which are passed to the RSA Authentication Manager. The RSA Authentication Manager makes the authentication decision and returns it to Security Access Manager, which relays the decision back to the user. |
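The table describes three verification models: the MAC mechanism, which draws a random password from a character set and keeps only a salted hash of it in the store plug-in; HOTP, where a counter must stay synchronized; and TOTP, where both sides regenerate the value per time step. The following Python is an added example written for this page, not code from Security Access Manager or its plug-ins. The `MacOtpStore` class is an assumed in-memory stand-in for a store plug-in (its API, TTL and attempt limit are illustrative choices); the HOTP/TOTP functions implement RFC 4226 and RFC 6238 directly, and `RFC_TEST_SECRET` is the well-known test secret from those RFCs, not a production value.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"); real secrets are random bytes.
RFC_TEST_SECRET = b"12345678901234567890"


class MacOtpStore:
    """Assumed in-memory stand-in for a one-time password store plug-in (not the product's API).
    Only a salted, iterated hash of each password is kept, so a leaked store reveals no live codes."""

    def __init__(self, charset="0123456789", length=8, ttl_seconds=300, max_attempts=3):
        self.charset = charset
        self.length = length
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self._entries = {}  # session_id -> {"salt", "digest", "expires_at", "attempts_left"}

    @staticmethod
    def _digest(salt, otp):
        return hashlib.pbkdf2_hmac("sha256", otp.encode(), salt, 50_000)

    def issue(self, session_id, now=None):
        """Draw one character at a time from the charset with a CSPRNG; store only the salted hash."""
        now = time.time() if now is None else now
        otp = "".join(secrets.choice(self.charset) for _ in range(self.length))
        salt = os.urandom(16)
        self._entries[session_id] = {
            "salt": salt,
            "digest": self._digest(salt, otp),
            "expires_at": now + self.ttl,
            "attempts_left": self.max_attempts,
        }
        return otp  # delivered to the user out of band; never kept in clear text

    def verify(self, session_id, candidate, now=None):
        """Constant-time comparison; the entry is removed on success, expiry, or too many failures."""
        now = time.time() if now is None else now
        entry = self._entries.get(session_id)
        if entry is None:
            return False
        if now > entry["expires_at"]:
            del self._entries[session_id]
            return False
        if hmac.compare_digest(entry["digest"], self._digest(entry["salt"], candidate)):
            del self._entries[session_id]  # one use: the same value is never accepted twice
            return True
        entry["attempts_left"] -= 1
        if entry["attempts_left"] <= 0:
            del self._entries[session_id]  # caps online guessing of a short numeric code
        return False


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter set to the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_hotp(secret, candidate, last_counter, look_ahead=10, digits=6):
    """Server-side HOTP check. Only counters above the last accepted one are tried, so a
    replayed value is rejected. Returns (accepted, counter_to_persist)."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True, counter
    return False, last_counter


def verify_totp(secret, candidate, unix_time, last_used_step, step=30, digits=6, skew=1):
    """Server-side TOTP check tolerating `skew` steps of clock drift either way. A step at or
    below `last_used_step` is refused even if the code matches, which closes the replay window
    that drift tolerance would otherwise leave open. Returns (accepted, step_to_persist)."""
    current = unix_time // step
    for delta in range(-skew, skew + 1):
        candidate_step = current + delta
        if candidate_step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step, digits), candidate):
            return True, candidate_step
    return False, last_used_step


if __name__ == "__main__":
    store = MacOtpStore(charset="ABCDEFGHJKLMNPQRSTUVWXYZ23456789", length=6)
    code = store.issue("session-1")
    print("MAC OTP", code, "accepted:", store.verify("session-1", code),
          "replay:", store.verify("session-1", code))
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0), "TOTP t=59:", totp(RFC_TEST_SECRET, 59, digits=8))
```

Two design points matter in practice. The MAC store deletes the entry on the first successful match, which is what makes the password one-use; without that, the delivery channel's secrecy is the only thing preventing replay. For HOTP and TOTP the server must persist the counter or time step it last accepted and refuse anything at or below it, because a look-ahead or drift window that accepts several values is also a window in which an intercepted code stays valid.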
Through the policy editor, you can group one or more mechanisms into the workflow of an authentication policy. The policy defines which authentication mechanisms your users are required to use to successfully authenticate.
By grouping the provided authentication mechanisms into the workflow of an authentication policy, you can achieve several types of authentication:
- Users provide basic identifying information such as a user name and password.
- Users provide a specific type of credential, usually to access sensitive resources. Users might be challenged to authenticate again and provide an extra set of credentials to prove that they are allowed to access the sensitive resources.
- Users provide more than one type of credential to access a protected resource.
Each authentication policy has a unique identifier that you can use with an access policy, or to start the Authentication Service directly without any prior access policy invocation.