5.10.2 Configuring Advanced Authentication

You must configure the Advanced Authentication server details in Access Manager before creating a class. See Section 2.4.9, Configuring the Advanced Authentication Server.

To configure Advanced Authentication, perform the following steps:

  1. Click Devices > Identity Servers > Edit > Local > Classes.

  2. Click New, then specify the following details:

    Display name: Specify a name for the class.

    Java class: Select Advanced Authentication Generic Class to use the OAuth-based authentication class. Select any other class to use a plug-in-based authentication class.

    The Java class path is configured automatically.

  3. Click Next > Finish.

  4. Create a method for this class. If you are creating a method for the OAuth-based authentication class, select a chain from Advanced Authentication Chains. If you do not specify a chain, the user is prompted to select one at authentication time.

    NOTE: If no chain is listed in Advanced Authentication Chains, create a chain in Advanced Authentication. If a chain exists in Advanced Authentication but is not listed in Advanced Authentication Chains, assign the chain to the configured Access Manager OAuth Event in Advanced Authentication. See Creating a Chain.

    NOTE: When you configure a method in both a single-method chain and a multi-method chain in the Advanced Authentication portal (for example, an LDAP Password chain and an LDAP Password + Smartphone chain) and assign both chains to the same group of users and the same Event, Access Manager does not list the less secure chain. In this example, LDAP Password is not listed because the more secure LDAP Password + Smartphone chain is available.

    Identifies User: Select this option when you assign Access Manager to perform the first-factor authentication. Do not select this option when you create an Advanced Authentication method only for second-factor authentication.

    Also select this option when you assign Advanced Authentication to perform both first- and second-factor authentication.

    For information about creating a method, see Configuring Authentication Methods.

  5. Create a contract for the method.

    To use Advanced Authentication as a primary authenticator, the chain in the Advanced Authentication server must contain the Password method along with any Advanced Authentication method.

    For example, if an Email contract is configured to use only the Email method, configure both the Password and Email methods, create a chain with these methods in the Advanced Authentication Administration portal, and then enable the chain for the Access Manager event in the same portal.

    For information about creating a contract, see Configuring Authentication Contracts.

    If you want the user’s credentials available for Identity Injection policies and you did not select Require Password, add the password fetch method as a second method to the contract. For more information about this class and method, see Password Retrieval.

  6. Update Identity Server.
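The chain-listing rule from the note in step 4, expressed as an added illustration rather than product code: a chain is hidden when its methods are a strict subset of another chain assigned to the same group and the same Event. The `Chain` class, `listed_chains` function and sample chain names are constructed here; the "strict subset" generalization beyond the LDAP Password example is an assumption.

```python
# Added illustration of the chain-listing rule described in the NOTE for step 4.
# Assumption (not taken from the product): a chain is treated as "less secure"
# and hidden when its method set is a strict subset of another chain that is
# assigned to the same group of users and the same Event.
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Chain:
    name: str
    methods: FrozenSet[str]   # method names that make up the chain
    group: str                # group of users the chain is assigned to
    event: str                # Event the chain is assigned to


def listed_chains(chains: List[Chain]) -> List[str]:
    """Return the names of chains that would be listed, dropping any chain whose
    methods are a strict subset of another chain on the same group and Event
    (the more secure chain wins). Order of the input is preserved."""
    visible = []
    for chain in chains:
        superseded = any(
            other is not chain
            and other.event == chain.event
            and other.group == chain.group
            and chain.methods < other.methods   # strict subset -> less secure
            for other in chains
        )
        if not superseded:
            visible.append(chain.name)
    return visible


# Constructed sample mirroring the note: LDAP Password alone is hidden because
# LDAP Password + Smartphone covers the same users and Event with more factors.
SAMPLE = [
    Chain("LDAP Password", frozenset({"LDAP Password"}), "users", "AM OAuth Event"),
    Chain("LDAP Password + Smartphone",
          frozenset({"LDAP Password", "Smartphone"}), "users", "AM OAuth Event"),
    Chain("Email", frozenset({"Email"}), "users", "AM OAuth Event"),
]

if __name__ == "__main__":
    print(listed_chains(SAMPLE))  # -> ['LDAP Password + Smartphone', 'Email']
```

A chain that is assigned to a different Event or group is not hidden, even if its methods are a subset of another chain's.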