3.4 Securing Authentication by Using Strong and Multi-Factor Authentication Methods

One of the strengths of Access Manager is its wide range of support for authentication methods beyond the simple, commonly used username/password method, including multi-factor and step-up scenarios. Access Manager includes many built-in preconfigured schemes, built from combinations of classes, methods, and contracts, that you can use as is or configure to meet your needs. You can assign a contract directly to specific protected resources or federation partners. For more sophisticated security needs, Access Manager risk policies can also choose the contract dynamically. Based on the risk calculated at the time of the access request, a risk policy can allow access, ask for step-up authentication, or deny access.

For more information about the Access Manager risk-based authentication feature, see Risk-based Authentication in the NetIQ Access Manager CE 24.2 (v5.1) Administration Guide.

The authentication contract, whether assigned directly or determined by risk policies, can come from a variety of sources. Many are included with Access Manager itself. An example of a third-party provider is RADIUS. If you need advanced security, or you want to balance security with convenience for mobile users, the single-factor and multi-factor contracts of the Advanced Authentication solution integrated with Access Manager are an ideal option.

For more information about configuring authentication methods, see Configuring Authentication in the NetIQ Access Manager CE 24.2 (v5.1) Administration Guide.

NOTE: You must not use persistent authentication or social authentication for applications that require high security. If you do use persistent authentication, associate the persistent cookie with the client IP address so that a cookie presented from a different address is not accepted.

To secure cookies against session replay attacks, enable Advanced Session Assurance. For information, see Setting Up Session Assurance in the NetIQ Access Manager CE 24.2 (v5.1) Administration Guide.
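As an added illustration of the allow / step-up / deny decision that a risk policy makes at request time, and of the note above about binding a persistent cookie to the client IP address, the following Python model is not Access Manager code: the contract names, risk indicators, weights, and thresholds are constructed assumptions, not values taken from the product.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed contract names (assumption): the real names are whatever the
# administrator configured under Identity Servers > Authentication > Contracts.
PASSWORD_CONTRACT = "Name/Password - Form"
STEP_UP_CONTRACT = "TOTP Step-Up"   # hypothetical second-factor contract


@dataclass
class AccessRequest:
    user: str
    client_ip: str
    known_device: bool               # device fingerprint seen before for this user
    new_country: bool                # geolocation differs from the user's history
    persistent_cookie_ip: Optional[str] = None  # IP the persistent cookie was bound to


def risk_score(req: AccessRequest) -> int:
    """Sum constructed weights for the risk indicators present in the request."""
    score = 0
    if not req.known_device:
        score += 30
    if req.new_country:
        score += 40
    # A persistent cookie presented from an address other than the one it was
    # bound to is treated as a likely replay and weighted to force a deny.
    if req.persistent_cookie_ip is not None and req.persistent_cookie_ip != req.client_ip:
        score += 80
    return score


def decide(req: AccessRequest, step_up_at: int = 30, deny_at: int = 80) -> Tuple[str, Optional[str]]:
    """Map the calculated risk to (action, contract).

    Below step_up_at the password contract suffices; between the thresholds the
    user is asked for a stronger contract; at or above deny_at access is refused.
    """
    score = risk_score(req)
    if score >= deny_at:
        return ("deny", None)
    if score >= step_up_at:
        return ("step_up", STEP_UP_CONTRACT)
    return ("allow", PASSWORD_CONTRACT)


if __name__ == "__main__":
    # Constructed sample requests.
    print(decide(AccessRequest("alice", "198.51.100.7", True, False)))
    print(decide(AccessRequest("alice", "198.51.100.7", False, True)))
    print(decide(AccessRequest("alice", "203.0.113.9", True, False, "198.51.100.7")))
```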

Authentication Contracts

If you have set up Access Manager to require SSL connections among all of its components, delete the Name/Password - Form and Name/Password - Basic contracts. Deleting the contracts removes them from the list of available contracts that can be assigned to protected resources. If these contracts are assigned, the user's password can be sent across the wire in clear text. You can re-create them when required. To delete these contracts, go to Administration Console and click Identity Servers > [cluster name] > Authentication > Contracts.

If you use password-based authentication, you can make it more secure by adding a second-factor method, such as the TOTP method or an Advanced Authentication method, to the contract.

You can configure advanced authentication by using Advanced Authentication methods. For information, see Multi-Factor Authentication Using Advanced Authentication.