Advanced Authentication Service › Getting Started with Advanced Authentication › Advanced Authentication Flows › Advanced Authentication Flows › ArcotID PKI-Based Flows › ArcotID PKI Roaming Flow

ArcotID PKI Roaming Flow

For end users who do not have the ArcotID PKI credential present on the device from which they are trying to access a protected resource, the Advanced Authentication service offers roaming capabilities. With this feature, end users first download the ArcotID PKI after successfully completing secondary authentication and then use the ArcotID PKI to authenticate themselves and access the protected resource.

A roaming user can be authenticated using knowledge-based question and answer pairs, or security code through SMS, email, or voice message. Each security code is generated by the Advanced Authentication Server, and it does not require any credential-specific information.

This section describes the steps for the ArcotID PKI Roaming Download flow using security questions, security code, or both for secondary authentication.

Note: For detailed information about the back-end operations that take place when an end user tries to access a protected resource, see How Advanced Authentication Flows Work.

Assumptions:

This flow is based on the following assumptions:

• You have enabled the ArcotID PKI credential in the tenant console and configured the ArcotID PKI Only flow.
• You have configured the Credential Handling Service to protect the resource realm with the CA SiteMinder authentication scheme corresponding to the ArcotID PKI Only flow.
• You have enabled roaming for ArcotID PKI and configured the flow to use security questions, security code, or a combination of the two as the secondary authentication mechanism.
• In the case of security code, you have enabled the preferred credential delivery channels in the User Console.
• The end user’s record in the database contains a valid email address or phone number to which the credential can be delivered.
• The browser used for transactions is capable of supporting Java Applet and Native Client.
• JavaScript is enabled in the browser.
• The end user is enrolled with Advanced Authentication but the ArcotID PKI credential is not present on the end user’s device.

The Flow:

1. In a browser window, the end user attempts to access a protected resource.
2. On the login page, the end user enters their user name and password, and then clicks Submit.
3. CA SiteMinder verifies the end user's login credentials.
4. The ArcotID PKI Client checks for an ArcotID PKI for the provided user name but does not find it on the end user’s device.
5. The Advanced Authentication application invokes the Advanced Authentication Server to retrieve the end user’s ArcotID PKI.
6. If the user name exists in the database but if their ArcotID PKI is not available on the device being used, the user is challenged for secondary authentication. Depending on the secondary authentication mechanism, one of the following sequence of steps takes place:
   • If security question has been set as the secondary authentication mechanism, then:
     1. The Advanced Authentication application invokes IdentityMinder to retrieve the security questions.
        The page with challenge questions is presented to the end user. On the same page, the end user can specify whether the ArcotID PKI must be stored for future sessions.
     2. The end user submits answers to the security questions.
     3. The Advanced Authentication application invokes IdentityMinder to verify the answers.
   • If security code has been set as the secondary authentication mechanism, then:
     1. The Advanced Authentication application invokes the Advanced Authentication Server to generate a security code and fetch the end user’s email address and/or phone number.
     2. If more than one delivery channel has been configured, then the end user selects a preferred channel.
     3. The Advanced Authentication application invokes the delivery channel.
     4. The Advanced Authentication application presents a page challenging the end user for the security code.
        On the same page, the end user can specify whether the ArcotID PKI must be stored for future sessions.
     5. The end user submits the security code.
     6. The Advanced Authentication application invokes the Advanced Authentication Server to verify the security code.
7. If the verification is successful, depending on whether two-step authentication is enabled, either of the following steps take place:
   • If two-step authentication is not enabled:
     1. The ArcotID PKI credential is downloaded to the end user’s device.
     2. The ArcotID PKI Client loads the ArcotID PKI.
   • If two-step authentication is enabled:
     1. The end user is presented with the second form of authentication, and is authenticated as described in Step 6.

     Note: If security question was used the first time, then security code is used in this step. Conversely, if security code was used the first time, then security question is used in this step.

     1. If the verification is successful:
     • The ArcotID PKI credential is downloaded to the end user’s device.
     • The ArcotID PKI Client loads the ArcotID PKI.

   Note: Two-step authentication is not enabled for authentication using the ArcotID PKI mobile client. When a mobile client is used, all configured authentication methods are used one after the other.

8. Upon downloading the credential, the browser displays the login page with the user name and challenges the end user for the password.
9. The end user enters the password and completes the rest of the authentication process.
10. If the authentication is successful, then the browser is redirected to SiteMinder with a success message.