In this use case, the user is given a choice of different credentials to obtain different levels of access when they request access to a protected resource. When the user requests a protected sample application, the user is presented with the following login dialog:
Each login button on the dialog submits different credentials. The user experience depends on the type of credentials that they provide. The user can choose from the following types of authentication:
After the user is successfully authenticated and authorized, the user is permitted access to the sample application, which displays a greeting that informs them of their authentication level and the type of authentication scheme they used to log in.
In the Password And/Or Certificate section of the login dialog, the user can choose one of the following combinations of credentials to provide:
If the user provides only their valid username and password, the following message is displayed:
Greetings, SampleUser! Your authentication level is 5 You have used username/password authentication
If the user selects only the X.509 client certificate check box, they are prompted to select one of the client certificates that are configured with the browser. If the Policy Server recognizes the certificate, the following message is displayed:
Greetings, SampleUser! Your authentication level is 10. You have used X.509 client certificate authentication
The Password And/Or Certificate option offers the flexibility of providing a different authentication level depending on the credentials the user provides. The X.509 Cert Or Form authentication scheme, which can seem similar to the Password And/Or Certificate option, does not distinguish between the types of credentials that the user provides. The protection level is therefore the same regardless of what credentials the user provides.
If both Username and Password are provided and the X.509 client certificate check box is marked, the user is prompted for a client certificate. If the Policy Server recognizes the certificate and the certificate matches the username that the user provides, the following message is displayed:
Greetings, SampleUser! Your authentication level is 15 You have used X.509 client certificate and username/password authentication
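The difference between the two schemes can be modeled in a few lines. This is an added example, not CA SiteMinder code: the levels 5, 10 and 15 come from the greetings above, while the `Credentials` type, the function names, the fixed level used for X.509 Cert Or Form, the `permitted` check and the choice to deny rather than downgrade on a certificate/username mismatch are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Levels for the three combinations, taken from the greetings on this page.
LEVEL_PASSWORD, LEVEL_CERT, LEVEL_BOTH = 5, 10, 15


@dataclass
class Credentials:
    username: Optional[str] = None
    password_ok: bool = False           # password already verified for username
    cert_subject: Optional[str] = None  # user mapped from a recognized certificate


def password_and_or_cert(c: Credentials) -> Optional[int]:
    """Level depends on which credentials were presented; None means denied."""
    has_pw = c.username is not None and c.password_ok
    has_cert = c.cert_subject is not None
    if c.username is not None and has_cert:
        # Both presented: the certificate must match the typed username.
        # Assumption: a mismatch or bad password is denied, never downgraded.
        return LEVEL_BOTH if has_pw and c.cert_subject == c.username else None
    if has_cert:
        return LEVEL_CERT
    return LEVEL_PASSWORD if has_pw else None


def cert_or_form(c: Credentials, scheme_level: int = 5) -> Optional[int]:
    """X.509 Cert Or Form: one fixed level, whichever credential was used.
    scheme_level is a constructed value, not taken from the page."""
    ok = c.cert_subject is not None or (c.username is not None and c.password_ok)
    return scheme_level if ok else None


def permitted(level: Optional[int], required: int) -> bool:
    """Hypothetical check: the session level must reach the resource's level."""
    return level is not None and level >= required
```
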
If the user is logged in to a Windows domain when they request a protected resource, the following message is displayed:
Greetings, SampleUser! Your authentication level is 5 You have used the Windows domain authentication
If the user is not logged in to a Windows domain, the user is prompted for their Windows domain credentials.
If the user provides a valid Username and SecurID PIN for SecurID authentication when they request a protected resource, the following message is displayed:
Greetings, SampleUser! Your authentication level is 20 You have used the SecurID authentication
If the user provides only their username for SafeWord authentication, a two-step process occurs. CA SiteMinder® passes the username to the SafeWord server, and the server determines the credentials for which it challenges the user. SafeWord supports up to four authenticators per login. The authenticators can be fixed (using a password) or dynamic (using a token card PIN).
Upon successful access, the following message is displayed:
Greetings, SampleUser! Your authentication level is 20 You have used the SafeWord authentication
Copyright © 2015 CA Technologies.
All rights reserved.