Authentication schemes require a protection level. This level ranges from 0 to 1000. A higher number indicates that the scheme provides higher level of protection. Protection levels allow single sign-on for Authentication Schemes of equal or lower protection levels within the same policy domain, while requiring additional authentication to access resources with higher protection level schemes.
Note: Anonymous authentication schemes always have a protection level of zero. A custom authentication scheme may have a protection level of 0-1000. All other authentication schemes may have a protection level of 1-1000.
For example, if you have a set resources that is available to all network users, you can assign a Basic (user name and password) authentication scheme with a low protection level such as 5. For revenue information that is available only to corporate executives, you can assign an X.509 client certificate scheme with a high protection level such as 15.
When users authenticate successfully against a scheme, they can access any resource with a protection level equal to or below the current authentication scheme without being challenged to authenticate a second time. However, users must still be authorized for a resource to gain access.
In the example above, a user who authenticated with a user name and password (protection level 5) would have to authenticate a second time with a digital certificate if he or she attempted to access the revenue information that was assigned the X.509 client certificate authentication scheme with the protection level of 15. However, if the user attempted to access resources for another department, which were also protected by a scheme of level 5, the user would not be challenged to authenticate a second time.
Copyright © 2010 CA. All rights reserved. | Email CA about this topic |