Secure Mobile Access 12.4 Administration Guide

Configuring Chained Authentication

For increased security, you can require users to authenticate to a single realm using two different authentication methods. For example, you could set up RADIUS or a digital certificate as the first authentication method, and LDAP or Active Directory as the second one. The local authentication store can be used as either the primary or the secondary authentication server. You can require that the usernames be the same on the primary and secondary authentication servers. To make the login experience a one-step process for your users, you can configure AMC so that users see only one set of prompts.

To configure chained authentication

  1. In the AMC, navigate to User Access > Realms.

  2. Click either:

    • The name of the realm you want to modify.

    • + New realm and then select an entry in the Authentication server drop-down menu.

      This is your primary authentication server.

      If one of your credential types for chained authentication is a digital certificate, the corresponding authentication server must be the primary one: you can’t configure a PKI server as your secondary authentication server.

  3. Click Advanced and scroll to the Chained authentication section.

  4. Select a Secondary authentication server (if none is defined, click New; see Configuring Authentication Servers for the steps involved in setting up an authentication server).

  5. The remaining (optional) settings, listed in the Authentication settings table below, can provide more security, help with troubleshooting, and simplify the login process:

    Authentication settings

    Audit username from this server

    Show the username from the secondary server in the audit and accounting logs (instead of the username from the primary authentication server).

    Forward credentials from this server

    For single sign-on, one set of credentials must be forwarded to back-end Web resources. Select this checkbox to forward the credentials from this (the secondary) authentication server rather than from the primary one.

    Usernames must match

    When this checkbox is selected, authentication fails if the user ID established in the first authentication step differs from the user ID submitted in the second step. This option is available regardless of whether the authentication methods use a username/password, a token, or a certificate.

    One use case for this option is when the primary authentication server uses a certificate and the secondary uses a username/password. Without this option enabled, an end user who holds valid username/password credentials on the secondary server could complete the login while presenting another user's certificate. With this setting turned on, that authentication attempt fails because the username in the certificate does not match the username supplied with the password.

    Combine authentication prompts on one screen

    When this checkbox is selected, the appliance verifies that the username is the same on both authentication servers. If it is, the prompts for a user’s credentials are combined on a single screen; if the usernames differ, the login is rejected and (for security reasons) there is no error message explaining why.

    Authentication prompts cannot be combined if the user credentials involve a digital certificate, though the system still ensures that the username is the same on both servers.

    Customize authentication server prompts

    (Available only when Combine authentication prompts on one screen is selected, and only for Windows clients.)

    When configuring an authentication server, you have the option of customizing the prompts that users see. When two such servers are chained together, you can present the user with a combined authentication prompt that includes customized Title, Message, and Identity fields. The name for the password fields is picked up from each authentication server configuration.

    If this customization setting is not selected, the user sees the prompts that are configured for the two authentication servers.
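The following is an added illustrative model of the chained-authentication decision logic described above; it is not SonicWall or SMA code and does not reflect the appliance's internal implementation. It assumes a PKI primary whose username is the certificate subject CN, a username/password secondary, and two constructed in-memory stores (PKI_CERTS and LDAP_USERS). It shows why "Usernames must match" matters: with the check off, a user who holds a valid password on the secondary can complete the login while presenting another user's certificate, and the audit log records the certificate's identity; with the check on, the attempt is rejected before the secondary is consulted and the user sees only a generic failure.

```python
# Illustrative model of chained authentication (not SonicWall/SMA code).
from dataclasses import dataclass, field

# Constructed sample stores: the PKI primary maps a presented certificate to its
# subject's username; the LDAP-style secondary holds username/password pairs.
PKI_CERTS = {"cert-alice": "alice", "cert-bob": "bob"}
LDAP_USERS = {"alice": "alice-pw", "bob": "bob-pw"}

GENERIC_FAILURE = "Login failed"  # every failure path shows the same message


@dataclass
class ChainedRealm:
    """Realm with a PKI primary and a username/password secondary."""
    usernames_must_match: bool = True
    audit_username_from_secondary: bool = False
    forward_credentials_from_secondary: bool = True
    audit_log: list = field(default_factory=list)

    def primary_auth(self, cert_handle):
        # Username is taken from the certificate subject (assumed CN = username).
        return PKI_CERTS.get(cert_handle)

    def secondary_auth(self, username, password):
        return LDAP_USERS.get(username) == password

    def login(self, cert_handle, username, password):
        """Return a session dict on success, or None on any failure."""
        primary_user = self.primary_auth(cert_handle)
        if primary_user is None:
            self.audit_log.append(("FAIL", "primary", None))
            return None
        if self.usernames_must_match and primary_user != username:
            # Mismatch is rejected before the secondary is consulted; the user
            # receives GENERIC_FAILURE with no explanation of the cause.
            self.audit_log.append(("FAIL", "username-mismatch", primary_user))
            return None
        if not self.secondary_auth(username, password):
            self.audit_log.append(("FAIL", "secondary", primary_user))
            return None
        audit_user = username if self.audit_username_from_secondary else primary_user
        # A certificate carries no reusable password, so SSO forwarding in this
        # model uses the secondary's username/password when that box is ticked.
        if self.forward_credentials_from_secondary:
            forwarded = (username, password)
        else:
            forwarded = (primary_user, None)
        self.audit_log.append(("OK", "chained", audit_user))
        # Session identity taken from the primary (assumption for this model).
        return {"session_user": primary_user,
                "audit_user": audit_user,
                "forwarded": forwarded}


def certificate_reuse_attempt(usernames_must_match):
    """Bob, who has a valid LDAP password, presents Alice's certificate."""
    realm = ChainedRealm(usernames_must_match=usernames_must_match)
    session = realm.login("cert-alice", "bob", "bob-pw")
    return session, realm.audit_log[-1]


if __name__ == "__main__":
    session, entry = certificate_reuse_attempt(usernames_must_match=False)
    print("check off:", session, entry)  # session as alice, audited as alice
    session, entry = certificate_reuse_attempt(usernames_must_match=True)
    print("check on: ", session or GENERIC_FAILURE, entry)  # rejected, logged as mismatch
```

Note the audit entry in the unguarded case: because "Audit username from this server" is off, the log attributes the session to the certificate holder, not to the account whose password was actually supplied, which is exactly the trace you would want during an investigation.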
