You can use step-up authentication to implement a zero trust environment. Using a per-request
policy with pool assignment and subroutines to perform authorization, you can periodically
perform a device trust check in addition to primary authentication.
When publishing web applications, you may be required to provide different
levels of authentication based on some context. Often, the URL is used to determine which level
of authentication is required, but you can just as easily use other contextual information, such as
an HTTP header or the hostname. Step-up authentication provides the ability to prompt users for
credentials to access specific areas of an application.
For example, you can use step-up authentication to protect parts of a web
application that manage sensitive data. This way, you can increase protection by requiring
stronger authentication even after having gained authenticated access to the web application.
Step-up authentication can be a part of the portal access or web application management (reverse
proxy) features of Access Policy Manager (APM).
Here are some typical uses for step-up authentication:
- Perform a device trust check every 60 minutes and re-authenticate the user.
- authentication from a user periodically or before granting access to sensitive resources.
- Revalidate webtop resources using Active Directory.
- Require SAML authentication for certain URI paths using APM as a SAML identity provider.
- Require certificate authentication (provided by On-Demand Certificate authentication) when going to a specific URI.
- After SharePoint anonymous access, authenticate a user against Active Directory and do a group lookup.
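The decision logic behind such a per-request policy, as an added example that is not APM's own code: the session records the authentication level already achieved and the time of the last device trust check; each request is matched against a URL-pattern (or header) rule, and the policy answers with logon, device_check, step_up, deny or allow. The auth levels, the rule table, the group names and the X-Requires-StepUp header are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
import fnmatch

# Hypothetical: revalidate device trust every 60 minutes (in seconds).
DEVICE_TRUST_INTERVAL = 60 * 60

# Hypothetical rule table, most specific pattern first:
# (URL pattern, required auth level, required AD group or None).
# Level 1 = primary (password) authentication, level 2 = step-up
# (certificate or MFA). A group requirement models the AD group lookup.
RULES = [
    ("/admin/*", 2, "admins"),
    ("/payroll/*", 2, None),
    ("/*", 1, None),
]

@dataclass
class Session:
    auth_level: int = 0               # highest level achieved so far; 0 = not logged on
    last_device_check: float = 0.0    # epoch seconds of the last device trust check
    groups: set = field(default_factory=set)  # groups returned by the AD lookup

def match_rule(path: str, headers: dict) -> tuple:
    """Return (required level, required group) for this request's context."""
    for pattern, level, group in RULES:
        if fnmatch.fnmatch(path, pattern):
            # Header-based context can raise the requirement, as the page allows.
            if headers.get("X-Requires-StepUp") == "1":
                level = max(level, 2)
            return level, group
    return 2, None  # unknown path: demand the strongest level (deny by default)

def evaluate(session: Session, path: str, headers: dict, now: float) -> str:
    """Per-request policy decision for one request at time `now`."""
    if session.auth_level == 0:
        return "logon"          # no primary authentication yet: send to the logon page
    if now - session.last_device_check >= DEVICE_TRUST_INTERVAL:
        return "device_check"   # periodic device trust revalidation is due
    level, group = match_rule(path, headers)
    if session.auth_level < level:
        return "step_up"        # prompt for stronger credentials for this area
    if group is not None and group not in session.groups:
        return "deny"           # authenticated strongly enough, but not authorized
    return "allow"
```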