Manual Chapter : How SAML step-up authentication works

Applies To:

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
How SAML step-up authentication works

This is how SAML step-up authentication works using the per-session and per-request policies you created:
  1. A client accesses
  2. APM provides a session cookie to the client, and redirects the client to the logon page in the per-session policy.
  3. APM authenticates the client using the Windows Active Directory server.
  4. The session reaches the Allow ending in the per-session policy; now it's in the Allow state and moves to the per-request policy.
  5. Since the user request does not contain
    , the URL branching follows the fallback branch and is allowed with no further action.
  6. If the client clicks a link to sensitive info, the per-request policy runs again, but this time the URL branching action follows the
  7. APM calls the SAML Step-Up subroutine. Because there is no previous subsession decision data for the SAML Step-Up subroutine in the database, the subroutine is executed.
  8. The SAML Auth agent redirects the client to the SAML IdP using APM's SAML authentication request (authN), and the IdP authenticates the client. Authentication failures are logged as errors.
  9. The client is redirected back to APM with the SAML assertion.
  10. The SAML Auth agent validates the assertion, sends the client to the SAML Auth Passed branch, and on to the Allow ending.
    APM caches the subroutine data including the SAML response in the database as subsession variables. Additional requests from this client can proceed without additional authentication for the duration of the subsession.
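The flow above, modeled as an added Python example (not F5 code or APM configuration): it shows that the IdP is contacted only when no valid subsession decision exists for the SAML Step-Up subroutine. The `/sensitive/` URL marker, the 300-second subsession lifetime, the `idp` callable, and the "Reject" ending on failure are assumptions, since the page does not state them.

```python
import logging
from dataclasses import dataclass, field

log = logging.getLogger("stepup-model")

SENSITIVE_MARKER = "/sensitive/"  # hypothetical: the page elides the real URL pattern
SUBSESSION_LIFETIME = 300         # seconds; constructed value for the subsession duration


@dataclass
class Session:
    """Per-session state once the per-session policy reached Allow (steps 2-4)."""
    user: str
    subsessions: dict = field(default_factory=dict)  # subroutine name -> cached data


def saml_step_up(session, idp, now):
    """Steps 8-10: send the client to the IdP, validate, cache the SAML response."""
    assertion = idp(session.user)  # stands in for the authN redirect round trip
    if assertion is None:
        log.error("SAML step-up failed for %s", session.user)  # failures are logged
        return False               # assumption: nothing is cached on failure
    session.subsessions["SAML Step-Up"] = {
        "saml_response": assertion,
        "expires": now + SUBSESSION_LIFETIME,
    }
    return True


def per_request_policy(session, url, idp, now):
    """Runs on every request; returns (ending, idp_was_contacted)."""
    if SENSITIVE_MARKER not in url:         # step 5: fallback branch, no further action
        return "Allow", False
    cached = session.subsessions.get("SAML Step-Up")
    if cached and cached["expires"] > now:  # step 10: reuse the subsession decision
        return "Allow", False
    session.subsessions.pop("SAML Step-Up", None)  # drop expired decision data
    ok = saml_step_up(session, idp, now)    # step 7: no decision data, run subroutine
    return ("Allow" if ok else "Reject"), True     # "Reject" ending is an assumption
```

The subsession lifetime is the control that bounds how long a single step-up authentication keeps unlocking the sensitive branch, so it should be sized to the sensitivity of the protected URLs.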