Manual Chapter: Use cases for step-up authentication
Applies To:
BIG-IP APM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9
You can use step-up authentication to implement a zero trust environment. Using a per-request
policy with pool assignment and subroutines to perform authorization, you can perform a device
trust check periodically with primary authentication.
When publishing web applications, you may be required to provide different
levels of authentication based on context. Often, the URL is used to determine which level
of authentication is required, but you can just as easily use other contextual information, such as an HTTP
header, the hostname, and so on. Step-up authentication provides the ability to prompt users for
credentials to access specific areas of an application.
For example, you can use step-up authentication to protect parts of a web
application that manage sensitive data. This way, you can increase protection by requiring
stronger authentication even after the user has gained authenticated access to the web application.
Step-up authentication can be a part of the portal access or web application management (reverse
proxy) features of Access Policy Manager (APM).
Here are some typical uses for step-up authentication:
- Perform a device trust check every 60 minutes and re-authenticate the user.
- Request additional authentication from a user periodically or before granting access to sensitive resources.
- Revalidate webtop resources using Active Directory credentials.
- Require SAML authentication for certain URI paths using APM as a SAML identity provider.
- Require certificate-based authentication (provided by On-Demand Certificate authentication) when going to a specific URI.
- After SharePoint anonymous access, authenticate a user against Active Directory and do a group lookup.
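The per-request decision described above (URI-based step-up plus a 60-minute device trust recheck), modeled in Python as an added example; it is not F5 code or APM configuration. The rule table, method names, and case-insensitive matching are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed rule table: URI prefix -> authentication method required there.
# Paths and method names are illustrative assumptions, not APM object names.
STEP_UP_RULES = {"/": "password", "/hr/payroll": "client_cert", "/partners": "saml"}
RECHECK_SECONDS = 60 * 60  # device trust check every 60 minutes


@dataclass
class Session:
    completed: set            # authentication methods already satisfied
    device_checked_at: float  # epoch seconds of the last device trust check


def canonical_path(raw_path: str) -> str:
    """Decode and normalize so /hr/./payroll and /HR/%70ayroll hit the same rule."""
    path = posixpath.normpath("/" + unquote(raw_path).lstrip("/"))
    return path.lower()  # assumes the protected application treats paths case-insensitively


def required_method(raw_path: str) -> str:
    """Longest matching prefix wins; prefixes match whole path segments only."""
    path = canonical_path(raw_path)
    best = "/"
    for prefix in STEP_UP_RULES:
        on_segment = path == prefix or path.startswith(prefix.rstrip("/") + "/")
        if on_segment and len(prefix) > len(best):
            best = prefix
    return STEP_UP_RULES[best]


def decide(session: Session, raw_path: str, now: float) -> str:
    """Return 'allow', 'device_check', or 'step_up:<method>' for one request."""
    if now - session.device_checked_at >= RECHECK_SECONDS:
        return "device_check"  # periodic recheck applies regardless of the URI
    method = required_method(raw_path)
    if method not in session.completed:
        return f"step_up:{method}"
    return "allow"
```

Matching on the canonical path rather than the raw request string keeps the stronger requirement attached to the protected area however the URI is written.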