Manual Chapter : Use cases for step-up authentication
Applies To:Show Versions
- 17.1.0, 17.0.0, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Use cases for step-up authentication
You can use step-up authentication to implement a zero trust environment. Using a per-request policy with pool assignment and subroutines to perform authorization, you can perform a device trust check periodically with primary authentication.
When publishing web applications, you may be required to provide different levels of authentication based on some context. Often, the URL is used to determine which level of authentication is required, but you can easily use some other contextual information like HTTP header, hostname, and so on. Step-up authentication provides the ability to prompt users for credentials to access specific areas of an application.
For example, you can use step-up authentication to protect parts of a web application that manage sensitive data. This way, you can increase protection by requiring stronger authentication even after having gained authenticated access to the web application. Step-up authentication can be a part of the portal access or web application management (reverse proxy) features of Access Policy Manager (APM).
Here are some typical uses for step-up authentication:
- Perform a device trust check every 60 minutes and re-authenticate the user.
- Request additional authentication from a user periodically or before granting access to sensitive resources.
- Revalidate webtop resources using Active Directory credentials.
- Require SAML authentication for certain URI paths using APM as a SAML identity provider.
- Require certificate-based authentication (provided by On-Demand Certificate authentication) when going to a specific URI.
- After SharePoint anonymous access, authenticate a user against Active Directory and do a group lookup.