Manual Chapter : How step-up authentication works

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9

back-action Concepts to know for building step-up authentication policies

Updated Date: 04/30/2026

How step-up authentication works

1

User logs in and authenticates through a per-session policy; Access Policy Manager (APM) creates a session. User starts to use an application that’s available in the enterprise. User can access all but two parts of the application that APM protects with step-up authentication, which requires: - Password-based authentication (

) for access to one part of the application.

  • Certificate-based authentication (
    ) for access to one part of the application.

2

User requests access to part of the application protected with step-up authentication (username and password). APM challenges the user and then starts a subsession; for simplicity, we call it Subsession 1. For the duration of Subsession 1: If the user passed step-up authentication, the user does not need to authenticate again to access that part of the application; If the user failed step-up authentication, the user does not have access and step-up authentication does not run again.

3

User requests access to part of the application protected with step-up authentication certificate authentication. APM challenges the user and then starts another subsession, Subsession 2. If the user passes certificate authentication, for the duration of Subsession 2: If the user passed step-up authentication, the user does not need to authenticate again to access that part of the application; If the user failed step-up authentication, the user does not have access and step-up authentication does not run again.Tip: A subsession ends when its lifetime expires or when the session ends, whichever is sooner.