Chapter 4. Configuration and customization 125
4.4.4 Authentication strength policy (step-up)
WebSEAL supports many authentication methods that are described in 4.3,
“Supported WebSEAL authentication mechanisms” on page 114. WebSEAL
provides a feature that enables administrators to assign a ranking or level to
some of the supported authentication methods. Administrators can define an
ordered list that ranks each authentication method from lowest to highest. This
hierarchical ranking can be arbitrarily tailored to each individual WebSEAL
This set of authentication levels can be used to implement an authentication
strength policy. Authentication strength is sometimes referred to as step-up
authentication. Step-up authentication is not a unique authentication method like
forms-based or certificate-based authentication. Instead, it is a defined process
for requiring users to change their current authentication method to another
authentication method.
There is no absolute ranking between the authentication methods. No one
authentication method is inherently better or stronger than another method. The
ranking is simply a method for an administrator to define a relative level for each
authentication method for use with a specific Tivoli Access Manager WebSEAL
protected object namespace. The only rule governing the assignment of levels is
that the unauthenticated level is always lower than all other authenticated levels.
The following authentication methods can be assigned an authentication level:
- Unauthenticated
- Password authentication
  Password authentication is limited to forms-based authentication. Basic
  authentication is not supported as a step-up authentication level.
- Token authentication
- Certificate authentication
- External authentication interface
Authentication strength is supported over both HTTP and HTTPS, with the
exception of certificate-based authentication. Because certificates are valid only
over an SSL connection, it is not possible to step up to certificates over HTTP.
Note: When a user activates authentication strength by attempting to access
a protected object, the user does not have to log out first. Instead, the user is
presented with a login prompt, and simply logs in again to the higher level.
126 Certification Study Guide: IBM Tivoli Access Manager for e-business 6.0
Administrators apply an authentication level to a protected resource by declaring
and attaching a standard Tivoli Access Manager protected object policy (POP) to
the resource object. Authentication strength policy is set and stored in a POP
attribute called an IP Endpoint Authentication Method. WebSEAL always checks
for this attribute before it performs the standard algorithm of ACL checking
followed by POP and authorization rule checking.
Configuration of step-up policy
To establish an authentication strength policy, the administrator does the following:
1. Specify authentication levels.
2. Specify the authentication strength login form.
3. Create a protected object policy.
4. Specify network-based access restrictions.
5. Attach a protected object policy to a protected resource.
6. Enforce user identity match across authentication levels.
7. Control the login response for unauthenticated users.
Specifying authentication levels
To specify authentication levels you need to edit the [authentication-levels]
stanza in the WebSEAL configuration file. For each authentication method to be
used for authentication level step-up, add an entry to the stanza.
The supported authentication methods are described in Table 4-4.

Table 4-4 Authentication methods supported for authentication strength

Authentication Method               Configuration File Entry
None                                level = unauthenticated
Forms authentication                level = password
Token authentication                level = token-card
Certificate authentication          level = ssl
External authentication interface   level = ext-auth-interface

The default entries are:
level = unauthenticated
level = password

The following entry must always be the first in the list:
level = unauthenticated
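As an added illustration (not code from the study guide or from WebSEAL itself), the following Python model parses an [authentication-levels] stanza and applies the step-up decision described above: the level a POP requires is compared with the session's current level, a step-up to certificates is refused over plain HTTP, and the hypothetical step_up helper assumes the identity-match option is enforced. The stanza text and session values are constructed, and the POP's required level is assumed to be the entry's position in the stanza's ordered list.

```python
# Added model of WebSEAL's authentication-strength (step-up) decision.
# Illustrative simulation only, not IBM WebSEAL code.

# Constructed sample of the [authentication-levels] stanza.
SAMPLE_STANZA = """
[authentication-levels]
level = unauthenticated
level = password
level = token-card
level = ssl
"""

def parse_levels(text):
    """Return the ordered level list; list position is the level number.
    The 'level' key repeats, so the stanza is parsed by hand."""
    levels, in_stanza = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_stanza = line == "[authentication-levels]"
            continue
        if in_stanza and line.startswith("level"):
            levels.append(line.partition("=")[2].strip())
    if not levels or levels[0] != "unauthenticated":
        raise ValueError("first entry must be 'level = unauthenticated'")
    return levels

def evaluate(levels, session, required_level, scheme):
    """session: {'method': stanza entry, 'user': name or None}.
    required_level: assumed index form of the POP's IP Endpoint
    Authentication Method attribute. Returns 'allow', 'step-up' or 'deny'."""
    if required_level >= len(levels):
        raise ValueError("POP requires an undefined authentication level")
    if levels.index(session["method"]) >= required_level:
        return "allow"  # already at or above the required strength
    if levels[required_level] == "ssl" and scheme != "https":
        return "deny"  # certificates are valid only over an SSL connection
    return "step-up"  # re-prompt for login at the higher level, no logout

def step_up(levels, session, new_method, new_user):
    """Hypothetical helper: apply a step-up login with identity match enforced."""
    if session["user"] is not None and session["user"] != new_user:
        raise PermissionError("identity must match across authentication levels")
    if levels.index(new_method) <= levels.index(session["method"]):
        raise ValueError("step-up must move to a higher level")
    return {"method": new_method, "user": new_user}
```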