Chapter 4. Configuration and customization 125
4.4.4 Authentication strength policy (step-up)
WebSEAL supports many authentication methods that are described in 4.3,
“Supported WebSEAL authentication mechanisms” on page 114. WebSEAL
provides a feature that enables administrators to assign a ranking or level to
some of the supported authentication methods. Administrators can define an
ordered list that ranks each authentication method from lowest to highest. This
hierarchical ranking can be arbitrarily tailored to each individual WebSEAL
This set of authentication levels can be used to implement an authentication
strength policy. Authentication strength is sometimes referred to as
. Step-up authentication is not a unique authentication method like
forms-based or certificate-based authentication. Instead, it is a defined process
for requiring users to change their current authentication method to another
There is no absolute ranking between the authentication methods. No one
authentication method is inherently better or stronger than another method. The
ranking is simply a method for an administrator to define a relative level for each
authentication method for use with a specific Tivoli Access Manager WebSEAL
protected object namespace. The only rule governing the assignment of levels is
that the unauthenticated level is always lower than all other authenticated levels.
The following authentication methods can be assigned an authentication level:
Password authentication is limited to forms-based authentication. Basic
authentication is not supported as a step-up authentication level.
External authentication interface
Authentication strength is supported over both HTTP and HTTPS, with the
exception of certificate-based authentication. Because certificates are valid only
over an SSL connection, it is not possible to step up to certificates over HTTP.
Note: When a user activates authentication strength by attempting to access
a protected object, the user does not have to log out first. Instead, the user is
presented with a login prompt, and simply logs in again to the higher level.