Chapter 4. Configuration and customization 127
Additional entries can be placed in any order after the unauthenticated entry;
the position of each entry in the stanza determines its level number.
For example, to define three authentication strength levels with certificate
authentication as the strongest, the completed [authentication-levels] stanza
would be:
[authentication-levels]
level = unauthenticated
level = password
level = ssl
In this example, certificate authentication must be configured in delayed
certificate authentication mode, because the user is not required to present a
certificate at session start-up. The user can initiate certificate
authentication later, when a resource demands the ssl level.
Delayed certificate authentication mode is enabled in WebSEAL by the following
entry in the [certificate] stanza:
accept-client-certs = prompt_as_needed
4.4.5 External authentication interface (EAI)
Tivoli Access Manager provides an external authentication interface that enables
you to extend the functionality of the WebSEAL authentication process. The
external authentication interface allows third-party systems to supply an
authenticated identity to WebSEAL and Web-server Plug-ins. The identity
information is then used to generate a credential. This extended authentication
functionality is similar to the existing custom authentication module capability
provided by the Web security external authentication C API (formerly known as
CDAS). However, the external authentication interface allows the user identity to
be supplied in HTTP response headers rather than through the authentication
module API interface.
EAI is described in more detail in Chapter 5, “Programming” on page 181.
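The following is an added example, not code from the Redbook or from Tivoli
Access Manager, of what an EAI application actually returns to WebSEAL: a small
WSGI service whose login handler answers a successful POST with the identity
headers WebSEAL turns into a credential. It assumes WebSEAL junctions this
server, that the [eai] stanza keeps the default header names (am-eai-user-id,
am-eai-auth-level, am-eai-xattrs) and that /eai/login is configured as a
trigger URL; the user table and attribute values are constructed sample data.

```python
"""Minimal EAI application for WebSEAL, written as a WSGI callable.

Added example, not from the Redbook or from Tivoli Access Manager. Assumed
WebSEAL configuration (shown for orientation only):

    [eai]
    eai-auth = https
    eai-user-id-header = am-eai-user-id
    eai-auth-level-header = am-eai-auth-level
    eai-xattrs-header = am-eai-xattrs

    [eai-trigger-urls]
    trigger = /eai/login

WebSEAL examines response headers only for requests that match a trigger URL,
so the identity headers returned here are acted on only for that path.
"""
import hmac
from urllib.parse import parse_qs

# Constructed sample user store: username -> (password, extended attributes).
USERS = {
    "alice": ("s3cret", {"department": "finance"}),
}

# Default EAI header names (assumption: the [eai] stanza was not customized).
EAI_USER_ID = "am-eai-user-id"
EAI_AUTH_LEVEL = "am-eai-auth-level"
EAI_XATTRS = "am-eai-xattrs"


def authenticate(username, password):
    """Return the user's extended attributes on success, else None."""
    record = USERS.get(username)
    if record is None:
        return None
    stored, attrs = record
    # Constant-time comparison; a real deployment would verify a hash instead.
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return attrs


def eai_login(form):
    """Build the EAI response for a parsed login form.

    Returns (status, headers, body). On failure no EAI headers are sent at
    all, so WebSEAL leaves the session unauthenticated.
    """
    user = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    attrs = authenticate(user, password)
    if attrs is None:
        return "401 Unauthorized", [("Content-Type", "text/plain")], b"login failed\n"
    headers = [
        ("Content-Type", "text/plain"),
        (EAI_USER_ID, user),       # identity WebSEAL builds the credential from
        (EAI_AUTH_LEVEL, "1"),     # authentication level to record (assumed value)
        # am-eai-xattrs lists header names; each named header becomes a
        # credential extended attribute. Only server-chosen names go here,
        # never names taken from the client request.
        (EAI_XATTRS, ",".join(attrs)),
    ]
    headers.extend(attrs.items())
    return "200 OK", headers, b"ok\n"


def app(environ, start_response):
    """WSGI entry point: only the trigger URL accepts a login POST."""
    if environ.get("REQUEST_METHOD") != "POST" or environ.get("PATH_INFO") != "/eai/login":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8"))
    status, headers, body = eai_login(form)
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The security-relevant point is that the EAI headers are meaningful only in a
response WebSEAL receives on a trigger URL, and that the application, not the
client, decides which header names am-eai-xattrs lists; reflecting client
supplied names there would let a caller choose what lands in the credential.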
4.4.6 No authentication
Any user who can reach WebSEAL but has not authenticated is treated as an
unauthenticated user. This category can still be granted permissions: ACLs
carry an explicit unauthenticated entry, so a protected object can be made
accessible without a logon.
Important: This note applies to the authentication strength (step-up)
configuration described earlier in this section. To perform step-up
authentication successfully, you must disable the use of SSL session IDs to
track session state: verify that ssl-id-sessions in the [session] stanza of the
WebSEAL configuration file is set to no (the default). SSL session IDs cannot
be used to maintain user sessions here because, when the user is prompted for a
certificate, the SSL handshake is renegotiated and the user's SSL session ID
changes, so a session keyed on it would be lost in the middle of the step-up.
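As an added example, not part of the Redbook or of WebSEAL, the check below
ties together the three settings this section requires for step-up to the ssl
level: the [authentication-levels] ordering, accept-client-certs in
[certificate], and ssl-id-sessions in [session]. It parses stanza-style
configuration text (WebSEAL allows the same key, such as level, to repeat
within a stanza, so a plain INI parser will not do) and reports the entries
that would break step-up. The weak and corrected configurations are
constructed samples.

```python
"""Consistency check for a WebSEAL step-up (authentication strength) setup.

Added example, not from the Redbook or from WebSEAL. Parses stanza text with
repeated keys and reports settings that defeat step-up to the ssl level.
"""

# Constructed sample: certificate step-up declared, but certificate mode and
# session tracking left in a state where the step-up cannot complete.
WEAK_CONFIG = """
[authentication-levels]
level = unauthenticated
level = password
level = ssl

[certificate]
accept-client-certs = optional

[session]
ssl-id-sessions = yes
"""

# Constructed sample: the same levels with the entries the chapter requires.
FIXED_CONFIG = """
[authentication-levels]
level = unauthenticated
level = password
level = ssl

[certificate]
accept-client-certs = prompt_as_needed

[session]
ssl-id-sessions = no
"""


def parse_stanzas(text):
    """Return {stanza: [(key, value), ...]}, preserving order and duplicates."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed or orphaned entry: {raw!r}")
        stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def values(stanzas, stanza, key):
    """All values of key in stanza, in file order (empty list if absent)."""
    return [v for k, v in stanzas.get(stanza, []) if k == key]


def check_step_up(stanzas):
    """Return a list of findings; an empty list means step-up looks coherent."""
    findings = []
    levels = values(stanzas, "authentication-levels", "level")
    # Level numbers follow entry order, and level 0 must be unauthenticated.
    if not levels or levels[0] != "unauthenticated":
        findings.append("[authentication-levels]: first level entry must be unauthenticated")
    if "ssl" in levels:
        # The last occurrence wins if the key was repeated.
        mode = values(stanzas, "certificate", "accept-client-certs")
        if mode[-1:] != ["prompt_as_needed"]:
            findings.append("[certificate]: accept-client-certs must be prompt_as_needed "
                            "so certificate authentication can be requested later")
    if len(levels) > 1:
        # Prompting for a certificate renegotiates the SSL session, so a
        # session keyed on the SSL ID is lost in the middle of the step-up.
        if values(stanzas, "session", "ssl-id-sessions")[-1:] == ["yes"]:
            findings.append("[session]: ssl-id-sessions must be no for step-up")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_step_up(parse_stanzas(text)) or ["ok"])
```

Run against the real webseald.conf by reading the file into parse_stanzas;
the checks deliberately take the last value of a repeated key, which is how a
later duplicate entry silently overrides an earlier one.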