ChainAuth not honouring the JWT Authscheme generated session protection level

Article ID: 250044

Products

VIP Authentication Hub

Issue/Introduction

Use case:

- A JWT Authscheme is used to generate a session with Protection Level 5.
- The user then navigates to a ChainAuth-protected realm that has a higher Protection Level.

ChainAuth Protection Level 100:
1. HTML Authentication with Protection Level 5
2. MFA Authentication with Protection Level 100

Expectation:
The SMSESSION generated from the JWT has Protection Level 5, so when the user navigates to the ChainAuth realm, the first factor (HTML), which has the same protection level, should be bypassed and only the second factor (MFA) should be challenged.

Actual:
The first factor (HTML) is presented and not bypassed.

Environment

Release : 12.8

Component : Default-Sym

Cause

When JWT Authentication is used, AMR is expected at the next authentication challenge.

The AMR was not available, so the first factor could not be bypassed.

Resolution

1. AMR needs to be made available when attempting higher level authentication.
2. The SiteMinder component needs to be at Jun.01.

AuthHub needs to be at (Drop8 Jun.04) and SiteMinder at (Jun.01) (Build 12.8.6.2824 or higher).