Below describe one way to implement MFA with Siteminder.
Release : 12.8.03
NOTE --> Please note that the JSP files are written by Broadcom Solutiont team and are not supported officially by Broadcom Siteminder Support
############ Steps to implement ##############
- attached 2 JSP files to be used as sample based on the below implementation:
* you can use any existing auth Scheme you have which can be also custom auth Scheme ( we will call it Auth_scheme_2nd_step_login) . You will need to change the AuthLevel and set it to 10.
* create an "HTML form template" Auth scheme with AuthLevel set to 5 (will call it Auth_scheme_1st_step_login in this example ) . This Auth Scheme will be used as first factor , this will be used as a 1st step authentication factor
* create an "HTML form template" Auth scheme with AuthLevel set to 10 (will call it Auth_scheme_MFA in this example ). Fill in the Web server name and port used and set the Target to --> /login/auth_redirect.jsp (attached jsp file) . This auth Scheme will be used to protect your Application Resource
* on your webserver end , create a Directory with the name /mfa
* copy the redirect.jsp (also attached) file under the /mfa directory
* change your application Realm and set the Auth scheme to --> "Auth_scheme_MFA" (AuthLevel 10)
* create a realm to protect /mfa* and set the Auth scheme to --> "Auth_scheme_1st_step_login" (AuthLevel 5)
* create a realm to protect /mfa/redirect.jsp* and set the Auth scheme to --> "Auth_scheme_2nd_step_login" (AuthLevel 10)
*** Flow of transaction
* user access the Application protected resource
* Siteminder redirect the user to /login/auth_redirect.jsp where the Initial Target is preserved and a redirect to /mfa/redirect.jsp is triggered
* Browser follows redirect to /mfa/redirect.jsp where the /mfa* realm will trigger and user us presented by the "Auth_scheme_1st_step_login" auth Scheme logon
* After successful login , SMSESSION with AuthLevel 5 is generated and user is sent to /mfa/redirect.jsp
* as SMSESSION exists , user clears the first Realm and hit the second Realm where the session is determined to have a lower auth Level from what is needed and user is challenged by 2nd auth Scheme (Auth_scheme_2nd_step_login)
* user process Auth through "Auth_scheme_2nd_step_login" and a new SMSESSION is generated with AuthLevel 10
* Browser performs a GET on the /mfa/redirect.jsp* and this time since an SMSESSION with AuthLevel 10 exists , the user is Az to the resource .
* The redirect.jsp read the preserved Initial Target from session and sends the user to it (initial target is the application Resource)
* user attempts to access the application Resource this time with smsession with the needed AuthLevel 10 and is allowed access to app