Implementing Silent Attribute-Based Authentication (ABA) in IDSP
Article ID: 434355

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

An organization wants to implement a "silent" background authentication check using the Attribute-Based Authentication (ABA) factor. Specifically, if a specific claim (e.g., mobile_no) exists in an existingIDToken, the system should verify it against an LDAP attribute silently without user intervention. If the attribute is missing or does not match, the system should fall back to a standard challenge like SMS OTP.

Environment

  • Product: Symantec Identity Security Platform (IDSP) / VIP Authentication Hub
  • Version: all

Cause

The Symantec Identity Security Platform (IDSP) policy engine does not natively automate the execution of authentication factors. It returns "obligations" or required factors based on policy evaluation, but the actual invocation of a "silent" factor must be handled by the calling application or an API gateway.

Resolution

To achieve a silent authentication experience, the authentication flow must be coordinated between the IDSP policies and the client application.

1. Initiate the Authentication Flow

The client application must call the /authenticate API using the existingIDToken that contains the required metadata (e.g., mobile_no). Ensure the amr (Authentication Methods Reference) claim is not populated in this initial token to allow the policy to evaluate the necessary factors.

2. Configure Authentication Policies

Define policies in the IDSP Admin Console to return specific obligations based on the presence and value of the attribute:

  • Condition (Match): If the mobile_no in the ID Token matches the value in the IDPROFILE (LDAP), return the obligation ABA:2 (following PWD:1).
  • Condition (No Match): If there is no match, return the obligation SMSOTP:2.

3. Background Execution

When the application receives the ABA factor as an available requirement from the IDSP response:

  • The application or gateway should immediately invoke the ABA factor API call in the background.
  • Because this occurs without a UI prompt, the user experience remains transparent and uninterrupted.

4. Verification of AMR Values

Upon successful background verification, the final generated token's amr claim will include the ABA factor.
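The four steps above as one gateway-side orchestration, added here as an example and not taken from IDSP or this article. The `send(path, body)` transport, the `/authenticate/factor/<name>` path, the `factors` and `idToken` field names and the `fake_idsp` stand-in (with its constructed IDPROFILE data) are assumptions; the factor names PWD:1 / ABA:2 / SMSOTP:2, the no-amr precondition and the final amr check come from the steps above.

```python
import base64
import json
from typing import Any, Callable, Dict

# Assumed (hypothetical) IDSP wire format: send(path, body) -> JSON dict;
# /authenticate returns {"factors": [...]}, factor calls return {"idToken": jwt}.
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]

def jwt_claims(token: str) -> Dict[str, Any]:
    """Decode a JWT payload without verifying it (claims are only inspected;
    IDSP issued the token and is the party that validates it)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def silent_aba_login(id_token: str, send: Transport,
                     prompt_otp: Callable[[], str]) -> Dict[str, Any]:
    # Step 1: the existing token must not carry amr, or the policy will not
    # return the factors we expect it to evaluate.
    if "amr" in jwt_claims(id_token):
        raise ValueError("existingIDToken must not contain an amr claim")
    factors = send("/authenticate", {"existingIDToken": id_token}).get("factors", [])
    # Step 3: policy returned ABA (mobile_no matched LDAP) -> run it silently.
    if "ABA:2" in factors:
        used, body = "ABA", {"existingIDToken": id_token}
    elif "SMSOTP:2" in factors:  # no match -> fall back to a visible challenge
        used, body = "SMSOTP", {"existingIDToken": id_token, "otp": prompt_otp()}
    else:
        raise RuntimeError(f"unexpected factors from policy: {factors}")
    final = send(f"/authenticate/factor/{used}", body)  # assumed path
    # Step 4: verify the final token's amr records the factor that ran
    # (this is exactly what the 4.0.1 mapping defect noted below breaks).
    amr = jwt_claims(final["idToken"]).get("amr", [])
    return {"factor": used, "amr": amr, "amr_ok": used in amr}

# --- constructed offline stand-in for IDSP, so the flow can be exercised ---
LDAP_MOBILE = {"alice": "+15550100", "bob": "+15550200"}  # constructed IDPROFILE

def _jwt(claims: Dict[str, Any]) -> str:
    """Unsigned, constructed JWT for the demo only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def fake_idsp(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
    claims = jwt_claims(body["existingIDToken"])
    if path == "/authenticate":  # policy: compare token mobile_no with LDAP
        match = LDAP_MOBILE.get(claims["sub"]) == claims.get("mobile_no")
        return {"factors": ["PWD:1", "ABA:2" if match else "SMSOTP:2"]}
    factor = path.rsplit("/", 1)[1]  # factor endpoint: issue token with amr
    return {"idToken": _jwt({"sub": claims["sub"], "amr": ["PWD", factor]})}
```

Swap `fake_idsp` for a real HTTP transport and `prompt_otp` for your UI callback; `amr_ok` being False after an ABA run is the symptom of the known defect described in the note below.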

Additional Information

Note on Known Defect: In versions 4.0.1 and earlier, a software defect may prevent the ABA AMR from being correctly mapped into the final Identity Token. This is scheduled for resolution in version 4.0.2. Refer to: Attribute-Based Authenticator Factor fails to set AMR in ID Token.