Are Authentication Levels from modules summed?

Are Authentication Levels from modules summed?

Michael B Alexander

On OpenAM 11.0.3 should the authentication levels for two distinct modules in a service be summed?

I would like to write a new auth module that uses the AMA in Windows to learn if an account has signed on to the computer with certain Certificates and increase the AuthLevel for the session based on membership of these groups. This module would be in the same service as WDSSO and uses the authenticated user to query AD memberships.

I'm using HOTP now and it doesn't look like they're summed.

I have two modules configured in a service, both as Required: an LDAP module named vendorPass and an HOTP module named HOTP.

LDAP auth level is 5. HOTP is 15.

/app/openam/AdminTools/openam/bin/ssoadm get-auth-instance -u amadmin -f <file> -e /<realm> -m vendorPass | grep auth-level

iplanet-am-auth-ldap-auth-level=5

/app/openam/AdminTools/openam/bin/ssoadm get-auth-instance -u amadmin -f <file> -e /<realm> -m HOTP | grep -i authlevel

sunAMAuthHOTPAuthLevel=15

Looking at the session property in the agent debug:

<Property name="AuthType" value="vendorPass|HOTP"></Property>

<Property name="IndexType" value="service"></Property>

But the auth level in the session property is 15:

<Property name="AuthLevel" value="15"></Property>

I would have thought it would be 5 + 15 = 20.


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Are Authentication Levels from modules summed?

Bernhard Thalmayr
On 09/02/17 at 13:00, Michael Alexander wrote:
> On OpenAM 11.0.3 should the authentication levels for two distinct
> modules in a service be summed?

No, the level of the last module (in the chain) is set.

-Bernhard



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr


Re: Are Authentication Levels from modules summed?

oliver austin
In reply to this post by Michael B Alexander
If an authentication chain contains requisite or required modules that were not executed due to the presence of a passing sufficient module in front of them, the session's authentication level is calculated to be whichever is greater: the highest authentication level of any authentication module that passed, or the highest authentication level of requisite or required modules that were not executed.
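The rule Oliver states above, as an added example (not OpenAM's own code): a small Python model of a JAAS-style chain that computes the session AuthLevel as the greater of the highest level among modules that passed and the highest level among required/requisite modules skipped by a passing sufficient module, never as a sum. The Module class, the run_chain function and the sample chains are constructed for illustration; the chain with vendorPass at level 5 and HOTP at level 15 reproduces the AuthLevel of 15 reported in the original post.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed model of an OpenAM authentication chain (not OpenAM's own code).
# Flags are the JAAS control flags an OpenAM chain uses.

@dataclass
class Module:
    name: str
    flag: str          # "REQUIRED", "REQUISITE", "SUFFICIENT" or "OPTIONAL"
    auth_level: int    # the module instance's configured auth level


def run_chain(chain: List[Module], outcomes: Dict[str, bool]) -> Tuple[bool, int]:
    """Simulate the chain and return (chain_succeeded, session_auth_level).

    outcomes maps each module name to whether that module would pass.
    The level is never a sum: it is the maximum over modules that passed
    and over REQUIRED/REQUISITE modules that were skipped because an
    earlier SUFFICIENT module passed (the rule quoted in this thread).
    """
    passed: List[Module] = []
    skipped: List[Module] = []
    required_failed = False            # a REQUIRED module failed earlier on
    for i, module in enumerate(chain):
        ok = outcomes[module.name]
        if ok:
            passed.append(module)
            # A passing SUFFICIENT module ends the chain unless a REQUIRED module
            # already failed; later REQUIRED/REQUISITE modules are then skipped.
            if module.flag == "SUFFICIENT" and not required_failed:
                skipped = [m for m in chain[i + 1:] if m.flag in ("REQUIRED", "REQUISITE")]
                break
        elif module.flag == "REQUISITE":
            return False, 0            # REQUISITE failure stops the chain at once
        elif module.flag == "REQUIRED":
            required_failed = True     # chain continues but can no longer succeed
    if required_failed or not passed:
        return False, 0
    return True, max(m.auth_level for m in passed + skipped)


# Constructed sample chains. The first mirrors the original post: two REQUIRED
# modules at levels 5 and 15 give a session level of 15, not 20.
ORIGINAL_POST_CHAIN = [Module("vendorPass", "REQUIRED", 5), Module("HOTP", "REQUIRED", 15)]
SUFFICIENT_CHAIN = [Module("cert", "SUFFICIENT", 10), Module("HOTP", "REQUIRED", 15)]

if __name__ == "__main__":
    print(run_chain(ORIGINAL_POST_CHAIN, {"vendorPass": True, "HOTP": True}))  # (True, 15)
    print(run_chain(SUFFICIENT_CHAIN, {"cert": True, "HOTP": False}))          # (True, 15)
```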

Re: Are Authentication Levels from modules summed?

Michael B Alexander
Thank you Oliver, and Bernhard.

That explains the behavior I am seeing and answers my question. I can proceed with our module design based on this information.

If the WDSSO module in the chain succeeds the auth level will be 2, for example.
If the module we develop for AMA succeeds, we'll set it to 3; otherwise it fails and the level remains 2. We'll just need to use it with the normal PAM configuration guidance.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of oliver austin
Sent: Saturday, February 11, 2017 4:39 AM
To: [hidden email]
Subject: Re: [OpenAM] Are Authentication Levels from modules summed?
