
SSO to NAAF in the middle of a contract

I have a curious case. A contract with the method of Secure Password Form plus an NAAF authentication. As the user does not have any method enrolled in NAAF, he is redirected to NAAF to enroll a method. I want to do SSO by injecting the credentials, but the cn does not pick it up, I suppose because the contract was not successfully terminated. What attribute can I use to inject the identity into the NAAF login HTTP header in account/basic?

Regards

  • 0  

    Hi Jose, to help with your query, are you asking how to authenticate into the AAF /account portal so a user can enroll the methods (similar to this older Tip, "Using Access Manager to single sign-on to Advanced Authentication enrollment service"), or is it another flow you are asking about?

  • 0 in reply to   

    Yes, I am following exactly this tip, and it works correctly for the SSO to the enrollment portal. The problem is when the user has not yet successfully completed the authentication as he does not have any NAAF method enrolled and therefore has not been able to complete the second method of the NAM authentication contract.

  • 0   in reply to 

    Can you send me an example of the flow you are trying to configure that is failing? It is not clear. What AA methods in the chain have you configured for the event?

    Do you mean that if the Event only requires LDAP PASSWORD for authentication there is no issue, but if a second method in the chain is added the authentication fails?

  • 0 in reply to   

    Hi Shane,

    The problem is not with the configured chains. The flow is as follows:
    - The user authenticates to NAM with a contract made up of two methods:
      - It first successfully authenticates with the Secure Name Password Form method.
      - The NAAF method recognizes that the user has not enrolled any method in NAAF and the message appears indicating "You do not have the double factor enrolled. Please click here (7DC767BE503D83F9)". When you click "click here" it takes you to mfa.acme.com/account/basic.
    - An Identity Injection policy attempts to inject credentials in the form username:LDAP_PASSWORD:1 plus the password.
    This injection does not work since neither the username nor the password is yet available to the credential injection policy. Furthermore, I think that the virtual attribute with the username has not even been reported, as the NAM authentication contract has not been completed.