UPDATE! The community will go into read-only on April 19, 8am Pacific in preparation for migration on April 21.

Step-up authentication and fill in username automatically

We have a contract with username and password to protect a resource. If a user is in a specific group then we do a re-authenticate with another contract (step-up authentication).
This other contract is a RADIUS contract with username and tokencode. This is all working fine.

Now I want to achieve the following. On this second RADIUS contract I want to fill in the username automatically. Is there a way to auto-populate the username in this contract?

I've read the other posts in the forum on this topic but cannot find a solution.
8 Replies

On 22-02-2018 3:56 AM, gschouten32 wrote:
>
> We have a contract with username and password to protect a resource. If
> a user is in a specific group then we do a re-authenticate with another
> contract (step-up authentication).
> This other contract is a RADIUS contract with username and tokencode.
> This is all working fine.
>
> Now I want to achieve the following. On this second RADIUS contract I
> want to fill in the username automatically. Is there a way to
> auto-populate the username in this contract?
>
> I've read the other posts in the forum on this topic but cannot
> find a solution.


I don't believe it's possible unless you are willing to write your own auth class. You rely on the attributes being 'sent' to the login page, and the built-in class doesn't do that as far as I know.


--
Cheers,
Edward

Thanks for the answer.

I have never written an authentication class. Is there an example of creating a class with this feature? I found the information in the official documentation, but it is hard to read for me.

On 28-02-2018 10:54 PM, gschouten32 wrote:
>
> Thanks for the answer.
>
> I have never written an authentication class. Is there an example of
> creating a class with this feature? I found the information in the
> official documentation, but it is hard to read for me.


https://www.netiq.com/documentation/access-manager-44/nacm_enu/data/b8q6tv9.html

There's sample code as well:
https://www.netiq.com/documentation/access-manager-44/nacm_enu/data/b96adnj.html#b9cwkq0

Obviously doing RADIUS would require that you either write your own classes for that or utilize an existing framework out there. My guess is that NetIQ wrote their own implementation and those classes aren't part of the API documentation, so using those will be challenging.

--
Cheers,
Edward

On 28-02-2018 10:54 PM, gschouten32 wrote:
>
> Thanks for the answer.
>
> I have never written an authentication class. Is there an example of
> creating a class with this feature? I found the information in the
> official documentation, but it is hard to read for me.


OK, it seems I was a bit incorrect. If I chain a Kerberos method and a RADIUS method (RADIUS is 2nd) in a contract, the username is automatically populated in the RADIUS login page for me. It automatically populates the username, but you can't populate the field with specific user attributes.

--
Cheers,
Edward

Isn't the query string also picked up by the JSP request handler? So you could append &name=loginid.

Visit my Website for links to Cool Solution articles.

Thanks for the replies.

If I configure multiple methods (username/password and username/RADIUS token) on a contract, the username is automatically filled in on the second RADIUS method. So that's fine.
But then I get into another issue. Our design is as follows:

The user should first log in with username/password. If the user is then in a specific group, the user should authenticate again with a (RADIUS) token. We implemented this by doing a re-authenticate with another method (RADIUS) if the user is in the specific group.
So I cannot set both methods on the contract, because RADIUS is only required if the user is in a specific group, and so I need a separate RADIUS contract to get our design working.

I also tried the &name=loginid option, but unfortunately I cannot get this working. Maybe I am doing something wrong; is there an example for this?

> The user should first log in with username/password. If the user is then in a specific group, the user should authenticate again with a (RADIUS) token. We implemented this by doing a re-authenticate with another method (RADIUS) if the user is in the specific group.


How are you doing the reauthentication? Are you using risk-based authentication? With risk-based authentication you can have a second method (which would be triggered only if conditions are met) in the same contract.

Otherwise, if you are satisfied with SMS token authentication as the second step, you can use the authentication class written by Frode Sjovatsen (inspired by https://www.netiq.com/communities/cool-solutions/cool_tools/ba-authentication-modules-novell-access-manager/):
https://github.com/Rogaland/nam-smstoken

This class checks whether the user is already authenticated (with another contract), reads the current user's mobile attribute, generates an OTP and sends it by SMS, then shows the logon page for the one-time password.
So there is no check for the username.


//s
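The pattern the nam-smstoken class follows (user already authenticated by an earlier contract, attribute read from that session, no username check on the second page) is the property that matters for step-up, and it also answers the &name=loginid idea above: a query-string prefill only changes what the page displays, while whether the second contract trusts the submitted username is decided by the authentication class. The following is an added example, not code from the thread, from NAM, or from the nam-smstoken project: a self-contained Python model of a two-contract step-up in which the second contract binds to the principal established by the first. The user store, group DN, Session and TokenContract names, and the send callback standing in for the RADIUS/SMS back end are all constructed for the example.

```python
"""Step-up authentication model: a second contract bound to the user already
authenticated by the first. Added example, not NAM's or nam-smstoken's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample user store standing in for the LDAP user store behind the IdP.
USERS: Dict[str, dict] = {
    "alice": {"password": "alice-pw", "groups": {"cn=finance,o=corp"}, "mobile": "+31600000001"},
    "bob":   {"password": "bob-pw",   "groups": set(),                  "mobile": "+31600000002"},
}
STEP_UP_GROUP = "cn=finance,o=corp"   # members must also pass the token contract (assumed DN)
OTP_TTL_SECONDS = 120
MAX_OTP_ATTEMPTS = 3


@dataclass
class Session:
    """What the IdP keeps server-side for one browser session."""
    user: Optional[str] = None
    contracts: Set[str] = field(default_factory=set)     # contracts satisfied so far
    pending_otp: Optional[Tuple[str, float]] = None      # (sha256 of the code, expiry time)
    otp_attempts: int = 0


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def password_contract(session: Session, username: str, password: str) -> bool:
    """Contract 1: username and password. The only place where the form decides who the user is."""
    rec = USERS.get(username)
    # compare_digest keeps the comparison constant-time; the dummy value keeps timing
    # the same for unknown users.
    expected = rec["password"] if rec else "no-such-user"
    if rec is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return False
    session.user = username
    session.contracts.add("password")
    return True


def needs_step_up(session: Session) -> bool:
    """Policy: only members of STEP_UP_GROUP must re-authenticate with the token contract."""
    return session.user is not None and STEP_UP_GROUP in USERS[session.user]["groups"]


class TokenContract:
    """Contract 2: one-time code delivered out of band, bound to session.user.

    send(mobile, otp) stands in for the RADIUS/SMS back end; clock is injectable for tests.
    """

    def __init__(self, send: Callable[[str, str], None], clock: Callable[[], float] = time.time):
        self.send = send
        self.clock = clock

    def start(self, session: Session) -> Dict[str, object]:
        """Generate and send the code; return what the step-up login page should render."""
        if "password" not in session.contracts or session.user is None:
            raise PermissionError("token contract requires a prior password authentication")
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        session.pending_otp = (_digest(otp), self.clock() + OTP_TTL_SECONDS)
        session.otp_attempts = 0
        self.send(USERS[session.user]["mobile"], otp)
        # The username shown on the page comes from the session, never from a query string,
        # and is rendered read-only: the form cannot re-point the step-up at another account.
        return {"username": session.user, "username_readonly": True}

    def verify(self, session: Session, submitted_username: str, submitted_otp: str) -> bool:
        """Check the code against the session; the submitted username is only a consistency check."""
        if session.pending_otp is None:
            return False
        digest, expires_at = session.pending_otp
        session.otp_attempts += 1
        if self.clock() > expires_at or session.otp_attempts > MAX_OTP_ATTEMPTS:
            session.pending_otp = None          # expired or too many guesses: force a fresh code
            return False
        if submitted_username != session.user:
            return False                        # tampered form: the binding is the session, not the field
        if not hmac.compare_digest(digest.encode(), _digest(submitted_otp).encode()):
            return False
        session.pending_otp = None              # single use
        session.contracts.add("token")
        return True


if __name__ == "__main__":
    outbox = []
    token = TokenContract(send=lambda mobile, otp: outbox.append((mobile, otp)))
    s = Session()
    password_contract(s, "alice", "alice-pw")
    if needs_step_up(s):
        page = token.start(s)
        print("step-up page prefills", page["username"], "; code sent to", outbox[-1][0])
        print("verified:", token.verify(s, page["username"], outbox[-1][1]))
```

The design choice worth carrying over to a real authentication class is in `verify`: the account being stepped up is `session.user`, set only by the first contract, so a prefilled or even editable username field on the second page cannot change which account the token is checked against. Expiry, a small attempt limit, and single use are what keep a six-digit code from being guessed once the page is reachable.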

On 08-03-2018 1:46 AM, gschouten32 wrote:
>
> Thanks for the replies.
>
> If I configure multiple methods (username/password and username/Radius
> token) on a contract the username if automatically filled on the second
> Radius method. So that's fine.
> But then I get into another issue. Our design is as follows:
>
> User should first login with username/password. If a user is then in a
> specific group, the user should authenticate again with a (Radius)
> token. We implemented this by, if the user is in the specific group, do
> a re-authenticate with another method (Radius).
> So I cannot set on the contract both methods because Radius is only
> required if the user is in a specific group and so I need a separate
> Radius contract get our design working.


You want to look into risk-based authentication. You can do step-up auth based on group memberships.


--
Cheers,
Edward