Create the Multi Factor Authentication Chain scheme
Complete these steps to create the Multi Factor Authentication Chain scheme.
- In the SiteMinder Administrative UI, navigate to Infrastructure > Authentication > Authentication Schemes.
- Click Create Authentication Scheme, select Create a new object of type Authentication Scheme, and click OK.
- Enter a Name and Description for the authentication scheme.
- Select Protection Level, and define an additional measure of flexibility in access control (a level from 1 through 1000).
- Select Multi Factor Authentication Chain Template from the Authentication Scheme Type drop-down list.
- In Primary Authentication Scheme, specify the authentication scheme with which SiteMinder must perform primary authentication. Select one of the supported authentication scheme types for primary authentication, and then select an authentication scheme that has already been created for that type.
- (Only for Windows or Kerberos authentication schemes) From the Primary Authentication Fallback Scheme drop-down list, select the fallback scheme to use if primary authentication fails.
- In Secondary Authentication Scheme, specify the authentication scheme with which VIP performs secondary authentication. Select VIP Authentication Hub as the authentication scheme type, and then select the VIP Authentication Hub template that you created in the previous step. The authentication chain expression that results from this authentication scheme type is auto-populated in Expression. Token Issuer displays the tokenIssuer value of the OIDC app created in VIP that is associated with the selected secondary authentication scheme.
- In Signing Certificate Alias, specify the signing key alias of SiteMinder. This key signs the id_token_hint that is sent to VIP when SiteMinder performs the secondary user authentication.
- Select the algorithm that SiteMinder must use for signing the ID Token Hint from the Signing Algorithm drop-down list.
- (Optional) If you uploaded an ID Token Hint Encryption Key Pair in Import certificates into SiteMinder, modify the following values:
  - Encryption Certificate Alias: Select the ID Token Hint Encryption Key Pair that you imported earlier.
  - Encryption Algorithm: Set this based on your encryption policy.
  - Encryption Method: Set this based on your encryption policy.
- In Basic User Attribute Lookup, define the user attribute that is used to look up a user in the SiteMinder user store when generating the id_token_hint. The value of that attribute is carried in the id_token_hint. The possible values are:
  - user_attribute, the name of a physical lookup user attribute that contains the required value
  - virtual_attribute, as defined in the Attribute Mapping section of the user directory
  - SM_UNIVID, a SiteMinder reserved word that uses the UniversalID of a user, as configured in the user directory
- Select Enable Propagation of Extended User Attributes in ID Token Hint to allow SiteMinder to propagate an authentication context and a set of identity attributes to VIP.
- (Optional) To send custom claims in the ID Token Hint, specify the names of the required custom claims in Custom Claims in ID Token Hint. Click Add Claim to add another custom claim. For each custom claim, including the email claim, the corresponding claim/lookup must be configured in the Attribute Mapping List section of the corresponding user directory so that the claim values can be retrieved. All the defined custom claims are placed in the urn:iam:authn:userData section of the ID Token Hint in a key-multivalue attribute format.
- Click Save.
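As an added illustration (not SiteMinder code) of how the Basic User Attribute Lookup and Custom Claims settings above shape the claim set of the ID Token Hint: the sample user record, the stand-in for the Attribute Mapping List, and the internal keys `_virtual` and `_universal_id` are constructed assumptions; the claim layout beyond `sub` and `urn:iam:authn:userData` is likewise assumed.

```python
# Constructed sample user record (not from the page). "_virtual" stands for
# attributes defined under Attribute Mapping; "_universal_id" for UniversalID.
SAMPLE_USER = {
    "uid": "jdoe",
    "mail": ["jdoe@example.com", "john.doe@example.com"],
    "memberOf": ["cn=staff", "cn=vpn-users"],
    "_universal_id": "UNIVID-PLACEHOLDER-0001",
    "_virtual": {"empId": "E1001"},
}
# Stand-in for the Attribute Mapping List of the user directory (assumed).
ATTRIBUTE_MAPPING = {"email": "mail", "groups": "memberOf"}

def resolve_subject(user, lookup):
    """Apply the Basic User Attribute Lookup rule: the SM_UNIVID reserved word,
    a virtual attribute, or a physical attribute (first value if multivalued)."""
    if lookup == "SM_UNIVID":
        return user["_universal_id"]
    if lookup in user.get("_virtual", {}):
        return user["_virtual"][lookup]
    if lookup in user:
        value = user[lookup]
        return value[0] if isinstance(value, list) else value
    raise KeyError(f"lookup attribute {lookup!r} not found for user")

def build_user_data(user, custom_claims):
    """Resolve each configured custom claim through the attribute mapping into
    the key -> list-of-values ("key-multivalue") form; a claim with no mapping
    is an error rather than a silently empty claim."""
    data = {}
    for claim in custom_claims:
        attr = ATTRIBUTE_MAPPING.get(claim)
        if attr is None or attr not in user:
            raise KeyError(f"no attribute mapping resolves claim {claim!r}")
        value = user[attr]
        data[claim] = value if isinstance(value, list) else [value]
    return data

def build_claims(user, lookup, custom_claims=()):
    """Claim set for the hint: 'sub' from the lookup rule and, only when custom
    claims are configured, the urn:iam:authn:userData section."""
    claims = {"sub": resolve_subject(user, lookup)}
    if custom_claims:
        claims["urn:iam:authn:userData"] = build_user_data(user, custom_claims)
    return claims
```

The claim set is what SiteMinder would then sign with the key behind the Signing Certificate Alias, and optionally encrypt, before sending it to VIP.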
To configure a Multi Factor Authentication Chain Template authentication scheme using XPSExplorer, use the AuthChaining option.

Optionally, you can configure the VIP integration with SiteMinder to use OOB authentication. See (Optional) Configure OOB authentication in SiteMinder.