Create the Multi Factor Authentication Chain scheme

Complete these steps to create the Multi Factor Authentication Chain scheme.
  1. In the SiteMinder Administrative UI, navigate to Infrastructure > Authentication > Authentication Schemes.
  2. Click Create Authentication Scheme, select Create a new object of type Authentication Scheme, and click OK.
  3. Enter a Name and Description for the authentication scheme.
  4. Set Protection Level to a value from 1 through 1000. The protection level gives you an additional measure of flexibility in access control.
  5. Select Multi Factor Authentication Chain Template from the Authentication Scheme Type drop-down list.
  6. Under Primary Authentication Scheme, specify the authentication scheme with which SiteMinder performs primary authentication: first select one of the authentication scheme types that are supported for primary authentication, and then select an existing authentication scheme of that type.
  7. (Windows or Kerberos primary authentication scheme only) From the Primary Authentication Fallback Scheme drop-down list, select the fallback scheme that SiteMinder must use if primary authentication fails.
  8. Under Secondary Authentication Scheme, specify the authentication scheme with which VIP performs secondary authentication: select VIP Authentication Hub as the authentication scheme type, and then select the VIP Authentication Hub template that you created earlier.
     The authentication chain expression for this authentication scheme type is populated automatically in Expression.
     Token Issuer displays the tokenIssuer value of the OIDC app created in VIP that is associated with the selected secondary authentication scheme.
  9. In Signing Certificate Alias, specify the alias of the SiteMinder signing key. SiteMinder uses this key to sign the id_token_hint that it sends to VIP when it performs the secondary user authentication.
  10. From the Signing Algorithm drop-down list, select the algorithm that SiteMinder must use to sign the ID Token Hint.
  11. (Optional) If you uploaded an ID Token Hint Encryption Key Pair in Import certificates into SiteMinder, set the following values:
    1. Encryption Certificate Alias: Select the ID Token Hint Encryption Key Pair that you imported earlier.
    2. Encryption Algorithm: Set this value according to your encryption policy.
    3. Encryption Method: Set this value according to your encryption policy.
  12. In Basic User Attribute Lookup, define the user attribute that SiteMinder uses to look up the user in the SiteMinder user store when it generates the id_token_hint. The value of this attribute is carried in the id_token_hint.
     The possible values are:
     • user_attribute, the name of a physical user attribute that contains the required value
     • virtual_attribute, as defined in the Attribute Mapping section of the user directory
     • SM_UNIVID, a SiteMinder reserved word that uses the UniversalID of the user, as configured in the user directory
  13. Select Enable Propagation of Extended User Attributes in ID Token Hint to have SiteMinder propagate an authentication context and a set of identity attributes to VIP.
  14. (Optional) To send custom claims in the ID Token Hint, enter the names of the required custom claims in Custom Claims in ID Token Hint. Click Add Claim to add another custom claim. For each custom claim, including the email claim, the corresponding claim/lookup must be configured in the Attribute Mapping List section of the corresponding user directory so that the claim values can be retrieved. All the defined custom claims are carried in the urn:iam:authn:userData section of the ID Token Hint in a key-multivalue attribute format.
  15. Click Save.
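The fields in steps 9 through 14 shape the id_token_hint that SiteMinder sends to VIP. The following Python script is an added example, not code from SiteMinder or VIP: it resolves the Basic User Attribute Lookup in the three forms listed above, builds the urn:iam:authn:userData section as key-multivalue lists, refuses a custom claim that has no Attribute Mapping entry, and signs and then verifies the hint. The sub/iat/exp claims, the dict layout standing in for the user directory configuration, the sample user record and the HS256 shared secret (standing in for the Signing Certificate Alias key pair and the Signing Algorithm you select) are assumptions made so the script runs offline, not documented SiteMinder behaviour.

```python
"""Assemble and verify an id_token_hint shaped as this page describes.

Added example, not SiteMinder or VIP code. The sub/iat/exp claims, the dict
layout of the user directory, and the HS256 shared-secret signature (in place
of the Signing Certificate Alias key pair) are assumptions for offline use.
"""
import base64
import hashlib
import hmac
import json
import time

USERDATA_CLAIM = "urn:iam:authn:userData"   # claim name given on the page
SM_UNIVID = "SM_UNIVID"                      # SiteMinder reserved word for the UniversalID


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def resolve_lookup(user: dict, directory: dict, lookup: str) -> str:
    """Resolve Basic User Attribute Lookup to the single value carried in the hint.

    Tries the three forms named on the page: SM_UNIVID, a virtual attribute from
    the directory's Attribute Mapping, then a physical attribute name.
    """
    if lookup == SM_UNIVID:
        return user[directory["universal_id_attribute"]][0]
    mapping = directory.get("attribute_mapping", {})
    if lookup in mapping:                        # virtual attribute -> physical attribute
        return user[mapping[lookup]][0]
    if lookup in user:                           # physical attribute
        return user[lookup][0]
    raise KeyError(f"lookup {lookup!r} matches nothing in the user store")


def build_userdata(user: dict, directory: dict, custom_claims: list) -> dict:
    """Build the key-multivalue userData section; each claim needs an Attribute Mapping entry."""
    mapping = directory.get("attribute_mapping", {})
    userdata = {}
    for claim in custom_claims:
        if claim not in mapping:
            raise ValueError(f"custom claim {claim!r} has no Attribute Mapping entry")
        userdata[claim] = list(user.get(mapping[claim], []))   # always a list, even for one value
    return userdata


def sign_id_token_hint(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Compact JWS over the claims. Only HS256 is implemented in this stand-alone example."""
    if alg != "HS256":
        raise ValueError(f"alg {alg!r} is not supported by this example")
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token_hint(token: str, secret: bytes, expected_alg: str = "HS256", now=None) -> dict:
    """Check alg, signature and expiry before any claim is read."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != expected_alg:        # pin the algorithm; never trust the header alone
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Constructed sample data standing in for a user-store entry and a user directory
# configuration; none of these values are real.
SAMPLE_USER = {
    "uid": ["jdoe"],
    "mail": ["jdoe@example.com"],
    "memberOf": ["staff", "vpn"],
    "objectGUID": ["3f2a-0001"],
}
SAMPLE_DIRECTORY = {
    "universal_id_attribute": "objectGUID",
    "attribute_mapping": {"email": "mail", "groups": "memberOf"},
}
SAMPLE_SECRET = b"example-shared-secret-not-for-production"


def make_hint(lookup: str, custom_claims: list, issued_at: int = 1_700_000_000) -> str:
    """Assemble and sign the hint: lookup value as sub, custom claims under urn:iam:authn:userData."""
    claims = {
        "sub": resolve_lookup(SAMPLE_USER, SAMPLE_DIRECTORY, lookup),
        "iat": issued_at,
        "exp": issued_at + 300,
        USERDATA_CLAIM: build_userdata(SAMPLE_USER, SAMPLE_DIRECTORY, custom_claims),
    }
    return sign_id_token_hint(claims, SAMPLE_SECRET)


if __name__ == "__main__":
    hint = make_hint(SM_UNIVID, ["email", "groups"])
    print(json.dumps(verify_id_token_hint(hint, SAMPLE_SECRET, now=1_700_000_001), indent=2))
```

The verifier pins the expected algorithm rather than trusting the token header, and checks the signature before it parses the claims; those are the two checks to insist on in any consumer of these hints, whichever key type and Signing Algorithm you configure in the scheme.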
To configure a Multi Factor Authentication Chain Template authentication scheme using XPSExplorer, use the AuthChaining option.
Optionally, you can configure the VIP integration with SiteMinder to use OOB authentication. See (Optional) Configure OOB authentication in SiteMinder.