IBM Verify

  • 1.  Using Kerberos + Forms auth + 2FA from Authentication Policy

    Posted Tue February 18, 2020 02:47 AM
    Hi Isamers,

    I am looking into different solutions for implementing a particular requirement in our IDP.

    This IDP authenticates users against our Active Directory. This is done transparently for the user via Kerberos, or with a forms auth (user/password) fallback if needed.

    We now want to add support for 2FA on this IDP, by requiring the user to use an additional authentication method (TOTP / authenticator app / FIDO2 / ...).
    The main idea was to build an authentication policy consisting of different mechanisms, which would handle the logic needed to prompt the user for authentication as needed.


    I am unable to find any documentation or discussion about how to implement an authentication mechanism allowing some degree of interaction with the Kerberos auth method.

    What I would like to build is some kind of auth policy like this:
    - 1. Kerberos: if a Kerberos token is provided by the browser, use it to obtain the user identity, otherwise fall back to forms auth.
    - 2. Forms auth (user/password): if the user hasn't authenticated via Kerberos, check the posted user/password against Active Directory.
    - 3. 2FA step: depending on the requested/needed auth level, the user should be forced to use an additional authentication method (it could be any of the 2FA methods supported by ISAM).


    Is this something that is even possible? Or are there technical limitations that make this impossible?

    Thanks a lot for any tips that could lead to a solution for this requirement.

    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: Using Kerberos + Forms auth + 2FA from Authentication Policy

    Posted Wed February 19, 2020 03:16 AM
    Hi André,

    Yes, this is possible; I have a client where this scenario is set up. (Wish we could use a RADIUS server as an additional 2FA method for step 3, though.)
    You have to tackle each step one by one.

    ------------------------------
    Peter Gierveld
    Security Architect
    SecurIT
    Amsterdam
    ------------------------------



  • 3.  RE: Using Kerberos + Forms auth + 2FA from Authentication Policy
    Best Answer

    Posted Wed February 19, 2020 06:06 PM
    Hello André,

    We have been running a similar setup for quite a long time:

    1. Client Certificate (Optional)
    2. Desktop SSO (Kerberos)
    3. Forms Auth. (User/Password or RSA Token)
    4. TOTP (Step Up in case required)

    We do it like this:

    1.-3. Configure the reverse proxy: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/wrp_config/concept/con_authe_methods.html

    4. Configure on AAC/Federation using an access policy: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/access_policies.html

    Hope this helps,
    Juergen

    ------------------------------
    Jürgen Hitt
    ------------------------------
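The flow asked for in the question (Kerberos first, forms fallback, step-up to a second factor only when the target requires it) and the layered setup in the answer above, as an added stand-alone model that is not part of this thread and is not the ISAM access-policy API: the `request` and `directory` objects, the level constants and the sample credentials are all constructed for illustration.

```javascript
// Constructed authentication levels for this model: 1 = primary authentication
// (Kerberos or forms), 2 = primary plus a second factor (TOTP, FIDO2, ...).
const LEVEL_PRIMARY = 1;
const LEVEL_SECOND_FACTOR = 2;

// Decide the next action for a request.
//   request:   { kerberosToken, formsCredential: {username, password},
//                secondFactorDone, requiredLevel }   (all fields optional)
//   directory: stand-in for Active Directory with validateKerberos/checkPassword
// Returns { action: 'ALLOW'|'PROMPT_FORMS'|'PROMPT_2FA'|'DENY', user, level, detail }.
function nextStep(request, directory) {
  let user = null;

  // Step 1: Kerberos. A ticket supplied by the browser yields the identity.
  // An absent or invalid ticket is not a denial: the thread's design falls
  // back to forms authentication instead.
  if (request.kerberosToken) {
    user = directory.validateKerberos(request.kerberosToken); // null if invalid
  }

  // Step 2: forms fallback. Only checked when Kerberos gave no identity.
  if (!user) {
    if (!request.formsCredential) {
      return { action: 'PROMPT_FORMS' };
    }
    const { username, password } = request.formsCredential;
    user = directory.checkPassword(username, password);
    if (!user) {
      return { action: 'DENY', detail: 'invalid username or password' };
    }
  }

  // Step 3: step-up. The second factor is demanded only when the requested
  // resource needs level 2 and the session has not completed it yet; a
  // level-1 resource never prompts for it.
  if ((request.requiredLevel || LEVEL_PRIMARY) >= LEVEL_SECOND_FACTOR &&
      !request.secondFactorDone) {
    return { action: 'PROMPT_2FA', user };
  }
  const level = request.secondFactorDone ? LEVEL_SECOND_FACTOR : LEVEL_PRIMARY;
  return { action: 'ALLOW', user, level };
}

// Constructed directory stand-in; real deployments validate against AD/KDC.
const sampleDirectory = {
  validateKerberos: (token) => (token === 'TICKET-alice' ? 'alice' : null),
  checkPassword: (u, p) => (u === 'bob' && p === 'correct horse' ? 'bob' : null),
};
```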



  • 4.  RE: Using Kerberos + Forms auth + 2FA from Authentication Policy

    Posted Fri February 21, 2020 03:01 AM
    Hi Jürgen and Peter,

    Thank you both for the tips.

    After looking at your replies and checking the documentation about Federation Access Policies (something we still hadn't used on ISAM), things are now clear on how we need to proceed to implement this.


    Thanks again!

    ------------------------------
    André Leruitte
    ------------------------------