IBM Security Identity and Access Management


ISAM force reauthentication

  • 1.  ISAM force reauthentication

    Posted Mon November 04, 2019 02:28 PM

    We have a requirement from our data protection department.

    The user should be forced to perform reauthentication using a client certificate before executing a critical application transaction. This should happen even if the user has a valid session and is already authenticated via client certificate.

    Is there a way to achieve this with ISAM?


    Jürgen Hitt

  • 2.  RE: ISAM force reauthentication

    Posted Tue November 05, 2019 03:33 AM
    Hi Jürgen,

    You can force reauthentication directly before access to a resource by applying a POP with a specific extended attribute
    (name: reauth value: true).  This is documented here:

    I don't see this documented after SAM 7.0.0 but I can't imagine the function was removed.  Worth a try.

    One word of warning, I'm not sure it will work with client certificate authentication because that is negotiated much lower in the stack and re-authentication would require re-initiation of the SSL/TLS session.  You would almost certainly need to have "accept-client-certs = prompt_as_needed".  Use of the secondary port for the client-certificate exchange might be a factor too.


    Jon Harry
    Consulting IT Security Specialist
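    The steps Jon describes, as an added example that is not part of this thread and not IBM's own tooling: a small POSIX shell script that emits the pdadmin commands for a POP carrying the "reauth" extended attribute, and a check that a webseald.conf actually has accept-client-certs set to prompt_as_needed before anyone relies on certificate reauthentication. The POP name, the protected object path and the configuration file path are assumptions; the pdadmin verbs (pop create, pop modify ... set attribute, pop attach) and the [certificate] stanza key are the standard ones.

```shell
#!/bin/sh
# Added example for the thread above; not from the original post.
# Assumed values: POP name "reauth-pop", object "/WebSEAL/host-default/app/transfer",
# and whatever webseald.conf path the caller passes in.

# Print the pdadmin commands that create a POP with the reauth extended
# attribute and attach it to a protected object. Feed the output to pdadmin.
#   $1 = POP name        $2 = protected object path
reauth_pop_commands() {
    cat <<EOF
pop create $1
pop modify $1 set attribute reauth true
pop attach $2 $1
EOF
}

# Return 0 when the [certificate] stanza of the given webseald.conf sets
# accept-client-certs = prompt_as_needed, 1 otherwise. Only the value inside
# [certificate] counts; the same key name in another stanza is ignored.
check_client_cert_prompt() {
    conf="$1"
    value=$(awk -F= '
        /^\[/ { stanza = $0 }
        stanza == "[certificate]" && $1 ~ /^[ \t]*accept-client-certs[ \t]*$/ {
            gsub(/[ \t]/, "", $2); print $2; exit
        }' "$conf")
    [ "$value" = "prompt_as_needed" ]
}

# Typical use (kept out of the top level so the file can be sourced):
#   reauth_pop_commands reauth-pop /WebSEAL/host-default/app/transfer
#   check_client_cert_prompt /var/pdweb/etc/webseald-default.conf || echo "fix accept-client-certs"
```

If the check fails, the POP will still be created and attached, but WebSEAL has no way to ask the browser for a certificate again on the existing TLS session, which is the failure mode Jon warns about.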

  • 3.  RE: ISAM force reauthentication

    Posted Tue November 05, 2019 03:38 AM
    We had a similar use case, where we tested the following round trip: you could use an infomap which simply decreases the auth level to 0 (keeping the actual user session), use a target which requires a cert authentication via a classic POP (like Jon mentioned: prompt_as_needed), and use the original URI as the second target.

    Frank Thurau

  • 4.  RE: ISAM force reauthentication

    Posted Fri November 08, 2019 09:57 AM