Yes, exactly. I want to change the authentication levels stanza. That should be all that is necessary.
Good news that there is a native way to adapt the configuration.
Original Message:
Sent: Fri October 24, 2025 02:18 AM
From: Scott Exton
Subject: IAG: using AUTHENTICATION_LEVEL with eai
Laurent,
There is a way to modify the WebSEAL configuration file directly using the IAG advanced configuration settings. Are you trying to modify the authentication-levels stanza, or something else? Even if you did modify the WebSEAL configuration file I don't see how that would help.
Thanks.
Scott Exton
IBM Verify platform architect
IBM Master Inventor
1 Corporate Court, Bundall, QLD 4217.
E-mail: scotte@au1.ibm.com
Original Message:
Sent: 10/24/2025 2:13:00 AM
From: Laurent LA Asselborn
Subject: RE: IAG: using AUTHENTICATION_LEVEL with eai
Hi Scott,
Thanks for your answer.
I already know how the new model of IAG works and I like it a lot. It is much more flexible than the legacy one on WebSEAL.
But here I want to migrate an existing eai without touching the part that does the eai as it is used on many WebSEALs and I want to migrate them one by one. That's why it is not an option to just set that AUTHENTICATION_LEVEL always to 1 as that would break the old WebSEALS. The eai will answer with a level 5, which will throw an error on IAG.
So I understand there isn't an option in the yaml file to set configure new levels.
What about changing the WebSEAL conf file? Is this possible or recommended? It is a trivial change to make, but I'm not sure it will be persistent and not just be overwritten by IAG.
Kind regards,
------------------------------
Laurent LA Asselborn
Original Message:
Sent: Thu October 23, 2025 05:09 PM
From: Scott Exton
Subject: IAG: using AUTHENTICATION_LEVEL with eai
Laurent,
IAG uses a completely different authorisation model to WebSEAL and doesn't have the concept of authentication levels. It typically relies on the IDP to handle such things and uses concepts such as ACR values in the authorisation rule to determine when to go back to the IDP for additional authentication.
You can try to mimic authentication levels with an EAI by setting the authentication level as an attribute in the credential and then creating your authorisation rules to check the value of this attribute.
I hope that this helps.
Thanks.
Scott Exton
IBM Verify platform architect
IBM Master Inventor
1 Corporate Court, Bundall, QLD 4217.
E-mail: scotte@au1.ibm.com
Original Message:
Sent: 10/23/2025 5:23:00 AM
From: Laurent LA Asselborn
Subject: IAG: using AUTHENTICATION_LEVEL with eai
Hi,
I want to replace an existing WebSEAL, which uses eai for authentication, with an IAG. But it seems IAG, when using eai, supports only levels 0 and 1. At least I didn't find a configuration entry to add additional levels.
When using OIDC as authentification, the supplied level is accepted without problem
My questions:
1) is there a config entry in the yaml config to add additional levels?
2) if not, what is the best practice to edit the webseal.conf file to add the levels? Is it even possible to adapt the WebSEAL config file or is it recommended to not touch it?
Kind regards,
------------------------------
Laurent Asselborn
------------------------------