How double authentication works
The process of double authentication is as follows:
- After the first level of authentication, the user's browser sends a reauthentication request to the Mid Tier URL. A BMC Helix Single Sign-On agent redirects the user to the BMC Helix Single Sign-On server URL for reauthentication.
  For SAML authentication, BMC Helix Single Sign-On redirects the user to the SAML IdP for reauthentication. If the SAML IdP supports the ForceAuthn feature on an authentication request, the IdP prompts the user to reauthenticate.
  The BMC Helix Single Sign-On agent identifies a reauthentication request by the query parameter reauth, which is set to true by default. For a reauthentication request, the agent identifies the BMC Helix Single Sign-On server and the application realm in the same way that it identifies them for any other authentication request.
- For AR System authentication, the BMC Helix Single Sign-On server prompts the user to confirm the password.
  For SAML authentication, the IdP prompts the user for both user name and password. If the authentication is successful, the IdP redirects the user back to the BMC Helix Single Sign-On server with a SAML response. The BMC Helix Single Sign-On server checks whether the user in the SAML response is the same user who is currently logged in to BMC Helix Single Sign-On. If they are not the same user, the reauthentication fails.
- If the reauthentication process is successful, the BMC Helix Single Sign-On server generates a reauthentication token and redirects the user to the Mid Tier URL.
  The reauthentication token is valid only for a short period and is specific to the reauthentication process; it cannot be used for the usual authentication process.
- The BMC Helix Single Sign-On agent retrieves the reauthentication token and passes it on to the Mid Tier servlet.
- The Mid Tier servlet retrieves the reauthentication token and passes it on to AR System as an authentication string.
- AR System verifies the user's credential, user name, and reauthentication token through the BMC Helix Single Sign-On AREA plugin.
- The BMC Helix Single Sign-On AREA plugin verifies the reauthentication token through an API call to the BMC Helix Single Sign-On server.
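To make the token checks in the flow above concrete (the same-user check on the SAML response, the short-lived purpose-bound token, and the verification the AREA plugin asks the server for), here is an added Python model of them; it is not BMC's code, and the token format, HMAC signing, the 60-second lifetime and the function names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumed: a secret held only by the SSO server
REAUTH_TTL_SECONDS = 60               # assumed: the "short period" modelled as 60 seconds


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_reauth_token(user: str, now: float) -> str:
    """SSO server: mint a token bound to one user, to the reauth purpose and to a short expiry."""
    claims = {"sub": user, "purpose": "reauth", "exp": now + REAUTH_TTL_SECONDS,
              "jti": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def reauthenticate_saml(logged_in_user: str, saml_subject: str, now: float):
    """SSO server, SAML path: the subject asserted by the IdP must be the user already logged in."""
    if saml_subject != logged_in_user:
        return None  # a different user came back from the IdP: reauthentication fails
    return issue_reauth_token(logged_in_user, now)


def verify_token(token: str, user: str, expected_purpose: str, now: float) -> bool:
    """SSO server, answering the AREA plugin: signature, expiry, purpose and user binding must all hold."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except (ValueError, binascii.Error):
        return False  # malformed token
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return False  # tampered or forged
    claims = json.loads(payload)
    return (claims.get("purpose") == expected_purpose   # a reauth token is useless for the usual login
            and claims.get("sub") == user               # must belong to the user AR System is checking
            and now < claims.get("exp", 0))             # expired tokens are rejected
```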