As a Remedy Single Sign-On administrator, you might need to configure an authentication fallback for a realm to invoke an alternate authentication method in any of the following cases:
- When the primary authentication fails due to some reason, such as user credentials are not accepted by the identity provider (IdP), or the IdP is unavailable due to some reason
- If a user logs in to a system from one domain and then tries accessing the system from another domain.
To enable authentication fallback for a realm, you must configure several authentication methods for a realm and chain them according to the Authentication fallback chaining principles.
How authentication fallback works
When authentication fallback is configured, Remedy SSO invokes a secondary authentication method configured in the authentication chain, and end users are not prompted to log in to applications again.
The following diagram shows a model for enabling authentication fallback in Remedy SSO:
If authentication fails at one IdP in the chain, then the request is redirected to the next IdP in the chain. If authentication fails at all IdPs configured in the chain, the system shows an authentication failure message.
Authentication fallback chaining principles
To enable authentication fallback, add authentication methods into an authentication chain taking into account the following principles:
- If you are using a certificate-based authentication or Kerberos authentication, none of them can be used as the last authentication method in a chain.
If you are using a SAML or OIDC authentication method, none of them can be used as the first authentication in the chain.
You can use SAML as the first authentication and LOCAL/LDAP as the second authentication if you need retrieve user groups from all IdPs in the chain.