Authentication fallback

As a BMC Helix Single Sign-On administrator, you might need to configure an authentication fallback for a realm to invoke an alternate authentication method in any of the following cases:

• When the primary authentication fails due to some reason, such as user credentials are not accepted by the identity provider (IdP), or the IdP is unavailable due to some reason
• If a user logs in to a system from one domain and then tries accessing the system from another domain.

To enable authentication fallback for a realm, you must configure several authentication methods for a realm and chain them according to the authentication fallback chaining principles.  

How authentication fallback works

When authentication fallback is configured, BMC Helix SSO invokes a secondary authentication method configured in the authentication chain, and end users are not prompted to log in to applications again.  

The following diagram shows a model for enabling authentication fallback in BMC Helix SSO:

If authentication fails at one IdP in the chain, then the request is redirected to the next IdP in the chain. If authentication fails at all IdPs configured in the chain, the system shows an authentication failure message. 

Authentication fallback chaining principles

To enable authentication fallback, add authentication methods into an authentication chain taking into account the following principles:

• If you are using a certificate-based authentication or Kerberos authentication, do not set them as the last authentication method in a chain.

• If you are using a SAML or OIDC authentication method, do not set them as the first authentication method in the chain.