Double authentication, also called reauthentication, adds a security level that gives stronger protection to business-critical actions in BMC applications. An application can generally be configured to require double authentication for such actions; refer to the documentation of that application for the details.
The role of Remedy Single Sign-On (Remedy SSO) is to provide a double authentication mechanism for the different authentication methods. For example, a realm is configured for an authentication method, such as AR, LDAP, or Local, that prompts users for their login name and password. When the application requires double authentication for an action, the user is prompted again to enter those credentials on the Remedy SSO login page.
If the authentication method is Kerberos or Common Access Card (CAC), the browser handles authentication transparently, so the user never sees a credential prompt and double authentication must be designed differently. For this purpose, the administrator can configure the realm to use authentication chaining and add an alternative authentication method that prompts the user for credentials explicitly. The typical scenario is Kerberos as the primary authentication method and LDAP as the second Identity Provider (IdP) in the chain, used for re-authentication.
When the authentication method is SAML, the login workflow and authentication method are entirely under the control of the remote Identity Provider. In this case, when double authentication is requested, Remedy SSO sends a SAML authentication request with the ForceAuthn="true" flag. The SAML IdP must be configured to honor this flag, that is, to present its login page (or another re-authentication step) instead of reusing the user's existing IdP session.
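The following is an added example, not code from Remedy SSO or from this page, showing both halves of a ForceAuthn round trip: the IdP-side decision of whether an existing SSO session may satisfy the request, and the SP-side check that the returned assertion really reflects a fresh login rather than a reused session. The element and attribute names follow SAML 2.0 Core; the request IDs, issuer URL, session record and timestamps are constructed for the example, and message signing is assumed to be verified elsewhere.

```python
"""Added example (not Remedy SSO code): ForceAuthn handling on both SAML sides."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
FMT = "%Y-%m-%dT%H:%M:%SZ"


def _iso(dt):
    return dt.strftime(FMT)


def _parse(ts):
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


def build_authn_request(request_id, issuer, issue_instant, force_authn):
    """Minimal unsigned AuthnRequest (constructed for the example)."""
    force = "true" if force_authn else "false"
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{_iso(issue_instant)}" '
        f'ForceAuthn="{force}"><saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>'
    )


def build_response(in_response_to, response_time, authn_instant):
    """Minimal Response/Assertion/AuthnStatement (constructed, unsigned).

    authn_instant is when the IdP actually authenticated the user; an IdP that
    reused an old session reports the old login time here.
    """
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp1" Version="2.0" IssueInstant="{_iso(response_time)}" '
        f'InResponseTo="{in_response_to}">'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_iso(response_time)}">'
        f'<saml:AuthnStatement AuthnInstant="{_iso(authn_instant)}" SessionIndex="_s1"/>'
        "</saml:Assertion></samlp:Response>"
    )


def idp_must_reauthenticate(authn_request_xml, existing_session):
    """IdP decision: True when the user must be prompted for credentials again.

    SAML 2.0 Core 3.4.1: with ForceAuthn="true" the IdP must authenticate the
    presenter directly rather than rely on a previous security context.
    Without a session there is nothing to reuse, so a prompt is needed anyway.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    force = root.get("ForceAuthn", "false").lower() == "true"
    if existing_session is None:
        return True
    return force


def sp_accept_reauth_response(response_xml, request_id, request_issue_instant):
    """SP-side check after sending ForceAuthn="true".

    An IdP that ignored the flag hands back an assertion whose AuthnInstant is
    the time of the original login, before our request was even issued.  The SP
    therefore requires InResponseTo to match and AuthnInstant to be no earlier
    than the request's IssueInstant (clock skew tolerance omitted here).
    Returns (accepted, reason).
    """
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match the outstanding request"
    stmt = root.find("saml:Assertion/saml:AuthnStatement", NS)
    if stmt is None:
        return False, "assertion carries no AuthnStatement"
    authn_instant = _parse(stmt.get("AuthnInstant"))
    if authn_instant < request_issue_instant:
        return False, "AuthnInstant predates the ForceAuthn request: IdP reused an old session"
    return True, "fresh authentication"


def demo():
    """Walk through a reused-session response and a genuinely fresh one."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # original IdP login
    t1 = t0 + timedelta(minutes=30)                         # protected action triggers re-auth
    session = {"subject": "alice", "authn_instant": t0}     # constructed IdP session record
    req = build_authn_request("_req1", "https://rsso.example.com/rsso", t1, force_authn=True)
    stale = build_response("_req1", t1 + timedelta(seconds=5), t0)
    fresh = build_response("_req1", t1 + timedelta(seconds=30), t1 + timedelta(seconds=20))
    return {
        "idp_prompts": idp_must_reauthenticate(req, session),
        "stale": sp_accept_reauth_response(stale, "_req1", t1),
        "fresh": sp_accept_reauth_response(fresh, "_req1", t1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The SP-side check is the part most often missed: sending ForceAuthn="true" only asks the IdP to re-authenticate, so the service provider should also confirm from the AuthnStatement that the IdP actually did, otherwise a misconfigured IdP silently turns double authentication into a no-op. A production check would allow a small clock-skew window when comparing AuthnInstant against the request time.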
Double authentication is different from Multi-Factor authentication. For more information, see Supporting Multi-Factor authentication.