This documentation supports the 20.02 version of Remedy Single Sign-On.To view an earlier version, select the version from the Product version menu.

Authentication fallback

As a Remedy Single Sign-On administrator, you might need to configure an authentication fallback for a realm to invoke an alternate authentication method in any of the following cases:

  • When the primary authentication fails due to some reason, such as user credentials are not accepted by the identity provider (IdP), or the IdP is unavailable due to some reason
  • If a user logs in to a system from one domain and then tries accessing the system from another domain.

To enable authentication fallback for a realm, you must configure several authentication methods for a realm and chain them according to the authentication fallback chaining principles.  

Related topics

Reauthentication

Single-sign-on-authentication-methods

Realms

Enabling-authentication-chaining-mode

How authentication fallback works

When authentication fallback is configured, Remedy SSO invokes a secondary authentication method configured in the authentication chain, and end users are not prompted to log in to applications again.  

The following diagram shows a model for enabling authentication fallback in Remedy SSO:

Authentication fallback.png

If authentication fails at one IdP in the chain, then the request is redirected to the next IdP in the chain. If authentication fails at all IdPs configured in the chain, the system shows an authentication failure message. 

Authentication fallback chaining principles

To enable authentication fallback, add authentication methods into an authentication chain taking into account the following principles:

  • If you are using a certificate-based authentication or Kerberos authentication, do not set them as the last authentication method in a chain.
  • If you are using a SAML or OIDC authentication method, do not set them as the first authentication method in the chain.