How double authentication works


Double authentication is a security measure in which an already authenticated user is asked to authenticate again: the user's browser sends a re-authentication request to the server. The process of double authentication is as follows:


  1. After the first level of authentication, the user's browser sends a re-authentication request to the Mid Tier URL.

  2. A BMC Helix Single Sign-On agent redirects the user to the BMC Helix Single Sign-On server URL for re-authentication.

    For Security Assertion Markup Language (SAML) authentication, BMC Helix Single Sign-On redirects the user to the SAML IdP for re-authentication. If the SAML IdP supports the ForceAuthn feature on an authentication request, the IdP requests the user for re-authentication.

    The BMC Helix Single Sign-On agent identifies a re-authentication request by the query parameter reauth, which is set to true by default. For a re-authentication request, the agent identifies the BMC Helix Single Sign-On server and the application realm in the same way that the agent identifies these for any other authentication request.

  3. For an AR System authentication, the BMC Helix Single Sign-On server prompts the user to confirm the password.
    For SAML authentication, the IdP prompts the user for both user name and password. If the authentication is successful, the IdP redirects the user to the BMC Helix Single Sign-On server with a SAML response. The BMC Helix Single Sign-On server checks whether the user in the SAML response and the user logged in to BMC Helix Single Sign-On are the same. If they are not the same, the re-authentication fails.

  4. If the re-authentication process is successful, the BMC Helix Single Sign-On server generates a re-authentication token and redirects the user to the Mid Tier URL.
    The re-authentication token is valid only for a short period and is specific only to the re-authentication process. It cannot be used for the usual authentication process.

  5. The BMC Helix Single Sign-On agent retrieves the re-authentication token and passes it on to the Mid Tier servlet.

  6. The Mid Tier servlet retrieves the re-authentication token and passes it on to the AR System as an authentication string.

  7. AR System verifies the user's credential, user name, and re-authentication token through the BMC Helix Single Sign-On AREA plugin.

  8. The BMC Helix Single Sign-On AREA plugin verifies the re-authentication token through an API call to the BMC Helix Single Sign-On server.
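As an added example (not BMC's code), the following Python model shows the properties the steps above rely on: the agent's reauth=true check (step 2), the same-user check on the SAML response (step 3), a short-lived token that the usual login path never accepts (step 4), and the verification call made on behalf of the AREA plugin (step 8). The class and function names, the 60-second lifetime and the single-use behaviour are assumptions, not details from the page.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

REAUTH_TTL_SECONDS = 60  # assumed "short period"; the page gives no exact lifetime


def is_reauth_request(url: str) -> bool:
    """Step 2: the agent recognises a re-authentication request by reauth=true."""
    return parse_qs(urlparse(url).query).get("reauth", ["false"])[0].lower() == "true"


class SsoServerModel:
    """Constructed model of the server side of steps 3, 4 and 8 (not BMC code)."""
    def __init__(self, passwords: dict) -> None:
        self._passwords = dict(passwords)  # user -> password, for the usual authentication
        self._sessions = {}                # session id -> logged-in user
        self._reauth_tokens = {}           # re-authentication token -> (bound user, expiry)

    def login(self, user: str, password: str) -> Optional[str]:
        """Usual authentication checks only passwords, so a re-authentication
        token presented here is rejected (step 4)."""
        stored = self._passwords.get(user)
        if stored is None or not hmac.compare_digest(stored, password):
            return None
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = user
        return session_id

    def complete_reauth(self, session_id: str, asserted_user: str, now: float) -> Optional[str]:
        """Steps 3 and 4: the user confirmed by the password prompt or the SAML IdP
        must be the user who holds the session, otherwise re-authentication fails."""
        logged_in = self._sessions.get(session_id)
        if logged_in is None or not hmac.compare_digest(logged_in, asserted_user):
            return None
        token = secrets.token_urlsafe(32)
        self._reauth_tokens[token] = (logged_in, now + REAUTH_TTL_SECONDS)
        return token

    def verify_reauth_token(self, user: str, token: str, now: float) -> bool:
        """Step 8: the check behind the AREA plugin's API call. The token is valid only
        for the user it was issued to and only until it expires; single use is an
        added hardening assumption that the page does not state."""
        entry = self._reauth_tokens.pop(token, None)
        if entry is None:
            return False
        bound_user, expiry = entry
        return now <= expiry and hmac.compare_digest(bound_user, user)
```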

