How can you perform Multiple Authentication Types within one IAG RRS feed

  • Question

  • We have an opportunity to replace a non-Microsoft reverse proxy with an IAG appliance.  However, the current device allows for different authentication methods dependent on the resource being accessed.  As an example, to get to the OWA the user has to use ID and Password, but if they then move to a Finance application they also have to provide a Token (in this case Vasco).  I can see how to get all of the resources to be accessed with an ID and Password or using ID, Password and Token, but I really need to provide an "or" in this.  That way all users can have the IAG security in front of OWA and they do not all need tokens.  When finance then need to access they get asked to provide the Token in addition to the current authentication.  I am not sure if this can be done with multiple trunks, but we need to keep the access URLs the same so that all users "see" the same thing.

    Any ideas ???
    Tuesday, November 24, 2009 9:43 AM

Answers

  • Hi Amigo. I understand you would like to authenticate the users in IAG and not rely on the back-end application server, is that right?

    If so, define two different repositories, one for Active Directory (username/password) and another one for Vasco (likely RADIUS server). Authenticate the user in the portal using AD and then, in the Finance application, in the Authorization tab specify that AD Users are authorized to "View" and that Vasco Users are authorized to "Allow" and "View". This way, when the user clicks the Finance application he will receive a popup asking for Vasco credentials. If you want to delegate the credentials of AD you can do so in the "reply to authentication..." setting, selecting the AD repository. The SSO will take place after the authorization.

    Hope it helps
    // Raúl - I love this game
    • Marked as answer by Erez Benari Saturday, November 28, 2009 11:54 PM
    Tuesday, November 24, 2009 4:19 PM

All replies

  • You can set the trunk's authentication to be AD based (username/password). For the Finance application you would NOT set backend SSO in the authentication step. When an end-user logs into the trunk and tries to access the Finance application, the authentication challenge from the application would pass through UAG to the client - the user would need to enter credentials, which will be passed to the application.
    Tuesday, November 24, 2009 10:59 AM
  • Raul,

    This looks like a good way forward.  I will get this put into the test environment and let you know how it goes.

    Thanks
    Dave
    Monday, November 30, 2009 10:00 AM