How to set up a policy to authorize a user by authentication level

Document ID : KB000047289
Last Modified Date : 14/02/2018

Question 

How do I set up a Policy Expression that authorizes a user according to the session's authentication level?

For example, only users with authentication level 20 should be authorized.


Answer 

Please find below the steps to achieve this.

** Action 1 --> Under your Domain --> Realm, create a rule with the OnAuthAccept action.

** Action 2 --> Create a Response that returns the authentication level (SM_AUTHENTICATIONLEVEL) as follows:


Agent Type Attribute Name -->   WebAgent-HTTP-Header-Variable

Value --> AUTHLEVEL=<%userattr="SM_AUTHENTICATIONLEVEL" %>


NOTE --> SM_AUTHENTICATIONLEVEL :

When a user is authenticated for a resource, this attribute holds an integer (from 0 to 1000) that represents the protection level of the authentication scheme under which the user was authenticated.


** Action 3 --> Create a policy, tie the OnAuthAccept rule created in Action 1 to it, and attach the Response from Action 2. Once this is done, SM_AUTHENTICATIONLEVEL is generated at authentication time.


** Action 4 --> Under the Domain, create two Variables as follows: one called AuthLevel and another called AuthLevel20 (a number set to 20, which is the authentication level required in the session). **


First Variable:

--------------

1) AuthLevel as the name

2) choose "User Context" in the "Variable Type" field

3) choose "String" in the "Return Type" field

4) select "User Property" in the "Item" drop-down menu

5) enter SM_AUTHENTICATIONLEVEL in the "Property" field

6) type 80 in the "Buffer Size" field


Second Variable:

-----------------

1) The authentication-level number as the name, for example "AuthLevel20"

2) choose "Static" in the "Variable Type" field

3) choose "Number" in the "Return Type" field

4) key in the desired authentication level (20 in our example) that the user must have in order to be authorized in the "Value" field


** Action 5 --> Now create a new policy and tie it to your "Allow Rule".

** Action 6 --> In the policy created in Action 5, set up an Expression that requires the AuthLevel variable = AuthLevel20. This means that all sessions must have authentication level 20 to be authorized.
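As an added illustration (not part of this article and not SiteMinder code), the following Python models the two variables from Action 4 and the expression from Action 6, so the effect of the exact-match comparison can be checked offline. The session dict, `read_authlevel` and `authorize` are assumptions of the model, not SiteMinder APIs; the `exact=False` branch goes beyond the article to show how an "at least" check would differ.

```python
import re
from typing import Optional

# Per the NOTE above, SM_AUTHENTICATIONLEVEL is an integer from 0 to 1000.
MIN_LEVEL, MAX_LEVEL = 0, 1000

# Static variable "AuthLevel20" (Action 4, second variable): the required level.
AUTH_LEVEL_20 = 20


def read_authlevel(session: dict) -> Optional[int]:
    """Model of the User Context variable "AuthLevel" (Action 4, first variable).

    It reads the SM_AUTHENTICATIONLEVEL user property, which the variable
    returns as a *string*, and converts it to an integer. Anything missing,
    non-numeric or outside 0..1000 is treated as "no level" so that the
    policy below fails closed. `session` is a constructed dict standing in
    for the SiteMinder session; it is not a real API.
    """
    raw = session.get("SM_AUTHENTICATIONLEVEL")
    if raw is None or not re.fullmatch(r"\d{1,4}", str(raw).strip()):
        return None
    level = int(str(raw).strip())
    return level if MIN_LEVEL <= level <= MAX_LEVEL else None


def authorize(session: dict, required: int = AUTH_LEVEL_20, exact: bool = True) -> bool:
    """Model of the policy expression from Action 6: AuthLevel = AuthLevel20.

    exact=True is what the article configures: only level 20 is authorized,
    so a session authenticated at a *higher* level (e.g. 30) is denied too.
    exact=False shows the alternative "at least" check (AuthLevel >= AuthLevel20)
    for comparison; it is not what the article's steps produce.
    """
    level = read_authlevel(session)
    if level is None:
        return False  # missing or malformed level never authorizes
    return level == required if exact else level >= required


if __name__ == "__main__":
    # Constructed sample sessions.
    for props in ({"SM_AUTHENTICATIONLEVEL": "20"},
                  {"SM_AUTHENTICATIONLEVEL": "30"},
                  {}):
        print(props, "->", "ALLOW" if authorize(props) else "DENY")
```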