Authentication chains: Configuration
Authentication chains offer a flexible authentication infrastructure, allowing you to customize the end-user authentication experience. An authentication chain contains authentication methods offered by available authentication modules. Authentication modules can provide a variety of authentication methods, such as password verification, internal/external security questions, or the ability to select specific chains. Using multiple modules can form a stronger authentication process and can offer alternatives to users having difficulty authenticating.
Authentication chains can:
Be specialized for certain user groups
Combine multiple authentication methods for a stronger authentication process
Extend existing authentication measures with the use of plugins
The process of authenticating users can vary dramatically for each implementation. Authentication chains make it easy to adapt Bravura Security Fabric’s authentication process to match your organization’s business logic, and aid in secure, transparent and efficient integration of Bravura Security Fabric.
You can configure authentication chains to react differently to failures during authentication. The configuration dictates whether all modules are required for a successful and strong authentication, or if additional modules only serve as alternative means of authentication. For example, a user entering his password incorrectly could cause the entire chain to fail, or the user could be given a chance to use some other method instead.
Bravura Security Fabric comes with five built-in authentication chains:
Front-end login | The DEFAULT_LOGIN authentication chain can be configured for use with the Front-end, to determine how users must authenticate. By default, this authentication chain presents authentication methods configured in the Modules > Front-end (PSF) menu. |
Help desk authentication | The HELPDESK_LOGIN authentication chain can be configured for use with the Help users (IDA) module, to configure how help desk users must authenticate on behalf of other users before accessing the user’s profile. |
Generic login failure | The GENERIC_LOGIN_FAILURE authentication chain will simulate a fake user login to fool potential intruders. This authentication chain is activated when the GENERIC LOGIN FAILURE system variable is enabled. |
User identification service | The USER_IDENTIFICATION authentication chain can be configured for use with the Front-end, to configure how users are identified. |
Standard two-phase login flow | The STANDARD_TWO-PHASE_LOGIN_FLOW authentication chain handles the internal logic of when other authentication chains are called, and can be configured to enable use cases where certain chains are not required. |
Best practice
It is recommended that you do not add individual authentication modules to the DEFAULT_LOGIN or HELPDESK_LOGIN authentication chains, but instead add your own custom authentication chains that can be used with a chain selector module.
This helps prevent misconfiguring the default chains, and also helps troubleshoot any potential configuration issues that might occur.
If you misconfigure the DEFAULT_LOGIN or HELPDESK_LOGIN authentication chains, users may not be able to log in.
If your environment absolutely requires modifying the default chains, then it is highly recommended that you thoroughly test the configuration before implementation, or do so under the supervision of Bravura Security support staff.