Modifying an existing authentication chain
In order to modify an authentication chain, you must first disable it. On the chain's configuration page, click Disable.
Once a chain is disabled, you can:
Once you have modified it, click Enable to make it available.
The rest of this section provides notes on modifying built-in chains.
Disabling built-in chains does not stop users from logging into Bravura Security Fabric. It only restores the default identification and authentication settings, including Front-end settings.
If there are any errors in the authentication chain that prevent regular users from logging in to the Front-end, product administrators can still log in using their Bravura Security Fabric password. The Bravura Security Fabric password is either a target-specific password or a custom value, depending on how the product administrator was set up. The fail-safe login method is invoked for these cases so that product administrators can still access Bravura Security Fabric to fix or reconfigure the authentication chains to allow access for regular users.
General options
Once a chain is disabled, you can modify the following general options:
Abort login immediately if a module in this chain fails, which causes the login process to abort as soon as any authentication module fails.
Allow caching of this chain’s module results to control whether the chain’s results are cached after completion. This is enabled for most chains by default.
Front-end Login – DEFAULT_LOGIN
Modifying the select_chain module settings of the DEFAULT_LOGIN authentication chain changes the authentication methods available to the Front-end. By default, it uses the PSFEXT VALUES and PSF EXT settings implicitly; these can be overridden explicitly when required.
Best practice
It is recommended that you do not add individual authentication modules to the DEFAULT_LOGIN or HELPDESK_LOGIN authentication chains, but instead add your own custom authentication chains that can be used with a chain selector module.
This helps prevent misconfiguring the default chains, and also helps troubleshoot any potential configuration issues that might occur.
If you misconfigure the DEFAULT_LOGIN or HELPDESK_LOGIN authentication chains, users may not be able to log in.
If your environment absolutely requires modifying the default chains, then it is highly recommended that you thoroughly test the configuration before implementation, or do so under the supervision of Bravura Security support staff.
Help desk authentication – HELPDESK_LOGIN
Modifying the select_chain module settings of the HELPDESK_LOGIN authentication chain changes the authentication methods available to the Help users (IDA) module for help-desk users to authenticate on behalf of other users (callers) before accessing their profiles.
By default, it is set to use the score-based challenge and response (scoreqna.pss) module, configured to prompt for two questions from the user’s pre-defined question set.
If any errors are encountered in the HELPDESK_LOGIN authentication chain during the authentication process, the help desk user is denied access to the user’s profile. The authentication chain must be fixed before access is possible.
Generic login failure – GENERIC_LOGIN_FAILURE
The GENERIC_LOGIN_FAILURE authentication chain simulates a fake user login to fool potential intruders. This authentication chain is activated when the GENERIC LOGIN FAILURE system variable is enabled.
Normally, when an invalid user or account ID is entered in the login screen Bravura Security Fabric displays a message informing the user that the account could not be found. If you enable the GENERIC LOGIN FAILURE option (Manage the system > Policies > Options), users are allowed to proceed to the Verify password screen and enter a password, despite having entered an invalid ID. Bravura Security Fabric simulates an attempt to verify the password, waiting 10 seconds before returning with the message:
Please verify that you entered your password correctly, otherwise contact your administrator.
This feature is scheduled to be removed in a future release.
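To make the behaviour of the option concrete, the following is an added Python model of the two login phases described above; it is not Bravura Security Fabric code. The two user-facing messages are the ones quoted on this page, while the PBKDF2 credential store, its salt, the sample user "alice" and the injectable sleep function (so the 10-second wait can be skipped when exercising the model) are assumptions of the example.

```python
# Added example, not Bravura Security Fabric code: a model of the GENERIC LOGIN
# FAILURE behaviour described above, written as an enumeration-resistant login.
# The credential store, the salt and the user are constructed sample data.
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable

GENERIC_MESSAGE = ("Please verify that you entered your password correctly, "
                   "otherwise contact your administrator.")
NOT_FOUND_MESSAGE = "The account could not be found."
SIMULATED_VERIFY_DELAY = 10.0   # seconds the page says the simulated check waits

_SALT = b"constructed-sample-salt"   # a real store uses a random salt per user

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": _hash_password("correct horse")}   # constructed sample user

@dataclass
class LoginResult:
    stage: str       # "identify" (ID entered) or "verify" (password entered)
    success: bool
    message: str

def identify(user_id: str, generic_login_failure: bool) -> LoginResult:
    """Phase 1: the login screen. Without the option an unknown ID is rejected
    here, which tells whoever typed it which IDs exist."""
    if user_id in USERS or generic_login_failure:
        return LoginResult("identify", True, "")   # proceed to the password screen
    return LoginResult("identify", False, NOT_FOUND_MESSAGE)

def verify(user_id: str, password: str, generic_login_failure: bool,
           delay: float = SIMULATED_VERIFY_DELAY,
           sleep: Callable[[float], None] = time.sleep) -> LoginResult:
    """Phase 2: the Verify password screen. Unknown IDs get a simulated check
    (fixed delay) and the same message as a wrong password."""
    stored = USERS.get(user_id)
    if stored is None:
        if not generic_login_failure:
            return LoginResult("verify", False, NOT_FOUND_MESSAGE)
        sleep(delay)                     # simulate the verification attempt
        return LoginResult("verify", False, GENERIC_MESSAGE)
    if hmac.compare_digest(stored, _hash_password(password)):
        return LoginResult("verify", True, "Login successful.")
    return LoginResult("verify", False, GENERIC_MESSAGE)

def login(user_id: str, password: str, generic_login_failure: bool = False,
          delay: float = SIMULATED_VERIFY_DELAY,
          sleep: Callable[[float], None] = time.sleep) -> LoginResult:
    """Runs both phases as a user would experience them."""
    ident = identify(user_id, generic_login_failure)
    if not ident.success:
        return ident
    return verify(user_id, password, generic_login_failure, delay, sleep)

if __name__ == "__main__":
    # Pass a no-op sleep so the demonstration does not actually wait 10 s.
    for uid, pw in [("alice", "wrong"), ("mallory", "wrong")]:
        for glf in (False, True):
            r = login(uid, pw, glf, sleep=lambda _s: None)
            print(f"{uid!r:10} generic_login_failure={glf!s:5} -> {r.stage}: {r.message}")
```

With the option off, the unknown ID is rejected at the identify stage with a different message than a wrong password gets; with it on, both cases reach the verify stage and end with the same generic message, which is the enumeration-resistance property the feature provides.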
User identification service – USER_IDENTIFICATION
Modifying the USER_IDENTIFICATION authentication chain changes the identification methods available in the Front-end. By default, it includes the fedidp_ident module, which can capture SAML requests sent by a service provider for federated login or Web single sign-on, and the user_ident module, which captures the standard Bravura Security Fabric login ID.
Standard two-phase login flow chain – STANDARD_TWO-PHASE_LOGIN_FLOW
Modifying the STANDARD_TWO-PHASE_LOGIN_FLOW authentication chain changes the logic through which all other default authentication chains are called. By default, the USER_IDENTIFICATION and DEFAULT_LOGIN chains are always called alongside each other, and the STANDARD_TWO-PHASE_LOGIN_FLOW chain and its modules can be modified or re-ordered to enable authentication methods that only require a portion of this default chain.
The ident_ctrl module of the STANDARD_TWO-PHASE_LOGIN_FLOW authentication chain is called to check whether the user has been successfully identified. If they were successfully identified, this module does nothing; if they were not, this module directs them to the chain specified in the parameter, or fails if the parameter is not set.
The glf_control module of the STANDARD_TWO-PHASE_LOGIN_FLOW authentication chain checks whether the system has generic login failure enabled, and directs users that fail USER_IDENTIFICATION to the GENERIC_LOGIN_FAILURE authentication chain.
The cgijump module of the STANDARD_TWO-PHASE_LOGIN_FLOW authentication chain checks whether the user is allowed to access the page they’re attempting to access, and the check_jump_dst parameter defines whether the results of this check are stored in the user’s session data.
The select_chain module of the STANDARD_TWO-PHASE_LOGIN_FLOW authentication chain initiates the DEFAULT_LOGIN chain by default, directing users to that chain to complete authentication.
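The following added Python model, which is not Bravura Security Fabric code, shows how the chains and modules named in this section fit together as a dispatch loop, and how the general option "Abort login immediately if a module in this chain fails" changes the outcome. The module names are taken from the page; their concrete behaviour, their parameters (the ident_ctrl fallback chain is the unnamed parameter the page mentions), the order in which the flow chain calls them, the Session fields and the single sample user are all assumptions of the example.

```python
# Added example, not Bravura Security Fabric code: a toy engine for the two-phase
# login flow described above, including the "abort login immediately if a module
# fails" option. Module names follow the page; their behaviour, parameters and
# order are assumptions, and the user store is constructed sample data.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

USERS = {"alice": "correct horse"}   # constructed; plain text only for the model

@dataclass
class Session:
    submitted_id: str = ""
    submitted_password: str = ""
    saml_subject: Optional[str] = None       # set when a SAML request was captured
    requested_page: str = "/"
    allowed_pages: tuple = ("/",)
    generic_login_failure: bool = False      # the GENERIC LOGIN FAILURE option
    user_id: Optional[str] = None
    identified: bool = False
    jump_dst_allowed: Optional[bool] = None  # stored by cgijump when check_jump_dst
    trace: List[str] = field(default_factory=list)

# A module returns True (pass), False (fail) or the name of a chain to run next.
Module = Callable[[Session], Union[bool, str]]

@dataclass
class Chain:
    name: str
    modules: List[Module]
    abort_on_failure: bool = True   # "Abort login immediately if a module ... fails"

def run_chain(chains: Dict[str, Chain], name: str, s: Session) -> bool:
    result = True
    for module in chains[name].modules:
        outcome = module(s)
        s.trace.append(f"{name}/{module.__name__} -> {outcome}")
        if isinstance(outcome, str):         # module directed us to another chain
            outcome = run_chain(chains, outcome, s)
        if outcome is False:
            result = False
            if chains[name].abort_on_failure:
                break
    return result

# Identification modules (USER_IDENTIFICATION): capture an ID, never fail.
def fedidp_ident(s):
    if s.saml_subject in USERS:
        s.user_id, s.identified = s.saml_subject, True
    return True

def user_ident(s):
    if not s.identified and s.submitted_id in USERS:
        s.user_id, s.identified = s.submitted_id, True
    return True

# Flow-control modules (STANDARD_TWO-PHASE_LOGIN_FLOW).
def run_identification(s):
    return "USER_IDENTIFICATION"

def glf_control(s):
    return "GENERIC_LOGIN_FAILURE" if s.generic_login_failure and not s.identified else True

def ident_ctrl(fallback_chain: Optional[str] = None) -> Module:
    def module(s):
        return True if s.identified else (fallback_chain or False)
    module.__name__ = "ident_ctrl"
    return module

def cgijump(check_jump_dst: bool = True) -> Module:
    def module(s):
        allowed = s.requested_page in s.allowed_pages
        if check_jump_dst:                   # keep the result in the session data
            s.jump_dst_allowed = allowed
        return allowed
    module.__name__ = "cgijump"
    return module

def select_chain(s):
    return "DEFAULT_LOGIN"

def password_verify(s):                      # DEFAULT_LOGIN's only module here
    return s.identified and USERS.get(s.user_id) == s.submitted_password

def simulated_failure(s):                    # GENERIC_LOGIN_FAILURE never succeeds
    return False

def build_chains(abort_on_failure: bool = True) -> Dict[str, Chain]:
    chains = [
        Chain("USER_IDENTIFICATION", [fedidp_ident, user_ident]),
        Chain("GENERIC_LOGIN_FAILURE", [simulated_failure]),
        Chain("DEFAULT_LOGIN", [password_verify]),
        Chain("STANDARD_TWO-PHASE_LOGIN_FLOW",
              [run_identification, glf_control, ident_ctrl(), cgijump(), select_chain],
              abort_on_failure=abort_on_failure),
    ]
    return {c.name: c for c in chains}

def login(s: Session, abort_on_failure: bool = True) -> bool:
    return run_chain(build_chains(abort_on_failure), "STANDARD_TWO-PHASE_LOGIN_FLOW", s)
```

After a call to login, the session's trace lists every module in the order it ran, which is the view you want when troubleshooting a chain: an unidentified user stops at ident_ctrl when the abort option is on, is redirected to GENERIC_LOGIN_FAILURE by glf_control when that system option is enabled, and with the abort option off the flow keeps going and still runs DEFAULT_LOGIN, where password_verify fails anyway because no user was identified. Chain result caching is left out of the model.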