
Adding authentication modules to a chain

To add an authentication module to a chain:

  1. From the authentication chain configuration page, under Modules, click Add new....

    Bravura Security Fabric refreshes the page and displays the Module configuration section.

  2. Choose which type of module to use at the start of your authentication chain, as listed in Table 1, “Authentication chain module types”.

  3. Select the Control type to use for this module, as described in Table 2, “Authentication chain module control types”.

  4. Enter a description for this module.

  5. Click Save.

    Your new module is listed under Modules, highlighted in green.

    You must define question sets before creating an authentication chain which includes security questions.

    Caution

    Ensure that the last module in an authentication chain has its control type set to binding, required, or requisite for maximum security.

    Caution

    Users who select the Mobile authentication option from a mobile device will not be asked for a QR Code. Instead, the user will be authenticated without being asked for any further information. Always ensure another authentication option is available to avoid users using the Mobile authentication option on mobile devices.

Next:

Configure authentication modules

Table 1. Authentication chain module types

| Option | Description |
| --- | --- |
| Password authentication | The user must enter a password. |
| Security questions | The user must successfully answer a series of questions. |
| External program | The user must verify against an external plugin. |
| Security questions with answer scores | The user must successfully answer a series of questions with a passing score for the authentication threshold. |
| Email/SMSPIN | The user must enter a PIN that is sent to the user via Email or SMS. |
| Connector package agent | Allows for authentication using either the user verify password or challenge-response authentication operations directly on applicable target systems; for example, a RADIUS Authentication or RSA Authentication Manager 7.1/8.2 target system may be used for the challenge-response. |
| Authentication chain selector | Provides features for authentication chain selection: branching to a specified chain; allowing users to select which chain to use for authentication; using an external plugin to automatically select which chain should be used. |
| Mobile authentication | The user must scan a QR Code using the Bravura One app registered on their mobile device. |
| User identification | The user must enter a user ID. This module is included in the built-in “User identification service” chain. It is not available for selection in a custom chain. |
| Federated login assertion | This module is used when Bravura Security Fabric is acting as an Identity Provider for another web application (e.g. Google, WebEx, Salesforce). It must be the last module of the last authentication chain used for all configured authentication paths, because it is the one that will redirect the user’s browser back to the Service Provider. |
| SAML Authentication | This module is used when Bravura Security Fabric is acting as a Service Provider, using one or more authentication factors from an external Identity Provider (e.g. Google or Okta). The module can be placed anywhere in the authentication path as it will not be available if the user logging in does not have an account on the target configured as the Identity Provider. |



Table 2. Authentication chain module control types

| Control type | On success… | On failure… |
| --- | --- | --- |
| binding | If the request has not failed on any earlier module in the chain, then authentication is considered complete and the user is granted access. | The request proceeds through the chain but is ultimately denied. |
| required | The request proceeds through the chain and the user is granted access, unless the request fails on another module. | It proceeds through the chain but is ultimately denied. |
| requisite | The request proceeds through the chain and, unless it fails on another module, the user is granted access. | The chain is immediately terminated and the request is denied. |
| sufficient | If the request has not failed on any earlier module in the chain, then authentication is considered complete and the user is granted access. | The result, by itself, is ignored and the request proceeds through the chain. If all modules in a chain are marked “optional” or “sufficient”, at least one of the modules must succeed to clear the authentication. |
| optional | The result, by itself, is ignored and the request proceeds through the chain. | The result, by itself, is ignored and the request proceeds through the chain. If all modules in a chain are marked “optional” or “sufficient”, at least one of the modules must succeed to clear the authentication. |
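
The control-type rules in Table 2, modeled as an added Python example (not Bravura Security Fabric code), to show why the caution about the last module's control type matters. The module names and pass/fail results are constructed, and the model assumes that an ignored failure of a sufficient or optional module does not count as an "earlier failure" for a later binding or sufficient module.

```python
# Model of the Table 2 control types; module names below are constructed.
ENFORCING = {"binding", "required", "requisite"}

def evaluate(chain, results):
    """chain: list of (module, control_type); results: {module: passed?}.
    Returns True if access is granted, False if the request is denied."""
    denied = False        # set once a binding/required module has failed
    any_success = False
    for name, control in chain:
        ok = results[name]
        any_success = any_success or ok
        if ok:
            # binding/sufficient complete authentication if nothing failed earlier
            if control in ("binding", "sufficient") and not denied:
                return True
        elif control == "requisite":
            return False  # chain is terminated immediately
        elif control in ("binding", "required"):
            denied = True  # chain continues, but is ultimately denied
        # a failed sufficient/optional module is ignored by itself
    if denied:
        return False
    if all(control not in ENFORCING for _, control in chain):
        return any_success  # all optional/sufficient: one must succeed
    return True

def last_module_is_enforcing(chain):
    """Check from the caution: last module is binding, required or requisite."""
    return bool(chain) and chain[-1][1] in ENFORCING

# Constructed chains: same modules, only the PIN control type differs.
WEAK = [("password", "required"), ("pin", "optional")]
STRICT = [("password", "required"), ("pin", "required")]
PIN_FAILED = {"password": True, "pin": False}

if __name__ == "__main__":
    for label, chain in (("weak", WEAK), ("strict", STRICT)):
        print(label,
              "granted" if evaluate(chain, PIN_FAILED) else "denied",
              "| last module enforcing:", last_module_is_enforcing(chain))
```

With the optional PIN as the last module, a failed PIN still results in access, so the chain is effectively single-factor.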