Satisfying the authentication scheme of a given level provides access to all resources protected at lower levels. Additionally, all authentication schemes of a given level are viewed as equivalent.
This section provides a simple session enforcement example based on a single authentication scheme used in two application domains as well as a more complex example based on multiple authentication schemes used in two application domains.
Consider the following configuration:
A single authentication scheme (S1) defined using Level 2
Application domains D1 and D2
All resources within each domain are protected with a single authentication policy, which uses S1, and a single authorization policy.
Global Session Configuration:
Session Lifetime: 90 minutes
Idle Session Timeout: 0 (session never idles out)
Application Domain Timeout: 30 minutes
Now consider the outcomes in Table 16-5.
Table 16-5 Session Content: Single Authentication Scheme
| Time (Delta) | Action | Access Allowed or Denied | Session Content |
|---|---|---|---|
|
0 |
Access to D1 |
Denied due to no session |
null |
|
1 |
Authentication with S1 and Access to D1 |
Allowed because Authentication scheme is satisfied |
Level 2, authentication time 1 |
|
21 |
Access to D2 |
Allowed |
Level 2, authentication time 1 |
|
66 |
Access to D1 |
Denied due to Application Domain Timeout (based on the parameters configured) |
Level 2, authentication time 1 |
|
67 |
Authentication with S1 and Access to D1 and D2 |
Both Allowed because the Authentication Sceme is satisfied |
Level 2, authentication time 67 |
In previous releases of Access Manager, a session could only have its authentication level reduced in the context of an Oracle Identity Management integration self-service flow (such as forced password reset). In this release, step-down authentication occurs when a session times out as a matter of course--until the user happens to provide new credentials that satisfy a scheme of the same level as the maximum held by the session previously. Otherwise, from the authentication perspective, it is as if the session is new and further step-up is required. Consider this example with two authentication schemes (for step-up and step-down).
Authentication schemes S1 (Level 2) and S2 (Level 3)
Application domains D1 and D2
All resources within each domain are protected with a single authentication policy, and a single authorization policy
D1 uses S1; D2 uses S2
Global Session Configuration:
Session Life: 240 mins
Idle Timeout: 30 mins
Appdomain 2 (D2) Timeout: 15 mins (appdomain setting)
When accessing resources from D1, timeout will occur after 30 minutes (global timeout setting); D2 timeout will happen after 15 mins since its timeout value is overridden at the global level. Table 16-6 shows the resulting outcomes.
Table 16-6 Session Outcomes: Multiple Authentication Schemes
| Time (Delta) | Action | Access Allowed or Denied | Session Content |
|---|---|---|---|
|
0 |
Access D1 resource (RD1) |
Access allowed after successful login |
Timeout for D1 will be set to 0+30=30 (30 is default global timeout as D1 has not overriden timeout at the Application Domain level) |
|
1 (implies after 1 minute) |
Access D2 resource (RD2) |
Access allowed post credential challenge (user will be prompted for credentials since D2 is protected using a higher authentication scheme) |
Timeout of D2 will be set to 1+15=16 |
|
t>16 and t<30 (say t=20) |
Access RD1 and RD2 |
Allowed access to RD1 because timeout of D1=30. Allowed access to RD2 after providing credentials since timeout of D2=16 |
The new timeout of D2 is 16 |
|
40 |
Access RD1 |
Allowed: D1 resource will be allowed since timeout is 50 |
|
|
55 |
Access RD1 and RD2 |
Allowed to access both resources after user is successfully challenged for credentials. |
Timeout of D1 is now 85 (55+30) Timeout of D2 is now 70 (55+15) |
The access order does have an impact on the outcome. For instance, the last D1 access could have been allowed if the user had chosen to first pursue access to the D2 application after credentials had expired. For example:
Authentication S2 with Access to D2 Allowed: L3 scheme satisfied; resulting level of the now (again) active session same as before. Session Content: Level 3, authentication time 51
Access to D1 Allowed: Level 3 credentials also sufficient for Level 2-protected access. Session Content: Level 3, authentication time 51.