56.4 SecurID Authentication Modes

The following scenarios illustrate the three modes of operation:

56.4.1 Standard SecurID Authentication

Here is an overview of the process that occurs when a user attempts to access a resource protected by the SecurID authentication scheme.

For information on Credential Collectors, see Understanding Credential Collection and Login.

Process overview: When the user requests a resource

  1. The WebGate intercepts the resource request and queries the Access Server to determine if and how the resource is protected, and if the user is authenticated.

  2. The OAM SecurId Server queries the directory for the authentication scheme, and receives authentication information from the directory.

  3. The WebGate redirects to the Credential Collector, which presents a form challenging the user for a two-part SecurID Passcode.

  4. The user submits credentials to the Credential Collector.

  5. The Credential Collector hands off the credentials to the OAM SecurId Server.

  6. The SecurID Authentication API on the OAM SecurId Server performs the authentication dialog and sends an LDAP bind to the Authentication Manager.

  7. The Authentication Manager database matches the SecurID passcode to the user ID and returns a success response to the Authentication Manager, which matches the user's PIN.

  8. The Authentication Manager returns the response to its Agent, the OAM SecurId Server.

  9. When the user's credentials are valid, SecurID authentication is successful. The OAM SecurId Server creates a session for the user and redirects the user to the WebGate, which then queries the OAM SecurId Server for resource authorization.

  10. The OAM SecurId Server evaluates the authorization request, which allows or denies access based upon the authorization rule.

  11. When access is granted, the OAM SecurId Server passes authorization to the WebGate, which presents the resource to the user.

56.4.2 SecurID Next Tokencode Authentication

When Next Tokencode mode is On, the user must supply the next tokencode on their SecurID token.

This mode can be triggered when:

  • An incorrect Passcode was provided repeatedly during login. When a user attempts authentication with incorrect passcodes four consecutive times, the Authentication Manager turns on Next Tokencode mode, as noted in the Authentication Manager's Activity Report. The next time the user successfully authenticates with their correct Passcode, they are challenged for the next tokencode that appears on their SecurID token.

  • The Authentication Manager requires confirmation of, or synchronization with the token. Even with a correct Passcode, the Authentication Manager Administrator might set the Next Tokencode mode On to force the user to confirm that they have the SecurID token or to synchronize the token with the Authentication Manager. When Next Tokencode mode is On, the Next Tokencode challenge form is presented to the user immediately following a successful login.

Process overview: When Next Tokencode is On

  1. The Credential Collector presents a form to challenge the user for the next tokencode on the token following a successful login.

  2. The user enters a username, waits 60 seconds, then enters the next tokencode on the SecurID token.

  3. When the tokencode is correct, the Passcode the user originally entered is accepted and the user is authenticated.

56.4.3 SecurID New PIN Authentication

When the user is required to have a new PIN, the Credential Collector prompts the user with specific forms.

Process overview: When New PIN is required

  1. The Credential Collector presents a form that allows the user to enter the PIN they want.

  2. The user enters the new PIN and then re-enters the new PIN to complete the form.

  3. The OAM SecurID Server forwards the information to the Authentication Manager.

  4. The Authentication Manager registers the new PIN, which becomes part of the Pincode the user must supply during subsequent logins.

  5. The Login Form appears again where the user enters the username and Passcode for a forced re-authentication.
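The three procedures above (standard passcode matching in 56.4.1, Next Tokencode mode in 56.4.2, and New PIN mode in 56.4.3) describe one authentication dialog with three outcomes. The following is an added, constructed simulation of the Authentication Manager side of that dialog as the OAM SecurId Server agent would see it; it is not Oracle's or RSA's code. The tokencode generator is a stand-in (an HMAC over the 60-second interval, not the real SecurID algorithm), the user, seed and PINs are invented, and the strict "next interval only" check in `next_tokencode` is an assumption made for clarity.

```python
"""Constructed simulation of the SecurID-style dialog: standard passcode
check, Next Tokencode mode (after four consecutive bad passcodes or by
administrator action), and New PIN mode followed by forced re-authentication.
Not Oracle's or RSA's code; tokencode algorithm and all data are stand-ins."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

MAX_CONSECUTIVE_FAILURES = 4   # the page: four bad passcodes turn Next Tokencode on
TOKEN_STEP_SECONDS = 60        # the page: the user waits 60 seconds for the next code


class Result(Enum):
    ACCESS_OK = "access_ok"
    ACCESS_DENIED = "access_denied"
    NEXT_TOKENCODE_REQUIRED = "next_tokencode_required"
    NEW_PIN_REQUIRED = "new_pin_required"


def tokencode(seed: bytes, now: int) -> str:
    """Toy time-based tokencode: six digits from the current 60 s interval.
    Assumption: a deterministic stand-in, NOT the real SecurID algorithm."""
    interval = now // TOKEN_STEP_SECONDS
    mac = hmac.new(seed, interval.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


@dataclass
class TokenRecord:
    seed: bytes
    pin: str
    failures: int = 0                       # consecutive bad passcodes
    next_tokencode_mode: bool = False       # set by the failure counter or an admin
    new_pin_required: bool = False          # set by an admin
    awaiting_next_from: Optional[int] = None  # interval of the accepted passcode
    pin_dialog_open: bool = False           # New PIN form may only follow a valid passcode


class AuthenticationManager:
    """Authentication Manager as seen by its agent (the OAM SecurId Server)."""

    def __init__(self, records: dict[str, TokenRecord]) -> None:
        self.records = records
        self.activity_report: list[str] = []   # the page's Activity Report, simplified

    def authenticate(self, user: str, passcode: str, now: int) -> Result:
        """Standard flow step 7: match the two-part passcode (PIN + tokencode)."""
        rec = self.records.get(user)
        if rec is None:
            self.activity_report.append(f"{user}: unknown user")
            return Result.ACCESS_DENIED
        expected = rec.pin + tokencode(rec.seed, now)
        if not hmac.compare_digest(passcode.encode(), expected.encode()):
            rec.failures += 1
            self.activity_report.append(f"{user}: bad passcode ({rec.failures})")
            if rec.failures >= MAX_CONSECUTIVE_FAILURES and not rec.next_tokencode_mode:
                rec.next_tokencode_mode = True
                self.activity_report.append(f"{user}: Next Tokencode mode ON")
            return Result.ACCESS_DENIED
        rec.failures = 0
        if rec.next_tokencode_mode:
            # Passcode is correct, but the user must still prove possession of the token.
            rec.awaiting_next_from = now // TOKEN_STEP_SECONDS
            return Result.NEXT_TOKENCODE_REQUIRED
        if rec.new_pin_required:
            rec.pin_dialog_open = True
            return Result.NEW_PIN_REQUIRED
        return Result.ACCESS_OK

    def next_tokencode(self, user: str, code: str, now: int) -> Result:
        """Next Tokencode step 3: the code of the following interval confirms the token."""
        rec = self.records.get(user)
        if rec is None or rec.awaiting_next_from is None:
            return Result.ACCESS_DENIED
        wanted_interval = rec.awaiting_next_from + 1
        rec.awaiting_next_from = None          # one attempt per challenge
        expected = tokencode(rec.seed, wanted_interval * TOKEN_STEP_SECONDS)
        if now // TOKEN_STEP_SECONDS == wanted_interval and hmac.compare_digest(
            code.encode(), expected.encode()
        ):
            rec.next_tokencode_mode = False
            self.activity_report.append(f"{user}: Next Tokencode mode OFF")
            return Result.ACCESS_OK
        self.activity_report.append(f"{user}: bad next tokencode")
        return Result.ACCESS_DENIED

    def require_next_tokencode(self, user: str) -> None:
        """Administrator forces token confirmation/synchronization (56.4.2, second bullet)."""
        self.records[user].next_tokencode_mode = True
        self.activity_report.append(f"{user}: Next Tokencode mode ON (admin)")

    def require_new_pin(self, user: str) -> None:
        self.records[user].new_pin_required = True

    def set_new_pin(self, user: str, pin: str, confirm: str) -> bool:
        """New PIN steps 2-4: register the PIN only after a valid passcode opened the
        dialog and both entries match. Grants no session: the user logs in again (step 5)."""
        rec = self.records.get(user)
        if rec is None or not rec.pin_dialog_open or pin != confirm or not pin.isdigit():
            return False
        rec.pin, rec.new_pin_required, rec.pin_dialog_open = pin, False, False
        self.activity_report.append(f"{user}: new PIN registered")
        return True


def demo() -> dict[str, Result]:
    """Walk one constructed user through all three modes in order."""
    seed = b"constructed-seed-not-a-real-token"
    am = AuthenticationManager({"alice": TokenRecord(seed=seed, pin="1234")})
    t0 = 1_700_000_000
    out: dict[str, Result] = {}
    out["standard"] = am.authenticate("alice", "1234" + tokencode(seed, t0), t0)
    for _ in range(MAX_CONSECUTIVE_FAILURES):          # four bad passcodes
        am.authenticate("alice", "0000000000", t0)
    out["after_lockout"] = am.authenticate("alice", "1234" + tokencode(seed, t0), t0)
    t1 = t0 + TOKEN_STEP_SECONDS                        # user waits 60 seconds
    out["next_tokencode"] = am.next_tokencode("alice", tokencode(seed, t1), t1)
    am.require_new_pin("alice")
    out["new_pin_prompt"] = am.authenticate("alice", "1234" + tokencode(seed, t1), t1)
    am.set_new_pin("alice", "9876", "9876")
    out["reauth_old_pin"] = am.authenticate("alice", "1234" + tokencode(seed, t1), t1)
    out["reauth_new_pin"] = am.authenticate("alice", "9876" + tokencode(seed, t1), t1)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:16s} {result.value}")
```

Two design points match the text: a correct passcode after the fourth failure does not grant access but opens the Next Tokencode challenge, so the lockout is visible in the activity report rather than silently absorbed, and `set_new_pin` never creates a session, which is why the final two calls in `demo()` are a forced re-authentication in which the old PIN is refused and the new one accepted.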