PingAM 8.0.0

Session upgrade

Authenticated sessions can be upgraded to provide access to sensitive resources.

Consider a website for a university. Some resources, such as courses and degree catalogs, are free for anyone to access and don’t need to be protected. The university also provides the students with a portal they can use to access their grades. This portal is protected with a policy that requires users to authenticate. To pay tuition, students are required to present additional credentials to increase their authentication level and gain access to these functions.

Allowing authenticated users to provide additional credentials to access sensitive resources is called session upgrade. Session upgrade is AM’s mechanism to perform step-up authentication.

What triggers a session upgrade?

Session upgrade is triggered in the following situations:

  • An authenticated user is redirected to a URL that has the ForceAuth parameter set to true.

    For example, https://am.example.com:8443/am/XUI/?realm=/alpha&ForceAuth=true#login

    In this case, the user is asked to reauthenticate to the default authentication service in the alpha realm.

    When a new authenticated session is created, the old authenticated session should no longer be valid. For client-side sessions, invalidating the old session depends on the value of the Enable Session Denylisting configuration option:

    • If this option is false (default), both the old and new authenticated sessions are considered valid after the session upgrade.

    • If this option is true, the old authenticated session is no longer valid

  • An authenticated user tries to access a resource protected by a web or Java agent, or a custom policy enforcement point (PEP).

    In this case, AM sends the agent or PEP an advice that the user must perform one of the following actions:

    • Authenticate at an authentication level greater than the current level

    • Authenticate using a specific tree

    The session upgrade flow during policy evaluation is as follows:

    1. An authenticated user tries to access a resource.

    2. The PEP, for example a web or Java agent, sends the request to AM for an authorization decision.

    3. AM returns an authorization decision that denies access to the resource, and returns an advice indicating that the user must present additional credentials to access the resource.

    4. The policy enforcement point sends the user back to AM for session upgrade.

    5. The user provides additional credentials. For example, they might provide a one-time password, swipe their phone screen, or use face recognition.

    6. AM authenticates the user.

    7. The user can now access the sensitive resource.

Session upgrade outcomes

The following outcomes can result from a session upgrade:

Successful

AM performs one of the following actions depending on the type of authenticated session configured for the realm:

  • If the realm is configured for server-side authenticated sessions, the resulting action depends on the mechanism used to perform session upgrade:

    • When using the ForceAuth parameter, AM issues new session tokens to users on reauthentication, even if the current authenticated session already meets the security requirements.

    • When using advices, AM copies the session properties to a new authenticated session and hands the client a new session token to replace the original one. The new authenticated session reflects the successful authentication to a higher level.

  • If the realm is configured for client-side authenticated sessions, AM hands the client a new session token to replace the original one. The new authenticated session reflects the successful authentication to a higher level.

Unsuccessful

AM leaves the authenticated session as it was before the attempt at stronger authentication.

If session upgrade fails because the login page times out, AM redirects the user’s browser to the success URL from the last successful authentication.

Anonymous sessions can be upgraded to non-anonymous sessions by using the Anonymous Session Upgrade node.

Session upgrade prerequisites

  • Configure a PEP, for example, a web or Java agent, that enforces AM policies on a website or application.

    AM web and Java agents handle session upgrade without additional configuration because the agents are built to handle AM’s advices. If you build your own PEPs, you must take advices and session upgrade into consideration.

    Learn more in the Web Agents and Java Agents documentation, and in Request policy decisions over REST (For RESTful PEPs).

  • Configure an authorization policy to protect a resource protected by the Java or web agent, or a RESTful PEP.

    The following example policy allows GET and POST access to the *://*:*/sample/* resource to any authenticated user:

    Only authenticated users can access the resource

To track an authenticated session through a session upgrade, enable the cross-upgrade session reference property, which retains its value throughout the session lifecycle. Enabling this property ensures the session reference is recorded in the audit logs.

Configure AM for session upgrade

  1. Configure an authentication tree that validates a user’s credentials during session upgrade.

    No additional configuration is required to perform session upgrade.

    Because session upgrade is a mechanism that can be used to grant users access to sensitive information, consider configuring a strong authentication method such as multi-factor authentication (MFA). Also consider session lifetime in your environment. For example, if users should only have access to the protected resource to perform an operation, such as checking the balance of an account, consider implementing transactional authorization instead.

  2. Configure at least one of the following environment conditions in the authentication policy that you created as part of the prerequisites:

    • Authentication level (greater than or equal to)

      Use this condition to present a list of authentication trees that provide a greater or equal authentication level to the one specified in the condition. The user can choose a tree if more than one tree meets the criteria of the condition.

      The following policy requires an authentication tree that provides an authentication level of 3 or greater:

      Session upgrade authentication by authentication level environment condition

    • Authentication by service

      Use this condition to specify the authentication tree the user must authenticate through. For example, the following policy requires the user to sign on using the Example tree:

      Session upgrade authentication by service environment condition

      Authentication tree names are case-sensitive.

    You can find more information about configuring policies and environment conditions in Policies.

  3. Test session upgrade using a browser or REST:

Perform session upgrade with a browser

To upgrade an authenticated session using a browser, perform the following steps:

  1. Ensure you have performed the tasks in Session upgrade prerequisites and Configure AM for session upgrade.

  2. In a browser, go to your protected resource.

    For example, http://www.example.com:9090/sample.

    The agent redirects the browser to the AM login screen.

  3. Sign on to AM as the user that should access the resource. For example, sign on as bjensen.

    AM requires additional credentials to grant access to the resource. For example, if you set the policy environment condition to Authentication by Service and Example, you will be required to sign on again as bjensen.

  4. Authenticate as bjensen.

    Providing credentials for a different user will fail.

    You can now access the protected resource.

Perform session upgrade over REST

To upgrade an authenticated session using REST, perform the following steps:

  1. Ensure you have performed the tasks in Session upgrade prerequisites and Configure AM for session upgrade.

  2. Sign on as an administrative user that has permission to evaluate policies, such as amAdmin.

    For example:

    $ curl \
--request POST \
--header "Content-Type: application/json" \
--header "X-OpenAM-Username: amadmin" \
--header "X-OpenAM-Password: password" \
--header "Accept-API-Version: resource=2.0, protocol=1.0" \
'https://am.example.com:8443/am/json/realms/root/realms/alpha/authenticate'
{
    "tokenId":"AQIC5wM…​TU3OQ*",
    "successUrl":"/am/console",
    "realm":"/alpha"
}

    You can also assign privileges to a user to evaluate policies.

  3. Sign on as the user that should access the resources.

    For example, sign on as bjensen:

    $ curl \
--request POST \
--header "Content-Type: application/json" \
--header "X-OpenAM-Username: bjensen" \
--header "X-OpenAM-Password: Ch4ng31t" \
--header "Accept-API-Version: resource=2.0, protocol=1.0" \
'https://am.example.com:8443/am/json/realms/root/realms/alpha/authenticate'
{
    "tokenId":"AQIC5wM…​TU3OQ*",
    "successUrl":"/am/console",
    "realm":"/alpha"
}

  4. Request a policy decision from AM for a protected resource, in this case, https://am.example.com:9090/sample.

    The iPlanetDirectoryPro header sets the SSO token for the administrative user, and the subject element of the payload sets the SSO token for bjensen.

    Example 
    $ curl --request POST \
 --header "Content-Type: application/json" \
 --header "iPlanetDirectoryPro: AQIC5wM2…​" \
 --header "Accept-API-Version:protocol=1.0,resource=2.1" \
 --data '{
 "resources": [
     "http://www.example.com:9090/sample"
 ],
 "application": "iPlanetAMWebAgentService",
 "subject": { "ssoToken": "AQIC5wM…​TU3OQ*"}
}' \
"https://am.example.com:8443/am/json/realms/root/realms/alpha/policies?_action=evaluate"
[
   {
      "resource":"http://www.example.com:9090/sample",
      "actions":{

      },
      "attributes":{

      },
      "advices":{
         "AuthLevelConditionAdvice":[
            "3"
         ]
      },
      "ttl":9223372036854775807
   }
]

    AM returns an advice, which means that the user must present additional credentials to access that resource.

    You can find more information about requesting policy decisions in Request policy decisions over REST.

  5. Format the advice as XML, without spaces or line breaks.

    The following example is spaced and tabulated for readability purposes only:

    <Advices>
    <AttributeValuePair>
       <Attribute name="AuthLevelConditionAdvice"/>
       <Value>3</Value>
    </AttributeValuePair>
</Advices>

    The example shows the XML render of a single advice. Depending on the conditions configured in the policy, the advice may contain several lines. Learn more in Policy decision advice.

  6. URL-encode the XML advice.

    For example:

    %3CAdvices%3E%3CAttributeValuePair%3E%3CAttribute%20name%3D%22AuthLevelConditionAdvice%22%2F%3E%3CValue%3E3%3C%2FValue%3E%3C%2FAttributeValuePair%3E%3C%2FAdvices%3E

    Ensure there are no spaces between tags when URL-encoding the advice.

  7. Call AM’s authenticate endpoint to request information about the advice.

    Use the following details:

    • Add the following URL parameters:

      • authIndexType=composite_advice

      • authIndexValue=URL-encoded-Advice

    • Set the iPlanetDirectoryPro cookie as the SSO token for bjensen.

    Example 
    $ curl --request POST \
--header "Content-Type: application/json" \
--cookie "iPlanetDirectoryPro=AQIC5wM…​TU3OQ*" \
--header "Accept-API-Version: protocol=1.0,resource=2.1" \
'https://am.example.com:8443/am/json/realms/root/realms/alpha/authenticate?authIndexType=composite_advice&authIndexValue=%3CAdvices%3E%3CAttributeValuePair%3E…​'
{
   "authId":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoSW5kZ…​",
   "template":"",
   "stage":"DataStore1",
   "header":"Sign in",
   "callbacks":[
      {
         "type":"NameCallback",
         "output":[
            {
               "name":"prompt",
               "value":"User Name:"
            }
         ],
         "input":[
            {
               "name":"IDToken1",
               "value":""
            }
         ]
      },
      {
         "type":"PasswordCallback",
         "output":[
            {
               "name":"prompt",
               "value":"Password:"
            }
         ],
         "input":[
            {
               "name":"IDToken2",
               "value":""
            }
         ]
      }
   ]
}

    AM returns information about how the user can authenticate in a callback. In this case, providing a username and password. You can find a list of possible callbacks, and more information about the /json/authenticate endpoint in Authenticate over REST.

  8. Call AM’s authenticate endpoint to provide the required callback information.

    Use the following details:

    • Add the following URL query parameters:

      • authIndexType=composite_advice

      • authIndexValue=URL-encoded-Advice

    • Set the iPlanetDirectoryPro cookie as the SSO token for bjensen.

    • Send as data the complete payload AM returned in the previous step, ensuring you provide the requested callback information.

      Provide the username and password for bjensen in the input objects.

    Example 
    $ curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Accept-API-Version: protocol=1.0,resource=2.1" \
  --cookie "iPlanetDirectoryPro=AQIC5wM…​TU3OQ*" \
  --data '{
      "authId": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdXRoSW5kZ…​",
      "template": "",
      "stage": "DataStore1",
      "header": "Sign in",
      "callbacks": [
        {
          "type": "NameCallback",
          "output": [
            {
              "name": "prompt",
              "value": "User Name:"
            }
          ],
          "input": [
            {
              "name": "IDToken1",
              "value": "bjensen"
            }
          ]
        },
        {
          "type": "PasswordCallback",
          "output": [
            {
              "name": "prompt",
              "value": "Password:"
            }
          ],
          "input": [
            {
              "name": "IDToken2",
              "value": "Ch4ng31t"
            }
          ]
        }
      ]
    }' \
'https://am.example.com:8443/am/json/realms/root/realms/alpha/authenticate?authIndexType=composite_advice&authIndexValue=%3CAdvices%3E%3CAttributeValuePair%3E…​'
{
   "tokenId":"wpU01SaTq4X2x…​NDVFMAAlMxAAA.*",
   "successUrl":"/am/console",
   "realm":"/alpha"
}

    AM returns a new SSO token for bjensen.

  9. Request a new policy decision from AM for the protected resource.

    The iPlanetDirectoryPro header sets the SSO token for the administrative user, and the subject element of the payload sets the new SSO token for bjensen:

    Example 
    $ curl --request POST \
--header "Content-Type: application/json" \
--header "iPlanetDirectoryPro: AQIC5wM2…​" \
--header "Accept-API-Version:protocol=1.0,resource=2.1" \
--data '{
   "resources":[
      "http://www.example.com:9090/sample"
   ],
   "application":"iPlanetAMWebAgentService",
   "subject":{
      "ssoToken":"wpU01SaTq4X2x…​NDVFMAAlMxAAA.*"
   }
}' \
"https://am.example.com:8443/am/json/realms/root/realms/alpha/policies/policies?_action=evaluate"

[
   {
      "resource":"http://www.example.com:9090/sample",
      "actions":{
         "POST":true,
         "GET":true
      },
      "attributes":{

      },
      "advices":{

      },
      "ttl":9223372036854775807
   }
]

    AM returns that bjensen can perform POST and GET operations on the resource.