17.4.1.13.2.3. Combination with step-up authentication

After successfully validating the remember-me cookie, the user's session is granted the user's roles (+ optionally some statically configured roles).

This may give the user access to some applications but not all. If 10.4. step-up authentication is configured to access other applications, this results in the following use case:

  • User is automatically logged in and can access some applications, say A and B (but not C).
  • When trying to access application C, strong authentication is required
  • Step-up Authentication ensures that the user only has to enter the second factor (e.g. SMS OTP or challenge response).