Airlock IAM supports many different token types (MTAN, OTP, CrontoSign, Matrixcards, etc.). Token types can be mixed, i.e. used at the same time, in several different ways.
This page lists the different ways to mix authentication token types.
Most of the listed selection methods apply to the second authentication step, because the user must already be known (identified in the first step) before a per-user token type can be selected.
Some of them work with the "Main Authenticator", others do not. When using a selection method that is not compatible with the "Main Authenticator", use the "Meta Authenticator" plugin instead.
Types of authentication token selection
Some of the listed plugins may require special licensing. If a plugin is not available in the ConfigEditor, check the box "Show unlicensed Plugins" to find out whether it is missing because of licensing. If you are interested in upgrading the license, please contact order@airlock.com.
The table is valid for the Loginapp (JSP) (form-based authentication) and does not apply to the Loginapp REST UI. See the separate documentation for the latter.
The following table lists the most important plugins that allow selecting an authentication token type from a set of configured types:
| Plugin | Description | As first step? | As the second step? |
| Auth Method Based Authenticator Selector | Chooses the authentication method based on the active authentication method stored in the user's profile. The Adminapp allows setting the active authentication method (also via the REST API). This is by far the most frequently used method and is supported in conjunction with the "Main Authenticator". Note: The "Meta Authenticator" also implements this type of selection. | | |
| Role-Based Authenticator Selector | Chooses the authentication method based on the user's roles (or group membership). This is useful if the user schema is given by an external system (e.g. a user directory) which cannot be extended to contain an "authentication method" attribute. Used, for example, with Active Directory. | | |
| Selection Authenticator | Lets the user choose the authentication method (at login time). See 17.4.1.11.1. Selection Authenticator: User chooses 2nd Factor. | | |
| Credential Based Authenticator Selector | Chooses the authentication method based on the user's input in response to the active authentication method's challenge. Example (configuration example): | | |
| User-Based Authenticator Selector | The authentication method is chosen based on the username (regular expression). Example: all users whose name ends with "@myhost.com" use a hardware OTP token; all others use MTAN/SMS. | | |