17.4.1.11. Selection of authentication method (mixing multiple token-types)

Airlock IAM supports many different token types (MTAN, OTP, CrontoSign, Matrixcards, etc.). Token types can be mixed, i.e. used at the same time, in different ways.

This page lists the different ways to mix authentication token types.

Most of the listed selection methods are applicable to second authentication steps, because the user has to be known.

Some of them work with the "Main Authenticator", others do not. If using a selection method that is not compatible with the "Main Authenticator", use the "Meta Authenticator" plugin instead.

Types of authentication token selection

Some of the listed plugins may require special licensing. If a plugin is not available in the ConfigEditor, check the box "Show unlicensed Plugins" to find out whether it is missing because of licensing. To upgrade the license, please contact order@airlock.com

The table is valid for the Loginapp (JSP) (form-based authentication) and does not apply to the Loginapp REST UI. See separate documentation for the latter.

The following table lists the most important plugins that allow selecting an authentication token type from a set of configured types:

| Plugin | Description | As first step? | As the second step? |
|---|---|---|---|
| Auth Method Based Authenticator Selector | Chooses the authentication method based on the active authentication method stored in the user's profile. The Adminapp allows setting the active authentication method (also via the REST API). This is by far the most frequently used method and is supported in conjunction with the "Main Authenticator". Note: The "Meta Authenticator" also implements this type of selection. | | Yes |
| Role-Based Authenticator Selector | Chooses the authentication method based on the user's roles (or group membership). This is useful if the user schema is given by an external system (e.g. a user directory) which cannot be extended to contain an "authentication method" attribute. Used for example with Active Directory. | | Yes |
| Selection Authenticator | Lets the user choose the authentication method (at login time). See 17.4.1.11.1. Selection Authenticator: User chooses 2nd Factor | | Yes |
| Credential Based Authenticator Selector | Chooses the authentication method based on the user's input in response to the challenge of the active authentication method. Example (configuration example): the user's active authentication method is MTAN/SMS; instead of entering the SMS token, the user enters for example "OTP" to switch to OTP authentication. | | Yes |
| User-Based Authenticator Selector | The authentication method is chosen based on the username (regular expression). Example: All users ending with "@myhost.com" use a hardware OTP token. All others use MTAN/SMS. | Yes | Yes |
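The username-based selection described for the User-Based Authenticator Selector, as an added example (not Airlock IAM code or configuration) built on the page's "@myhost.com" rule. It checks which method lookalike usernames would receive before such a pattern is deployed. The method names, the rule layout, and the matching semantics (whole-string versus find-anywhere, case-insensitive) are assumptions.

```python
import re

# Constructed rule list modelling the page's example: usernames ending in
# "@myhost.com" use a hardware OTP token, all others use MTAN/SMS.
# Method names and rule layout are illustrative, not Airlock IAM configuration.
RULES = [
    (r"[^@\s]+@myhost\.com", "HARDWARE_OTP"),
]
DEFAULT_METHOD = "MTAN_SMS"


def select_method(username, rules=RULES, default=DEFAULT_METHOD, anchored=True):
    """Return the method of the first rule whose pattern matches the username.

    anchored=True requires the pattern to cover the whole username
    (re.fullmatch); anchored=False models a "find anywhere" match (re.search).
    Matching is case-insensitive here, which is an assumption of this example.
    """
    name = username.strip()
    for pattern, method in rules:
        regex = re.compile(pattern, re.IGNORECASE)
        hit = regex.fullmatch(name) if anchored else regex.search(name)
        if hit:
            return method
    return default


def audit(usernames):
    """Map each username to (anchored result, unanchored result) for review."""
    return {
        u: (select_method(u, anchored=True), select_method(u, anchored=False))
        for u in usernames
    }


if __name__ == "__main__":
    # Constructed usernames, including lookalikes an administrator should test.
    samples = [
        "alice@myhost.com",
        "bob@example.org",
        "carol@myhost.com.example.org",
        "dave@myhostXcom",
    ]
    for user, (strict, loose) in audit(samples).items():
        flag = "" if strict == loose else "  <-- differs"
        print(f"{user:32} anchored={strict:13} unanchored={loose}{flag}")
```

Any username for which the two columns differ, or which lands on an unexpected method, points to a pattern that needs anchoring or an escaped dot.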