SAML Authentication Methods

Questions and Answers

If you configure an AuthPoint policy to require MFA and select both OTP and Push as authentication options, what happens when a user tries to authenticate to a resource governed by this policy?

  • The user can choose either OTP or Push authentication, but not both. (correct)
  • The user is automatically authenticated without any further action required.
  • The user will be prompted for a password first, then choose either OTP or Push.
  • The user must complete both OTP and Push authentication for access.

What is the purpose of specifying precedence for authentication policies in AuthPoint?

  • To determine which policy applies when multiple policies could govern a user's authentication. (correct)
  • To define the order in which authentication methods are presented to the user.
  • To prioritize policies based on the user's role or group membership.
  • To establish a hierarchy of authentication methods, like OTP over Push.

Which authentication method is NOT supported by RADIUS resources in AuthPoint?

  • Push
  • QR Code (correct)
  • MS-CHAPv2
  • OTP

Which authentication method is only supported by RADIUS client resources that use MS-CHAPv2 in AuthPoint?

  • Push

When determining which authentication policy to apply, what conditions does AuthPoint consider?

  • The user's group memberships, the resource they are accessing, and their IP address.

What is the primary function of AuthPoint in relation to access control?

  • To authenticate users and enforce multi-factor authentication requirements.

Which of the following is a primary concern addressed by AuthPoint's authentication policy precedence system?

  • Preventing users from accessing resources they are not authorized to use.

What does the statement "AuthPoint uses the highest policy in the list that matches the conditions of the authentication" mean?

  • The policy that matches the user's specific attributes and the resource they are accessing will take precedence.

What is the primary purpose of specifying whether an authentication policy "allows" or "denies" authentications?

  • To control which users can access a specific resource.

How does AuthPoint support the concept of "least privilege" in access control?

  • By limiting users to access only the resources they need to perform their jobs.

Study Notes

Authentication Methods

  • Authentication methods are ranked from most secure to least secure: Push notification and QR code, One-time password, and Password.
  • When a user is authenticated, they do not need to reauthenticate for SAML resources, RD Web resources, or the IdP portal unless a more secure authentication method is required.

Push Authentication

  • Push authentication involves AuthPoint sending a push notification to the user's phone, which they can either approve to authenticate or deny to prevent unauthorized access.

MFA Authentication Methods

  • Users install the AuthPoint mobile app on their phone to authenticate using one of three methods: Push Notification, QR Code, or One-Time Password (OTP).
  • Push Notification: AuthPoint sends a push notification to the user's mobile device, which they approve or deny.
  • QR Code: A QR code appears. The user scans it with the AuthPoint app, which then displays a verification code for the user to type to authenticate.
  • One-Time Password (OTP): The user provides a unique, temporary password generated by the AuthPoint app to authenticate.

AuthPoint Components

  • AuthPoint Management UI: Where users set up and manage users, user groups, resources, authentication policies, policy objects, corporate applications, external identities, and the AuthPoint Gateway.
  • Resources: Applications defined for use with AuthPoint.
  • Authentication policies: Specify which resources AuthPoint users can authenticate to and which authentication methods they can use.

AuthPoint Authentication

  • Each authentication policy specifies whether the policy allows or denies authentications.
  • If MFA is required, the policy specifies whether a password is required and which authentication options are allowed.
  • Users can choose one of the available authentication options when they authenticate to a resource.
  • For RADIUS authentication, push and OTP authentication methods are available, but not QR code.
  • RADIUS client resources that use MS-CHAPv2 only support the Push authentication method.

Policy Precedence

  • Precedence determines which authentication policy to use when multiple policies could apply to a user authentication.
  • The order of authentication policies determines which policy applies.
  • AuthPoint uses the highest policy in the list that matches the conditions of the authentication, including the resource, user group, and IP address.

Quiz Team

Related Documents

WatchGuard Training PDF

Description

Learn about the different authentication methods used in SAML, including push notification, one-time password, and password, and how they affect user sessions.
