An Authentication Scheme determines which Authentication Methods are available to a Service Provider (SP). An Authentication Scheme is applied to a Service Provider (except for API SPs).
Each Authentication Method determines which Identity Provider(s) (IDPs) can authenticate the user.
Some Authentication Methods are more secure than others. The Authentication Scheme configuration determines which Authentication Method is considered more secure than another.
Note: Before creating an Authentication Scheme, make sure you have created at least one appropriate Authentication Method.
The configuration of an Authentication Scheme consists of three parts:
- Display name: A user defined name for the Authentication Scheme.
- Type: Defines how the user authenticates (see "Authentication Level" and "Multi-Factor Authentication" below).
- Assign Methods: Selecting the Authentication Methods (see "Assign Methods and Method Prioritization" below).
Authentication Level
This type offers the end-user a choice of Authentication Methods. The user picks one of the assigned authentication options (and, where applicable, the IDP) and authenticates with it.
The ranking of the assigned methods is used to determine the Comparison level (see Comparison).
Multi-Factor Authentication
This type forces the user to complete every assigned Authentication Method; authentication succeeds only when all of them have been completed.
For example, a user must log in with a username and password and then also provide a one-time password (OTP).
Assign Methods and Method Prioritization
After choosing the authentication type, select which Authentication Methods can be used within the scheme.
You add or remove Authentication Methods by moving them between the "Available Authentication Methods" column and the "Assigned Methods" column.
Assigned Methods are ranked in order of security: the most secure method at the top, the least secure at the bottom.
Note: it is not possible to assign two Authentication Methods that share the same Identity Provider and Authentication Context.
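To make the two scheme types, the ranking and the assignment rule concrete, here is a small model, added as an example and not the product's own code. The scheme names, IDP names and context URNs are made up, and the four comparison operators (exact, minimum, maximum, better) are an assumption borrowed from SAML's RequestedAuthnContext Comparison attribute, since the page only states that the ranking determines the Comparison level.

```python
"""Model of an Authentication Scheme: its type, ranked methods and the checks they imply.
Added example, not the product's own code. Comparison operators are assumed to follow
SAML's RequestedAuthnContext Comparison values; the page only says the ranking
determines the comparison level."""
from dataclasses import dataclass
from enum import Enum


class SchemeType(Enum):
    AUTHENTICATION_LEVEL = "authentication_level"  # user completes one of the assigned methods
    MULTI_FACTOR = "multi_factor"                  # user completes every assigned method


class Comparison(Enum):
    EXACT = "exact"      # only the requested method
    MINIMUM = "minimum"  # the requested method or any ranked above it
    MAXIMUM = "maximum"  # the requested method or any ranked below it
    BETTER = "better"    # only methods ranked strictly above the requested one


@dataclass(frozen=True)
class AuthenticationMethod:
    name: str
    idp: str      # Identity Provider that performs the authentication
    context: str  # Authentication Context (hypothetical URNs in the sample data)


class AuthenticationScheme:
    def __init__(self, display_name, scheme_type, assigned_methods):
        if not assigned_methods:
            raise ValueError("a scheme needs at least one assigned Authentication Method")
        # Rule from the page: no two methods may share IDP and Authentication Context.
        seen = set()
        for m in assigned_methods:
            key = (m.idp, m.context)
            if key in seen:
                raise ValueError(f"two methods share IDP and context {key}")
            seen.add(key)
        self.display_name = display_name
        self.type = scheme_type
        # Order of the "Assigned Methods" column: index 0 is the most secure method.
        self.assigned = list(assigned_methods)

    def level(self, method):
        """Security level derived from the ranking: top of the list is the highest."""
        if method not in self.assigned:
            raise ValueError(f"{method.name} is not assigned to scheme {self.display_name!r}")
        return len(self.assigned) - self.assigned.index(method)

    def acceptable_methods(self, requested, comparison):
        """Authentication Level type: methods the user may pick to satisfy a request
        for `requested` under the given Comparison."""
        if self.type is not SchemeType.AUTHENTICATION_LEVEL:
            raise ValueError("comparison applies only to Authentication Level schemes")
        want = self.level(requested)
        rules = {
            Comparison.EXACT: lambda have: have == want,
            Comparison.MINIMUM: lambda have: have >= want,
            Comparison.MAXIMUM: lambda have: have <= want,
            Comparison.BETTER: lambda have: have > want,
        }
        return [m for m in self.assigned if rules[comparison](self.level(m))]

    def is_satisfied(self, completed, requested=None, comparison=Comparison.MINIMUM):
        """Do the methods the user has completed satisfy this scheme?"""
        completed = set(completed)
        if self.type is SchemeType.MULTI_FACTOR:
            return set(self.assigned) <= completed  # every assigned method is required
        if requested is None:
            requested = self.assigned[-1]  # least secure method: any assigned method will do
        return any(m in completed for m in self.acceptable_methods(requested, comparison))


# Constructed sample methods with hypothetical IDP names and context URNs.
PASSWORD = AuthenticationMethod("Password", idp="local", context="urn:example:password")
OTP = AuthenticationMethod("OTP", idp="local", context="urn:example:otp")
CERT = AuthenticationMethod("Certificate", idp="pki", context="urn:example:x509")

# Authentication Level scheme, ranked most secure first; Multi-Factor scheme needing both.
CHOICE = AuthenticationScheme("Portal", SchemeType.AUTHENTICATION_LEVEL, [CERT, OTP, PASSWORD])
MFA = AuthenticationScheme("Admin console", SchemeType.MULTI_FACTOR, [PASSWORD, OTP])


def duplicate_assignment_rejected():
    """True if a second method with PASSWORD's IDP and context is refused by the scheme."""
    clash = AuthenticationMethod("Password (alt)", idp="local", context="urn:example:password")
    try:
        AuthenticationScheme("Bad", SchemeType.AUTHENTICATION_LEVEL, [PASSWORD, clash])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print([m.name for m in CHOICE.acceptable_methods(OTP, Comparison.MINIMUM)])  # ['Certificate', 'OTP']
    print(MFA.is_satisfied({PASSWORD}), MFA.is_satisfied({PASSWORD, OTP}))  # False True
    print(duplicate_assignment_rejected())  # True
```

Note that PASSWORD and OTP share the same IDP but differ in Authentication Context, so assigning both to one scheme is allowed; only an identical IDP and context pair is refused, which is the rule the note above states.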