When the end-user uses an authentication method that is below the required authentication level, they must perform step-up. This increases the aforementioned authentication level for the duration of the session.
An authentication level is a quantification of the strength of an authentication mechanism.
There are several authentication mechanisms that allow an end-user to perform step-up authentication:
- Email message
- Time-based one-time password (e.g. Google Authenticator)
- Externally delivered code (e.g. via letter)
- Mobile step-up authentication (provided by the Onegini Token Server)
What is required?
To successfully complete this topic guide, make sure the following prerequisites are met:
- an Onegini IdP instance must be running; for the sake of this guide we assume it is available under the http://localhost address
- access to Onegini IdP admin console
Log in to the admin console and browse to:
Smart Security ->
On this page you can define the authentication level for every available step-up method. Once the user has completed a specific step-up authentication method, the authentication level of their session becomes the level configured for that method.
Additionally, you can configure a number of mobile step-up authentication properties. These are explained in the mobile step-up authentication topic guide.
Step-up method priority configuration
Onegini IdP allows you to configure the priority of the supported step-up methods.
This configuration can be changed in the Admin Panel under
Smart Security -> Step-up authentication -> Preferred step-up method handling section.
There are two ways of configuring this priority:
- strongest available: the step-up authentication method with the highest authentication level will be chosen; the user's preferred step-up method will be ignored
- user's preference (default value): the user's preferred step-up method will be chosen, even if another method with a higher authentication level is available
If several step-up methods share the highest authentication level, or the user has no preferred step-up method defined, the step-up method is chosen based on the following order:

| Order | Step-up method |
|---|---|
| 2 | time-based one-time password |
| 6 | externally delivered code |
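The selection rules above (required level versus session level, the two priority modes, and the fixed tie-break order) are small enough to model end to end. The following Python is an added example written for this guide, not Onegini code: the level numbers in `STEP_UP_LEVELS`, the full `TIE_BREAK_ORDER` (the page only shows positions 2 and 6), and the rule that only methods reaching the required level are candidates are all constructed assumptions.

```python
from typing import Dict, List, Optional

# Constructed example configuration (not Onegini's defaults): the authentication
# level assigned to each step-up method, as an admin would set it under Smart Security.
STEP_UP_LEVELS: Dict[str, int] = {
    "email": 2,          # email message
    "totp": 3,           # time-based one-time password
    "external_code": 3,  # externally delivered code (e.g. via letter)
    "mobile": 4,         # mobile step-up authentication
}

# Hypothetical tie-break order. The page only shows two positions of the real
# order (time-based one-time password at 2, externally delivered code at 6).
TIE_BREAK_ORDER: List[str] = ["mobile", "totp", "email", "external_code"]


def needs_step_up(session_level: int, required_level: int) -> bool:
    """Step-up is required when the session's level is below what the resource demands."""
    return session_level < required_level


def select_step_up_method(
    available: List[str],
    preferred: Optional[str],
    mode: str,
    required_level: int,
) -> Optional[str]:
    """Pick the step-up method to offer to the end-user.

    mode is "strongest_available" or "user_preference" (the product default).
    Assumption: only methods whose level reaches required_level are candidates,
    since a weaker method could not raise the session to the required level.
    Returns None when no available method is strong enough.
    """
    if mode not in ("strongest_available", "user_preference"):
        raise ValueError(f"unknown priority mode: {mode}")

    candidates = [m for m in available if STEP_UP_LEVELS[m] >= required_level]
    if not candidates:
        return None

    if mode == "user_preference" and preferred in candidates:
        # The preferred method wins even if a stronger one is available.
        return preferred

    # "strongest available", or no usable preference: take the highest level
    # and resolve ties with the fixed order.
    strongest = max(STEP_UP_LEVELS[m] for m in candidates)
    tied = [m for m in candidates if STEP_UP_LEVELS[m] == strongest]
    tied.sort(key=TIE_BREAK_ORDER.index)
    return tied[0]


def complete_step_up(session_level: int, method: str) -> int:
    """After a successful step-up the session carries the completed method's level.

    Assumption: step-up never lowers an already higher session level.
    """
    return max(session_level, STEP_UP_LEVELS[method])


if __name__ == "__main__":
    # Constructed scenario: a password-only session (level 1) hits a resource requiring level 3.
    session, required = 1, 3
    if needs_step_up(session, required):
        method = select_step_up_method(
            ["email", "totp", "external_code"], preferred=None,
            mode="user_preference", required_level=required,
        )
        print("offer step-up via:", method)
        session = complete_step_up(session, method)
        print("session level after step-up:", session)
```

In the scripted scenario the user has no preference, TOTP and the externally delivered code tie at level 3, and the fixed order decides; switching `mode` to `"strongest_available"` with `"mobile"` available would pick mobile regardless of the user's preference.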