Enabling step-up authentication, the Remember me cookie, or both on Windows

You can choose to enable either step-up authentication or the Remember me cookie individually or you can choose to use these features together.

Log on to the WebSphere® Integrated Solutions Console and go to Security > Global security > Web and SIP security > Single sign-on (SSO). Verify that both Interoperability Mode and Web inbound security attribute propagation are enabled.
You can use step-up authentication with IBM® Web Services for Remote Portlets (WSRP) extensions. The authentication level defined for portlets on the Producer portal is automatically set on the Consumer portal when it consumes WSRP services. If you apply step-up authentication mechanisms on the Producer, users are also challenged for stronger authentication credentials on the Consumer portal as required.
To use step-up authentication with an IBM WSRP extension, ensure your environment meets the following requirements:
  • The Producer and Consumer portals are WebSphere Portal Express® or later.
  • You enable step-up authentication on both the Producer and Consumer portals.
  • The authentication levels are the same on the Producer and Consumer portals.
    Notes:
    • Portal administrators can change authentication levels on either the Producer portal or the Consumer portal at any time.
    • If the authentication level on the Consumer portal is lower than the authentication level on the Producer portal, the Producer portal returns the following error message and users cannot access the portlets: AccessDeniedFault EJPWC1118E: User authentication not strong enough. For this reason, the authentication level on the Consumer portal must be the same as the authentication level on the Producer portal.
Important: The Remember me cookie does not extend the Portal Personalization feature to the public area because a user identified by the Remember me cookie in a public area is still considered anonymous from an access control point of view.
Web Content Manager note: The authoring portlet and the web content viewer do not fully support step-up authentication or the Remember me cookie. However, the user name component is aware of the Remember me cookie. If the Remember me cookie is set on a request and the user is not logged in, the user name component does not use the anonymous user design for the response but instead uses the user name design, complete with the name or distinguished name of the user specified by the Remember me cookie.
Restriction: Step-up authentication requires the LtpaToken2 for single sign-on; see Implementing single sign-on to minimize web user authentications for details.
Complete the following steps to enable step-up authentication and/or the Remember me cookie:
  1. Choose one of the following configuration options:
    Table 1. Enabling step-up authentication and the Remember me cookie configuration options

    Option: Enable both step-up authentication and the Remember me cookie
    Steps:
      Note: By default, this task enables the following authentication levels:
      • standard
      • identified
      • authenticated
      Complete the following steps to enable step-up authentication and the Remember me cookie:
      1. Use a text editor to open the wkplc.properties file, located in the wp_profile_root\ConfigEngine\properties directory.
      2. Set enable_rememberme to true in the 'StepUp Authentication' properties section.
      3. Save your changes to the wkplc.properties file.
      4. Run the ConfigEngine.bat enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=password -Dsua_user=user_name -Dsua_serversecret_password=password task from the wp_profile_root\ConfigEngine directory.
      Note: You can define the sua_user and sua_serversecret_password parameters either in the wkplc.properties file or on the command line. If you enter the values both in the properties file and on the command line, the values entered on the command line overwrite the values in the wkplc.properties file.

    Option: Enable only step-up authentication
    Steps:
      Note: By default, this task enables the following authentication levels:
      • standard
      • authenticated
      Complete the following steps to enable only step-up authentication:
      1. Use a text editor to open the wkplc.properties file, located in the wp_profile_root\ConfigEngine\properties directory.
      2. Set enable_rememberme to false in the 'StepUp Authentication' properties section.
      3. Save your changes to the wkplc.properties file.
      4. Run the ConfigEngine.bat enable-stepup-authentication -DWasUserid=wasuser -DWasPassword=password task from the wp_profile_root\ConfigEngine directory.

    Option: Enable only the Remember me cookie
    Steps:
      Run the ConfigEngine.bat enable-rememberme -DWasUserid=wasuser -DWasPassword=password -Dsua_user=user_name -Dsua_serversecret_password=password task from the wp_profile_root\ConfigEngine directory.
      Note: You can define the sua_user and sua_serversecret_password parameters either in the wkplc.properties file or on the command line. If you enter the values both in the properties file and on the command line, the values entered on the command line overwrite the values in the wkplc.properties file.
  2. Check the output for any error messages before proceeding with any additional tasks. If any of the configuration tasks fail, verify the values in the wkplc.properties file.
  3. Stop and restart the appropriate servers to propagate the changes. For specific instructions, see Starting and stopping servers, deployment managers, and node agents.
  4. Complete the following steps to change the authentication level on a page or portlet:
    1. Click Administration.
    2. Click Resource Permissions under Access.
    3. Click either the Pages link or the Portlets link.
    4. Locate the page or portlet you want to change and click the Authentication Level link.
    5. Choose one of the following levels:
      Note: The following Authentication Levels are provided out-of-the-box. If you customized your step-up authentication, you may have different levels.
      Standard
      Set the Authentication Level to Standard if you want anonymous and identified users to view the page or portlet. The Standard level has the following two states based on the access control setting for the page or portlet:
      • If anonymous users have access to the page or portlet, no authentication is required.
      • If only authenticated users have access to the page or portlet, authentication is required.
      Identified (available if enable_rememberme=true)
      Set the Authentication Level to Identified if you want to control whether or not content is displayed to an unauthenticated user based on the existence of a persistent HTTP cookie. This option is intended for pages and portlets that are visible to anonymous users. An example is the Remember me on this computer option during login. This option generates the com.ibm.portal.RememberMe cookie.

      If a user previously authenticated to WebSphere Portal Express and then returns with the com.ibm.portal.RememberMe cookie, the user is "identified" and the content displays without the user having to log in. If a user attempts to access WebSphere Portal Express without the com.ibm.portal.RememberMe cookie, the user is asked to authenticate before the content is displayed.

      CAUTION:
      Do not set the Access level to identified for the Login portlet. This action causes problems when logging into WebSphere Portal Express.
      Authenticated
      Set the Authentication Level to Authenticated if you want anonymous and identified users to log in before they can view the page or portlet.
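As an added example that is not part of the IBM documentation, the following PowerShell script carries out the first two options of Table 1 (steps 1 to 4) and the output check of step 2: it sets enable_rememberme in wkplc.properties, backs the file up first, runs the enable-stepup-authentication task from the ConfigEngine directory, and fails loudly if the task reports an error. The wp_profile_root path, the log file location, the interactive password prompts, and the assumption that ConfigEngine.bat signals failure with "BUILD FAILED" or a non-zero exit code are assumptions of this example.

```powershell
# Added example (not IBM's code): enable step-up authentication, with or without
# the Remember me cookie, as described in Table 1 of the documentation.
# Assumptions: run on the portal node from an elevated PowerShell prompt;
# ConfigEngine.bat prints "BUILD FAILED" and/or exits non-zero when a task fails.
param(
    [Parameter(Mandatory)] [string] $WpProfileRoot,   # placeholder for wp_profile_root
    [Parameter(Mandatory)] [string] $WasUserid,
    [string] $SuaUser,                                 # sua_user, needed only with Remember me
    [bool]   $EnableRememberMe = $true
)

$configEngine = Join-Path $WpProfileRoot 'ConfigEngine'
$props        = Join-Path $configEngine 'properties\wkplc.properties'
$value        = if ($EnableRememberMe) { 'true' } else { 'false' }

# Steps 1-3: back up wkplc.properties, then set enable_rememberme in place
# (or append it if absent), leaving every other line of the file untouched.
Copy-Item -Path $props -Destination "$props.bak" -Force
$found = $false
$lines = @(foreach ($line in Get-Content -Path $props) {
    if ($line -match '^\s*enable_rememberme\s*=') { $found = $true; "enable_rememberme=$value" }
    else { $line }
})
if (-not $found) { $lines += "enable_rememberme=$value" }
Set-Content -Path $props -Value $lines -Encoding ASCII

# Step 4: prompt for passwords instead of storing them in the script, then build
# the argument list exactly as the documentation gives it for each option.
$wasPw = [System.Net.NetworkCredential]::new('', (Read-Host 'WasPassword' -AsSecureString)).Password
$taskArgs = @('enable-stepup-authentication', "-DWasUserid=$WasUserid", "-DWasPassword=$wasPw")
if ($EnableRememberMe) {
    if (-not $SuaUser) { throw 'SuaUser is required when the Remember me cookie is enabled' }
    $suaPw = [System.Net.NetworkCredential]::new('', (Read-Host 'sua_serversecret_password' -AsSecureString)).Password
    $taskArgs += "-Dsua_user=$SuaUser", "-Dsua_serversecret_password=$suaPw"
}

# The task must be run from the ConfigEngine directory; keep a log for the
# error check in step 2 of the procedure (log path is an assumption).
$log = Join-Path $env:TEMP 'enable-stepup-authentication.log'
Push-Location $configEngine
try {
    $out = & .\ConfigEngine.bat @taskArgs 2>&1 | Tee-Object -FilePath $log
    if ($LASTEXITCODE -ne 0 -or ($out | Select-String -Pattern 'BUILD FAILED' -Quiet)) {
        throw "enable-stepup-authentication failed; review $log and the values in $props"
    }
}
finally { Pop-Location }
Write-Host 'Task completed. Stop and restart the portal servers to propagate the change.'
```

The "Enable only the Remember me cookie" option follows the same pattern with the enable-rememberme task name in place of enable-stepup-authentication.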