Idea Details

MFA user PassTicket validation

Last activity 10-20-2017 10:20 AM
david.teeple
01-27-2017 02:52 PM

We would like to ensure that the PassTicket for an MFA user was generated by a user that logged on using their MFA credentials. We are working on our session managers (TPX) to generate pass-tickets for applications that the user signs onto. We see this as an exposure if the user was not validated via their MFA credentials and accessed an application with that pass-ticket. IBM MFA has an option called MFAFIRST that provides similar function.



10-20-2017 10:20 AM

Whenever you are using an SSO token to log a trusted user into a new application or environment, you need to be careful. This is opening up a possible security hole, so I am glad to see you are asking the correct question.

When I developed a PassTicket generator for CA-SSO, the PassTicket response can be tied to an Auth-Level. Obviously an MFA would be assigned to a higher Auth-Level than ID/Password. I suggest you use a similar methodology, where you require a minimum Auth-Level prior to generating the PassTicket.

I know this is not a direct answer to your question, but I hope it helps as you are developing a solution.
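One way to implement the minimum-Auth-Level gate suggested above in a session manager's ticket-issuing path, as an added example that is not from this thread or from any CA or IBM product. The factor names, application names and the HMAC stand-in used in place of the real PassTicket algorithm are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional


class AuthLevel(IntEnum):
    """Strength of the logon that established the session-manager session."""
    NONE = 0
    PASSWORD = 1
    MFA = 2


def session_auth_level(factors: FrozenSet[str]) -> AuthLevel:
    """Map the factors used at logon to an auth level (hypothetical factor names)."""
    if "otp" in factors:        # a one-time code from a token or app counts as MFA
        return AuthLevel.MFA
    if "password" in factors:
        return AuthLevel.PASSWORD
    return AuthLevel.NONE


@dataclass
class Session:
    userid: str
    factors: FrozenSet[str]     # e.g. {"password"} or {"password", "otp"}


@dataclass
class PassTicketPolicy:
    min_level: Dict[str, AuthLevel]                     # per-application minimum level
    default_level: AuthLevel = AuthLevel.MFA            # unlisted applications fail closed
    audit: List[str] = field(default_factory=list)      # decisions worth forwarding to SMF/SIEM

    def issue(self, session: Session, appl: str, key: bytes, now: int) -> Optional[str]:
        """Return a ticket only if the session's auth level meets the application's minimum."""
        need = self.min_level.get(appl, self.default_level)
        have = session_auth_level(session.factors)
        if have < need:
            self.audit.append(f"DENY user={session.userid} appl={appl} have={have.name} need={need.name}")
            return None
        self.audit.append(f"ISSUE user={session.userid} appl={appl} level={have.name}")
        # Stand-in ticket: HMAC over user, application and time. This is NOT the RACF
        # PassTicket algorithm; a real implementation calls the security product here.
        mac = hmac.new(key, f"{session.userid}|{appl}|{now}".encode(), hashlib.sha256).hexdigest()
        return mac[:8].upper()
```

A password-only session is refused a ticket for an MFA-required application, and any application missing from the policy table is treated as MFA-required rather than silently allowed.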