RapidIdentity Product Guides - 2019 Rolling Release


Authentication enables administrators to define and prioritize authentication policies, include policies that incorporate multi-factor authentication. 


Authentication contains four sections:

  1. Authentication Policies

  2. Kerberos Configuration

  3. Authentication Options

  4. FIDO Configuration

Policies allow administrators to create and manage existing policies, while Kerberos Configuration allows licensed Kerberos policy management.

Administrators can configure an authentication policy to always fail by clicking the Always Fail checkbox. When checked, the Authentication Methods tab becomes disabled and administrators can then define criteria (e.g. LDAP filter, Day of Week) to prevent authentication. Users are identified as matching this policy by either entering their username, scanning a QR Code, or through Kerberos. If the Always Fail policy is the highest prioritized authentication policy, a successful match prevents authentication to RapidIdentity. If the Always Fail policy is not the highest prioritized policy, a user matching the Always Fail policy could authenticate successfully if they match a higher priority policy, however, a user matching a lower prioritized policy relative to the Always Fail policy will not be able to authenticate using the lower prioritized policy. Administrators can update the Always Fail error message by navigating to Localization | net.idauto.idp.messages | idp.message.alwaysFail.

Always Fail Use Case

There are three enabled authentication policies and authentication policy choices is configured, allowing users to determine how they authenticate to RapidIdentity. The three policy choices are prioritized as follows.

  1. Policy 1

  2. Always Fail Policy

  3. Policy 3

If a user matches all three policies, the user can authenticate to RapidIdentity successfully using the method(s) defined in Policy 1 only. If the user attempts to authenticate to RapidIdentity using the method(s) defined in Policy 3, the user will not be able to authenticate to RapidIdentity.

The Authentication Options section contains allows administrators to delete four different user settings and toggle Authentication Policy Choices.

  1. TOTP keys

  2. Social IDs

  3. Pictograph Choices

  4. FIDO device registrations