Authentication Chaining in vIDM 2.4.1
VMware Identity Manager 2.4.1 was dropped today with a single publicly documented new feature: Authentication Chaining.For most, this feature alone probably isn't reason enough to upgrade from 2.4.0, but it does offer some pretty granular control over user authentication.
So what is Authentication Chaining?
Authentication Chaining allows you to enable 2-factor authentication from within Identity Manager, or with another Identity Provider (IdP). For example, you could have joe-user first authenticate with an RSA token, and then require joe-user to enter his password after providing the RSA token. If successful, joe-user has double-verfied his identity and can now access Identity Manager, or his entitled application.
The cool thing is you can still have authentication fallback configured so that if joe-user fails to authenticate with the configured authentication chain, there can be a fallback authentication method (let's say RADIUS) to give poor joe-user one last chance.
Where is this configured?
As you might have guessed, this is configured in the Access Policies section of the Identity & Access Management tab in the Admin Portal. You can simply Edit the default_access_policy_set to include the auth chain, or configure a new policy altogether.
For more info on Identity Manager 2.4.1, check out the Release Notes here. Furthermore, there is additional information regarding Authentication Chaining in the Administration Guide and on this blog post.