- 16 May 2022
Preventing Choose Another Policy
- Updated on 16 May 2022
Preventing Users from Choosing Another Authentication Policy
RapidIdentity Authentication Policies support a feature called Authentication Policy Choices. When enabled, it allows users who are associated with multiple authentication policies to "Try another method" when presented with an authentication challenge they're unable to meet.
Authentication Policy Choices are enabled for all authentication policies and their associated users, and give users the flexibility to choose an authentication method or methods based on their specific needs and environment. However, there are some use cases where an administrator may want to give some but not all users this ability.
There are several ways an administrator can restrict certain users from choosing a different authentication policy in RapidIdentity. The following instructions configure the one recommended by Identity Automation.
Copy the Authentication Policy you want to restrict users to. When that policy applies to a specific user, they will not have the ability to "Try another method":
Navigate to Configuration > Policies > Authentication Policy.
Highlight the appropriate policy and select the duplicate icon from the menu choices at the bottom of the list of current authentication policies.
You are now editing the configuration of the duplicate policy.
On the General Tab:
- Give your policy a meaningful name such as Authentication Policy to Restrict Compromised Credentials.
- Do not make your policy a Forgot Password policy; leave the check box unchecked.
- Give your policy a meaningful description.
- Check the Always Fail checkbox.
- Leave Insecure QR ID Scans Enabled unchecked.
- Select the Enabled checkbox to Enable the policy.
Save the Policy.
Use the Ordering Icons from the menu choices at the bottom of the list of current authentication policies to move the policy immediately below the policy you want to restrict users to.
Save the order.
That's it! With this new authentication policy and the "Always Fail" option set, all users that are associated with a specific policy will not have the ability to "Try another method" after being denied with that policy.