By: Cu kal user 27 Feb 2020 at 12:22 p.m. CST

3 Responses
I'm running 3.1.6 and going to upgrade to 4.0.1 if possible. In 3.1.6 I defined an OpenID client to use with Apache mod_openidc as described in the docs. With that config I could log in to /myapplication and also to the oxTrust /identity/ app. When going to /identity/ I would see the logged-in user's profile. I can no longer do that in 4.0.1 unless I set the Manage Authentication default acr & oxTrust acr to the same value. With 3.1.6 I could set them to different values and was able to go from /myapplication to /identity, but now I get prompted to log in again. Is this behaviour as expected, or do I need to change specific settings to get the same behaviour in 4.0.1 as in 3.1.6?

By Cu kal user 27 Feb 2020 at 12:46 p.m. CST

I think I fixed it by setting the "Level" for both custom scripts to "100".

By Aliaksandr Samuseu staff 27 Feb 2020 at 12:58 p.m. CST

Hi, Cu kal. You need to perceive oxTrust as just another app that uses oxAuth for authentication. That's correct - each auth method has its own Level value. If you already have a session at oxAuth which was created with an auth method with Level 10, and start a flow from another app that requests another auth method with Level 20 - oxAuth will invalidate the current session and ask you to authenticate again. That's by design - apps that require more secure auth methods won't use an SSO session that was established with a less secure method.

By Cu kal user 27 Feb 2020 at 1:14 p.m. CST

Hi Aliaksandr, thanks for your reply, it really does clear up the Level value for me. Great to know something like that is possible!