I have an application that is divided into 2 parts. The first part of the application requires only a simple datastore authentication. The second part has a very limited scope of users and requires 2 factor authentication. Our plan was to divide the authentication between 2 realms, the base realm would require only LDAP authentication and the second realm would have 2 authentication modules in the authentication chain.
What we see with this approach is that when we move between realms we get the error "You have already logged in. Do you want to log out and then login to a different organization?"
Not all users will have the attributes required for the authentication module used for the 2nd authentication factor, so we cannot require it for all. The users that do have access to the 2 factor part of the application should also have access to the part of the application that requires only 1 factor authentication. We would like the users with the 2 factor authentication to be able to navigate between all parts of the application without continually being forced to logout and login.
We are working with AM7 patch 2 and the apache 2.2 web policy agents.
This was resolved with the use of only a single realm. An authentication chain was created for the second authentication factor. We then created a condition on the policy that required the new auth chain. The behaviour of AM in this case is to first require the default auth chain, then require the auth chain specified in the condition. This is exactly what we were looking for.
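A small model of the two approaches discussed in this thread, added here as an illustration and not code from Access Manager or the policy agent. Chain names (`ldapService`, `otpChain`) and realm paths are assumed; the point is that a session is bound to one realm, so a second realm forces the re-login, while a chain condition on the policy in a single realm produces step-up instead.

```python
"""Constructed model of realm-bound sessions and step-up by auth-chain condition."""
from dataclasses import dataclass, field
from typing import Optional, Set

DEFAULT_CHAIN = "ldapService"  # assumed name of the realm's default auth chain


@dataclass
class Session:
    realm: str                              # organization the user logged in to
    chains: Set[str] = field(default_factory=set)  # auth chains satisfied so far


@dataclass
class Policy:
    realm: str
    resource: str
    required_chain: Optional[str] = None    # "authenticate to chain" condition


def evaluate(policy: Policy, session: Optional[Session]) -> str:
    """Return the outcome AM/the agent would produce for a protected request."""
    if session is None:
        return f"redirect-login:{policy.realm}:{DEFAULT_CHAIN}"
    if session.realm != policy.realm:
        # The two-realm setup from the question: existing session belongs to
        # another organization, so the agent offers logout + re-login.
        return "error-already-logged-in-other-organization"
    if DEFAULT_CHAIN not in session.chains:
        return f"redirect-login:{policy.realm}:{DEFAULT_CHAIN}"
    if policy.required_chain and policy.required_chain not in session.chains:
        # Single-realm setup from the answer: default chain is satisfied,
        # the condition's chain is not, so AM runs that chain next (step-up).
        return f"step-up:{policy.realm}:{policy.required_chain}"
    return "allow"


def two_realm_flow():
    base = Policy("/", "/app/basic/*")
    secure = Policy("/secure", "/app/secure/*")
    s = Session("/", {DEFAULT_CHAIN})       # logged in to the base realm only
    return evaluate(base, s), evaluate(secure, s)


def single_realm_flow():
    base = Policy("/", "/app/basic/*")
    secure = Policy("/", "/app/secure/*", required_chain="otpChain")
    s = Session("/", {DEFAULT_CHAIN})
    first = evaluate(secure, s)             # step-up demanded, no logout
    s.chains.add("otpChain")                # user completes the second factor
    return first, evaluate(secure, s), evaluate(base, s)
```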