6.7 Risk Configuration Policies

6.7.1 Configuring Risk-Based Authentication

To configure Risk-based authentication, select Policies > Risk Configuration.

Steps to Configure Risk-Based Authentication

Configuring risk-based authentication involves the following steps:

  1. Select a type of rule and configure it.

  2. Add the rule to a new or existing rule group and assign a risk score for the rule. For more information, see Configuring Rule Group, Risk Score, and Risk Levels.

  3. Select the rule group and define the risk level for this rule group. For more information, see Configuring Rule Group, Risk Score, and Risk Levels.

  4. Create a risk-based authentication class.

  5. Assign the risk-based authentication class to a rule group and define the actions to execute when a risk level is exceeded. Also, determine whether you want to record user login details. For more information, see Configuring an Authentication Class and Defining Actions.

  6. Create a method for the risk-based authentication class. For more information, see Configuring a Method for an Authentication Class.

  7. Create a contract for the risk-based authentication class. For more information, see Configuring a Contract for the Authentication Class.

Configuring the Rules

To configure a rule, perform the following steps:

  1. Click Policies > Risk Configuration > Rules.

  2. Specify a name for the rule.

  3. From the Rule Definition screen, select Rule Type, then specify the details for the selected rule type as described below.

    IP Address

    1. Specify whether you want to track login attempts from a single IP address, IP address range, or IP address subnet, and select Add to List.

    2. Specify how the conditions for the rule should match. The available options are Is and Is Not. For more information about Is and Is Not conditions, see Table 5-1, Risk-Based Authentication Terms.

    3. To validate the user history against the entries recorded in the database, select Check user history. You can use this option only when Record user history is enabled in the User History tab.

      IMPORTANT: You cannot specify the IP subnet in the IPv6 format. Instead, use the IP range condition and define it in the IPv6 format.

    Cookie

    1. Specify the name of the cookie.

    2. Specify the value of the cookie. The available search criteria are Is and Is Not. For more information about the Is and Is Not conditions, see Table 5-1, Risk-Based Authentication Terms.

    3. [Optional] If the cookie is not found, but you want to create a cookie after the user authenticates, select Create cookie if the user authenticates successfully.

      1. Specify the validity of the cookie in days.

      2. Specify the path for the cookie.

        IMPORTANT: A cookie is set only when the user is authenticated by using second-factor authentication. The cookie is not created if the risk is assessed to be low and the user authenticates by using the primary authentication method.

    HTTP Header

    1. HTTP Header Name: Use this option to search for an HTTP header with a specific name.

    2. HTTP Header Value: Use this option if you want to search for an HTTP header that includes a specific value. For example, to search for an HTTP header that includes the value NetIQ, use the search criterion Equals. To query for an HTTP header that does not include the value NetIQ, use Does Not Contain.

    User Profile

    1. Select an LDAP attribute from the list. If you want to define a custom LDAP attribute, select New.

    2. Specify how the conditions for the rule should be matched.

    3. Specify the value of the attribute to be searched. For example, if you have selected LDAP attribute birthDate for rule creation, specify the birth date to be searched.

    User Last Login

    1. Specify the name of the last login cookie.

    2. Specify the path for the cookie.

    3. Specify the validity of the cookie in days.

    4. If you want the cookie to be secured by HTTPS, enable Secure Cookie.

    5. Specify the number of days the cookie can be accessed from the same device or system.

    6. Specify the crypto key to encrypt the cookie.

      IMPORTANT: A User Last Login cookie is set only when the user is authenticated by using second-factor authentication. A User Last Login cookie is not created if the risk is assessed to be low and the user authenticates by using the primary authentication method.

    User Time of Login

    1. Select Is/Is not condition based on your requirements. This determines how the conditions for the rule should be matched.

    2. Specify the date and time of the user login.

    3. To validate the user history against the entries recorded in the database, select Check user history. To use this option, enable Record User History in the User History tab.

    Device ID

    1. Specify a name to identify the cookie.

    2. Specify a path where the cookie has to be stored.

    3. Specify the validity of the cookie in days.

    4. If you want the cookie to be secure, select Secure Cookie. This ensures that the cookie is protected by HTTPS.

    5. Specify the value that the cookie should contain. Select a value(s) from the list of cookie parameters.

      The available search criteria are Is and Is Not. For more information about how the Is and Is Not conditions alter the search criteria, see Table 5-1, Risk-Based Authentication Terms.

      IMPORTANT: A Device ID cookie is set only when the user is authenticated by using second-factor authentication. A Device ID cookie is not created if the risk is low and the user authenticates by using the primary authentication method.

    Geolocation

    1. Specify the geolocation details.

    2. Select Is/Is not condition based on your requirements. This determines how the conditions for the rule are matched.

    3. To validate the user history against the entries recorded in the database, select Check user history. To use this option, select Record User History in the User History tab.

    Custom Rule

    1. Specify a fully qualified name of the custom class for which you want to create a custom rule. For example: com.Company.test.MyCustomclass.

    2. Select Check user history to check the user history details if the rule execution fails.

    3. Select Negate Result if you want to reverse the results of rule execution. For example: if you have defined a rule to track authentication attempts from a specific geolocation, you can use the Negate option to define a rule to allow authentication if the user logging in is not from that geolocation.

    4. Click Add Property to add custom properties and values.

  4. Proceed with Configuring Rule Group, Risk Score, and Risk Levels.

Configuring Rule Group, Risk Score, and Risk Levels

To configure a rule group, assign risk scores, and specify risk levels, perform the following steps:

  1. Click Policies > Risk Configuration > Rules.

  2. Select the Rule Group to which you want to add the rule. You can also create a new rule group and add the rule to it.

  3. Specify a Risk Score for the new rule. The risk score indicates the value that is stored in the database after rule evaluation fails.

  4. If you want the rule to be executed first before the other rules are executed, select Add as Privileged Rule.

  5. The Risk Score on Rule Failure field displays the risk score assigned to the rules. This risk score indicates the value that must be stored in the database if the rule evaluation fails. You can change the risk score if required.

  6. To check the final risk score, select the rules to be considered as failed, and click Validate. The validation result indicates the final risk score, the risk level, and the action for this risk score. For more information about using Validate to test the risk scores and the action, see Understanding How to Use the Validate Tool to Emulate Total Risk Score and Risk Levels.

  7. Define risk levels for the rule group:

    1. Click Add. Select a Risk Level to be associated with the risk score. If you select Other, specify a name to identify the custom risk level.

    2. Specify a risk score to be associated with the risk level.

    3. Click OK.

  8. Click OK.
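The arithmetic that the Validate tool in step 6 emulates, as an added example written for this page (Python, not part of NetIQ Access Manager). It assumes that the total risk score is the sum of the Risk Score on Rule Failure of every rule that fails, that a risk level applies once the total reaches the risk score associated with it, and that the Risk Handler maps each level to one action; the rule group, rule names, scores, thresholds and actions are constructed.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    risk_score: int           # "Risk Score on Rule Failure"
    privileged: bool = False  # "Add as Privileged Rule": evaluated before the others
    negate: bool = False      # "Negate Result": invert the evaluation outcome

class RuleGroup:
    def __init__(self, rules, levels, actions):
        self.rules = rules
        self.levels = levels    # level name -> risk score at which the level starts
        self.actions = actions  # level name -> action selected in the Risk Handler

    def total_score(self, outcomes):
        """outcomes: rule name -> True if the rule's condition matched (rule passed).
        Privileged rules are evaluated first; only failed rules add their score."""
        total = 0
        for rule in sorted(self.rules, key=lambda r: not r.privileged):
            passed = outcomes.get(rule.name, True)
            if rule.negate:
                passed = not passed
            if not passed:
                total += rule.risk_score
        return total

    def risk_level(self, total):
        # The highest configured threshold that the total reaches.
        reached = [(t, n) for n, t in self.levels.items() if total >= t]
        return max(reached)[1] if reached else None

    def validate(self, outcomes):
        """What the Validate tool reports: (total risk score, risk level, action)."""
        total = self.total_score(outcomes)
        level = self.risk_level(total)
        return total, level, self.actions.get(level)

# Constructed sample group; rule names, scores, thresholds and actions are illustrative.
GROUP = RuleGroup(
    rules=[Rule("corporate_ip_range", 30, privileged=True),
           Rule("known_device_cookie", 20),
           Rule("office_hours_login", 10),
           Rule("home_country_geolocation", 40)],
    levels={"Low": 0, "Medium": 30, "High": 60},
    actions={"Low": "Allow", "Medium": "Additional authentication", "High": "Deny"},
)

if __name__ == "__main__":
    print(GROUP.validate({"known_device_cookie": False, "office_hours_login": False}))
```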

Configuring User History

Recording user history involves three configuration steps:

  1. Enabling recording of user history details while configuring the policy [Policies > Risk Configuration > Enable User History].

  2. Enabling recording of user history while configuring a rule [Policies > Risk Configuration > Rule Type > Check user history].

  3. Enabling recording of user history details for a rule group that is linked to an authentication class [Devices > Identity Server > Edit > Local > Classes > RiskBasedAuthClass > Record User History].

    When you choose to record user history details for a rule group that is linked to an authentication class, you get the flexibility to segregate the history details as per your requirement.

    Consider a situation where you have two rule groups configured: one rule group assesses authentication requests from internal users in an organization, and another assesses authentication requests from users external to the organization.

    You may decide to record the history details for internal users only. You can do so by enabling the recording of user history at the risk-based authentication class that is used to authenticate the internal users.

To configure user history settings, perform the following steps:

  1. Click Policies > Risk Configuration > User History.

  2. Select Enable User History to save the user session details in the database.

  3. Specify the number of history entries to consider during rule execution. For example, if you specify 10, it indicates that the last 10 session details should be considered during rule execution.

  4. (Conditional) To store details in eDirectory, select Built-in Data Store.

    NOTE: In a production environment, it is strongly recommended not to use eDirectory as the data store.

  5. (Conditional) If you choose to save the session details in an external database, select External Database.

    1. Specify the name to identify the driver.

    2. Select the Database Driver. The driver path and dialect are displayed. You can change the driver and dialect details if required.

    3. Specify the Username and Password to access the database.

    4. Specify the URL to access the database.

      NOTE: To configure MySQL as the database, ensure that the database URL is specified as mysql://db_user:db_user@localhost/netiq_risk?autoReconnect=true.

      For details about configuring MySQL or Oracle databases, see Configuring an External Database to Store User History.

  6. Click OK.

    Proceed with Configuring an Authentication Class and Defining Actions.

Configuring Geolocation Profiling

To configure Geolocation Profiling, perform the following steps:

  1. Click Policies > Risk Configuration > Geolocation.

  2. Select Enable Location Profiling to fetch location data from a geolocation database. This helps to identify the location of the user based on the IP address details.

  3. Select a Geolocation Provider and specify its details. The available options are:

    Neustar Service

    • Specify the API Key and API Secret.

    • Specify the Web Service URL.

    Custom Provider

    • Specify a name to identify the provider.

    • Specify the fully qualified name of the Java class.

    • Click Add Property to add properties to the custom class.

  4. Click OK.

Configuring an Authentication Class and Defining Actions

To associate a risk-based class with a rule group and assign actions for the risk levels, perform the following steps:

  1. Select Local > Classes > New to create a new risk-based authentication class.

  2. Specify the name to identify the class, then click Next.

  3. Select RiskBasedAuthClass from the Java class option, then click Next.

  4. Select the Rule Group to associate with the authentication class.

  5. Select Record User History to record the user’s login details. Before enabling this option, ensure that you have configured a data store using the Policies > Risk Configuration > User History option.

  6. From the Risk Handler option, select the action for the specific risk score. If you choose to configure additional authentication, select an authentication class to configure step-up authentication.

  7. (Optional) Under Properties, click New.

    1. Specify the property name.

    2. Specify the property value.

      For more information about properties, see Step 6.

  8. Click Finish.

Configuring a Method for an Authentication Class

To configure a method for the risk-based authentication class, perform the following steps:

  1. Select Local > Method > New to create a new method for the risk-based authentication class.

  2. Specify a name to identify the method.

  3. Select the risk-based authentication class from Class.

  4. Deselect Identifies User.

  5. Select a user store from the list of Available User Stores.

  6. Click Finish to save the data.

    IMPORTANT: In a risk-based class, properties configured for the risk-based authentication method are ignored. So, if you want to configure additional properties, add them to the risk-based authentication class.

Configuring a Contract for the Authentication Class

To configure a contract for the risk-based authentication method, perform the following steps:

  1. Select Local > Contract > New to create a new contract for the risk-based authentication class.

  2. Specify a name to identify the contract.

  3. You can either use an existing authentication contract or create a new authentication contract. For example, you can add the default Name/Password – Form method as the first method and risk-based authentication method as the second method.

  4. Click Next to configure a card for the contract. For more information about configuring contracts, see Section 5.1.4, Configuring Authentication Contracts.

Configuring NAT Settings

To configure how the Identity Server retrieves IP addresses in a NAT environment, perform the following steps:

  1. Click Policies > Risk Configuration > NAT Settings.

  2. Specify the name of the field to use for fetching the IP address of the client.

  3. Specify the regular expression to retrieve the client IP address from the HTTP header value.

    If you use the regular expression .*, rule execution fails when the header contains a list of multiple IP addresses, even if the client IP address is in that list.

    So, if you want to retrieve the IP address from a list of multiple IP addresses, modify the regular expression accordingly.

    For example, if you specify the regular expression .*?(?=,), the Identity Server considers the first IP address in the list to calculate risk. So, if the list of IP addresses is 10.20.20.1,10.30.30.1,10.40.40.1, the regular expression .*?(?=,) returns the IP address 10.20.20.1.

  4. Click OK to save the configuration.
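The two regular expressions from step 3 applied to the example list, as an added example written for this page (Python, not NetIQ code). It models the Identity Server as using the text matched at the start of the header value as the client IP, treats no match or a non-address as the rule-execution failure the step describes, and adds the case the step does not cover: a header carrying a single address, where .*?(?=,) finds no comma and matches nothing. The header values are constructed; whichever expression you configure, the named header is only trustworthy when your own NAT device or proxy sets it rather than passing it through from the client.

```python
import ipaddress
import re

# Constructed header values: the forwarded-address list a NAT device or proxy
# might place in the header named in NAT Settings, and a single-address header.
FORWARDED_LIST = "10.20.20.1,10.30.30.1,10.40.40.1"
SINGLE_ADDRESS = "10.20.20.1"

def extract_client_ip(header_value, pattern):
    """Apply the NAT Settings regular expression to the header value.

    Returns the selected address as a string, or None when the expression does
    not match or the matched text is not a single valid IP address (the case in
    which an IP Address rule cannot be evaluated and fails)."""
    match = re.match(pattern, header_value)
    if match is None:
        return None
    candidate = match.group(0).strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # e.g. '.*' returned the whole comma-separated list, not one address
        return None

def first_forwarded_address(header_value):
    """Variant that takes everything before the first comma, or the whole value
    when there is no comma, so it handles both header shapes above."""
    return extract_client_ip(header_value, r"[^,]+")

if __name__ == "__main__":
    for pattern in (r".*", r".*?(?=,)"):
        print(repr(pattern), extract_client_ip(FORWARDED_LIST, pattern),
              extract_client_ip(SINGLE_ADDRESS, pattern))
```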

6.7.2 Configuring an Authorization Policy to Protect a Resource

You can define a condition group as part of the authorization policy that uses the risk score from Identity Server to protect a resource.

Defining a Condition Group and Assigning Actions

To define a risk condition group and assign actions on rule execution, perform the following steps:

  1. Select Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the policy, then select Access Gateway: Authorization for the type of policy.

  4. From the Condition Group, select Risk Score. Refer to Risk Score for more information about Comparison, Value, and Result on Condition Error.

  5. Select an action. For more information about action, see Step 7.

  6. Click OK to save the changes.

6.7.3 Enabling Auditing for Risk-Based Authentication Events

Access Manager logs the following Risk-based authentication audit events:

  • Risk-Based Authentication Succeeded

  • Risk-Based Authentication Action Involved

  • Risk-Based Authentication Failed

For details about how to configure Access Manager to send these events to a Novell Auditing Server, see Enabling Identity Server Audit Events.

6.7.4 Enabling Logging for Risk-Based Authentication

To enable logging for Risk-based authentication, perform the following steps:

  1. In the Administration Console, click Devices > Identity Servers > Edit > Logging.

  2. Select Enabled under File Logging.

  3. In the Component File Logger Levels section, specify any one of the following options for Application logs:

    • Severe: Logs serious failures that can stop system processing.

    • Warning: Logs potential failures that have minimal impact on execution.

    • Info: Logs informational events.

    • Verbose: Logs static configuration information.

      The system logs any configuration errors under one of the three primary levels: Severe, Warning, and Info.

    • Debug: Logs events for all of the preceding levels (Severe, Warning, Info, and Verbose).

  4. Click OK.

For more details, see Identity Server Logging.