Configuring risk-based authentication involves the following steps:
Create a risk policy. See Configuring a Risk Policy.
Create a method for the risk-based authentication class. See Configuring a Method for an Authentication Class.
Create a contract for the risk-based authentication class. See Configuring a Contract for an Authentication Class.
You must consider the following points while configuring the risk-based authentication:
A rule must be included in a risk policy. A rule can exist in multiple risk policies.
A risk-based authentication class maps to only one risk policy and vice versa.
If a rule condition is not met, the score associated with that rule is added to the risk score. If the rule condition is met, the specified action is executed.
The risk level is determined based on the total risk score, that is the sum of the scores of all rule conditions that are not met.
If a rule is configured to allow or deny access and exit the policy when a condition is met, the risk score is zero as other rules in the group are not evaluated.
Before creating a risk-based policy, determine the following criteria for defining a rule:
The application or resource you want to protect.
The parameters you want to assess during a login attempt.
The risk score for each parameter.
The risk levels for risk scores.
The action for the risk levels.
If you want to record the details of risk assessment.
If you want to store history details from the risk assessment in MySQL, Microsoft SQL Server, or Oracle database.
If you want to perform profiling on user login events based on the geolocation of the user.
If you want to assess the risk before a user attempts to login.
Configuring a risk policy includes the following three parts:
Adding a Risk Policy
Click Policies > Risk-based Policies > Risk Policy.
Click the Create Risk Policy icon.
NOTE:To create an identical copy of any existing risk policy:
Click Policies > Risk-based Policies > Risk Policy.
Locate the policy you want to clone and click the Clone Risk Policy icon. All rules and risk levels configured for the existing policy are copied to the new policy.
Specify a name for the new policy and assign a cluster and an authentication class.
Under Add Risk Policy, specify the following details:
Risk Policy Name: Specify a name for the policy.
Policy Description: Describe the purpose of this policy.
Assign Policy To: Select Identity Server cluster and then select an authentication class. You can select the class from the list of existing classes or you can create a new class.
NOTE:If you select an existing class, settings of the selected class are overwritten with values of this policy.
For creating a new class, perform the following steps:
Select one of the following options:
Calculates the risk score after authentication. For more information, see Risk Assessment and Risk Mitigation after Authenticating a Login Attempt.
Calculates the risk score before authentication. For more information, see Risk Assessment and Risk Mitigation before Authenticating a Login Attempt.
NOTE:To modify an existing class, go to Identity Server > cluster > Edit > Local > Classes.
Specify a name for the class.
Select Record User History to record the user’s login details.
Before enabling this option, ensure that you have enabled recording user history in Policies > Risk Configuration > User History and configured a database. For more information, see History:.
NOTE:The Record User History option is available only for Risk-based Auth Class.
Select Use Cumulative Risk Score to add current risk score of the session to this evaluation.
If you select this option, ensure that you have defined appropriate risk levels in this class to accommodate the cumulative value. For more information, see Cumulative Scoring:.
To send the user name, risk score, and risk level of a specific login attempt to an external REST interface, click Score Sharing URLs and specify the URL of the interface. The external REST interface uses this score information to perform additional actions on the user’s identity.
(Optional) Specify the REST endpoint authentication credential. Whenever the risk score is sent to the REST endpoint, the endpoint sends these credentials as a basic authentication header. If the REST endpoint is protected by using basic authentication, this credential is used.
If Reduce Score is enabled, the reduced risk score is sent to the REST endpoint for a successful additional authentication.
After enabling Score Sharing URLs, you must enable the identified risk scores for sharing.
You can enable two Score Sharing URLs. If the REST endpoint is down, a warning message is logged in the log file (Linux: catalina.out; Windows: stdout.log). If the REST endpoint is down during risk score sharing, the risk is not cached and is not be shared later.
NOTE:The Score Sharing URLs option is available only for Risk-based Auth Class.
Continue with Configuring Policy Rules.
Configuring Policy Rules
You can select an existing rule or create a new rule. You can assign multiple rules to a policy. Rules are executed in the top to bottom sequence. You can drag and drop to change the priority and sequence of rules. Rules for which the action is defined as Allow Access, Deny Access, or Exit with Risk Level as specified risk level are executed as specified in the rule irrespective of the risk score accumulated for other rules that previously failed.
To create a new rule, perform the following actions:
Click Actions > Create Rule.
Specify a rule name.
Select a rule definition. For details, see Step 2 in Configuring Rules.
Click OK.
Define actions for the rule.
Condition |
Action |
---|---|
If rule condition is met |
Select any of the following options: Proceed to Next Rule: The next rule in the sequence is executed. Allow Access and Exit Policy: No other rules of this policy are executed and the user gets access to the resource. Deny Access and Exit Policy: No other rules of this policy are executed and the user is denied access. Exit with Risk Level as: Select or create a risk level and then assign it to the rule. For information about creating a new risk level, see Configuring Risk Levels. No other rules in this policy are executed. The action specified for that risk level is executed. |
If rule condition is not met, add risk score |
Specify the risk score that will be stored when the rule evaluation fails. |
NOTE:You can also create a rule here Policies > Risk-based Policies > Rules > New. See Configuring Rules.
To select a rule from the existing list, perform the following actions:
Under Policy Rules, click Actions > Add Existing Rule.
In Risk Rule, select the rule you want to add from the list.
Define actions for the rule. For details, see Step 1.e.
NOTE:To validate the rule configuration and view the result when a condition is met, click Actions > Toggle Validate. See Understanding How to Use the Validate Tool to Emulate Total Risk Score and Risk Levels.
Continue with Configuring Risk Levels.
Configuring Risk Levels
Under Risk Levels, click Actions > Add Risk Level.
Specify the following details:
Field |
Description |
---|---|
Risk Level |
Select a risk level to associate with the risk score. If you select Other, specify a name to identify the custom risk level. |
Risk Score |
Specify a risk score to be associated with the risk level. The risk score indicates a value that is stored in the database after rule evaluation fails. |
Action |
Select an action for this risk score. If you select Additional Authentication under Action, you can select multiple classes and methods to configure additional authentication. Use a method for additional authentication when branding, overwriting of users, or a change of userstore is required. If the userstore of the additional authentication is same as the risk-based authentication class and no additional branding is needed, then use a class. The following are examples when you can configure multiple classes and methods:
|
Reduce Score |
After a successful additional authentication, you can configure to reduce the associated risk score. Specify the value that you want to reduce from the risk score. See Risk Score Reduction After a Successful Additional Authentication:. |
Share Score |
Select this option to send the risk score of this risk level to the URL specified in Score Sharing URLs in the associated authentication class. You can share risk scores only for the risk levels configured for Risk-based Auth Class. This option is available only if at least one Share Score URLs is configured for the authentication class. |
Continue with Configuring a Method for an Authentication Class.
Click Local > Method > New to create a new method for the risk-based authentication class.
Specify a name to identify the method.
Select the risk-based authentication class from Class.
Deselect Identifies User.
NOTE:If the policy is using Risk-Based Pre-Auth Class, this options must be selected at least in one method of the contract.
Select a user store from the list of Available User Stores.
IMPORTANT:In a risk-based authentication class, properties configured for the risk-based authentication method are ignored. So, if you want to configure additional properties, add the property to the risk-based authentication class.
Continue with Configuring a Contract for an Authentication Class.
Click Local > Contract > New to create a new contract for the risk based authentication class.
Specify a name to identify the contract.
You can use an existing authentication contract or create a new one. For example, for Risk-based Auth Class, you can add the default Name/Password – Form method as the first method and risk-based authentication method as the second method. For Risk-based Pre-Auth Class, the risk-based authentication method must be configured as the first method.
Click Next to configure a card for the contract. For more information, see Section 4.1.4, Configuring Authentication Contracts.
NOTE:To use this contract in federation, ensure to assign this contract to a protected resource.
Click Policies > Risk-based Policies > Rules > New.
Specify a name for the rule and select a rule type in Rule Definition based on your requirement.
Configure the required rules as follows:
Rule Type |
Procedure |
---|---|
Cookie |
IMPORTANT:A cookie is set only when the user is authenticated by using second-factor authentication. The cookie is not created if the risk is assessed to be low and the user authenticates by using primary authentication method. |
Rule Type |
Procedure |
---|---|
Custom Rule |
|
Rule Type |
Procedure |
---|---|
Device Fingerprint |
|
Rule Type |
Procedure |
---|---|
External Parameters |
|
Rule Type |
Procedure |
---|---|
Geolocation |
|
Rule Type |
Procedure |
---|---|
Geo-Velocity Tracker |
IMPORTANT:You must enable to record the user history, configure a history database, and configure a geolocation provider for this rule to work. See Configuring User History and Configuring Geolocation Profiling. |
Rule Type |
Procedure |
---|---|
HTTP Header |
|
Rule Type |
Procedure |
---|---|
IP Address |
|
Rule Type |
Procedure |
---|---|
User Profile |
|
Rule Type |
Procedure |
---|---|
User Last Login |
IMPORTANT:This cookie is set only when a user is authenticated by using second-factor authentication. The cookie is not created if the risk is low and the user authenticates by using the primary authentication method. |
Rule Type |
Procedure |
---|---|
User Time of Login |
|
NOTE:Access Manager 4.5 Service Pack 3 onwards, this rule considers Coordinated Universal Time (UTC) in calculations. Access Manager versions earlier to 4.5 Service Pack 3, used the local time. If you want to use the local time instead of UTC, perform the following steps:
Open /opt/novell/nam/idp/conf/tomcat.conf.
Comment out the following java option by adding #:
JAVA_OPTS="${JAVA_OPTS} -Duser.timezone=UTC"
Restart Identity Server.
However, these steps will change the time standards for OAuth logs from UTC to local time.