Suppose that you want to associate the user's distinguished name (DN) with the device, so that anyone other than the registered user must provide additional authentication to log in. Also, if the user DN matches but the other parameters do not match as expected, you want to require additional authentication. You can achieve this by configuring a risk policy with the Device Fingerprint rule. The first time the intended user logs in after the policy is implemented, that user must provide additional authentication. Afterward, if the rule matches, the user does not need to authenticate twice.
This example is applicable only for risk-based post-authentication scenarios.
You can create a risk policy for this example as follows:
Click Policies > Risk-based Policies > Risk Policy.
Click the Create Risk Policy icon.
Under Add Risk Policy, specify example-DFP-class as the name of this policy.
In the Assign Policy To, select Identity Server cluster, and then select an authentication class. You can select the class from the list of existing classes, or you can create a new class.
NOTE: If you select an existing class, the settings of the selected class are overwritten with the values of this policy.
To create a new Device Fingerprinting rule, perform the following actions:
NOTE: You cannot have more than one Device Fingerprint rule in an Access Manager setup. If a rule is already configured, use the existing rule or modify it based on the requirement.
Under Policy Rules, click Actions > Create Rule.
Specify a name for the rule and select Device Fingerprint Rule.
Specify the number of days for which you want the fingerprint to be valid.
In Store Fingerprint in, select Browser.
Click Parameter Settings, then move the required parameters from Available Parameters to Enabled Parameters - Evaluate Individually and to Enabled Parameters - Evaluate as a Group as follows:

| Parameter | Evaluation Type |
|---|---|
| User DN | Evaluate Individually. To meet the rule criteria, this parameter must match 100%. |
| Language Set, Screen Resolution, TimeZone Offset, User Agent, Operating System Parameters | Evaluate as a Group. Specify 80%. To meet the rule criteria, at least four out of Language Set, Screen Resolution, TimeZone Offset, User Agent, and Operating System Parameters must match. |
NOTE: For information about these parameters, see Understanding Device Fingerprint Parameters.
Click OK.
Under Action to Perform, select If rule condition is met, then Exit with Risk Level as.
Select Risk Level as Low.
NOTE: You can also create a risk level here, and then assign it to the rule. See Step 11.
In If rule condition is not met, add risk score, specify 30.
Click Save.
Under Risk Levels, click Actions > Add Risk Level and configure the risk levels with the following details:

| Risk Level | Risk Score | Action |
|---|---|---|
| Low | Less than 30 | Allow Access |
| Medium | Greater than or equal to 30 | Additional Authentication. Select a class to configure step-up authentication. Use step-up to a method when branding, overwriting of users, or a change of user store is required. If the user store for the additional authentication is the same as for the risk-based authentication and no additional branding is needed, use a class. |
Configure a method for example-DFP-class as follows:
Click Devices > Identity Servers > Edit > Local > Methods > New.
Specify the name as example-DFP-method.
In Class, select example-DFP-class.
Deselect Identifies User.
Select a user store from the list of Available User Stores and move it to User stores.
Configure a contract for example-DFP-method as follows:
Click Local > Contracts > New.
Specify the name as example-DFP-contract.
Select example-DFP-method in Available methods and move it to Methods. You must select one more method and list example-DFP-method as the second method.
Click Next to configure a card for the contract.
For more information, see Configuring Authentication Contracts.
For more information about risk-based policies, see Risk-based Authentication.
After you implement this risk policy, the following scenarios are possible:

| Scenario | Risk Level | Result |
|---|---|---|
| When a user logs in for the first time | Medium | Prompt for additional authentication because no fingerprint exists to match. |
| When the fingerprint matches completely | Low | Allow Access |
| When the individual parameter matches, but the parameters in the group do not match the specified percentage | Medium | Prompt for additional authentication |
| When the individual parameter does not match, but the parameters in the group match completely | Medium | Prompt for additional authentication |
| When neither the individual parameter nor the parameters in the group match | Medium | Prompt for additional authentication |
| When the fingerprint has expired | Medium | Prompt for additional authentication |
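The rule semantics configured above (the individual parameter must match 100%, the group must reach the configured 80%, the fingerprint expires after the configured number of days, a rule match exits with risk level Low, and a miss adds a score of 30 that maps to Medium) can be modelled to check the scenario table. The following Python is an added example written for this page, not Access Manager code. The 30-day validity period, the user DNs and the parameter values are constructed. It also covers a case the table does not list explicitly: with 80% of five group parameters, one differing parameter still satisfies the threshold (4 of 5), so access is allowed, whereas two differing parameters trigger step-up.

```python
import math
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Parameter Settings of the example rule.
INDIVIDUAL_PARAMS = ("User DN",)
GROUP_PARAMS = (
    "Language Set",
    "Screen Resolution",
    "TimeZone Offset",
    "User Agent",
    "Operating System Parameters",
)
GROUP_MATCH_PERCENT = 80        # "Specify 80%" for the group
RULE_NOT_MET_SCORE = 30         # "If rule condition is not met, add risk score 30"
FINGERPRINT_VALID_DAYS = 30     # assumed value; the page only says to specify a number of days

# Risk levels of the example policy: a score below 30 is Low, 30 or more is Medium.
ACTIONS = {"Low": "Allow Access", "Medium": "Additional Authentication"}


@dataclass
class StoredFingerprint:
    """Fingerprint stored in the browser on an earlier login, with its creation date."""
    params: dict
    created: date


def group_matches_required(total: int, percent: int) -> int:
    """Smallest number of group parameters that satisfies the percentage (80% of 5 -> 4)."""
    return math.ceil(total * percent / 100)


def fingerprint_rule_met(current: dict, stored: Optional[StoredFingerprint], today: date) -> bool:
    """Device Fingerprint rule: a valid stored fingerprint, every individual
    parameter identical, and enough group parameters identical."""
    if stored is None:
        return False                                   # first login: nothing to compare against
    if today > stored.created + timedelta(days=FINGERPRINT_VALID_DAYS):
        return False                                   # fingerprint expired
    if any(current.get(p) != stored.params.get(p) for p in INDIVIDUAL_PARAMS):
        return False                                   # individual parameter must match 100%
    matched = sum(1 for p in GROUP_PARAMS if current.get(p) == stored.params.get(p))
    return matched >= group_matches_required(len(GROUP_PARAMS), GROUP_MATCH_PERCENT)


def risk_level(score: int) -> str:
    """Map a risk score to the configured risk level."""
    return "Low" if score < 30 else "Medium"


def evaluate(current: dict, stored: Optional[StoredFingerprint], today: date) -> tuple:
    """Run the policy: rule met -> exit with Low; rule not met -> add 30 and map the score."""
    if fingerprint_rule_met(current, stored, today):
        level = "Low"                                  # "Exit with Risk Level as Low"
    else:
        level = risk_level(0 + RULE_NOT_MET_SCORE)     # score starts at 0, rule adds 30
    return level, ACTIONS[level]


# Constructed sample fingerprint of a registered user.
BASELINE = {
    "User DN": "cn=alice,ou=users,o=example",
    "Language Set": "en-US,en",
    "Screen Resolution": "1920x1080",
    "TimeZone Offset": "-300",
    "User Agent": "Mozilla/5.0 (constructed)",
    "Operating System Parameters": "Linux x86_64",
}


def run_scenarios(today: date = date(2024, 1, 15)) -> dict:
    """Reproduce the scenario table, plus the 4-of-5 group case."""
    stored = StoredFingerprint(dict(BASELINE), created=today - timedelta(days=1))
    one_changed = {**BASELINE, "User Agent": "Mozilla/5.0 (other browser)"}
    two_changed = {**one_changed, "Screen Resolution": "1280x720"}
    dn_changed = {**BASELINE, "User DN": "cn=mallory,ou=users,o=example"}
    both_changed = {**two_changed, "User DN": dn_changed["User DN"]}
    expired = StoredFingerprint(dict(BASELINE),
                                created=today - timedelta(days=FINGERPRINT_VALID_DAYS + 1))
    return {
        "first login": evaluate(BASELINE, None, today),
        "full match": evaluate(BASELINE, stored, today),
        "one group parameter differs": evaluate(one_changed, stored, today),
        "two group parameters differ": evaluate(two_changed, stored, today),
        "user DN differs, group matches": evaluate(dn_changed, stored, today),
        "user DN and group differ": evaluate(both_changed, stored, today),
        "fingerprint expired": evaluate(BASELINE, expired, today),
    }


if __name__ == "__main__":
    for name, (level, action) in run_scenarios().items():
        print(f"{name:32} {level:7} {action}")
```

Running the block prints one line per scenario; every case except "full match" and "one group parameter differs" ends in Medium and a prompt for additional authentication, which is the behaviour the table describes. The percentage is applied with a ceiling, so a threshold such as 70% of five parameters would also require four matches; check the exact rounding in your own deployment before relying on it.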