You want to configure a policy to restrict the HR portal access beyond working hours. You are also concerned about bot attacks and unusual suspicious access requests from throughout the world. This policy should prompt for an additional authentication to the user if the user meets any one of the followings conditions:
The device is not recognized
A login attempt is made from a different geolocation than the user’s registered location
An unrealistic consecutive login attempt is made within a short time from a very far location than the user’s last login location. For example, a user logs in at 4 PM MST in the USA. A login is requested from the same user account at 5 PM MST from another country, which cannot be reached within an hour.
To meet these requirements, create a policy and configure the following rules as a combination rule:
User Time of Login: To verify the login time and restrict the access beyond office hours.
Device Fingerprint: To recognize the device.
Geolocation: To recognize the location of login.
Geo-Velocity Tracker: To determine the velocity from the last login time and to help prevent man-in-the-middle, brute force, and DDoS attacks.
Video explaining how to create the policy:
Configuration Steps:
Go to Policies > Risk-based Policies > Risk Policy.
Click the Create Risk Policy (+) icon.
Under Add Risk Policy, specify a name and description of this policy.
Risk Policy Name: Specify a name.
Policy Description: Specify the purpose of this policy.
Select an Identity Server cluster in Assign Policy To and select an authentication class that will use this policy. You can also create a new class here.
For information about how to create a new class, see Adding a Risk Policy.
Create a combination rule as follows:
Under Policy Rules, click Actions > Create Rule, and specify a name for this rule.
Select User Time of Login Rule under Rule Definitions and specify the following values:
User Time of Login: is
Day: Monday to Friday
Time: 9 AM to 5 PM
Click Combine with > Device Fingerprint Rule and specify the following values:
Valid for (in days): 30
Store Fingerprint in: Browser
Parameter Settings: Keep the default parameters or select the required ones. See Section 5.9.2, Understanding Device Fingerprint Parameters.
Click Combine with > Geolocation Rule and specify the details of the region which you want to accept all login requests from without additional authentication.
For example, if you select the is condition and specify USA as the Country Code, Access Manager will prompt for additional authentication to all users who try to login from any other country.
Click Combine with > Geo-Velocity Tracker Rule and specify the following details:
Specify the interval in hours after which you want to check the user’s location.
Select the Negate Results option.
Add a condition to prompt for an additional authentication if any of these rules fails.
In Combination Rule Definition > Condition Group, click Assign Rules and then select all four rules. Select AND in Group Operator. For information about how these operators work, see Combination Rule
in Table 5-1, Risk-based Authentication Terms.
Click OK.
In Add Rule to Policy, specify the following values:
If rule condition is met, then: Allow Access and Exit Policy.
If rule condition is not met, add risk score: 10
Click OK.
Under Risk Levels, click Actions > Add Risk Level and create the following risk level:
Field |
Value |
---|---|
Risk Score |
Greater than or Equal to 10 |
Risk Level |
Medium |
Action |
Additional Authentication > X509 |
This policy evaluates all four rules and if any rule fails, the user is prompted for an additional X509 authentication.