Let us assume that you want to associate the user's distinguished name (DN) with the device, so that anyone other than the registered user must provide additional authentication to log in from that device. Also, if the user DN matches but the other device parameters do not match as expected, you want to perform additional authentication. You can achieve this by configuring a risk policy with the Device Fingerprint rule. The first time the intended user logs in after the policy is implemented, no fingerprint exists yet, so the user must provide additional authentication once. Afterward, as long as the rule matches, the user does not need to authenticate twice.
This example is applicable only for risk-based post-authentication scenarios.
You can create a risk policy for this example as follows:
On the Home page, click Risk-based Policies > Plus icon.
Under New Risk Policy, specify example-DFP-class as the name of this policy.
Under Assign Policy To, select the Identity Server cluster, and then select an authentication class. You can select the class from the list of existing classes, or you can create a new class.
NOTE: If you select an existing class, the settings of the selected class are overwritten with the values of this policy.
To create a new Device Fingerprinting rule, perform the following actions:
NOTE: You cannot have more than one Device Fingerprint rule in an Access Manager setup. If a rule is already configured, use the existing rule or modify it based on the requirement.
Under Rule Evaluation Order, click Plus icon > Add New Rule.
Specify a name for the rule and select Device Fingerprint Rule.
Specify the number of days for which you want the fingerprint to be valid.
In Store Fingerprint in, select Browser.
Click Parameter Settings, then move the required parameters from Available Parameters to Enabled Parameters - Evaluate Individually and to Enabled Parameters - Evaluate as a Group as follows:
Parameter | Evaluation Type
---|---
User DN | Evaluate Individually. To meet the rule criteria, this parameter must match 100%.
Language Set, Screen Resolution, TimeZone Offset, User Agent, Operating System Parameters | Evaluate as a Group. Specify 80%. To meet the rule criteria, at least four of these five parameters must match.
NOTE: For information about these parameters, see Understanding Device Fingerprint Parameters.
Click Next.
Under Action to Perform, select If rule condition is met, then Exit with Risk Level as.
Select Risk Level as Low.
NOTE: You can also create a risk level here, and then assign it to the rule. See the Risk Levels step below.
In If rule condition is not met, add risk score, specify 30.
Click Finish.
Under Risk Levels, click the Plus icon and configure the risk levels with the following details:
Risk Level | Risk Score | Action
---|---|---
Low | Less than 30 | Allow Access
Medium | Greater than or equal to 30 | Additional Authentication. Select a class or a method to configure step-up authentication. Use step-up to a method when branding, overwriting of users, or a change of user store is required. If the user store for the additional authentication is the same as for the risk-based authentication and no additional branding is needed, use a class.
Configure a method for example-DFP-class as follows:
On the Home page, click Identity Servers > [cluster name] > Authentication > Methods > Plus icon.
Specify the name as example-DFP-method.
In Class, select example-DFP-class.
Turn off Identify Users.
Select a user store.
Configure a contract for example-DFP-method as follows:
On the Home page, click Identity Servers > [cluster name] > Authentication > Contracts > Plus icon.
Specify the name as example-DFP-contract.
Select example-DFP-method in Authentication Methods. Because the risk policy is evaluated after the primary authentication, you must select one more method as the first method and list example-DFP-method as the second method.
Click the Plus icon under Authentication Card to configure a card for the contract.
For more information, see Configuring Authentication Contracts.
For more information about risk-based policies, see Risk-based Authentication.
After you implement this risk policy, the following are possible scenarios:
Scenario | Risk Level | Result
---|---|---
The user logs in for the first time | Medium | Prompt for additional authentication because no fingerprint exists to match.
The fingerprint matches completely | Low | Allow Access
The individual parameter matches, but the group parameters do not reach the specified percentage | Medium | Prompt for additional authentication
The individual parameter does not match, but the group parameters match completely | Medium | Prompt for additional authentication
Neither the individual parameter nor the group parameters match | Medium | Prompt for additional authentication
The fingerprint has expired | Medium | Prompt for additional authentication
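The following is an added example that models the rule semantics described above: it is not code from Access Manager, and the class, function and parameter names (StoredFingerprint, evaluate, user_dn and so on) are assumptions made for illustration. It evaluates the Device Fingerprint rule exactly as configured in this example (User DN individually at 100%, the five group parameters at 80%, score 30 when the rule is not met, Low below 30 and Medium at 30 or above) against constructed sample fingerprints for each scenario in the table, and additionally shows the 80% boundary, where four of the five group parameters matching is still a match. The expiry check treats the fingerprint as expired at exactly the configured number of days; that boundary is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added illustration of the rule semantics described on this page. The names
# below (StoredFingerprint, evaluate, ...) are assumptions made for this
# example; they are not Access Manager classes or APIs.

# Parameters under "Enabled Parameters - Evaluate Individually": each must match 100%.
INDIVIDUAL = ("user_dn",)
# Parameters under "Enabled Parameters - Evaluate as a Group": 80% of them must match.
GROUP = ("language_set", "screen_resolution", "timezone_offset",
         "user_agent", "os_parameters")
GROUP_MATCH_PERCENT = 80
# "If rule condition is not met, add risk score": 30.
NOT_MET_SCORE = 30
# Risk levels: Low is "less than 30", Medium is "greater than or equal to 30".
MEDIUM_THRESHOLD = 30


@dataclass
class StoredFingerprint:
    params: dict            # parameter name -> value captured when the fingerprint was stored
    issued_at: datetime
    valid_days: int         # "number of days for which you want the fingerprint to be valid"

    def is_expired(self, now: datetime) -> bool:
        # Assumption of this example: expired once the validity period has fully elapsed.
        return now >= self.issued_at + timedelta(days=self.valid_days)


def rule_condition_met(stored, presented: dict, now: datetime) -> bool:
    """True when the Device Fingerprint rule matches the presented device."""
    # No fingerprint yet (first login) or an expired one can never match.
    if stored is None or stored.is_expired(now):
        return False
    # Evaluate Individually: a single mismatch fails the rule.
    for name in INDIVIDUAL:
        if stored.params.get(name) != presented.get(name):
            return False
    # Evaluate as a Group: count matches and compare against the percentage.
    # Integer arithmetic avoids float rounding at the 80% boundary.
    matched = sum(1 for name in GROUP
                  if stored.params.get(name) == presented.get(name))
    return matched * 100 >= GROUP_MATCH_PERCENT * len(GROUP)


def evaluate(stored, presented: dict, now: datetime) -> tuple:
    """Return (risk_level, action) for one login attempt."""
    if rule_condition_met(stored, presented, now):
        # "Exit with Risk Level as Low": no score is accumulated.
        return ("Low", "Allow Access")
    score = NOT_MET_SCORE
    if score >= MEDIUM_THRESHOLD:
        return ("Medium", "Additional Authentication")
    return ("Low", "Allow Access")


# Constructed sample data for the scenarios listed on this page.
ENROLLED = {
    "user_dn": "cn=alice,ou=users,o=example",
    "language_set": "en-US,en",
    "screen_resolution": "1920x1080",
    "timezone_offset": "-300",
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0",
    "os_parameters": "Linux x86_64",
}
ISSUED = datetime(2024, 1, 1, tzinfo=timezone.utc)
VALID_DAYS = 30


def run_scenarios() -> dict:
    """Evaluate each scenario from the page's table and return the outcomes."""
    stored = StoredFingerprint(ENROLLED, ISSUED, VALID_DAYS)
    now = ISSUED + timedelta(days=1)
    later = ISSUED + timedelta(days=VALID_DAYS)   # at the end of the validity period

    same = dict(ENROLLED)
    other_user = dict(ENROLLED, user_dn="cn=bob,ou=users,o=example")
    one_group_change = dict(ENROLLED,
                            user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/116.0")
    two_group_changes = dict(one_group_change, screen_resolution="2560x1440")
    both_fail = dict(other_user, screen_resolution="2560x1440", timezone_offset="0")

    return {
        "first login (no fingerprint)": evaluate(None, same, now),
        "complete match": evaluate(stored, same, now),
        "group at 4 of 5 (80%)": evaluate(stored, one_group_change, now),
        "group at 3 of 5 (60%)": evaluate(stored, two_group_changes, now),
        "user DN differs, group matches": evaluate(stored, other_user, now),
        "user DN and group differ": evaluate(stored, both_fail, now),
        "fingerprint expired": evaluate(stored, same, later),
    }


if __name__ == "__main__":
    for scenario, (level, action) in run_scenarios().items():
        print(f"{scenario:32} {level:7} {action}")
```

Run the script to print one line per scenario. The only path to Allow Access is a full individual match combined with at least four of the five group parameters matching before the fingerprint expires; every other case lands on a score of 30, which is Medium, and therefore on the step-up class or method configured for that risk level.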