If SecureLogin is installed with Advanced Authentication, you can use the risk policy configured in Advanced Authentication to log in through the SecureLogin kiosk and to re-authenticate users when they access applications that contain sensitive data. The risk policy evaluates the risk level during each access attempt using contextual information, for example the client IP address and device information.
You can define an appropriate action for each risk level in the policy, such as granting access or requiring additional authentication. For high risk, you can configure the policy to deny access. For more information about how to configure a risk policy in Advanced Authentication, see Configuring Risk Settings in the Advanced Authentication - Administration guide.
Configuring context-aware multi-factor reauthentication for an application involves the following steps:
In Advanced Authentication: Perform the following actions:
Configure a risk policy with required rules.
Configure chains for each risk level.
Configure or modify the event for SecureLogin, and map the risk policy and chains to the event. This event must be the same one that is selected while enabling Advanced Authentication for SecureLogin. By default, the Windows Logon event is used.
In SecureLogin: In the Application Definition Wizard, enable re-authentication for the identified application and select the default method as the re-authentication method.
Let’s use the following example to understand the configuration:
Your organization provides a Human Resources (HR) portal to all employees. Inside the corporate network and within business hours, all employees can access the HR portal using SSO only.
However, you want employees to re-authenticate when the portal is accessed outside business hours or from an external network.
To configure this scenario, perform the following steps:
In Advanced Authentication:
Configure a risk policy with IP Address Rule and User Time of Login Rule.
Click Risk Settings > Create a Risk Policy icon.
Specify the following details:
Policy Name: Specify the name as SecureLoginPolicy.
Description: Specify the purpose of this policy.
Configure the IP Address Rule and the User Time of Login Rule in the following sequence. The rules are executed from top to bottom.

Rule | Configuration Steps
---|---
IP Address Rule | 
User Time of Login Rule | 
Set up the risk levels:
Move the blue slider to 1 to indicate that if one rule fails, the risk is medium.
Move the green slider to 0 to indicate when no rules fail, the risk is low.
If both rules fail, then the risk is high.
Click Save.
Configure chains.
Create the following chains:
Chain | Steps
---|---
For the low-risk level | 
For the medium-risk level | 
For more information about chains, see Creating a Chain in the Advanced Authentication Administration Guide.
Click Save.
Modify the Windows logon event.
Click Events > Windows logon.
Select the MediumRisk and LowRisk chains that you created in Step 2.
In Risk Policy, select SecureLoginPolicy.
Click Save.
For more information about events, see Configuring Events in the Advanced Authentication Administration Guide.
In SecureLogin:
Right-click the SecureLogin icon in the notification area, and then click Manage Logins.
In Applications, select the application for which you want to enable reauthentication.
Select the Definition tab.
Click Edit Wizard > Re-authenticate.
Click Yes. Enforce re-authentication before accessing this application.
In Select from the methods detected, select <Default>.
Click OK.
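To make the rule ordering and the slider semantics concrete, the following is an added Python model of the policy configured in this example. It is not code from SecureLogin or Advanced Authentication and does not call their APIs; the corporate network ranges, the 09:00 to 18:00 weekday business hours, and treating High risk (which has no chain mapped in the example) as a deny are assumptions made for illustration:

```python
"""Model of the risk evaluation configured in the HR portal example.

Constructed example, not code from SecureLogin or Advanced Authentication.
It models the policy built above: two rules executed top to bottom, the
number of failed rules mapped to a risk level with the same thresholds as
the slider settings (green at 0, blue at 1), and the risk level mapped to
what the Windows logon event does for the HR portal.
"""
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed corporate address space and business hours; adjust to your site.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
BUSINESS_START, BUSINESS_END = time(9, 0), time(18, 0)   # Mon-Fri, local time


def ip_address_rule_fails(ip: str, when: datetime) -> bool:
    """IP Address Rule: fails when the client is not on a corporate network."""
    addr = ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETWORKS)


def time_of_login_rule_fails(ip: str, when: datetime) -> bool:
    """User Time of Login Rule: fails outside business hours or at the weekend."""
    if when.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= when.time() < BUSINESS_END)


# Same order as in the risk policy: rules are executed top to bottom.
RULES = [
    ("IP Address Rule", ip_address_rule_fails),
    ("User Time of Login Rule", time_of_login_rule_fails),
]

# Slider positions from the example policy.
LOW_MAX_FAILED = 0      # green slider at 0: no failed rule -> Low
MEDIUM_MAX_FAILED = 1   # blue slider at 1: one failed rule -> Medium
                        # more failed rules than that -> High

# What the Windows logon event does per risk level for the HR portal.
# High has no chain mapped in the example; treating that as deny is an
# assumption (the page only says deny is one option for high risk).
ACTIONS = {
    "Low": "SSO",        # LowRisk chain: SecureLogin signs in silently
    "Medium": "REAUTH",  # MediumRisk chain: prompt for an additional factor
    "High": "DENY",
}


def risk_level(failed_count: int) -> str:
    """Map the number of failed rules to a risk level using the slider thresholds."""
    if failed_count <= LOW_MAX_FAILED:
        return "Low"
    if failed_count <= MEDIUM_MAX_FAILED:
        return "Medium"
    return "High"


def evaluate(ip: str, when_iso: str) -> dict:
    """Evaluate one access attempt; when_iso is the local login time in ISO format."""
    when = datetime.fromisoformat(when_iso)
    failed = [name for name, rule in RULES if rule(ip, when)]   # keeps rule order
    level = risk_level(len(failed))
    return {"failed": failed, "level": level, "action": ACTIONS[level]}


if __name__ == "__main__":
    # Constructed inputs: 2024-03-12 is a Tuesday, 2024-03-16 a Saturday.
    for ip, when in [("10.20.30.40", "2024-03-12T10:30"),
                     ("203.0.113.7", "2024-03-12T10:30"),
                     ("10.20.30.40", "2024-03-12T22:15"),
                     ("203.0.113.7", "2024-03-16T11:00")]:
        print(ip, when, evaluate(ip, when))
```

The model evaluates every rule rather than stopping at the first failure, so the `failed` list shows which conditions drove the decision; in particular, an attempt that is both external and outside business hours fails two rules and lands in High, which the LowRisk and MediumRisk chains created above do not cover.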