Mitigating “Super Human login” with Risk Based Authentication (NAM)

over 4 years ago
The current Access Manager Risk Based Authentication (RBA) mitigates the risk of a login based on the geo location of the user. For example, if a user logs in from a known location A, one could configure RBA to ask for X509 authentication instead of simple form-based authentication. As another example, if a user logs in from an unknown location, one could configure RBA to request an OTP or to DENY the request.

Let us say a user tries to log in from two different countries within a short time. Considering the travel time, this is unlikely to be valid unless the user has a legitimate reason for sharing the credentials. For example, user A logs in from Germany at 10AM and triggers another login from the US at 11AM. Such scenarios can be detected and mitigated by this cool solution.

This solution checks the user's last login time and country against the current login. The last login details are picked from the historical database. Here are the steps to configure this solution.
  • Make sure the Geo location configuration is working by configuring and testing a Geo location rule

[Image: Geo location rule configuration]

  • Configure User history
    • You can choose either the built-in data store or an external SQL datastore
    • NOTE: The built-in data store works with NAM 4.3 and above. External SQL works starting from 4.3 SP1.

[Image: User history configuration]
  • Download the attached file and extract "risk-custom-rule-examples.jar" to the IDP lib folder.
    • Linux: "/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib/risk-custom-rule-examples.jar"
    • Windows: "C:/Program Files (x86)/Novell/Tomcat/webapps/nidp/WEB-INF/lib/risk-custom-rule-examples.jar"
  • Restart the IDP server
    • Linux: /etc/init.d/novell-idp restart
    • Windows: enter the following commands:
      • net stop Tomcat
      • net start Tomcat
  • Configure Custom Rule
    • Under Policies->Risk-based Policies->Rules, create a rule with the plus sign.
    • Provide any name for the rule and select Custom Rule
    • Input the Custom Class name as "com.novell.nam.nidp.risk.customRule.examples.CustomRuleForLoginLocationAgainstTime"
    • Check "Check user history"
    • Click on "Add Property" and add the following:

      Property Name: TIMEOUT Value: 4

      4 is the number of hours checked at a user's next login against the country of the previous login. That is, if the user logs in from a different country within these 4 hours, this rule fails.
    • Click OK
    • The rule configuration is shown below.

[Image: Custom rule configuration]

    • Assign this rule to a Risk policy and then to a Post Authentication RBA class as shown below.

[Image: Risk policy configuration]

    • Assign the Post auth RBA to your existing contract as the second method.

RBA class creation
[Image: AuthClass]

RBA class properties
[Image: AuthClassProperties]

RBA Method configuration
[Image: Method]

Assign to a contract as second method
[Image: Contract]

    • Apply the changes to the IDP server.


    Troubleshooting:

    Once the contract is executed, you should see log entries like the following in case of a failure.

    First login request


     
    Client Ip address for this request is = 147.1.24.24

    ##################### init .....##3#########

    DB file path: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db

    IPAddress ... : /147.1.24.24

    $$$$$$$$$$$$$$$$$$ file: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db {PROVIDER_TYPE=CUSTOM, customClassName=com.netiq.custom.risk.core.geoloc.providers.MaxMindLocalDB, citydbfile=/opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db}

    Loc ....... com.maxmind.geoip.Location@6e5b2273

    geoloc check: country: US city : San Francisco postalCode: 94105 region code: CA region name: California metro code: 807 area code: 415

    Country code would be = us


    Second login request


     
    Client Ip address for this request is = 1.7.255.25

    ##################### init .....##3#########

    DB file path: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db

    IPAddress ... : 1.7.255.25

    $$$$$$$$$$$$$$$$$$ file: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db {PROVIDER_TYPE=CUSTOM, customClassName=com.netiq.custom.risk.core.geoloc.providers.MaxMindLocalDB, citydbfile=/opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db}

    Loc ....... com.maxmind.geoip.Location@3810699d

    geoloc check: country: IN city : Taramani postalCode: null region code: 25 region name: Tamil Nadu metro code: 0 area code: 0

    Country code would be = in Rule failed.

    User logged in from the different country within 4 hour/s
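The scenario in the logs above (a login from the US followed by one from India an hour later, with TIMEOUT set to 4) replayed as an added, stand-alone Python example; this is not the Java custom-rule class from the attached jar, and the in-memory history dictionary, the `simulate` helper and the sample logins are constructed stand-ins for the NAM user history store.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LoginRecord:
    """Last-login entry as the user history store would hold it."""
    when: datetime
    country: str


class LoginLocationAgainstTimeRule:
    """Fails when the current login country differs from the last recorded one
    and the last login is less than TIMEOUT hours old (default 4, as in the
    rule property configured above)."""

    def __init__(self, properties: dict):
        # Rule properties arrive as strings, like the "TIMEOUT" / "4" pair added in the UI.
        self.timeout = timedelta(hours=int(properties.get("TIMEOUT", "4")))
        # Constructed in-memory stand-in for the user history store: user -> LoginRecord.
        self.history = {}

    def evaluate(self, user: str, country: str, now: datetime) -> tuple:
        """Return (passed, reason). Every evaluated login becomes the new last
        login (assumption: the history store records every login attempt)."""
        country = country.lower()
        last = self.history.get(user)
        self.history[user] = LoginRecord(now, country)
        if last is None:
            return True, "no previous login for user"
        if last.country != country and now - last.when < self.timeout:
            hours = self.timeout.total_seconds() / 3600
            return False, f"User logged in from the different country within {hours:g} hour/s"
        return True, "same country as last login or outside the TIMEOUT window"


def simulate(properties: dict, logins: list) -> list:
    """Replay constructed (user, country, ISO-8601 timestamp) logins through one rule."""
    rule = LoginLocationAgainstTimeRule(properties)
    return [rule.evaluate(u, c, datetime.fromisoformat(t)) for u, c, t in logins]


if __name__ == "__main__":
    # Constructed sample mirroring the troubleshooting logs: US at 10:00, IN at 11:00.
    for passed, reason in simulate({"TIMEOUT": "4"}, [
        ("alice", "us", "2024-01-01T10:00:00+00:00"),
        ("alice", "in", "2024-01-01T11:00:00+00:00"),
    ]):
        print("PASS" if passed else "FAIL", "-", reason)
```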
