Current Access Manager Risk Based Authentication ( RBA ) mitigates risk of a login based on geo location of the user. For example if a user logs in from a known location A, one could configure to ask for X509 authentication instead of simple form based authentication. Another example, if a user logs in from an unknown location, one could configure to request for an OTP or DENY the request to mitigate this risk.

Let us say a user tries to log in from two different countries within a short time. This may not be valid considering the travel time, unless there is a valid reason from the user for sharing the credentials. For example, user A logs in from Germany at 10AM and triggers another login from US at 11AM. Such scenarios can be detected and mitigated by this cool solution.

This solution checks the user's last login time and the country against the current. Last login details are picked from the historical database. Here are the steps to configure this solution

• Configure Geo Location
  
  
  
  • You can look at standard documentation
    
    
    
    • https://www.netiq.com/documentation/access-manager-43/admin/data/b1fk6hx4.html#riskgeolocation
    
    
  
  

• Or follow one of the cool solutions
  
  
  
  • https://www.netiq.com/communities/cool-solutions/maxmind-geolocation-provider-risk-based-authentication-nam-4-1/
  
  

• Make sure Geo location configuration is working by configuring and testing a Geo location rule

 

• Configure User history
  
  
  
  • You can choose either built in data store or an external SQL datastore
  
  
• NOTE: Built in data store work with NAM 4.3 and above. External SQL works starting from 4.3 SP1.

• Download the attached file and extract "risk-custom-rule-examples.jar" to IDP lib folder.
  
  
  
  • Linux: "/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib/risk-custom-rule-examples.jar"
  
  
• Windows: "C:/Program Files (x86)/Novell/Tomcat/webapps/nidp/WEB-INF/lib/risk-custom-rule-examples.jar"

• Restart IDP server
  
  
  
  • Linux: /etc/init.d/novell-idp restart
  
  
• Windows: Enter the following commands:
  
  
  
• net stop Tomcat

• net start Tomcat

• Configure Custom Rule
  
  
  
  • Under Policies->Risk-based Policies->Rules create rule with Plus sign.
  
  
• Provide any name to the rule and select Custom Rule

• Input the Custom Class name as "com.novell.nam.nidp.risk.customRule.examples.CustomRuleForLoginLocationAgainstTime"

• Check the "Check user history"

• Click on "Add Property" and add the following

Property Name: TIMEOUT Value: 4

4 is the number of hours to be checked at the next login of a user against a country. That means, if a user logs in from different country within this 4 hours this rule would fail.

• Click OK

• Rule configuration is shown below.

• Assign this to a Risk policy and then to a Post Authentication RBA class as shown below.

 



 

• Assign the Post auth RBA to your existing contract as second method.

RBA class Creation



RBA class properties



 

RBA Method configuration



Assign to a contract as second method

• Apply the changes to IDP server.

NOTE: Built in data store work with NAM 4.3 and above. External SQL works starting from 4.3 SP1.

Troubleshooting:

Once Contract is executed you should be able to see the below log entries in case failure.

First login request

 
Client Ip address for this request is = 147.1.24.24

##################### init .....##3#########

DB file path: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db

IPAddress ... : /147.1.24.24

$$$$$$$$$$$$$$$$$$ file: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db {PROVIDER_TYPE=CUSTOM, customClassName=com.netiq.custom.risk.core.geoloc.providers.MaxMindLocalDB, citydbfile=/opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db}

Loc ....... com.maxmind.geoip.Location@6e5b2273

geoloc check: country: US city : San Francisco postalCode: 94105 region code: CA region name: California metro code: 807 area code: 415

Country code would be = us

Second login request

 
Client Ip address for this request is = 1.7.255.25

##################### init .....##3#########

DB file path: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db

IPAddress ... : 1.7.255.25

$$$$$$$$$$$$$$$$$$ file: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db {PROVIDER_TYPE=CUSTOM, customClassName=com.netiq.custom.risk.core.geoloc.providers.MaxMindLocalDB, citydbfile=/opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db}

Loc ....... com.maxmind.geoip.Location@3810699d

geoloc check: country: IN city : Taramani postalCode: null region code: 25 region name: Tamil Nadu metro code: 0 area code: 0

Country code would be = in Rule failed.

User logged in from the different country within 4 hour/s