Mitigating “Super Human login” with Risk Based Authentication ( NAM )

Access Manager Risk Based Authentication (RBA) already mitigates login risk based on the geolocation of the user. For example, if a user logs in from a known location A, you can configure the policy to require X.509 certificate authentication instead of simple form-based authentication. If a user logs in from an unknown location, you can require an OTP or deny the request outright.

Now consider a user who logs in from two different countries within a short time. Given the travel time involved, this is not plausible for one person unless the credentials have been shared (or stolen). For example, user A logs in from Germany at 10AM and triggers another login from the US at 11AM. The solution described here detects such scenarios and lets the risk policy act on them. Keep in mind that VPNs, corporate proxies and mobile carrier egress points can place a legitimate user in an unexpected country, and that GeoIP databases age, so treat a failure of this rule as a trigger for step-up authentication (or denial, as your policy dictates) rather than as proof of compromise.

The solution compares the user's last login time and country against the current request. The last login details are read from the user history store. The configuration steps follow.


 

[Screenshot: Geo]


  • Configure User history

    • You can choose either the built-in data store or an external SQL data store.

    • NOTE: The built-in data store works with NAM 4.3 and above. External SQL is supported starting from 4.3 SP1.





[Screenshot: history]


  • Download the attached file and extract "risk-custom-rule-examples.jar" into the Identity Server lib folder. Anything placed in WEB-INF/lib runs with the Identity Server's privileges, so take the jar only from the original attachment and record its checksum so the deployed file can be verified later.

    • Linux: "/opt/novell/nam/idp/webapps/nidp/WEB-INF/lib/risk-custom-rule-examples.jar"

    • Windows: "C:/Program Files (x86)/Novell/Tomcat/webapps/nidp/WEB-INF/lib/risk-custom-rule-examples.jar"

    • Restart the Identity Server

      • Linux: /etc/init.d/novell-idp restart

      • Windows: Enter the following commands:

        • net stop Tomcat

        • net start Tomcat

  • Configure the Custom Rule

    • Under Policies -> Risk-based Policies -> Rules, click the plus sign to create a rule.

    • Give the rule any name and select Custom Rule.

    • Enter the Custom Class name "com.novell.nam.nidp.risk.customRule.examples.CustomRuleForLoginLocationAgainstTime".

    • Check "Check user history".

    • Click "Add Property" and add the following:




Property Name: TIMEOUT Value: 4

TIMEOUT is the window, in hours, that is checked at the user's next login. If the previous login came from a different country within the last TIMEOUT hours, the rule fails; a login from a different country after the window has elapsed passes, as does any login from the same country. With the value 4, the Germany-at-10AM / US-at-11AM example above fails the rule.




  • Click OK

  • Rule configuration is shown below.

[Screenshot: customRule]

  • Assign this rule to a Risk policy and then to a Post Authentication RBA class as shown below.

[Screenshot: RiskPolicy]

  • Assign the Post Authentication RBA method to your existing contract as the second method.

RBA class creation

[Screenshot: AuthClass]

RBA class properties

[Screenshot: AuthClassProperties]

RBA method configuration

[Screenshot: Method]

Assign to a contract as second method

[Screenshot: Contract]


  • Update the Identity Server so that the changes take effect.


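Before testing against a live Identity Server, it helps to exercise the decision the rule makes offline. The Python below is an added example for this page; it is not the code inside risk-custom-rule-examples.jar and it does not use the Access Manager RBA SDK. It models only the check described above (previous login country and time versus the current request, with TIMEOUT in hours), pulls the country code out of debug output shaped like the troubleshooting section, and adds a geo-velocity variant of the same idea (the feature mentioned in the comments) that works on coordinates instead of countries. Every name in it (LoginRecord, evaluate_login, check_pair, travel_speed_kmh, country_from_log, demo) is this example's own, the sample log text is constructed, and the 10:00 / 11:00 timestamps and the coordinates are assumptions, since the real log carries neither.

```python
"""Impossible-travel ("super human login") check modelled on the custom rule above.

Added example: NOT the code in risk-custom-rule-examples.jar and NOT the NAM RBA SDK.
It reproduces only the decision the rule makes so the TIMEOUT semantics can be run
offline. All names, the sample log text and the timestamps are this example's own.
"""
import math
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class LoginRecord:
    when: datetime               # UTC time of the authentication
    country: Optional[str]       # lower-case ISO 3166-1 alpha-2, None if GeoIP found nothing
    lat: Optional[float] = None  # optional coordinates, used only by travel_speed_kmh
    lon: Optional[float] = None


def evaluate_login(previous: Optional[LoginRecord], current: LoginRecord,
                   timeout_hours: int = 4) -> Tuple[bool, str]:
    """Return (passed, reason) for the country-within-TIMEOUT rule.

    passed=False means the rule fails; what follows (deny, OTP, step-up) is
    decided by the risk policy and RBA class the rule is attached to, not here.
    """
    if previous is None:
        return True, "no login history"  # first login ever: nothing to compare against
    if previous.country is None or current.country is None:
        # Design choice of this example: an address GeoIP cannot place (private range,
        # new allocation) cannot show the user stayed put, so fail rather than pass.
        return False, "country unknown for one of the logins"
    if current.country == previous.country:
        return True, "same country"
    elapsed = abs(current.when - previous.when)  # abs(): tolerate a slightly skewed history clock
    if elapsed < timedelta(hours=timeout_hours):
        return False, f"User logged in from the different country within {timeout_hours} hour/s"
    return True, f"different country, but {elapsed} since the last login"


def check_pair(prev_country: Optional[str], cur_country: Optional[str],
               hours_between: float, timeout_hours: int = 4) -> bool:
    """Does a login in cur_country, hours_between after one in prev_country, pass?"""
    t0 = datetime(2020, 1, 31, 10, 0, tzinfo=timezone.utc)
    prev = LoginRecord(t0, prev_country)
    cur = LoginRecord(t0 + timedelta(hours=hours_between), cur_country)
    return evaluate_login(prev, cur, timeout_hours)[0]


def travel_speed_kmh(previous: LoginRecord, current: LoginRecord) -> Optional[float]:
    """Great-circle speed (haversine distance / elapsed time) implied by two logins.

    Geo-velocity generalisation of the country rule: it also flags two logins far
    apart inside one large country. Returns None when coordinates are missing.
    """
    if None in (previous.lat, previous.lon, current.lat, current.lon):
        return None
    phi1, phi2 = math.radians(previous.lat), math.radians(current.lat)
    dlmb = math.radians(current.lon - previous.lon)
    a = math.sin((phi2 - phi1) / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    distance_km = 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))
    hours = abs(current.when - previous.when).total_seconds() / 3600
    if hours == 0:
        return math.inf if distance_km > 0 else 0.0
    return distance_km / hours


COUNTRY_RE = re.compile(r"geoloc check: country: (\S+)")


def country_from_log(log_text: str) -> Optional[str]:
    """Extract the GeoIP country from one request's debug output (troubleshooting
    section format). Returns a lower-case code, or None if absent or 'null'."""
    m = COUNTRY_RE.search(log_text)
    if not m or m.group(1).lower() == "null":
        return None
    return m.group(1).lower()


# Constructed sample input shaped like the troubleshooting output above.
FIRST_LOGIN_LOG = ("Client Ip address for this request is = 147.1.24.24\n"
                   "geoloc check: country: US city : San Francisco postalCode: 94105\n")
SECOND_LOGIN_LOG = ("Client Ip address for this request is = 1.7.255.25\n"
                    "geoloc check: country: IN city : Taramani postalCode: null\n")


def demo() -> Tuple[bool, str, float]:
    """Two sample requests one hour apart; timestamps and coordinates are assumed."""
    t0 = datetime(2020, 1, 31, 10, 0, tzinfo=timezone.utc)
    first = LoginRecord(t0, country_from_log(FIRST_LOGIN_LOG), 37.77, -122.42)  # approx. San Francisco
    second = LoginRecord(t0 + timedelta(hours=1), country_from_log(SECOND_LOGIN_LOG), 13.01, 80.24)  # approx. Taramani
    passed, reason = evaluate_login(first, second, timeout_hours=4)
    return passed, reason, travel_speed_kmh(first, second)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the verdict for the two sample requests: the rule fails because the second country differs within the 4-hour window, and the implied speed is on the order of 14,000 km/h, far beyond anything a traveller can do. The geo-velocity function is the natural upgrade when the country rule is too coarse (two logins an hour apart in Seattle and Miami pass the country check but not a speed threshold), and too strict (a border commuter fails it daily).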

Troubleshooting:

Once the contract is executed, log entries like the following appear when the rule fails.

First login request


 
Client Ip address for this request is = 147.1.24.24

##################### init .....##3#########

DB file path: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db

IPAddress ... : /147.1.24.24

$$$$$$$$$$$$$$$$$$ file: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db {PROVIDER_TYPE=CUSTOM, customClassName=com.netiq.custom.risk.core.geoloc.providers.MaxMindLocalDB, citydbfile=/opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db}

Loc ....... com.maxmind.geoip.Location@6e5b2273

geoloc check: country: US city : San Francisco postalCode: 94105 region code: CA region name: California metro code: 807 area code: 415

Country code would be = us


Second login request


 
Client Ip address for this request is = 1.7.255.25

##################### init .....##3#########

DB file path: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db

IPAddress ... : 1.7.255.25

$$$$$$$$$$$$$$$$$$ file: /opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db {PROVIDER_TYPE=CUSTOM, customClassName=com.netiq.custom.risk.core.geoloc.providers.MaxMindLocalDB, citydbfile=/opt/novell/nam/idp/webapps/nidp/GeoLiteCity.db}

Loc ....... com.maxmind.geoip.Location@3810699d

geoloc check: country: IN city : Taramani postalCode: null region code: 25 region name: Tamil Nadu metro code: 0 area code: 0

Country code would be = in Rule failed.

User logged in from the different country within 4 hour/s

DISCLAIMER:

Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Comments
This feature (Geo-Velocity) has been added to Access Manager v4.4:
https://www.netiq.com/documentation/access-manager-44/accessmanager44-release-notes/data/accessmanager44-release-notes.html#t43xsw6j2ltz

-Paul
Version history: revision 5 of 5, last updated 2020-01-31 22:10.