Troubleshooting Risk Rule Configuration
How to Use the Validate Tool to Emulate Total Risk Score and Risk Levels
After configuring a risk policy and the corresponding risk scores and actions, use to emulate total risk score, risk level, and action when a rule fails. The result indicates the total risk score and action. Based on these details, adjust the risk score and risk levels depending on your needs.
Let us consider a case where you have configured a risk policy that includes five rules. The rules and the corresponding risk scores are as follows:
Table 5-8 Sample Risk Policy Configuration: Rules
|
Risk Policy Name |
Rule |
Risk Score |
|---|---|---|
|
Demo_RiskPolicy |
Demo_InNetworkAtOfficeHours |
20 |
|
Demo_InternalUser |
20 |
|
|
Demo_KnownDevice |
20 |
|
|
Demo_PayrollSiteCookie |
20 |
|
|
Demo_UserProfile |
20 |
Table 5-9 Sample Risk Policy Configuration: Risk Scores and Risk Levels
|
Risk Score |
Risk Level |
Action |
|---|---|---|
|
Less than 30 |
Low |
Allow access |
|
Between 30 to 60 |
Medium |
Authenticate with class Trust Levels |
|
Greater than 60 |
High |
Deny access |
Now, open the risk policy for which you want to emulate total risk score, risk level, and action in event of rule failure. In the risk policy page, click > . Specify the rules as pass or fail to see the result along with a graphical representation.
For example, specify pass and fail for rules as follows:
|
Rule |
Condition |
|---|---|
|
Demo_InNetworkAtOfficeHours |
Failed |
|
Demo_InternalUser |
Failed |
|
Demo_KnownDevice |
Failed |
|
Demo_PayrollSiteCookie |
Passed |
|
Demo_UserProfile |
Passed |
In this case, the validation result is as follows:
You can similarly specify any other rule as failed or passed to emulate the risk score and risk levels.
How To Use the Risk Rule Validation Utility to Troubleshoot Rule Configuration
To determine the best way to implement risk levels and actions for your business needs, use Risk Rule Validation Utility and test different risk rules and risk scores.
During rule evaluation, if a match to the values configured for the rules is found, the evaluation is successful. If no match is found, the rule evaluation is failed.
-
In the browser address bar, type the following URL:
https://<identity-server-base-url>:port/nidp/test/risk
For example: https://10.1.1.1:8443/nidp/test/risk
-
Specify the credentials to log in.
-
Select a risk policy for evaluation. Click . The risk score, risk category evaluation results and HTTP request header and related information are displayed.
-
[Optional] If you have logged in with administrator privileges, click to view details about risk configuration.
NOTE:The Risk Rule Validation utility does not display details if is enabled and a user profile rule is configured.
How to Use the Log File to Understand Rule Evaluation Details
If you encounter any error during risk-based authentication, check the log files to review the error code. The log file is located in /opt/novell/nam/idp/logs/catalina.out.
Ensure that you have enabled logging at the application level. For more information, see Enabling Logging for Risk-based Authentication.
By using the following rules as examples, let us try to understand how to use the details in the catalina.out file and how rules are evaluated:
|
Rule |
Risk Score |
|---|---|
|
User Profile |
30 |
|
IP Address |
25 |
|
HTTP Header |
20 |
The following are possible scenarios:
Scenario 1: User Profile Rule Fails
The User Profile rule fails to evaluate successfully. All other rules in the policy evaluate successfully. The following tracelist from catalina.out provides information about rule evaluation, risk score, and action:
Description of details recorded in the catalina.out file:
|
Entry |
Indicates that |
|---|---|
|
user-profile~result~false |
The User profile rule failed and the risk score of 30 is added to the total score. |
|
http-header~result~true |
The HTTP header rule evaluated successfully. |
|
ip-rule~result~true |
The IP address rule evaluated successfully. |
Figure 5-4 Tracelist providing information about risk level and action
This log entry indicates that the as per the risk level/action configuration, the action taken is to allow authentication to the user and the risk score is 30.
Scenario 2: User Profile Rule Evaluates Successfully
In this scenario, the User Profile rule evaluates successfully. As this rule is a configured to exit when the condition is met, all other rules in the risk policy are not considered for evaluation.
The following tracelist detail from catalina.out file provides more information about the rule evaluation, risk score, and action:
Figure 5-5 Tracelist providing information about rule evaluation
Table 5-10 Description of details recorded in the catalina.out file
|
Entry |
Description |
|---|---|
|
user-profile~result~true |
Indicates that user profile rule evaluated successfully. |
Figure 5-6 Tracelist providing information about risk level and action
This log entry indicates that the as per the risk level/action configuration, the action taken is to allow authentication to the user and the risk score is 0.
Scenario 3: Two rules fail and the user is asked to authenticate using additional authentication
In this scenario, the User Profile rule and the IP address rule fail to evaluate successfully. The HTTP Header rule evaluates successfully.
The following tracelist detail from the catalina.out file provides more information about the rule evaluation, risk score, and action:
Figure 5-7 Tracelist providing information about rule evaluation
Table 5-11 Description of details recorded in the catalina.out file
|
Entry |
Description |
|---|---|
|
user-profile~result~false |
Indicates that user profile rule failed and the risk score of 30 is added to the total risk score. |
|
http-header~result~true |
Indicates that the HTTP header rule evaluated successfully. |
|
ip-rule~result~false |
Indicates that the IP address rule failed and the risk score of 25 is added to the total risk score. |
Figure 5-8 Tracelist providing information about risk level and action
This log entry indicates that the as per the risk level/action configuration, the action taken is additional authentication and the risk score is 55.
Scenario 4: All Rules Fail
In this scenario, all rules fail to evaluate successfully. The following tracelist detail from the catalina.out file provides more information about the rule evaluation, risk score, and action:
Figure 5-9 Tracelist providing information about rule evaluation
Table 5-12 Description of details recorded in the catalina.out file
|
Entry |
Description |
|---|---|
|
user-profile~result~false |
Indicates that user profile rule failed and the risk score of 30 is added to the total risk score. |
|
http-header~result~false |
Indicates that the HTTP header rule failed and the risk score of 20 is added to the total risk score. |
|
ip-rule~result~false |
Indicates that the IP address rule failed and the risk score of 25 is added to the total risk score. |
Figure 5-10 Tracelist providing information about risk level and action
This log entry indicates that as per the risk level/action configuration, the action is to deny access to the user and the risk score is 75.