Scenario: Calculating Risk Based on the HTTP Header Value

If the user is an employee and is not located in a specific region, grant access. If the user is an employee but is accessing from that region, deny access. If the user is an employee accessing from that region but the HTTP header contains a specified email ID, grant access.

You can configure a risk policy for this scenario by using the combination rule. A combination rule assesses more than one parameter to validate an authentication request from a user.

The rule must assess the user profile and geolocation first and consider the HTTP header condition only when the first condition evaluation fails.

You can configure risk-based authentication in this scenario by using Risk-based Auth Class.

Configuration Steps:

  1. Go to Policies > Risk-based Policies > Risk Policy.

  2. Click the Create Risk Policy icon.

  3. Under Add Risk Policy, specify the following details:

    Risk Policy Name: Specify a name.

    Policy Description: Specify the purpose of this policy.

    Assign Policy To: Select Identity Server cluster and then configure an authentication class.

    • Select Create Risk-based Auth Class.

    • Specify Class Name.

    • Click Save.

  4. Create a Geolocation rule and a User Profile rule as a single rule.

    1. Under Policy Rules, click Create Rule and specify the following values:

    2. Rule Name: Specify example_combination_rule.

    3. Configure the geolocation rule.

      NOTE: You must configure a geolocation provider in the Geolocation user interface for this rule to work.

      1. Rule Definitions: Select Geolocation Rule.

      2. User Location: Select Is not.

      3. Specify the following geolocation details of the region from which you want to deny all login requests:

        • Country Code
        • State Name
        • State Code
        • City Name
        • Zip Code
        • Metro Code
        • Area Code
        • Region Code
        • Region Name

    4. Click Combine with to add the user profile rule.

      1. Select User Profile Rule.

      2. Under User Attributes, Select employeeType and Equals, and specify Employee.

    5. Click Combine with to add the HTTP Header rule.

      1. Select HTTP Header Rule.

      2. Specify the HTTP header name and the specific header value that the rule must find in that header.

    6. In Combination Rule Definition > Condition Group, click Assign Rules and then select user profile and geolocation rules. Select AND in Group Operator. For information about how these operators work, see Combination Rule in Table 5-1.

    7. Click Add Condition Group and select HTTP Header Rule.

    8. Select the OR operator for Condition Group 1 and Condition Group 2.

    9. If rule condition is met, then: Select Allow Access and Exit Policy.

    10. If rule condition is not met: Add risk score 50.

    11. Click OK.

  5. Under Risk Levels, click Actions > Add Risk Level, and create the following risk levels:

    You can define actions for a single risk score or for a range of risk scores. When the evaluation of all conditions in a risk policy fails, the action is taken based on the accumulated risk score. For more information, see Risk Score in Table 5-1.

    • Low

      Risk Score: Less than 30
      Risk Level: Low
      Action: Allow Access

    • Medium

      Risk Score: Between 30 and 50
      Risk Level: Medium
      Action: Authenticate using Trust levels

    • High

      Risk Score: Equals to or greater than 50
      Risk Level: High
      Action: Deny Access

  6. Click OK.

  7. Create an authentication method. See Configuring a Method for an Authentication Class.

  8. Create a contract. See Configuring a Contract for an Authentication Class.

  9. Assign the contract to the protected resource.
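The following Python model of the combination rule from step 4 and the risk levels from step 5 is an added illustration, not part of the product or of the original page. The denied region, the exempting header name and value, and the exact-match comparison of the header value are constructed assumptions; a score of exactly 50 is treated as High because the High row says "Equals to or greater than 50".

```python
from dataclasses import dataclass, field

# Constructed sample values; the real rule takes these from the policy UI.
DENIED_REGION = {"country_code": "ZZ", "region_code": "01"}   # geolocation rule target
EXEMPT_HEADER = ("x-approved-email", "alice@example.com")      # HTTP header rule target
FAILED_RULE_SCORE = 50                                          # "add risk score 50"


@dataclass
class Request:
    employee_type: str
    location: dict                               # attributes resolved by the geolocation provider
    headers: dict = field(default_factory=dict)


def geolocation_rule(req: Request) -> bool:
    """User Location 'Is not' the denied region: true when any attribute differs."""
    return any(req.location.get(k) != v for k, v in DENIED_REGION.items())


def user_profile_rule(req: Request) -> bool:
    """employeeType Equals Employee."""
    return req.employee_type == "Employee"


def http_header_rule(req: Request) -> bool:
    """The named header carries the expected value (names compared case-insensitively)."""
    name, value = EXEMPT_HEADER
    lowered = {k.lower(): v for k, v in req.headers.items()}
    return lowered.get(name) == value


def combination_rule(req: Request) -> bool:
    # Condition Group 1 = geolocation AND user profile; Condition Group 2 = HTTP header.
    # The groups are joined with OR, so the header only matters when group 1 fails.
    group1 = geolocation_rule(req) and user_profile_rule(req)
    return group1 or http_header_rule(req)


def risk_level(score: int) -> tuple:
    """Map an accumulated score to the risk levels configured above."""
    if score < 30:
        return "Low", "Allow Access"
    if score < 50:
        return "Medium", "Authenticate using Trust levels"
    return "High", "Deny Access"


def evaluate_policy(req: Request) -> dict:
    """Rule met: allow and exit; otherwise add 50 and act on the resulting risk level."""
    if combination_rule(req):
        return {"rule_met": True, "risk_score": 0, "risk_level": None,
                "action": "Allow Access and Exit Policy"}
    level, action = risk_level(FAILED_RULE_SCORE)
    return {"rule_met": False, "risk_score": FAILED_RULE_SCORE,
            "risk_level": level, "action": action}
```

Running the model over a non-employee shows a consequence the scenario text does not spell out: with no exempting header, a contractor is denied from every location, not only from the denied region.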