Scenario: Calculating Risk Based on the Location from Where an Access Request Originates

You want to grant access only to employees, and you want to deny any request that originates from a specific region even if the user is an employee of your organization. You can create a policy that identifies the following conditions and calculates a risk score for each of them:

  • Access request by an employee, not from a specific location

  • Access request by an employee from a specific location

  • Access request by a person who is not an employee

This scenario requires you to create two separate rules: a geolocation rule named example_geolocation and a user profile rule named example_user_profile.

You can configure risk-based authentication for this scenario by using a Risk-based Auth Class.

Configuration Steps:

  1. Go to Policies > Risk-based Policies > Risk Policy.

  2. Click the Create Risk Policy icon.

  3. Under Add Risk Policy, specify the following details:

    Risk Policy Name: Specify a name.

    Policy Description: Specify the purpose of this policy.

    Assign Policy To: Select Identity Server cluster and then configure an authentication class.

    • Select Create Risk-based Auth Class.

    • Specify Class Name.

    • Click Save.

  4. Create a Geolocation rule and a User Profile rule.

    • Geolocation Rule

      Under Policy Rules, click Create Rule and specify the following values:

      NOTE: You must configure a geolocation provider for a geolocation rule to work.

      • Rule Name: Specify example_geolocation.

      • Rule Definitions: Select Geolocation Rule.

      • User Location: Select Is not.

        Specify the following geolocation details of the region from which you want to deny all login requests:

        • Country Code
        • State Name
        • State Code
        • City Name
        • Zip Code
        • Metro Code
        • Area Code
        • Region Code
        • Region Name
      • If rule condition is met, then: Allow Access and Exit Policy

      • If rule condition is not met, add risk score: 60

      • Click OK.

    • User Profile Rule

      Under Policy Rules, click Create Rule and specify the following values:

      • Rule Name: Specify example_user_profile.

      • Rule Definitions: Select User Profile.

      • Select employeeType.

      • Select Equals.

      • Specify Employee.

      • If rule condition is met, then: Proceed to Next Rule

      • If rule condition is not met, add risk score: 60

      • Click OK.

        To evaluate example_user_profile first, drag it above example_geolocation in the rules list in the Administration Console.

  5. Under Risk Levels, click Actions > Add Risk Level and create the following risk level:

    For more information, see Risk Score in Table 5-1.

    Risk Score: Equals to or greater than 50

    Risk Level: High

    Action: Deny Access

  6. Click OK.

  7. Create an authentication method. See Configuring a Method for an Authentication Class.

  8. Create a contract. See Configuring a Contract for an Authentication Class.

  9. Assign the contract to the protected resource.
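As an added illustration (not code from the product being configured), the following Python model replays the scenario's conditions through the two rules and the risk level configured above. It assumes that risk scores accumulate across rules, that an exit action stops rule evaluation with the accumulated score still matched against the risk levels, that a score below every configured level allows access, and that the region values and employee types are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder for the region to block; in the product these are the
# geolocation details (Country Code, City Name, ...) entered in the rule.
DENIED_REGION = {"country_code": "XX", "city_name": "Blocked City"}

@dataclass
class AccessRequest:
    employee_type: str  # value of the user's employeeType attribute
    location: dict      # geolocation attributes resolved by the geolocation provider

def example_user_profile(req):
    """employeeType Equals Employee: Proceed to Next Rule; otherwise add risk score 60."""
    if req.employee_type == "Employee":
        return "proceed", 0
    return "proceed", 60

def example_geolocation(req):
    """User Location Is not the denied region: Allow Access and Exit Policy; otherwise add 60."""
    in_region = all(req.location.get(k) == v for k, v in DENIED_REGION.items())
    if not in_region:
        return "exit", 0
    return "proceed", 60

# Order from the scenario: example_user_profile is evaluated before example_geolocation.
RULES = [example_user_profile, example_geolocation]

def risk_action(score):
    """Risk level from the scenario: 50 or more is High and denies access.
    Assumption: a score below every configured risk level allows access."""
    if score >= 50:
        return "High", "Deny Access"
    return None, "Allow Access"

def evaluate(req, rules=RULES):
    """Assumption: scores accumulate, an exit action stops rule evaluation, and the
    accumulated score is then matched against the risk levels."""
    score = 0
    for rule in rules:
        action, points = rule(req)
        score += points
        if action == "exit":
            break
    return (score, *risk_action(score))

if __name__ == "__main__":
    outside = {"country_code": "YY", "city_name": "Other City"}
    for who in ("Employee", "Contractor"):
        for where, loc in (("outside", outside), ("inside", DENIED_REGION)):
            print(who, where, evaluate(AccessRequest(who, loc)))
```

Evaluating with the rules reversed, evaluate(req, RULES[::-1]), lets a non-employee outside the region exit on the geolocation rule with a score of 0 and be allowed, which is why the scenario evaluates example_user_profile first.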