11.4 Using the Risk Policy of Advanced Authentication

If SecureLogin is installed with Advanced Authentication, you can use the risk policy configured in Advanced Authentication to log in using the SecureLogin kiosk and to re-authenticate users when they access applications containing sensitive data. The risk policy evaluates the risk level during each access attempt using contextual information, such as the IP address and device information.

You can define an appropriate action for each risk level in the policy, such as granting access or asking for additional authentication. In the case of high risk, you can configure the policy to deny access. For more information about how to configure a risk policy in Advanced Authentication, see Configuring Risk Settings in the Advanced Authentication - Administration guide.

Configuring context-aware multi-factor reauthentication for an application involves the following steps:

  1. In Advanced Authentication, perform the following actions:

    1. Configure a risk policy with required rules.

    2. Configure chains for each risk level.

    3. Configure or modify the event for SecureLogin, and map the risk policy and chains to the event. This event must be the same one that is selected while enabling Advanced Authentication for SecureLogin. By default, the Windows Logon event is used.

  2. In SecureLogin: In the Application Definition Wizard for the identified application, configure reauthentication to use the default method.

Example

Let’s use the following example to understand the configuration:

Your organization provides a Human Resources portal to all employees. Inside the corporate network and within business hours, all employees can access the Human Resources (HR) portal using only SSO.

However, you want the employees to reauthenticate when the portal is accessed outside business hours and from an external network.

To achieve this scenario, perform the following steps:

In Advanced Authentication:

  1. Configure a risk policy with IP Address Rule and User Time of Login Rule.

    1. Click Risk Settings, and then click the Create a Risk Policy icon.

    2. Specify the following details:

      • Policy Name: Specify the name as SecureLoginPolicy.

      • Description: Specify the purpose of this policy.

    3. Configure the IP Address Rule and the User Time of Login Rule in the sequence shown below. The rules are executed from top to bottom.

      IP Address Rule:

      1. Click Add Rule.

      2. Specify the rule name and the description.

      3. Select IP Address Rule from Choose a Rule Type.

      4. Select Is from Allow if IP address in the list.

      5. Select IP address range in Manually enter the Data source.

      6. Specify the range of the IP address. For example, 10.0.0.0 to 10.255.255.255.

      7. Click Save.

      User Time of Login Rule:

      1. Click Add Rule.

      2. Specify the rule name and the description.

      3. Select User Time of Login Rule from Choose a Rule Type.

      4. Select Is from User time of login.

      5. Select the date range from Monday to Friday.

      6. Select the time range from 9:00 AM to 6:00 PM.

      7. Click Save.

    4. Set up the risk levels:

      • Move the blue slider to 1 to indicate that if one rule fails, the risk is medium.

      • Move the green slider to 0 to indicate that if no rules fail, the risk is low.

      • If both rules fail, the risk is high.

    5. Click Save.

  2. Configure chains.

    1. Create the following chains:

      Chain for the low risk level:

      1. Click Chains > Add.

      2. Specify a name for the chain in Name. For example, LowRisk.

      3. Specify a Short name.

      4. Set Is enabled to ON to enable the chain.

      5. Select the Methods you want to add to the chain. For example, Password.

      6. Specify the groups that will use the authentication chain in Roles and Groups.

      7. Expand Risk Settings by clicking +.

      8. In Minimum Risk Level, select Low.

      9. Click Save.

      Chain for the medium risk level:

      1. Click Chains > Add.

      2. Specify a name for the chain in Name. For example, MediumRisk.

      3. Specify a Short name.

      4. Set Is enabled to ON to enable the chain.

      5. Select the Methods you want to add to the chain. For example, Password and SMS OTP.

      6. Specify the groups that will use the authentication chain in Roles and Groups.

      7. Expand Risk Settings by clicking +.

      8. In Minimum Risk Level, select Medium.

      9. Click Save.

      For more information about chains, see Creating a Chain in the Advanced Authentication Administration Guide.

    2. Click Save.

  3. Modify the Windows logon event.

    1. Click Events > Windows logon.

    2. Select the MediumRisk and LowRisk chains that you created in Step 2.

    3. In Risk Policy, select SecureLoginPolicy.

    4. Click Save.

    For more information about events, see Configuring Events in the Advanced Authentication Administration Guide.
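The policy, slider and chain configuration above, as an added example in Python that is not part of this guide and not Advanced Authentication code: it models the two rules evaluated from top to bottom, the failure-count thresholds set by the sliders in step 4, and the chain chosen per risk level from step 2, so that you can check which chain (or a denial) a given client IP address and login time would produce before rolling the policy out. The constants, the ISO-8601 timestamp input, the sample attempts, treating 6:00 PM as the end of the window, and treating high risk as denial (no chain is defined for it in the example) are assumptions of this model.

```python
"""Constructed model of the SecureLoginPolicy evaluation from the example.
This is an added illustration, not Advanced Authentication code."""
from datetime import datetime
import ipaddress

# IP Address Rule: "Is" in the range 10.0.0.0 to 10.255.255.255.
ALLOWED_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# User Time of Login Rule: Monday to Friday, 9:00 AM to 6:00 PM.
# Assumption: 6:00 PM itself is treated as the end of the window.
BUSINESS_DAYS = range(0, 5)      # Monday = 0 ... Friday = 4
BUSINESS_HOURS = range(9, 18)    # 09:00 up to, but not including, 18:00

# Slider settings from step 4: green slider at 0, blue slider at 1.
LOW_MAX_FAILURES = 0
MEDIUM_MAX_FAILURES = 1

# Chains from step 2, keyed by the Minimum Risk Level set in Risk Settings.
# No chain is defined for high risk; this model denies access in that case
# (assumption: the text says a policy can be configured to deny at high risk).
CHAINS = {
    "low": ("LowRisk", ["Password"]),
    "medium": ("MediumRisk", ["Password", "SMS OTP"]),
}


def ip_address_rule(ip: str, when: datetime) -> bool:
    """Passes when the client address lies inside the allowed range."""
    return ipaddress.ip_address(ip) in ALLOWED_NETWORK


def user_time_of_login_rule(ip: str, when: datetime) -> bool:
    """Passes when the login falls on a business day within business hours."""
    return when.weekday() in BUSINESS_DAYS and when.hour in BUSINESS_HOURS


# Rules are executed in the top to bottom sequence, as in the policy.
RULES = [ip_address_rule, user_time_of_login_rule]


def count_failures(ip: str, when: datetime) -> int:
    """Number of rules that fail for this attempt."""
    return sum(1 for rule in RULES if not rule(ip, when))


def risk_level(failures: int) -> str:
    """Maps the number of failed rules to a level using the slider positions."""
    if failures <= LOW_MAX_FAILURES:
        return "low"
    if failures <= MEDIUM_MAX_FAILURES:
        return "medium"
    return "high"


def decide(ip: str, when_iso: str):
    """Returns (risk level, chain name or None, methods) for one attempt.
    A chain name of None means the attempt is denied."""
    when = datetime.fromisoformat(when_iso)
    level = risk_level(count_failures(ip, when))
    name, methods = CHAINS.get(level, (None, []))
    return level, name, methods


if __name__ == "__main__":
    # Constructed sample attempts against the HR portal scenario.
    samples = [
        ("10.20.30.40", "2024-03-12T10:00"),  # corporate network, Tuesday 10:00
        ("203.0.113.5", "2024-03-12T10:00"),  # external network, business hours
        ("10.20.30.40", "2024-03-12T20:00"),  # corporate network, after hours
        ("203.0.113.5", "2024-03-16T22:00"),  # external network, Saturday night
    ]
    for ip, when in samples:
        print(ip, when, "->", decide(ip, when))
```

Running the sample attempts shows the practical effect of the slider settings: an external address during business hours and a corporate address after hours both fail exactly one rule and therefore land on the MediumRisk chain (Password and SMS OTP), while only an attempt that fails both rules reaches high risk. If you want a single failed rule to be tolerated and only the combined case to force reauthentication, the blue slider has to move instead; the model makes that a one-constant change you can test before touching the policy.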

In SecureLogin:

  1. Right-click the SecureLogin icon in the notification area, and then click Manage Logins.

  2. In Applications, select the application for which you want to enable reauthentication.

  3. Select the Definition tab.

  4. Click Edit Wizard > Re-authenticate.

  5. Click Yes. Enforce re-authentication before accessing this application.

  6. In Select from the methods detected, select <Default>.

  7. Click OK.