How to Integrate Advanced Auth, Risk-Based Auth, and SSPR with an Authorization Policy
Micro Focus - Cool Solution
by Gary L. Gilbert
Use Case
Users of an organization are required to have an email address before they are allowed access to a protected resource. If the authenticated user does not have an email address, the user is redirected to SSPR to fill in the missing profile information. Otherwise, if the authenticated user already has an email address, they are required to perform second-factor authentication on their initial access to the protected resource and again every 60 days going forward.
Technical Overview
Prerequisites
This solution assumes NetIQ Access Manager (NAM 4.5 or later) is installed and protected resources are behind the Access Gateway (AG). The Identity Provider (IDP) is integrated with Advanced Authentication Framework (AAF), and Self-Service Password Reset (SSPR) is installed.
Solution Process Flow
The solution diagram below illustrates the process flow between components involved in setting up a combined Authorization Email Check, Risk-Based Authentication, and Advanced Authentication integrated solution.
The following steps will guide you through the setup of the policies and the configuration of the components shown in the process flow above. The basic premise is to prompt for second-factor authentication (if needed) using the Email OTP method provided within AAF. AAF is configured to auto-enroll the user with the Email OTP authenticator if they have an email address. If the user does not have an email address, they are denied access and cannot proceed with second-factor authentication until they update their profile in SSPR with an email address. If the user has a valid email address, a risk-based policy is invoked that determines whether the user needs second-factor authentication before access is allowed.
Integrating Advanced Authentication Framework (AAF) with Access Manager (NAM)
Overview
The Advanced Authentication Framework provides second-factor authentication when invoked by Access Manager. The solution involves a basic setup of AAF integrated with NAM using either the OAuth2 or the NAM AA Plugin method. For this solution, the user is auto-enrolled with the Email OTP method. If the user does not have an email address, they will not be enrolled until they update their profile with a valid email address.
Proceed with integrating Advanced Authentication with Access Manager by using any one of the following approaches:
Create a new OAuth2 event in AAF for integration to Access Manager
In the Advanced Authentication administration console, perform the following steps to configure an event:
NOTE: Make a note of the Client ID and Client secret; you will need them when configuring the Advanced Authentication server in Access Manager. The Client secret cannot be viewed again later, so you must record this value when the event is created.
Configure the Advanced Authentication Server Details in Access Manager
Configure a Second-Factor Authentication Method in Access Manager (NAM)
This solution allows Access Manager to perform the first-factor authentication when protecting a resource using the standard Secure Name/Password contract. For second-factor authentication, we use Advanced Authentication with the Email OTP method that we already set up above.
The following steps show how to set up second-factor authentication:
Note: For this solution, we only need to create a class and method for the AAF second-factor authentication. The method will be called from a risk-based authentication policy (see below).
Create a new Class
Create a new Method
Configure a Risk-Based Authentication Method and Contract in Access Manager (NAM)
Now that we have set up a second-factor authentication class and method, we also need to set up a Risk-Based Authentication class, method, and contract.
The following steps show how to set up the Risk-Based Authentication class, method, and contract:
Create a new Class
Create a new Method
Create a new Contract
Configure a Risk-Based Authentication Policy in Access Manager (NAM)
Now that the second-factor authentication class and method are set up, we need to call them from a Risk-Based Authentication policy.
The following steps show how to set up the Risk-Based Authentication policy:
Add a Risk Policy
Configure an AG Authorization Policy in Access Manager (NAM)
Now that both second-factor authentication and risk-based authentication are set up, we need to trigger the process flow by invoking it from an AG Authorization policy on a protected resource.
The following steps show how to set up the Authorization policy:
Add an Authorization Policy
Test Scenarios
To test the solution, log in with a user that does not have an email address. You should be redirected to SSPR to fill out profile information. Next, test with the same user again. This time you should be prompted for an Email OTP as second-factor authentication. After entering the Email OTP, verify that the Last Login cookie was created in the browser. Now log in with the user again. Since the Last Login cookie exists and is not expired, you should be allowed access to the protected resource without being prompted for second-factor authentication:
Scenario #1: Test User has no Email Address
Scenario #2: Test User has Email Address and accessing protected resource for first time
Scenario #3: Test User has Email Address and accessing protected resources again.
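The process flow and the three test scenarios above can be modelled as a single decision function, which is useful for reasoning about the policy chain and for writing regression tests before touching the NAM console. The following Python is an added example, not part of the original article and not NAM or AAF code: Access Manager evaluates the real policies from its configuration, and the real Last Login cookie is managed by the risk engine. The user and request objects, the `authorize` and `complete_second_factor` functions, the 60-day constant and the constructed users `alice` and `bob` are all assumptions for illustration. The model goes slightly beyond the article by also treating a cookie dated in the future as invalid, which is what you would want if a client tampered with it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Re-authentication interval from the use case: second factor again every 60 days.
SECOND_FACTOR_INTERVAL = timedelta(days=60)


@dataclass
class User:
    name: str
    email: Optional[str]  # LDAP mail attribute; None or "" when the profile is incomplete


@dataclass
class Request:
    user: User
    last_login_cookie: Optional[datetime]  # timestamp carried by the Last Login cookie, None if absent
    now: datetime


def authorize(req: Request) -> dict:
    """Return the decision the combined policy chain takes for one request.

    Outcomes (hypothetical labels for the three branches of the article):
      REDIRECT_SSPR - AG authorization policy: no email, send the user to SSPR
      REQUIRE_2FA   - risk policy: no valid Last Login cookie, invoke the AAF Email OTP method
      ALLOW         - risk policy: cookie present and younger than 60 days
    """
    # Step 1: the AG authorization policy checks the email attribute first.
    if not req.user.email:
        return {"action": "REDIRECT_SSPR", "reason": "email attribute missing"}

    # Step 2: the risk policy evaluates the Last Login cookie.
    cookie = req.last_login_cookie
    if cookie is None:
        return {"action": "REQUIRE_2FA", "reason": "no Last Login cookie"}

    age = req.now - cookie
    # A negative age means the cookie claims to be from the future: treat as invalid.
    if age < timedelta(0) or age >= SECOND_FACTOR_INTERVAL:
        return {"action": "REQUIRE_2FA", "reason": f"Last Login cookie invalid or expired ({age.days} days old)"}

    return {"action": "ALLOW", "reason": f"Last Login cookie is {age.days} days old"}


def complete_second_factor(req: Request) -> datetime:
    """After a successful Email OTP the risk policy writes a fresh Last Login cookie.
    Here the cookie value is simply the time of the successful second factor."""
    return req.now


def run_scenarios() -> list:
    """Replay the article's three test scenarios plus the 60-day expiry, in order."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock for the walkthrough
    alice = User("alice", None)                      # constructed: profile without an email
    bob = User("bob", "bob@example.com")             # constructed: profile with an email
    results = []

    # Scenario #1: no email address -> redirected to SSPR.
    results.append(authorize(Request(alice, None, now))["action"])

    # Scenario #2: email present, first access, no cookie -> Email OTP required.
    first = Request(bob, None, now)
    results.append(authorize(first)["action"])
    cookie = complete_second_factor(first)

    # Scenario #3: email present, cookie 10 days old -> allowed without a second factor.
    results.append(authorize(Request(bob, cookie, now + timedelta(days=10)))["action"])

    # Day 60: cookie has reached the interval -> Email OTP required again.
    results.append(authorize(Request(bob, cookie, now + timedelta(days=60)))["action"])
    return results


if __name__ == "__main__":
    for action in run_scenarios():
        print(action)
```

The order of the two checks matters: the email check sits in the AG authorization policy and runs before the risk policy, so a user with no email never reaches the Email OTP prompt, which is exactly the failure you want to avoid since AAF cannot enroll an Email OTP authenticator for them.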