Adaptive Authentication
The Adaptive Authentication functionality in OpenIAM allows organizations to create authentication flows which go beyond direct authentication options such as password, OTP, certificate, etc. These flows can also evaluate other factors, such as the IP address or the user's role, during the authentication process.
The rest of this section describes how to use the adaptive authentication functionality.
Authentication rules
Configure authentication rules
webconsole → Policy → Authentication Rule
The list of default authentication rules contains one rule for each type of authentication.
1 One-step authentication
All default authentication rules consist of a single authentication type.
To add an authentication type to the rule field:
Select an authentication type from the list of types.
Click the “Add Authentication Level“ button.
The authentication type is added to the rule field.
2 Authentication with two or more steps
To configure the authentication steps and their order:
Select an authentication type from the list of types.
Click the “Add Authentication Level“ button.
The authentication type is added to the rule field.
Repeat from the first step for each additional level that is needed.
Using the mouse cursor, add a link between the authentication types to define their order.
3 Selecting one authentication type from a list of allowed types
If several types of authentication should be allowed, with the user choosing one of them, use this authentication rule type.
In this case, after a successful login with a password, the user is redirected to a selection page showing the list of allowed authentication types.
4 Authentication rule with adaptive authentication
Adaptive risks can be used in an authentication rule. Depending on the situation, an extra authentication step can be required or access can be declined.
Example of an extra authentication step when a new device is used at login:
Example of accepting access for a selected role:
Adaptive risks
Every adaptive risk evaluates to a result value of true or false, and the next step of the authentication rule is chosen according to that result. There are two types of adaptive risks: the IS_NEW risks and the others.
The IS_NEW... adaptive risks need no additional value in the "Adaptive risk value" field. These are:
IS_NEW_IP
IS_NEW_DEVICE
FORGOT_PHONE
IS_NEW_CITY (available only if a database with geolocation by IP is used)
IS_NEW_COUNTRY (available only if a database with geolocation by IP is used)
The other types of adaptive risks use the value from the "Adaptive risk value" field to calculate their result:
MEMBER_OF_ROLES
MEMBER_OF_GROUPS
HAS_APPROVED_AUTH_TYPE
CUSTOM_ADAPTIVE_RISK
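To make the branching behaviour described above concrete, here is an added example (not OpenIAM's own code) that models a rule graph as a dictionary: password first, then a MEMBER_OF_ROLES check whose "Adaptive risk value" is the role list, then an IS_NEW_DEVICE check that adds an OTP step only on an unknown device. The node names, the context dictionary and the two modelled risks are assumptions for illustration; the real rule is built in the webconsole.

```python
from typing import Dict, List, Optional

# Constructed model of an adaptive-authentication rule graph (not OpenIAM's code).
# Auth-type nodes lead to one next node; adaptive-risk nodes evaluate to True or
# False and the rule branches on that result, as the console's rule graph does.
NO_VALUE_RISKS = {"IS_NEW_IP", "IS_NEW_DEVICE", "FORGOT_PHONE"}  # take no risk value

def evaluate_risk(risk: str, value: Optional[str], ctx: Dict) -> bool:
    """Boolean result of one adaptive risk for this login (two risks modelled).

    ctx is a constructed stand-in for session data: roles, device, known_devices.
    """
    if risk in NO_VALUE_RISKS and value is not None:
        raise ValueError(f"{risk} takes no adaptive risk value")
    if risk == "IS_NEW_DEVICE":
        return ctx["device"] not in ctx["known_devices"]
    if risk == "MEMBER_OF_ROLES":
        if not value:
            raise ValueError("MEMBER_OF_ROLES needs a comma-separated role list")
        return bool(ctx["roles"] & {r.strip() for r in value.split(",")})
    raise ValueError(f"risk {risk} is not modelled here")

def run_rule(rule: Dict, ctx: Dict) -> List[str]:
    """Walk the rule from its start node; return the auth steps taken plus the verdict."""
    trail, node = [], rule["start"]
    while node not in ("ACCEPT", "DECLINE"):
        spec = rule[node]
        if spec["kind"] == "auth":        # user must complete this authentication type
            trail.append(node)
            node = spec["next"]
        else:                             # adaptive risk: pick the branch by its result
            fired = evaluate_risk(spec["risk"], spec.get("value"), ctx)
            node = spec["if_true"] if fired else spec["if_false"]
    trail.append(node)
    return trail

# Constructed rule: password first; only STAFF members may continue; a device the
# user has not logged in from before adds an OTP step, a known device is accepted.
RULE = {
    "start": "PASSWORD",
    "PASSWORD": {"kind": "auth", "next": "staff_check"},
    "staff_check": {"kind": "risk", "risk": "MEMBER_OF_ROLES", "value": "STAFF",
                    "if_true": "device_check", "if_false": "DECLINE"},
    "device_check": {"kind": "risk", "risk": "IS_NEW_DEVICE",
                     "if_true": "OTP", "if_false": "ACCEPT"},
    "OTP": {"kind": "auth", "next": "ACCEPT"},
}
```

Calling `run_rule(RULE, ctx)` returns the ordered list of authentication types the user had to pass followed by the verdict, so the same constructed context can be replayed against several rule graphs to compare their outcomes.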