Adaptive Authentication

The Adaptive Authentication functionality in OpenIAM allows organizations to create authentication flows that go beyond direct authentication options such as password, OTP, certificate, etc. These flows can evaluate additional factors, such as the IP address or the user's role, during the authentication process and adjust the required steps accordingly.

The rest of this section describes how to use the adaptive authentication functionality.

Authentication rules

Configure authentication rules

webconsole → Policy → Authentication Rule


The list of default authentication rules contains one rule for each authentication type.


1 One step authentication

Every default authentication rule consists of a single authentication type.

To add an authentication type to the rule field:

  1. Select the authentication type from the list of types.

  2. Click the “Add Authentication Level“ button.

  3. The authentication type is added to the rule field.


2 Two or more steps authentication

To configure several authentication steps and their order:

  1. Select the authentication type from the list of types.

  2. Click the “Add Authentication Level“ button.

  3. The authentication type is added to the rule field.

  4. Repeat from step 1 for each additional step.

  5. Using the mouse cursor, draw a link between the authentication types; the direction of the links defines the order in which the steps are required.


3 Select one authentication type from list of allowed

If you want to allow several authentication types and let the user pick one of them, use the following authentication rule type.


In this case, after a successful password login, the user is redirected to a selection page listing the allowed authentication types.


4 Authentication rule with adaptive authentication

Adaptive risks can be used within an authentication rule. Depending on the outcome of the risk, the rule can require an extra authentication step or deny access.

Example of an extra authentication step when the user logs in from a new device:


Example of granting access only to users who hold a selected role:


Adaptive risks

Every adaptive risk evaluates to either true or false, and the next step of the authentication rule is chosen according to that result. There are two kinds of adaptive risks: the IS_NEW kind and the others.

Adaptive risks of the IS_NEW kind do not require any value in the "Adaptive risk value" field. These are:

  • IS_NEW_IP

  • IS_NEW_DEVICE

  • FORGOT_PHONE

  • IS_NEW_CITY (available only if a geolocation-by-IP database is configured)

  • IS_NEW_COUNTRY (available only if a geolocation-by-IP database is configured)

The other adaptive risks use the value from the "Adaptive risk value" field to calculate their result:

  • MEMBER_OF_ROLES

  • MEMBER_OF_GROUPS

  • HAS_APPROVED_AUTH_TYPE

  • CUSTOM_ADAPTIVE_RISK
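As an added illustration (not OpenIAM's own code), the following Python models how a rule such as the two examples in section 4 is walked: authentication steps are linked in order, each adaptive risk yields true or false and selects the next node, and a final node allows or denies. The node layout, the `evaluate` function, the rule dictionaries, the sample login contexts and the comma-separated format assumed for the "Adaptive risk value" field are all assumptions of this model, not OpenIAM internals.

```python
# Added example (not OpenIAM code): a small model of how an authentication
# rule with adaptive risks is walked. Node kinds, the rule layout and the
# comma-separated "Adaptive risk value" format are assumptions of this model.
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginContext:
    """What the rule engine knows about one login attempt (constructed sample)."""
    ip: str
    device_id: str
    roles: frozenset
    groups: frozenset
    known_ips: frozenset       # IPs previously seen for this user
    known_devices: frozenset   # device ids previously seen for this user


# Risk evaluators: every adaptive risk yields True or False.
# IS_NEW_* risks ignore the value field; MEMBER_OF_* risks read it.
def is_new_ip(ctx, value=None):
    return ctx.ip not in ctx.known_ips

def is_new_device(ctx, value=None):
    return ctx.device_id not in ctx.known_devices

def _split_value(value):
    # Assumed format for "Adaptive risk value": comma-separated names.
    return {item.strip() for item in (value or "").split(",") if item.strip()}

def member_of_roles(ctx, value):
    return bool(_split_value(value) & ctx.roles)

def member_of_groups(ctx, value):
    return bool(_split_value(value) & ctx.groups)

RISKS = {
    "IS_NEW_IP": is_new_ip,
    "IS_NEW_DEVICE": is_new_device,
    "MEMBER_OF_ROLES": member_of_roles,
    "MEMBER_OF_GROUPS": member_of_groups,
}


def evaluate(rule, ctx):
    """Walk a rule graph; return (decision, authentication types required in order).

    rule = {"start": name, "nodes": {name: node}} where node is one of
      {"kind": "auth", "type": "PASSWORD", "next": name}
      {"kind": "risk", "risk": "IS_NEW_DEVICE", "value": str|None, "true": name, "false": name}
      {"kind": "decision", "result": "ALLOW" | "DENY"}
    """
    required, seen, name = [], set(), rule["start"]
    while True:
        if name in seen:                      # links drawn by hand can form a loop
            raise ValueError(f"cycle in rule at {name!r}")
        seen.add(name)
        node = rule["nodes"][name]
        if node["kind"] == "auth":
            required.append(node["type"])
            name = node["next"]
        elif node["kind"] == "risk":
            if node["risk"] not in RISKS:
                # Fail closed: a misconfigured risk must never grant access.
                raise ValueError(f"unknown adaptive risk {node['risk']!r}")
            name = node["true"] if RISKS[node["risk"]](ctx, node.get("value")) else node["false"]
        elif node["kind"] == "decision":
            return node["result"], required
        else:
            raise ValueError(f"unknown node kind {node['kind']!r}")


# Rule 1: password, then OTP only when the device is new (section 4, first example).
NEW_DEVICE_RULE = {"start": "pw", "nodes": {
    "pw": {"kind": "auth", "type": "PASSWORD", "next": "new_dev"},
    "new_dev": {"kind": "risk", "risk": "IS_NEW_DEVICE", "value": None, "true": "otp", "false": "ok"},
    "otp": {"kind": "auth", "type": "OTP", "next": "ok"},
    "ok": {"kind": "decision", "result": "ALLOW"},
}}

# Rule 2: password, then allow only members of the listed roles (section 4, second example).
ROLE_RULE = {"start": "pw", "nodes": {
    "pw": {"kind": "auth", "type": "PASSWORD", "next": "role"},
    "role": {"kind": "risk", "risk": "MEMBER_OF_ROLES", "value": "ADMIN, AUDITOR", "true": "ok", "false": "deny"},
    "ok": {"kind": "decision", "result": "ALLOW"},
    "deny": {"kind": "decision", "result": "DENY"},
}}

# Constructed sample logins.
KNOWN_DEVICE = LoginContext("203.0.113.5", "dev-1", frozenset({"USER"}), frozenset(),
                            frozenset({"203.0.113.5"}), frozenset({"dev-1"}))
NEW_DEVICE = LoginContext("203.0.113.5", "dev-9", frozenset({"USER"}), frozenset(),
                          frozenset({"203.0.113.5"}), frozenset({"dev-1"}))
ADMIN = LoginContext("198.51.100.7", "dev-1", frozenset({"ADMIN", "USER"}), frozenset(),
                     frozenset(), frozenset({"dev-1"}))

if __name__ == "__main__":
    print(evaluate(NEW_DEVICE_RULE, KNOWN_DEVICE))  # ('ALLOW', ['PASSWORD'])
    print(evaluate(NEW_DEVICE_RULE, NEW_DEVICE))    # ('ALLOW', ['PASSWORD', 'OTP'])
    print(evaluate(ROLE_RULE, ADMIN))               # ('ALLOW', ['PASSWORD'])
    print(evaluate(ROLE_RULE, KNOWN_DEVICE))        # ('DENY', ['PASSWORD'])
```

Two points worth carrying over to a real configuration: a risk name the engine does not recognise (or a CUSTOM_ADAPTIVE_RISK whose implementation is missing) should fail closed rather than be treated as "false", and because the links between steps are drawn by hand, a rule should be checked for loops and for paths that never reach an ALLOW or DENY before it is enabled.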