Adaptive Authentication with nevisAuth - nevisAdapt direct integration
To configure a standalone nevisAdapt instance for adaptive authentication, the following requirements must be met:
- nevisAuth, nevisProxy and nevisIDM instances are already present and configured. For more information, see the chapter Base Setup.
- The "userNotification20" email template message of nevisIDM is configured. nevisAdapt sends an email based on this template to users in case of suspicious authentications (see Creating a new template in the nevisIDM reference guide and nevisIDM notifications for nevisAdapt in the nevisAdapt reference guide).
No nevisDetect Instance pattern is needed in this case.
Perform the following steps:
Configure a nevisAdapt Instance pattern:
- Database Connector property/field: Add a nevisAdapt Database Connector pattern that points to a nevisAdapt schema. For instructions on how to create the schema, see the section Database schema in the chapter Installing nevisAdapt in the nevisAdapt reference guide.
- IP Geolocation tab: Set the file code of the database, the update schedule and the download token. Alternatively, you can upload a (small) database file directly; in that case, however, no update schedule can be configured.
- IP Reputation tab: Set the update schedule and the URL of the IP reputation feed. We recommend keeping the defaults.
- Advanced Settings tab: If downloading updates requires a forward proxy, configure it in this tab. A Feedback Configuration pattern can also be referenced here.
Create a nevisAdapt Authentication Connector pattern, configured as described in the following properties, and reference it as the "on success" step of an existing authentication step:
- nevisAdapt property/field: Specify the nevisAdapt Instance you created above.
- On Success: The next authentication step, if needed.
- On Timeout: The next authentication step, if needed. Mandatory for the "event" profile, optional for all other profiles.
- On Untrained: The next authentication step, if needed. Mandatory for the "event" profile, optional for all other profiles.
- Risk Profiles properties/tab: If the profile is based on risk weights, you can set the thresholds, the weights and the next authentication step to perform when each threshold is reached.
- Advanced Settings properties/tab: All advanced properties are optional. Do not change the default settings, as modifying the defaults can severely affect the behavior of nevisAdapt. If you need to change them anyway, get in touch with your Nevis contact. For further information about the behavior of authentication profiles (risk weight or event-based), see the chapter Profiles in the nevisAdapt reference guide.
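The following is an added example, not nevisAdapt code and not taken from the Nevis documentation. It illustrates the idea behind a risk-weight profile with a deliberately simple additive model: every triggered analyzer contributes its configured weight, and the highest threshold reached selects the next authentication step. The analyzer names, weights, thresholds and step names are constructed for this illustration; nevisAdapt's actual computation is described in the Profiles chapter of its reference guide.

```python
"""Illustrative risk-weight profile (added example, not nevisAdapt code).

Assumption: a simple additive model in which each triggered analyzer adds
its configured weight and the highest threshold reached picks the next
authentication step. All names and numbers below are constructed.
"""

# Constructed per-analyzer weights (assumption: additive model).
WEIGHTS = {
    "unknown_ip": 30,
    "unknown_device": 30,
    "unknown_country": 40,
    "impossible_travel": 60,
}

# Constructed thresholds with the step to take once the score reaches them.
# Step names are placeholders for whatever AuthState follows the connector.
THRESHOLDS = [
    (80, "reject"),           # too risky: do not continue authentication
    (50, "second_factor"),    # require an additional factor
    (20, "notify_user"),      # e.g. a User Notification pattern
]

DEFAULT_STEP = "on_success"   # score below every threshold: continue normally


def risk_score(triggered, weights=WEIGHTS):
    """Sum the weights of all triggered analyzers; reject unknown analyzer names."""
    unknown = set(triggered) - set(weights)
    if unknown:
        raise ValueError(f"unconfigured analyzers: {sorted(unknown)}")
    return sum(weights[name] for name in triggered)


def next_step(triggered, weights=WEIGHTS, thresholds=THRESHOLDS, default=DEFAULT_STEP):
    """Return (score, step): the step of the highest threshold the score reaches."""
    score = risk_score(triggered, weights)
    for limit, step in sorted(thresholds, reverse=True):
        if score >= limit:
            return score, step
    return score, default


def check_thresholds(thresholds):
    """Configuration check: threshold values must be distinct, otherwise the
    selected step would be ambiguous for a score that reaches both."""
    limits = [limit for limit, _ in thresholds]
    return len(limits) == len(set(limits))


if __name__ == "__main__":
    assert check_thresholds(THRESHOLDS)
    for case in ([], ["unknown_ip"], ["unknown_ip", "unknown_device"],
                 ["impossible_travel", "unknown_country"]):
        print(case, next_step(case))
```

Evaluating the thresholds from highest to lowest is what makes the mapping unambiguous: a score of 100 satisfies all three thresholds, but only the step bound to the highest one applies.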
(Optional) Configure a nevisAdapt Feedback Configuration pattern. This pattern collects all the properties related to the distrust feedback mechanism:
- nevisAuth Instance property/field: Add a nevisAuth Instance pattern reference to allow deletion of untrusted sessions.
- nevisProxy Instance property/field: Specify the nevisProxy Instance used to generate the feedback URLs.
- Feedback Token Encryption Key: Set a Base64-encoded encryption key for the feedback tokens.
- Feedback Token Behavior: Select which data is removed when a distrust token is received.
- Feedback Token Lifetime: The validity timespan for each new token.
- Feedback Redirect URL (optional): Enter the URL the user is redirected to after following the feedback link.
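As an added example that is not part of the Nevis documentation, the snippet below generates a feedback token encryption key from the operating system's CSPRNG and checks a candidate key before it is pasted into the pattern. The page only states that the key is Base64-encoded; the 32-byte (256-bit) length is an assumption made here, so align it with what your nevisAdapt version documents.

```python
"""Generate and sanity-check a Base64 feedback token encryption key.

Added example, not Nevis code. Assumption: the key is 32 raw bytes
(256 bits); adjust KEY_BYTES if your nevisAdapt version requires otherwise.
"""
import base64
import binascii
import secrets

KEY_BYTES = 32  # assumption: 256-bit key


def generate_key(n_bytes=KEY_BYTES):
    """Return a fresh random key, Base64-encoded, from the OS CSPRNG."""
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def validate_key(b64, n_bytes=KEY_BYTES):
    """Return (ok, reason) for a candidate key string.

    Strict decoding (validate=True) rejects whitespace, characters outside the
    standard alphabet (e.g. the URL-safe '-' and '_') and missing padding, all
    of which are typical copy-and-paste mistakes with configuration keys.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        return False, f"not valid standard Base64: {exc}"
    if len(raw) != n_bytes:
        return False, f"decodes to {len(raw)} bytes, expected {n_bytes}"
    # Catch obviously degenerate material such as an all-zero placeholder.
    if raw == bytes(n_bytes) or len(set(raw)) < 8:
        return False, "key material looks degenerate (all-zero or very low entropy)"
    return True, "ok"


if __name__ == "__main__":
    key = generate_key()
    print(key, validate_key(key))
    print(validate_key("A" * 43 + "="))   # constructed all-zero key: rejected
```

Generate the key once, store it only in the pattern (or the secret store your deployment uses), and rotate it together with the Feedback Token Lifetime in mind: tokens issued under the old key stop being accepted as soon as the key changes.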
(Optional) Configure a User Notification (Adaptive Authentication) pattern (as a follow-up to the nevisAdapt Authentication Connector pattern):
- nevisIDM property/field: The nevisIDM instance that contains the required message template.
- On Success: The next authentication step, if needed.
(Optional) Configure Remember Me functionality (as a follow-up to the nevisAdapt Authentication Connector pattern):
- Replace the realm's first authentication step with a nevisAdapt Remember Me Step.
- nevisAdapt property/field: Specify the nevisAdapt Instance you created above.
- On Success: Set the same authentication step that you replaced in the first bullet above (it leads to full authentication if the token is missing or invalid).