Authentication using PIN/code verification in VIP Authentication Hub

Article ID: 376348

Products

VIP Authentication Hub

Issue/Introduction

How can we use PIN/code attribute value saved in LDAP User Store as a factor during authentication?

Environment

VIP Authentication Hub 3.2.x

Resolution

Support for customer-defined authenticators (custom Authentication Factors) based on user attributes is being worked on and is currently targeted for the VIP AuthHub (AH) 3.3 release. The source of the user attributes can be the Identity Store or, in the Zero Foot Print (ZFP) flow, the Identity Token. The screenshot below shows a user-attribute-based authenticator in which the user is validated against the attributes DOB and DOJ.

AH will support a new resource for configuring an attribute-based Authentication Factor.

The Authentication Policies API will be enhanced so that an AuthenticationFactor can be used as one of the authenticators or obligations in the authentication flow. Every active AuthenticationFactor defined at the tenant level can be added as an obligation in an Authentication Policy. Below is a sample Authentication Policy using an AuthenticationFactor: the obligation "FACTOR/<factor id>:1" references the custom factor by its id (masked here), alongside the EMAILOTP and SMSOTP obligations.

{
    "description": "Policy using user attributes authenticator (FACTOR)",
    "status": "active",
    "policyName": "FACTOR POLICY",
    "apps": [
        {
            "id": "xxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
        }
    ],
    "rules": [
        {
            "conditions": {
                "principal": {
                    "group": {
                        "operator": "in",
                        "value": [
                            "HR"
                        ]
                    }
                }
            },
            "result": {
                "effect": "allow",
                "obligations": [
                    "FACTOR/xxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx:1",
                    "EMAILOTP:2",
                    "SMSOTP:2"
                 ],
                "msg": "MFA Rule with user attributes authenticator as primary factor"
            }
        }
    ]
}

In the AH 3.2 release the same effect can be achieved with the following workaround:
   - Call the /authenticate API with "action" set to "access" and a clientContext entry carrying the PIN
   - Create a rule in the Authentication Policy with a Context condition using the expression
           ${clientContext.pin} eq ${idProfile.given_name}

The rule performs an exact string comparison of the value the client sent against the directory attribute inside AH, so the stored PIN is never returned to the client. Whichever attribute holds the PIN (givenName is used here only for illustration) must contain exactly the value the client submits.

1. Here is the /authenticate API call's payload

{
    "subject": "nbruce",
    "channel": "web",
    "ipAddress": "nn.nn.nn.nn",
    "action": "access",
    "clientContext": [
        {
            "key": "pin",
            "value": "Nina"
        }
    ],
    "acrValues": ["urn:iam:acr:aal:pin"]
}

2. Create the following rule in the "Post Authentication Access" Authentication Policy

3. Set a Context condition with the following expression. It is assumed that the PIN is stored in the givenName attribute in the LDAP Store, which the policy sees as idProfile.given_name.

   ${clientContext.pin} eq ${idProfile.given_name}

4. Select "Allow Access"

5. Here is the summary of the Authentication Policy's rule

6. With this rule in place, the /authenticate API call above results in AUTH_ALLOWED.
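The following Python script is an added illustration of the workaround, not VIP Authentication Hub code: it builds the step-1 /authenticate payload and applies the context condition ${clientContext.pin} eq ${idProfile.given_name} against a constructed in-memory stand-in for the LDAP User Store. The directory lookup, the expression evaluator, the constant-time comparison and the "AUTH_DENIED" result string are assumptions made here so the rule can be exercised offline; "AUTH_ALLOWED" is the result the article reports for the matching case.

```python
"""Local model of the AH 3.2 PIN workaround (added example, not product code)."""
import hmac
import re

# Constructed stand-in for the LDAP User Store (subject -> identity profile).
# The PIN sits in given_name only because the article assumes that mapping.
USER_STORE = {
    "nbruce": {"given_name": "Nina", "family_name": "Bruce"},
    "jdoe": {"given_name": "John", "family_name": "Doe"},
}

# The Context condition from the Post Authentication Access rule.
RULE_EXPR = "${clientContext.pin} eq ${idProfile.given_name}"


def build_authenticate_payload(subject, pin, ip="nn.nn.nn.nn"):
    """Build the step-1 /authenticate body: action=access plus the PIN in clientContext."""
    return {
        "subject": subject,
        "channel": "web",
        "ipAddress": ip,
        "action": "access",
        "clientContext": [{"key": "pin", "value": pin}],
        "acrValues": ["urn:iam:acr:aal:pin"],
    }


# ${clientContext.<key>} or ${idProfile.<attribute>}; other scopes are rejected.
_REF = re.compile(r"^\$\{(clientContext|idProfile)\.([A-Za-z_][A-Za-z0-9_]*)\}$")


def resolve(ref, payload, profile):
    """Resolve a ${...} reference from the request's key/value list or from the
    directory profile; returns None when the key or attribute is absent."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"unsupported reference: {ref}")
    scope, name = m.groups()
    if scope == "clientContext":
        ctx = {e["key"]: e["value"] for e in payload.get("clientContext", [])}
        return ctx.get(name)
    return profile.get(name)


def evaluate_condition(expr, payload, profile):
    """Evaluate '<ref> eq <ref>'. A missing operand never matches, and the
    comparison is constant-time so the PIN check leaks nothing via timing
    (a hardening choice in this model, not a documented product property)."""
    parts = expr.split()
    if len(parts) != 3 or parts[1] != "eq":
        raise ValueError(f"unsupported expression: {expr}")
    left = resolve(parts[0], payload, profile)
    right = resolve(parts[2], payload, profile)
    if left is None or right is None:
        return False
    return hmac.compare_digest(str(left).encode(), str(right).encode())


def authenticate(payload, rule_expr=RULE_EXPR):
    """Apply the rule to the payload; 'AUTH_DENIED' is an assumed name for the
    non-matching outcome, which the article does not show."""
    profile = USER_STORE.get(payload.get("subject"))
    if profile is None or payload.get("action") != "access":
        return "AUTH_DENIED"
    if evaluate_condition(rule_expr, payload, profile):
        return "AUTH_ALLOWED"
    return "AUTH_DENIED"


if __name__ == "__main__":
    print(authenticate(build_authenticate_payload("nbruce", "Nina")))  # AUTH_ALLOWED
    print(authenticate(build_authenticate_payload("nbruce", "nina")))  # AUTH_DENIED
```

Because "eq" is an exact string comparison, a PIN that differs only in case, a request whose clientContext omits the "pin" key, or a subject whose profile lacks the attribute all fail closed rather than matching.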