Risk based authentication doc (#2593)
This commit is contained in:
parent
0dc995e411
commit
2decb33e57
|
@ -4,11 +4,14 @@ Advanced features
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
|
rbac
|
||||||
|
ssoaas
|
||||||
|
servertoserver
|
||||||
|
riskbased
|
||||||
smtp
|
smtp
|
||||||
notifications
|
notifications
|
||||||
passwordstore
|
passwordstore
|
||||||
cda
|
cda
|
||||||
rbac
|
|
||||||
customfunctions
|
customfunctions
|
||||||
extendedfunctions
|
extendedfunctions
|
||||||
resetpassword
|
resetpassword
|
||||||
|
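Review bot: this hunk does more than add `riskbased` to the toctree: it also moves `rbac`, `ssoaas` and `servertoserver` from lower in the list up to the top, and the commit message (`Risk based authentication doc`) says nothing about a reorder. Either split the reorder into its own commit or state it in the message so reviewers know the change in page order is intentional and not an accidental paste.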
@ -16,8 +19,6 @@ Advanced features
|
||||||
logoutforward
|
logoutforward
|
||||||
securetoken
|
securetoken
|
||||||
handlerauthbasic
|
handlerauthbasic
|
||||||
ssoaas
|
|
||||||
servertoserver
|
|
||||||
safejail
|
safejail
|
||||||
loginhistory
|
loginhistory
|
||||||
fastcgi
|
fastcgi
|
||||||
|
|
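Review bot: the removals of `ssoaas` and `servertoserver` here are the counterpart of the moves in the first hunk, so each entry should end up listed exactly once; a `sphinx-build` of the docs is the quick way to confirm there are no "document is referenced in multiple toctrees" or "document isn't included in any toctree" warnings after the shuffle.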
77
doc/sources/admin/riskbased.rst
Normal file
77
doc/sources/admin/riskbased.rst
Normal file
|
@ -0,0 +1,77 @@
|
||||||
|
Risk-based Authentication
|
||||||
|
=========================
|
||||||
|
|
||||||
|
Our definition
|
||||||
|
--------------
|
||||||
|
|
||||||
|
Risk-based authentication is the ability to take into account the context of
|
||||||
|
the authentication process, and react accordingly, by increasing the
|
||||||
|
authentication challenge (second factor, email confirmation) or trigger out of
|
||||||
|
band actions (email notifications, alerts..).
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
All the features presented on this page are not natively supported by
|
||||||
|
LemonLDAP::NG but can be added through custom plugins or configuration
|
||||||
|
|
||||||
|
The authentication context can include:
|
||||||
|
|
||||||
|
* Source IP address
|
||||||
|
* Access time
|
||||||
|
* Previous authentications (history)
|
||||||
|
* Using the same browser as previous logins
|
||||||
|
|
||||||
|
Reactions can include:
|
||||||
|
|
||||||
|
* Triggering or skipping the second factor
|
||||||
|
* Sending an email to warn the user of a suspicious login
|
||||||
|
* Denying attempt if the suspicion level is too high
|
||||||
|
|
||||||
|
Implementation in LemonLDAP::NG
|
||||||
|
-------------------------------
|
||||||
|
|
||||||
|
LemonLDAP::NG uses the ``_riskLevel`` and ``_riskDetails`` session variables to
|
||||||
|
keep track of the risk associated to the current authentication.
|
||||||
|
|
||||||
|
Detection plugins will raise or lower the risk level, and store fine-grained
|
||||||
|
details in the risk details object.
|
||||||
|
|
||||||
|
Action plugins may use the risk level to trigger certain actions, and can
|
||||||
|
translate the risk detail items into user-friendly messages.
|
||||||
|
|
||||||
|
|
||||||
|
Compatible plugins
|
||||||
|
------------------
|
||||||
|
|
||||||
|
Detection
|
||||||
|
~~~~~~~~~
|
||||||
|
|
||||||
|
New location warning
|
||||||
|
^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
.. versionadded:: 2.0.14
|
||||||
|
|
||||||
|
The :doc:`New Location warning <newlocationwarning>` plugin will increase the risk level by 1 when triggered, and will store the **Session attribute to display** in ``$_riskDetail->{newLocation}``.
|
||||||
|
|
||||||
|
Action
|
||||||
|
~~~~~~
|
||||||
|
|
||||||
|
Forbidding/triggering second factors
|
||||||
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
You can use the following activation rule to trigger second factors if the risk level is high::
|
||||||
|
|
||||||
|
$_riskLevel > 0
|
||||||
|
|
||||||
|
Or, if you use self registration::
|
||||||
|
|
||||||
|
has2f('TOTP') and $_riskLevel > 0
|
||||||
|
|
||||||
|
Denying login
|
||||||
|
^^^^^^^^^^^^^
|
||||||
|
|
||||||
|
You can use :doc:`session opening conditions <grantsession>` to deny access if the risk level is too high with a rule like this ::
|
||||||
|
|
||||||
|
$_riskLevel < 2
|
||||||
|
|
||||||
|
This will forbid sessions from being opened if the risk level is greater or equal to 2
|
|
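Review bot: the session variable is introduced as `_riskDetails` in the Implementation section, but the New location warning paragraph stores into `$_riskDetail->{newLocation}` (no trailing `s`); one of the two is wrong, and a rule author who copies the wrong name will silently read an empty hash, so pick one spelling and use it in both places. The warning box also contradicts the page: "All the features presented on this page are not natively supported by LemonLDAP::NG" sits above a Compatible plugins section documenting a native plugin (New location warning, 2.0.14); "Not all the features presented on this page are natively supported ..." is what is meant, and the sentence needs a closing period. The heading "Forbidding/triggering second factors" promises both cases but only a triggering rule (`$_riskLevel > 0`) is shown; add the forbidding case or rename the heading. For `has2f('TOTP') and $_riskLevel > 0`, the text should say that a user with no registered TOTP gets no second factor even at high risk, so a deployment relying on it should pair it with the Denying login rule. For the `$_riskLevel < 2` grant rule, it is worth stating that it only denies once a detection plugin has actually set `_riskLevel`; with the variable unset the comparison is true and the session is granted. Minor wording: "alerts.." should be "alerts..." or just "alerts)", "Denying attempt" should read "Denying the attempt", "risk associated to" should read "associated with", "a rule like this ::" should be "a rule like this::" (the space before `::` changes how Sphinx renders the colon, and the other two rules on the page use the attached form), and the final sentence "greater or equal to 2" needs a period.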
@ -43,7 +43,7 @@ Registration on first use
|
||||||
If you want to force a 2F registration on first login, you can use the *Force
|
If you want to force a 2F registration on first login, you can use the *Force
|
||||||
2FA registration at login* option.
|
2FA registration at login* option.
|
||||||
|
|
||||||
You can use a `rule<writingrulesand_headers>` to enable this behavior only for
|
You can use a :doc:`rule <writingrulesand_headers>` to enable this behavior only for
|
||||||
some users.
|
some users.
|
||||||
|
|
||||||
Session upgrade through 2FA
|
Session upgrade through 2FA
|
||||||
|
|
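Review bot: changing `rule<writingrulesand_headers>` to :doc:`rule <writingrulesand_headers>` is the right fix (the bare single-backtick form renders as plain text rather than a cross-reference), but it is unrelated to the risk-based authentication page named in the commit message; either split it out or mention it in the message so the fix is discoverable from the history.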