Introduction

Use this guide to allow SecureAuth IdP to continue the Adaptive Authentication workflow when unable to communicate with the datastore that provides the userRisk score.

When User Risk is enabled in the Adaptive Authentication tab, SecureAuth IdP communicates with an external datastore to retrieve the userRisk score. If the user is not found in the datastore, or the user has a null value (i.e. no score recorded) for userRisk, then SecureAuth IdP will take the action configured in the No Score Returned field.

In cases where SecureAuth IdP is unable to reach the datastore, however, the default behavior is to stop performing the authentication workflow, clear the user profile request, and display "Error retrieving contact information" on the admin screen. This may not be the desired behavior in all cases.

A change made in the Web Config Editor in the Web Admin allows the authentication workflow to continue on error as if a No Score Returned result was given.

Prerequisites

1. Have an existing on-premises installation of a product (e.g. Exabeam UEBA, Sailpoint IdentityIQ) that provides User Risk information and analysis.

2. Configure the User Risk section in the Adaptive Authentication tab of the SecureAuth IdP Web Admin.

Configuration Steps

1. On the realm providing User Risk Adaptive Authentication, open Web Config Editor.

a. Open the System Info tab.
b. In the Links section, select Click to edit Web Config File.

2. Find the <provider> section of the data provider type being used to provide the userRisk score.

3. Modify the ClearProfile attribute of the provider so that it reads ClearProfile="False".

4. Click Save.

From now on, if SecureAuth IdP is unable to contact the datastore, it will perform the No Score Returned action rather than stopping the workflow and clearing the user profile information.
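To confirm which providers in a saved copy of a realm's web.config carry this change, the following added example (not SecureAuth code) lists the ClearProfile state of every <provider> element. Only the <provider> element and the ClearProfile attribute come from this guide; the sample file layout, the name attribute, the provider names, and the mapping of "True" to the default stop-on-error behavior are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only <provider> and ClearProfile come from the guide;
# the wrapper elements, the "name" attribute and the names are assumptions.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <exampleProviders>
    <provider name="ExampleSqlProvider" ClearProfile="True" />
    <provider name="ExampleRiskProvider" ClearProfile="False" />
    <provider name="ExampleLdapProvider" />
  </exampleProviders>
</configuration>
"""


def audit_clear_profile(web_config_xml):
    """Return a (label, state) pair for every <provider> element.

    "False" -> continue-on-error (the change in this guide), "True" ->
    stop-on-error (assumed), absent -> not-set, else unrecognized:<value>.
    """
    root = ET.fromstring(web_config_xml)
    findings = []
    for index, provider in enumerate(root.iter("provider")):
        label = provider.get("name", "provider[%d]" % index)
        raw = provider.get("ClearProfile")
        if raw is None:
            state = "not-set"
        elif raw.strip().lower() == "false":
            state = "continue-on-error"
        elif raw.strip().lower() == "true":
            state = "stop-on-error"
        else:
            state = "unrecognized:" + raw  # surfaces typos such as "Flase"
        findings.append((label, state))
    return findings


def providers_continuing_on_error(web_config_xml):
    """Labels of providers where a datastore outage no longer stops the workflow."""
    return [label for label, state in audit_clear_profile(web_config_xml)
            if state == "continue-on-error"]


if __name__ == "__main__":
    for label, state in audit_clear_profile(SAMPLE_WEB_CONFIG):
        print("%-22s %s" % (label, state))
```

For each provider reported as continue-on-error, review the realm's No Score Returned setting, since that action now also applies whenever the datastore cannot be reached.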
