Device Recognition Best Practices Guide

Similar documents
OAM 2FA Value-Added Module (VAM) Deployment Guide

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide

.NET SAML Consumer Value-Added (VAM) Deployment Guide

IdP High Performance and Optimization Best Practices Guide

VAM. Epic epcs Value-Added Module (VAM) Deployment Guide

VAM. CAS Installer (for 2FA) Value- Added Module (VAM) Deployment Guide

Health Analyzer VAM Best Practices Guide

SecureAuth IdP Realm Guide

Java SAML Consumer Value-Added Module (VAM) Deployment Guide

VAM. PeopleSoft Value-Added Module (VAM) Deployment Guide

VAM. Radius 2FA Value-Added Module (VAM) Deployment Guide

VAM. Java SAML Consumer Value- Added Module (VAM) Deployment Guide

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Introduction to application management

Five9 Plus Adapter for Agent Desktop Toolkit

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Instructions for Configuring Your Browser Settings and Online Security FAQ s

Five9 Plus Adapter for NetSuite

How to Configure Authentication and Access Control (AAA)

Integration Guide. SecureAuth

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

Introduction. SecureAuth Corporation Tel: SecureAuth Corporation. All Rights Reserved.

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Republicbank.com Supported Browsers and Settings (Updated 03/12/13)

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

Cloud Access Manager Configuration Guide

Application / Document Management. MaaS360 e-learning Portal Course 3

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min.

Instructions For Configuring Your Browser Settings and Online Banking FAQ's

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guest Access User Interface Reference

Sign in and Meeting Issues

Integration of the platform. Technical specifications

SelectSurveyASP Advanced User Manual

Session 9. Deployment Descriptor Http. Reading and Reference. en.wikipedia.org/wiki/http. en.wikipedia.org/wiki/list_of_http_headers

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

OneLogin SCIM. Table of Contents. Summary... 2 System Requirements... 2 Installation & Setup... 2 Contact Us... 6

Integrating AirWatch and VMware Identity Manager

Recommended Browser Settings

Sophos Mobile as a Service

Cisco Finesse Desktop Interface

Add OKTA as an Identity Provider in EAA

CA SiteMinder Federation

Penetration Testing. James Walden Northern Kentucky University

Device Fingerprinting

SAS Agent for Microsoft SharePoint

BEST PRACTICES GUIDE RSA MIGRATION MODULE

Detects Potential Problems. Customizable Data Columns. Support for International Characters

Google SAML Integration

Sophos Mobile SaaS startup guide. Product version: 7.1

McAfee Cloud Identity Manager

Cisco Finesse desktop interface

User Directories. Overview, Pros and Cons

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

McAfee Cloud Identity Manager

Single Sign-On Showdown

RingCentral Office. New Admin Setup

More than just being signed-in or signed-out. Parul Jain, Architect,

Browser Guide for PeopleSoft

How to Troubleshoot Panopto Viewing Issues

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager

Report Exec Dispatch System Specifications

One Identity Active Roles 7.2. Web Interface Administrator Guide

SelfService Portal. Step By Step Documentation. This document will show you how to enroll your user account to the SelfService Portal

Workspace ONE Chrome OS Platform Guide. VMware Workspace ONE UEM 1811

Five9 Plus Adapter for Microsoft Dynamics CRM

Coveo Platform 7.0. Oracle UCM Connector Guide

Web Application Penetration Testing

BEST PRACTICES GUIDE MFA INTEGRATION WITH OKTA

Google Apps Integration

Cloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6

Google Authenticator Guide. SurePassID Authentication Server 2017

VMware Horizon View Deployment

User Management: Configuring User Roles and Local Users

WAM!NET Submission Icons. Help Guide. March 2015

Mobile Iron Core - Setup Guide 1

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Administering Jive Mobile Apps for ios and Android

BEC. NetScaler Unmanaged VPN. Installation Guide. and. User Guide. Version

Nuance. PowerMic Mobile. Installation and Administration Guide

Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2)

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

McAfee Cloud Identity Manager

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

BIDMC Multi-Factor Authentication Enrollment Guide Table of Contents

Integration Documentation. Automated User Provisioning Common Logon, Single Sign On or Federated Identity Local File Repository Space Pinger

Oracle Access Manager Configuration Guide

BIG-IP Access Policy Manager : Portal Access. Version 12.1

web.xml Deployment Descriptor Elements

McAfee Cloud Identity Manager

4.2. Authenticating to REST Services. Q u i c k R e f e r e n c e G u i d e. 1. IdentityX 4.2 Updates

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

Sophos Mobile Control SaaS startup guide. Product version: 6.1

Setting Up the Server

Transcription:

Copyright Information 2017. SecureAuth is a copyright of SecureAuth Corporation. SecureAuth s IdP software, appliances, and other products and solutions, are copyrighted products of SecureAuth Corporation. May, 2017 For information on supporting this product, contact your SecureAuth sales representative: Email: support@secureauth.com Phone: +1.949.777.6959 or +1-866- 859-1526 Website: https://www.secureauth.com/support.aspx

Contents Introduction 1 Getting There 2 Best Practices for Weighing FP Components 10

Introduction SecureAuth IdP can collect client-unique information (digital fingerprints) from the end-user's device or browser in order to authenticate the end-user. Digital fingerprints are a profile of a specific device or browser comprising fourteen distinct attributes. Each of these attributes is given a weight or degree of importance within the whole and only those devices matching the weighted components in the profile are allowed access without additional authentication. Once the digital fingerprint is collected after a successful Multi-Factor Authentication (MFA), it will be accepted and stored in the user profile in the directory. When the end-user utilizes the same device or browser to log into SecureAuth IdP again, the current client-unique information (a new digital fingerprint) is collected and compared with the previously registered fingerprint(s) for authentication. If a requesting digital fingerprint matches the currently stored digital fingerprint (with an acceptable Authentication Threshold score), the end-user will not be required to undergo additional 2-Factor Authentication (2FA). Device recognition or digital fingerprinting includes the following elements: + First-time authentication register the device or browser digital fingerprint + Subsequent authentications validate the device against a stored digital fingerprint + Digital fingerprints include characteristics about a device or browser such as these: Web browser configuration Language Installed fonts Browser plug-ins Device IP address Screen resolution Browser cookie settings Time zone HTML local storage User agent Content-Types Character sets Encodings NOTE: In the next version of SecureAuth IdP, many references to digital fingerprinting will be changed to Device/Browser Recognition. Introduction 1

Getting There Before we focus on the device recognition parameters, let s review the steps we take to get there. 1. In SecureAuth IdP Web Admin, create a realm that will be used to handle device recognition. 2. On the Data tab, scroll down to the Membership Connection Settings section and map a directory field to the Fingerprints property. FIGURE 1. Membership Connection Settings Section In a typical AD deployment, the Data Format is Plain Binary and the audio directory field is utilized as shown in Figure 1. 3. Check the Writable box. 4. Click Save to confirm changes to the Data page. 5. Click the Workflow tab. 6. Scroll down to the Product Configuration section and select Certification Enrollment and Validation from the Integration Method drop-down list. Getting There 2

7. Select Device/Browser Fingerprinting from the Client Side Control drop-down list. FIGURE 2. Product Configuration Section 8. Scroll down to the Public/Private Mode field and the fields that follow like the example in Figure 3 on page 4. Getting There 3

FIGURE 3. Product Configuration Section (Continued) 9. Select options or enter information for the following fields: Field Public/Private Mode Default Public/Private Description Select Private and Public Mode or Private Mode Only. Selecting Private and Public Mode or Private Mode Only generates a digital fingerprint in this realm and checks for device recognition. Select the option designated by default on the client-side page SecureAuth recommends selecting Default Private to ensure that digital fingerprints are generated and checked in the realm. Getting There 4

Field Remember User Selection Authentication Mode Invalid Persistent Token Redirect Mobile Identifiers Description Select True. Select the preferred workflow from the drop-down list. If you select the Valid Persistent Token option, a persistent token, such as a device/browser digital fingerprint, is required to access the target resource. The Invalid Persistent Token Redirect field is activated. If you select the Valid Persistent Token option above, provide the URL to another SecureAuth IdP realm in which a digital fingerprint is generated (/secureauth#) to appropriately redirect end-users to enroll for a persistent token to gain access in this realm. Provide keywords with a comma delimiter to identify mobile devices or browsers with the user-agent string. 10.Scroll down to the Browser/Mobile Device Digital Fingerprinting section that looks like the example in Figure 4. FIGURE 4. Weights of FP Components 11. Set the Weights of each component to indicate the significance of that element The weights of each HTTP Headers and System Components setting together must equal 100%. For more on this, refer to the next section Best Practices for Weighing FP Components on page 10. Getting There 5

12. Scroll down to the Settings section which looks like the example in Figure 5. FIGURE 5. FP Settings Select options or enter information for the following fields: Field Description Normal Browser Settings FP Mode Cookie name prefix Cookie length Match FP in cookie Select Cookie from the drop-down field to enable SecureAuth IdP to deliver a cookie to the browser after authentication. If this option is selected, the Cookie name prefix and Cookie length are activated. Select No Cookie if no cookie is to be used. If the Cookie option is selected in FP Mode, either enter a desired prefix or keep the default value. The cookie name format appears as Cookie Name Prefix + company name + hashed value of user ID. If the Cookie option is selected in FP Mode, specify how many hours the cookie is valid, such as 72 hours. Select True to require the digital fingerprint ID to be presented and then matched to a digital fingerprint ID in the directory, with an acceptable Authentication Threshold score. Select False to not require ID matching between the cookie and the stored digital fingerprint. Getting There 6

Field Authentication Threshold Update Threshold Description Determines whether additional 2FA is required (OTP). Set in the range 90-100% based on preference. This value must be greater than the Update Threshold value. For example, if the Authentication Threshold is set to 95 and the Update Threshold is set to 85, then the following evaluation would be done on subsequent authentications: + <FP-Score> represents the score of the presented digital fingerprint + If <FP-Score> > 95, then no additional 2FA is required + If <FP-Score> < 95, but > 85, then additional 2FA is required and the existing digital fingerprint is updated with the presented fingerprint information + If <FP-Score> < 85, then additional 2FA is required, and a new digital fingerprint will be created Determines whether an existing digital fingerprint is to be updated with new information from the presented digital fingerprint, or if a new digital fingerprint must be created. Set to the range 80-90% based on preference. This value must be less than the Authentication Threshold value. Mobile Settings FP Mode Cookie name prefix Cookie Length Match FP ID in cookie Skip IP Match Select Cookie to deliver a cookie to the mobile device. The Cookie name prefix, Cookie Length, and Match FP ID to cookie fields are activated. Select App Mode to utilize the DR App for further device recognition. The App Mode option requires the SecureAuth Device Recognition (DR) App for ios and Android. If the Cookie option is selected in FP Mode, leave as the default or set it to a preferred name. The cookie name format appears as Cookie Name Prefix + company name + hashed value of user ID. If the Cookie option is selected in FP Mode, set to the amount of hours during which the cookie is valid, such as 72 hours. If the Cookie option is selected in FP Mode, select True to require the digital fingerprint ID to be presented and then matched to a digital fingerprint ID in the directory, with an acceptable Authentication Threshold score. Select False to not require ID matching between the cookie and the stored digital fingerprint. Select True if an exact IP Address match for device recognition comparison is not required. Select False to require an exact match for device recognition comparison. Getting There 7

Field Authentication Threshold Update Threshold FP expiration length FP expiration since last access Total FP max count When exceeding max count Description Determines whether additional 2FA is required (OTP). Set in the range 90-100% based on preference. The Authentication Threshold value must be greater than the Update Threshold. For example, if the Authentication Threshold is set to 95 and the Update Threshold is set to 85, then the following evaluation would be done on subsequent authentications: + <FP-Score> represents the score of the presented digital fingerprint + If <FP-Score> > 95, then no additional 2FA is required + If <FP-Score> < 95, but > 85, then additional 2FA is required and the existing fingerprint is updated with the presented digital fingerprint information + If <FP-Score> < 85, then additional 2FA is required, and a new digital fingerprint will be created Determines whether an existing digital fingerprint is to be updated with new information from the presented digital fingerprint, or if a new digital fingerprint must be created. Set in the range 80-90% based on preference. The Update Threshold value must be less than the Authentication Threshold. Set to the number of days the digital fingerprint is valid. Set to 0 for no expiration. For example, if this field is set to 10 days, then the user's fingerprint expires in 10 days, no matter how often it is used. Set to the number of days the digital fingerprint is valid since the last usage. Set to 0 for no expiration. For example, if this field is set to 10 days, then the user's digital fingerprint expires if it is not used during the 10 days since it was last employed. Set to the maximum number of digital fingerprints that can be stored at a given time. Set to -1 for no maximum entries. If a maximum is to be set, a typical configuration would limit digital fingerprint storage to 5-8. If a maximum value is specified in Total FP max count, select Allow to replace to enable the replacement of an existing digital fingerprint with a new one, or select Not allow to replace if the digital fingerprints cannot be automatically replaced. If Not allow to replace is selected, the user or administrator must manually remove stored fingerprints from the user profile on the Selfservice Account Update Page or Account Management (Help Desk) Page. Getting There 8

Field Replace in order by FP s access records max count Description If a maximum is specified in Total FP max count and Allow to replace is selected above, select Created Time to enable the replacement of the oldest stored digital fingerprint with the new one; or select Last Access Time to enable the replacement of the least recently used digital fingerprint with the new one. Set to the number of access history entries per digital fingerprint stored in the profile. SecureAuth recommends set this value to 5. 13. Click Save to confirm changes to the Workflow page. 14.Click the System Info tab. 15. In the Plugin Info section, select False from the Java Detection field drop-down list. Select False FIGURE 6. Plugin Info Section 16. Click Save to confirm changes to the System Info page. For more information on deploying and configuring for digital fingerprinting, refer to https:// docs.secureauth.com/pages/viewpage.action?pageid=40045162. Getting There 9

Best Practices for Weighing FP Components In order to create unique digital fingerprints for a device or browser, you must specify the number of components on which the profile is based and how each component is weighed. The Weights for FP Profiles are configured on the Flow page under the Weights of FP Components section as shown in the following example. FIGURE 7. Weights of FP Components As explained in the previous section, the total values designated in these fourteen fields must add up to 100%. It is the way in which these values are prioritized that determines how SecureAuth treats them during the detection process and how the program algorithm Best Practices for Weighing FP Components 10

computes the score that determines the profile assigned. This section provides you with recommendations on what weights are best assigned to each component. Weighted Field Description/Recommendations HTTP Headers User Agent Accept Accept Charset Accept Encoding Accept Language The user agent string (identification) of the user agent. This field is a highly important value, indicating the identity of the device to a high degree, and should be assigned up to 30% of the total. The Content-Types that are acceptable for the response. This field is one of the least important values you will assign. Recommended value for this is 2-3%. The character sets that are acceptable. The weight you assign to this field depends on the importance you place on the character sets that this device utilizes. For the most part, this cannot be used as an important indication of identity. In general, we recommend assigning this field between 0-2%. The list of acceptable encodings. This field cannot normally be used as a fair judge of identity. Normally, this field can only be weighted to 0-2%. The list of acceptable human languages for response. Most devices use an unvarying assortment of languages. Therefore, this is field can be reliably assigned a value of 0-2%. System Components Weight for Plugin list Weight for flash font Hostaddress/IP Require exact match The list of plug-ins on the user s browser. This value might change frequently on a person s browser since plugins are frequently added, so it is not a particularly good indication of identity. We recommend setting this to 5%. The fonts inside of a flash application. This value can change frequently, depending on the flash application being used, so this is not a sensitive detector of identity. We recommend setting this to 5%. The Host address or IP address for this device. This is a very important factor in detecting identity. We recommend setting this weight to 35-40%. Click to check this box to require an exact match of the address. If enabled, the user will have to perform a different 2FA without an exact match, even if the Authentication Threshold percentage is met. In general, we do not require that this component be checked. Best Practices for Weighing FP Components 11

Weighted Field Timezone Screen resolution HTML localstorage HTML sessionstorage IE userdata support Cookie enabled/ disabled Description/Recommendations The time zone of the user s browser. Time zones can change as the device is transported from one place to another. Since it is not a particularly good detector of identity, this can be set to 0%, unless the device or browser is know to exist in only one location, in which case the importance of this component can be increased significantly. The screen resolution of the device/browser. If only one screen is used, this can be an important component in determining identity; however, when a double or multiple monitor setup is used for a device, this component becomes problematic since multiple monitors are rarely of the same sort or resolution. In general, we recommend setting this weight to 5%. The HTML5 local storage. This component should not change greatly and should be assigned some weight: normally, we recommend 5%. The HTML5 session storage. This component should not change greatly and should be assigned some weight: normally, we recommend 5%. The Internet Explorer (IE) user data support. While some devices always use IE, there are many that use other browsers, such as Google or Firefox, or use a variety of browsers during a single session, so this is generally not a reliable indication of identity. For this reason, we recommend assigning a weight of 2.5% or less. Based on the user s settings, whether cookies are enabled or disabled. Cookies can be enabled or disabled indiscriminately, and often in the background. Therefore, this does not indicate a good evaluator of identity. For this reason, we recommend assigning a weight of 2.5% or less. Best Practices for Weighing FP Components 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback