AdaptiveRiskModule
Realm Operations
Resource path:
/realm-config/authentication/modules/adaptiverisk
Resource version: 1.0
create
Usage
am> create AdaptiveRiskModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "iphistory" : { "type" : "object", "title" : "IP Address History", "propertyOrder" : 3, "properties" : { "ipHistoryProfileAttribute" : { "title" : "Profile Attribute Name", "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "ipHistoryCheckEnabled" : { "title" : "IP History Check", "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertIPHistoryScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipHistoryCount" : { "title" : "History size", "description" : "The number of client IP addresses to save in the history list.", "propertyOrder" : 1100, "required" : true, "type" : "integer", "exampleValue" : "" }, "ipHistoryScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "saveSuccessfulIP" : { "title" : "Save Successful IP Address", "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.", "propertyOrder" : 1300, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "requestheader" : { "type" : "object", "title" : "Request Header", "propertyOrder" : 9, "properties" : { "invertRequestHeaderScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderCheckEnabled" : { "title" : "Request Header Check", "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.", "propertyOrder" : 4300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4600, "required" : true, "type" : "integer", "exampleValue" : "" }, "requestHeaderName" : { "title" : "Request Header Name", "description" : "The name of the required HTTP header ", "propertyOrder" : 4400, "required" : true, "type" : "string", "exampleValue" : "" }, "requestHeaderValue" : { "title" : "Request Header Value", "description" : "The required value of the named HTTP header.", "propertyOrder" : 4500, "required" : true, "type" : "string", "exampleValue" : "" } } }, "lastlogin" : { "type" : "object", "title" : "Time Since Last Login", "propertyOrder" : 6, "properties" : { "timeSinceLastLoginScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2600, "required" : true, "type" : "integer", "exampleValue" : "" }, "timeSinceLastLoginCheckEnabled" : { "title" : "Time since Last login Check", "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.", "propertyOrder" : 2200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "timeSinceLastLoginCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie used to store the time of the last successful authentication.", "propertyOrder" : 2300, "required" : true, "type" : "string", "exampleValue" : "" }, "saveLastLoginTimeOnSuccessfulLogin" : { "title" : "Save time of Successful Login", "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time", "propertyOrder" : 2500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "maxTimeSinceLastLogin" : { "title" : "Max Time since Last login", "description" : "The maximum number of days that can elapse before this test.", "propertyOrder" : 2400, "required" : true, "type" : "string", "exampleValue" : "" }, "invertTimeSinceLastLoginScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "riskThreshold" : { "title" : "Risk Threshold", "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "iprange" : { "type" : "object", "title" : "IP Address Range", "propertyOrder" : 2, "properties" : { "invertIPRangeScoreEnabled" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipRangeCheckEnabled" : { "title" : "IP Range Check", "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipRangeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "ipRange" : { "title" : "IP Range", "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>", "propertyOrder" : 700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "devicecookie" : { "type" : "object", "title" : "Device Cookie", "propertyOrder" : 5, "properties" : { "invertDeviceCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deviceCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3600, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to be checked for (and optionally set) on the client request", "propertyOrder" : 3400, "required" : true, "type" : "string", "exampleValue" : "" }, "deviceCookieCheckEnabled" : { "title" : "Device Registration Cookie Check", "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.", "propertyOrder" : 3300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "saveDeviceCookieValueOnSuccessfulLogin" : { "title" : "Save Device Registration on Successful Login", "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response", "propertyOrder" : 3500, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "geolocation" : { "type" : "object", "title" : "Geo Location", "propertyOrder" : 8, "properties" : { "geolocationScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" }, "geolocationValidCountryCodes" : { "title" : "Valid Country Codes", "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>", "propertyOrder" : 4000, "required" : true, "type" : "string", "exampleValue" : "" }, "geolocationDatabaseLocation" : { "title" : "Geolocation Database location", "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3900, "required" : true, "type" : "string", "exampleValue" : "" }, "invertGeolocationScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "geolocationCheckEnabled" : { "title" : "Geolocation Country Code Check", "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "knowncookie" : { "type" : "object", "title" : "Known Cookie", "propertyOrder" : 4, "properties" : { "knownCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to set on the client.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "knownCookieValue" : { "title" : "Cookie Value", "description" : "The value to be set on the cookie.", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }, "knownCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2000, "required" : true, "type" : "integer", "exampleValue" : "" }, "createKnownCookieOnSuccessfulLogin" : { "title" : "Save Cookie Value on Successful Login", "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response", "propertyOrder" : 1900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieCheckEnabled" : { "title" : "Cookie Value Check", "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ", "propertyOrder" : 1600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertKnownCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "attributecheck" : { "type" : "object", "title" : "Profile Attribute", "propertyOrder" : 7, "properties" : { "profileRiskAttributeName" : { "title" : "Attribute Name", "description" : "The name of the attribute to retrieve from the user profile in the data store.", "propertyOrder" : 2900, "required" : true, "type" : "string", "exampleValue" : "" }, "profileRiskAttributeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3100, "required" : true, "type" : "integer", "exampleValue" : "" }, "profileRiskAttributeCheckEnabled" : { "title" : "Profile Risk Attribute check", "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertProfileRiskAttributeScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "profileRiskAttributeValue" : { "title" : "Attribute Value", "description" : "The required value of the named attribute.", "propertyOrder" : 3000, "required" : true, "type" : "string", "exampleValue" : "" } } }, "authfailed" : { "type" : "object", "title" : "Failed Authentications", "propertyOrder" : 1, "properties" : { "failedAuthenticationCheckEnabled" : { "title" : "Failed Authentication Check", "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertFailureScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "failureScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" } } } } }
delete
Usage
am> delete AdaptiveRiskModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AdaptiveRiskModule --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AdaptiveRiskModule --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AdaptiveRiskModule --realm Realm --actionName nextdescendents
query
Get the full list of instances of this collection. This query only supports _queryFilter=true
filter.
Usage
am> query AdaptiveRiskModule --realm Realm --filter filter
Parameters
- --filter
-
A CREST formatted query filter, where "true" will query all.
read
Usage
am> read AdaptiveRiskModule --realm Realm --id id
Parameters
- --id
-
The unique identifier for the resource.
update
Usage
am> update AdaptiveRiskModule --realm Realm --id id --body body
Parameters
- --id
-
The unique identifier for the resource.
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "iphistory" : { "type" : "object", "title" : "IP Address History", "propertyOrder" : 3, "properties" : { "ipHistoryProfileAttribute" : { "title" : "Profile Attribute Name", "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "ipHistoryCheckEnabled" : { "title" : "IP History Check", "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertIPHistoryScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipHistoryCount" : { "title" : "History size", "description" : "The number of client IP addresses to save in the history list.", "propertyOrder" : 1100, "required" : true, "type" : "integer", "exampleValue" : "" }, "ipHistoryScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "saveSuccessfulIP" : { "title" : "Save Successful IP Address", "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.", "propertyOrder" : 1300, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "requestheader" : { "type" : "object", "title" : "Request Header", "propertyOrder" : 9, "properties" : { "invertRequestHeaderScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderCheckEnabled" : { "title" : "Request Header Check", "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.", "propertyOrder" : 4300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4600, "required" : true, "type" : "integer", "exampleValue" : "" }, "requestHeaderName" : { "title" : "Request Header Name", "description" : "The name of the required HTTP header ", "propertyOrder" : 4400, "required" : true, "type" : "string", "exampleValue" : "" }, "requestHeaderValue" : { "title" : "Request Header Value", "description" : "The required value of the named HTTP header.", "propertyOrder" : 4500, "required" : true, "type" : "string", "exampleValue" : "" } } }, "lastlogin" : { "type" : "object", "title" : "Time Since Last Login", "propertyOrder" : 6, "properties" : { "timeSinceLastLoginScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2600, "required" : true, "type" : "integer", "exampleValue" : "" }, "timeSinceLastLoginCheckEnabled" : { "title" : "Time since Last login Check", "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.", "propertyOrder" : 2200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "timeSinceLastLoginCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie used to store the time of the last successful authentication.", "propertyOrder" : 2300, "required" : true, "type" : "string", "exampleValue" : "" }, "saveLastLoginTimeOnSuccessfulLogin" : { "title" : "Save time of Successful Login", "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time", "propertyOrder" : 2500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "maxTimeSinceLastLogin" : { "title" : "Max Time since Last login", "description" : "The maximum number of days that can elapse before this test.", "propertyOrder" : 2400, "required" : true, "type" : "string", "exampleValue" : "" }, "invertTimeSinceLastLoginScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "riskThreshold" : { "title" : "Risk Threshold", "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" }, "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "iprange" : { "type" : "object", "title" : "IP Address Range", "propertyOrder" : 2, "properties" : { "invertIPRangeScoreEnabled" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipRangeCheckEnabled" : { "title" : "IP Range Check", "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipRangeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "ipRange" : { "title" : "IP Range", "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>", "propertyOrder" : 700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" } } }, "devicecookie" : { "type" : "object", "title" : "Device Cookie", "propertyOrder" : 5, "properties" : { "invertDeviceCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deviceCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3600, "required" : true, "type" : "integer", "exampleValue" : "" }, "deviceCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to be checked for (and optionally set) on the client request", "propertyOrder" : 3400, "required" : true, "type" : "string", "exampleValue" : "" }, "deviceCookieCheckEnabled" : { "title" : "Device Registration Cookie Check", "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.", "propertyOrder" : 3300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "saveDeviceCookieValueOnSuccessfulLogin" : { "title" : "Save Device Registration on Successful Login", "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response", "propertyOrder" : 3500, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "geolocation" : { "type" : "object", "title" : "Geo Location", "propertyOrder" : 8, "properties" : { "geolocationScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" }, "geolocationValidCountryCodes" : { "title" : "Valid Country Codes", "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>", "propertyOrder" : 4000, "required" : true, "type" : "string", "exampleValue" : "" }, "geolocationDatabaseLocation" : { "title" : "Geolocation Database location", "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3900, "required" : true, "type" : "string", "exampleValue" : "" }, "invertGeolocationScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "geolocationCheckEnabled" : { "title" : "Geolocation Country Code Check", "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "knowncookie" : { "type" : "object", "title" : "Known Cookie", "propertyOrder" : 4, "properties" : { "knownCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to set on the client.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "knownCookieValue" : { "title" : "Cookie Value", "description" : "The value to be set on the cookie.", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }, "knownCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2000, "required" : true, "type" : "integer", "exampleValue" : "" }, "createKnownCookieOnSuccessfulLogin" : { "title" : "Save Cookie Value on Successful Login", "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response", "propertyOrder" : 1900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieCheckEnabled" : { "title" : "Cookie Value Check", "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ", "propertyOrder" : 1600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertKnownCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "attributecheck" : { "type" : "object", "title" : "Profile Attribute", "propertyOrder" : 7, "properties" : { "profileRiskAttributeName" : { "title" : "Attribute Name", "description" : "The name of the attribute to retrieve from the user profile in the data store.", "propertyOrder" : 2900, "required" : true, "type" : "string", "exampleValue" : "" }, "profileRiskAttributeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3100, "required" : true, "type" : "integer", "exampleValue" : "" }, "profileRiskAttributeCheckEnabled" : { "title" : "Profile Risk Attribute check", "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertProfileRiskAttributeScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "profileRiskAttributeValue" : { "title" : "Attribute Value", "description" : "The required value of the named attribute.", "propertyOrder" : 3000, "required" : true, "type" : "string", "exampleValue" : "" } } }, "authfailed" : { "type" : "object", "title" : "Failed Authentications", "propertyOrder" : 1, "properties" : { "failedAuthenticationCheckEnabled" : { "title" : "Failed Authentication Check", "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertFailureScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "failureScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" } } } } }
Global Operations
Resource path:
/global-config/authentication/modules/adaptiverisk
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action AdaptiveRiskModule --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action AdaptiveRiskModule --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action AdaptiveRiskModule --global --actionName nextdescendents
update
Usage
am> update AdaptiveRiskModule --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "defaults" : { "properties" : { "attributecheck" : { "type" : "object", "title" : "Profile Attribute", "propertyOrder" : 7, "properties" : { "profileRiskAttributeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3100, "required" : true, "type" : "integer", "exampleValue" : "" }, "profileRiskAttributeName" : { "title" : "Attribute Name", "description" : "The name of the attribute to retrieve from the user profile in the data store.", "propertyOrder" : 2900, "required" : true, "type" : "string", "exampleValue" : "" }, "profileRiskAttributeValue" : { "title" : "Attribute Value", "description" : "The required value of the named attribute.", "propertyOrder" : 3000, "required" : true, "type" : "string", "exampleValue" : "" }, "profileRiskAttributeCheckEnabled" : { "title" : "Profile Risk Attribute check", "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.", "propertyOrder" : 2800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "invertProfileRiskAttributeScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3200, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "iphistory" : { "type" : "object", "title" : "IP Address History", "propertyOrder" : 3, "properties" : { "ipHistoryCount" : { "title" : "History size", "description" : "The number of client IP addresses to save in the history list.", "propertyOrder" : 1100, "required" : true, "type" : "integer", "exampleValue" : "" }, "ipHistoryProfileAttribute" : { "title" : "Profile Attribute Name", "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.", "propertyOrder" : 1200, "required" : true, "type" : "string", "exampleValue" : "" }, "invertIPHistoryScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 1500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipHistoryCheckEnabled" : { "title" : "IP History Check", "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).", "propertyOrder" : 1000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipHistoryScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "saveSuccessfulIP" : { "title" : "Save Successful IP Address", "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.", "propertyOrder" : 1300, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "knowncookie" : { "type" : "object", "title" : "Known Cookie", "propertyOrder" : 4, "properties" : { "knownCookieValue" : { "title" : "Cookie Value", "description" : "The value to be set on the cookie.", "propertyOrder" : 1800, "required" : true, "type" : "string", "exampleValue" : "" }, "invertKnownCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "createKnownCookieOnSuccessfulLogin" : { "title" : "Save Cookie Value on Successful Login", "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response", "propertyOrder" : 1900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "knownCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to set on the client.", "propertyOrder" : 1700, "required" : true, "type" : "string", "exampleValue" : "" }, "knownCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2000, "required" : true, "type" : "integer", "exampleValue" : "" }, "knownCookieCheckEnabled" : { "title" : "Cookie Value Check", "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ", "propertyOrder" : 1600, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "general" : { "type" : "object", "title" : "General", "propertyOrder" : 0, "properties" : { "authenticationLevel" : { "title" : "Authentication Level", "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).", "propertyOrder" : 100, "required" : true, "type" : "integer", "exampleValue" : "" }, "riskThreshold" : { "title" : "Risk Threshold", "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ", "propertyOrder" : 200, "required" : true, "type" : "integer", "exampleValue" : "" } } }, "devicecookie" : { "type" : "object", "title" : "Device Cookie", "propertyOrder" : 5, "properties" : { "deviceCookieCheckEnabled" : { "title" : "Device Registration Cookie Check", "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.", "propertyOrder" : 3300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "saveDeviceCookieValueOnSuccessfulLogin" : { "title" : "Save Device Registration on Successful Login", "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response", "propertyOrder" : 3500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "deviceCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie to be checked for (and optionally set) on the client request", "propertyOrder" : 3400, "required" : true, "type" : "string", "exampleValue" : "" }, "deviceCookieScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 3600, "required" : true, "type" : "integer", "exampleValue" : "" }, "invertDeviceCookieScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 3700, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "iprange" : { "type" : "object", "title" : "IP Address Range", "propertyOrder" : 2, "properties" : { "ipRange" : { "title" : "IP Range", "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>", "propertyOrder" : 700, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "invertIPRangeScoreEnabled" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 900, "required" : true, "type" : "boolean", "exampleValue" : "" }, "ipRangeScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 800, "required" : true, "type" : "integer", "exampleValue" : "" }, "ipRangeCheckEnabled" : { "title" : "IP Range Check", "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.", "propertyOrder" : 600, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "authfailed" : { "type" : "object", "title" : "Failed Authentications", "propertyOrder" : 1, "properties" : { "failureScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 400, "required" : true, "type" : "integer", "exampleValue" : "" }, "invertFailureScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "failedAuthenticationCheckEnabled" : { "title" : "Failed Authentication Check", "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" } } }, "geolocation" : { "type" : "object", "title" : "Geo Location", "propertyOrder" : 8, "properties" : { "invertGeolocationScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "geolocationValidCountryCodes" : { "title" : "Valid Country Codes", "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>", "propertyOrder" : 4000, "required" : true, "type" : "string", "exampleValue" : "" }, "geolocationCheckEnabled" : { "title" : "Geolocation Country Code Check", "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3800, "required" : true, "type" : "boolean", "exampleValue" : "" }, "geolocationScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4100, "required" : true, "type" : "integer", "exampleValue" : "" }, "geolocationDatabaseLocation" : { "title" : "Geolocation Database location", "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.", "propertyOrder" : 3900, "required" : true, "type" : "string", "exampleValue" : "" } } }, "lastlogin" : { "type" : "object", "title" : "Time Since Last Login", "propertyOrder" : 6, "properties" : { "timeSinceLastLoginCheckEnabled" : { "title" : "Time since Last login Check", "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.", "propertyOrder" : 2200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "timeSinceLastLoginScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 2600, "required" : true, "type" : "integer", "exampleValue" : "" }, "invertTimeSinceLastLoginScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 2700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "saveLastLoginTimeOnSuccessfulLogin" : { "title" : "Save time of Successful Login", "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time", "propertyOrder" : 2500, "required" : true, "type" : "boolean", "exampleValue" : "" }, "timeSinceLastLoginCookieName" : { "title" : "Cookie Name", "description" : "The name of the cookie used to store the time of the last successful authentication.", "propertyOrder" : 2300, "required" : true, "type" : "string", "exampleValue" : "" }, "maxTimeSinceLastLogin" : { "title" : "Max Time since Last login", "description" : "The maximum number of days that can elapse before this test.", "propertyOrder" : 2400, "required" : true, "type" : "string", "exampleValue" : "" } } }, "requestheader" : { "type" : "object", "title" : "Request Header", "propertyOrder" : 9, "properties" : { "requestHeaderName" : { "title" : "Request Header Name", "description" : "The name of the required HTTP header ", "propertyOrder" : 4400, "required" : true, "type" : "string", "exampleValue" : "" }, "requestHeaderScore" : { "title" : "Score", "description" : "The amount to increment the score if this check fails.", "propertyOrder" : 4600, "required" : true, "type" : "integer", "exampleValue" : "" }, "invertRequestHeaderScore" : { "title" : "Invert Result", "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.", "propertyOrder" : 4700, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderCheckEnabled" : { "title" : "Request Header Check", "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.", "propertyOrder" : 4300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "requestHeaderValue" : { "title" : "Request Header Value", "description" : "The required value of the named HTTP header.", "propertyOrder" : 4500, "required" : true, "type" : "string", "exampleValue" : "" } } } }, "type" : "object", "title" : "Realm Defaults" } } }