Symantec Auth Tree Nodes

With Symantec VIP both enterprise and end users can securely authenticate wherever and however they are accessing the services. With hundreds of supported websites and integrations that you can easily set up yourself, multi-factor authentication is a snap.

Project Readme

VipAuthTreeNode

A simple authentication node for ForgeRock's Access Manager 6.0 and above.

Information

The VIP ForgeRock nodes add a second authentication factor on top of the authentication that OpenAM already provides. The following authentication mechanisms are available:

  1. Push

  2. OTP

  3. Mobile SDK registration and authentication with OpenAM

  4. Device Reputation

  5. Intelligence Auth Verification

Installation

The VIP OpenAM tree nodes are packaged as a jar file with the Maven build tool and deployed into the WEB-INF/lib folder of the ForgeRock Access Management (AM) 6 web application running on Tomcat.

Steps

  1. Configure Maven so that it can access the OpenAM repositories.

  2. Set up a Maven project for building the custom authentication node, i.e. vip-auth-tree.

  3. Write the custom logic inside the tree nodes that communicates with the VIP services.

  4. Change to the root directory of the vip Tree Node Maven project and run the mvn package command.

  5. The build generates a .jar file containing the custom nodes (the VIP OpenAM Tree Nodes), named vip-auth-tree-1.0.jar.

  6. Copy the vip-auth-tree-1.0.jar file to the WEB-INF/lib/ folder where AM is deployed.

  7. Restart AM so that the new plug-in becomes available.

The VIP tree nodes are now available in the tree designer to add to authentication trees.

Following are the nodes that will be available after deploying the jar file:

[Screenshots: phase2_nodes_1, phase2_nodes_2, phase2_nodes_3]

  • VIP Display Error
This node displays the error associated with exceeding the number of allowed invalid OTP attempts. There are no configurable attributes to it.
  • VIP Add Credential
This node adds credentials, as a credential ID associated with the user, to the VIP database. There are no configurable attributes to it.
  • VIP Add More Credentials
This node shows a screen where you choose yes/no to add more credentials in VIP. There are no configurable attributes to it.
  • VIP AddCred with VerifyCode
This node adds credentials, as a credential ID and OTP or a phone number and OTP associated with the user, to the VIP database. There are no configurable attributes to it.
  • VIP Authenticate Push Credentials
This node authenticates push credentials during registration.
Attributes to be configured are:
 * Push Display Message Text: The message to display on the push event. Ex. VIP Push Cred
 * Push Display Message Title: The message title to display on the push event. Ex. VIP Push
 * Push Display Message Profile: The message profile. Ex. www.vip.com

[Screenshot: auth-push]

  • VIP Check OTP
This node verifies the OTP for the username. There are no configurable attributes to it.
  • VIP Display Creds
This node shows a screen where you choose your credential type: VIP, SMS or VOICE.
Attributes to be configured are:
 * List of Creds: You need to configure the key-value pairs as
    0 - VIP
    1 - SMS
    2 - VOICE

[Screenshot: display]

  • VIP Enter CredentialID
This node shows a screen where you enter the credential ID generated by the VIP app. There are no configurable attributes to it.
  • VIP Enter Phone Number
This node shows a screen where you enter a phone number. There are no configurable attributes to it.
  • VIP OTP Collector
This node shows a screen where you enter the OTP delivered to the given phone number. There are no configurable attributes to it.
  • VIP OTPAuth Creds
This node shows a screen where you choose your authentication credential type (SMS/VOICE).
Attributes to be configured are:
 * List of Creds: You need to configure the key-value pairs as
    0 - SMS
    1 - VOICE
    2 - TOKEN

[Screenshot: otp-auth]

  • VIP Poll Push Auth
This node polls the push request status during authentication. There are no configurable attributes to it.
  • VIP Poll Push Reg
This node polls the push request status during registration. There are no configurable attributes to it.
  • VIP Push Auth User
This node authenticates push credentials during authentication.
Attributes to be configured are:
 * Push Display Message Text: The message to display on the push event. Ex. VIP Push Cred
 * Push Display Message Title: The message title to display on the push event. Ex. VIP Push
 * Push Display Message Profile: The message profile. Ex. www.vip.com

[Screenshot: auth-push-1]

  • VIP Register User
This node registers the user in VIP if the user does not already exist. There are no configurable attributes to it.
  • VIP Enrollment User
This node searches for the user in VIP and fetches the user info if the user exists. There are no configurable attributes to it.
  • VIP Set Configuration
This node sets all the service URLs that will be used to access the Symantec APIs.
Attributes to be configured are:
 * Keystore Path: Path of the keystore file.
 * Keystore Password: Password of the keystore file.
 * Authentication Service URL: VIP Authentication Service URL
 * Query Service URL: VIP Query Service URL
 * Management Service URL: VIP Management Service URL
 * SDK Service URL: Service URL used to get the Activation Code

[Screenshot: url_conf]

  • VIP DR Data Collector
This node collects DR data (payload, signature, header) in encoded form.

Attributes to be configured are:
* Certificate Verify Device Hygiene: Path of the certificate that is used to verify device hygiene.

[Screenshot: phase2_deviceVerify_Cert]

  • VIP DR Data Eval
This node makes a decision based on the JSON coming from the DR Data Collector node. If the selected attribute's value in the JSON is true, it goes to another node for further verification; if it is false, it goes to the success node.

Attributes to be configured are:
* DR Data Fields: You need to choose the field from the DR Data JSON that you want to evaluate.

[Screenshot: p_4]

  • VIP DR OS Decision
This node only checks whether the DR data is coming from an Android device or an iOS device. There are no configurable attributes to it.
  • VIP IA Authentication
This node executes the Evaluate Risk request after Deny Risk. There are no configurable attributes to it.
  • VIP IA Confirm Risk
This node executes the Confirm Risk request. There are no configurable attributes to it.
  • VIP IA Data Collector Node
This node collects Auth Data using HiddenValueCallback and ScriptTextOutputCallback.

Attributes to be configured are:
* Script: Script URL which will collect the Auth Data.
* Is Page Node: If false, the user does not see a login button on the web page; the script clicks it. If true, the login button appears on the web page and the user needs to click it to navigate to the next page.

[Screenshot: p_5]

  • VIP IA Deny Risk
This node executes the Deny Risk request. There are no configurable attributes to it.
  • VIP IA Evaluate Risk
This node executes the Evaluate Risk request. There are no configurable attributes to it.
  • VIP IA Registration
This node executes the Deny Risk request to register a new device. There are no configurable attributes to it.
  • VIP IA Risk Score Decision Node
This node makes a decision based on the score fetched by the Evaluate Risk API.

Attributes to be configured are:
* Low Score Threshold Value: Low end of the score range. By default it is 20.
* High Score Threshold Value: High end of the score range. By default it is 80.

[Screenshot: phase2_2]

  • VIP SDK Enter CredentialID
This node shows a screen where you enter the credential ID generated by the VIP app. There are no configurable attributes to it.
  • Set Session Properties
This node sets session properties, which need to be whitelisted in the Session Property Whitelist Service under Global Services.

Attributes to be configured are:
* Properties: Add a key-value pair such as key LIMITED_ACCESS, value Rooted_Device (or whatever suits you).
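To make the pattern behind the VIP IA Risk Score Decision Node and the Set Session Properties node concrete, here is an added illustrative node written against the AM 6 tree node API (org.forgerock.openam.auth.node.api). It is not the project's code: the package name, the shared-state key vipRiskScore, and the three outcome names are assumptions, while the threshold defaults (20 and 80) and the LIMITED_ACCESS=Risk_Score session property follow this README. The node fails closed, so a missing or non-numeric score routes to the high-risk outcome rather than to success, and the session property it sets only survives once it has been whitelisted in the Session Property Whitelist Service, as the node description above notes.

```java
package org.example.vip;   // hypothetical package, not the project's

import static org.forgerock.openam.auth.node.api.Action.goTo;

import java.util.List;
import javax.inject.Inject;

import org.forgerock.json.JsonValue;
import org.forgerock.openam.annotations.sm.Attribute;
import org.forgerock.openam.auth.node.api.Action;
import org.forgerock.openam.auth.node.api.Node;
import org.forgerock.openam.auth.node.api.NodeProcessException;
import org.forgerock.openam.auth.node.api.OutcomeProvider;
import org.forgerock.openam.auth.node.api.TreeContext;
import org.forgerock.util.i18n.PreferredLocales;

import com.google.common.collect.ImmutableList;
import com.google.inject.assistedinject.Assisted;

/**
 * Illustrative risk-score decision node (example, not the project's code).
 * An earlier node is assumed to have stored the numeric score returned by the
 * Evaluate Risk call in shared state under "vipRiskScore" (hypothetical key).
 */
@Node.Metadata(outcomeProvider = RiskScoreDecisionNode.RiskOutcomeProvider.class,
               configClass = RiskScoreDecisionNode.Config.class)
public class RiskScoreDecisionNode implements Node {

    static final String SCORE_KEY = "vipRiskScore";   // assumed shared-state key
    static final String LOW = "low";                  // assumed outcome ids
    static final String MEDIUM = "medium";
    static final String HIGH = "high";

    /** Attributes shown in the tree designer; defaults match the README (20 / 80). */
    public interface Config {
        @Attribute(order = 100)
        default int lowScoreThreshold() { return 20; }

        @Attribute(order = 200)
        default int highScoreThreshold() { return 80; }
    }

    private final Config config;

    @Inject
    public RiskScoreDecisionNode(@Assisted Config config) {
        this.config = config;
    }

    @Override
    public Action process(TreeContext context) throws NodeProcessException {
        JsonValue score = context.sharedState.get(SCORE_KEY);

        // Fail closed: no score, or a score that is not a number, is treated as
        // high risk. A decision node must never turn missing data into a pass.
        if (score.isNull() || !score.isNumber()) {
            return limitedAccess(HIGH);
        }
        return classify(score.asInteger());
    }

    /** Routing logic kept free of TreeContext so it can be unit-tested directly. */
    Action classify(int score) {
        if (score < config.lowScoreThreshold()) {
            return goTo(LOW).build();
        }
        if (score < config.highScoreThreshold()) {
            return goTo(MEDIUM).build();
        }
        return limitedAccess(HIGH);   // at or above the high threshold
    }

    private Action limitedAccess(String outcome) {
        // Same key/value this README configures for Set Session Properties;
        // it reaches the session only if whitelisted in the Session Property
        // Whitelist Service under Global Services.
        return goTo(outcome).putSessionProperty("LIMITED_ACCESS", "Risk_Score").build();
    }

    /** Declares the outcomes the tree designer offers for wiring this node. */
    public static class RiskOutcomeProvider implements OutcomeProvider {
        @Override
        public List<Outcome> getOutcomes(PreferredLocales locales, JsonValue nodeAttributes) {
            return ImmutableList.of(
                    new Outcome(LOW, "Low risk"),
                    new Outcome(MEDIUM, "Medium risk"),
                    new Outcome(HIGH, "High risk"));
        }
    }
}
```

Keeping classify() separate from process() lets a plain JUnit test exercise the threshold boundaries (19, 20, 79, 80 with the defaults) without constructing a TreeContext, which is where an off-by-one in a risk gate is most easily caught before the jar reaches WEB-INF/lib.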

[Screenshots: p_15, p_16]

Set Logging Level

  • Users can set the log level in the ForgeRock instance. To set it, follow this path:
DEPLOYMENT-->SERVERS-->LocalInstance-->Debugging

[Screenshot: set_logging]

Configure the trees as follows

  • Navigate to Realm > Authentication > Trees > Create Tree

[Screenshot: tree]

Configuring VIP Auth Tree

This section describes the configuration of the VIP Auth Tree.
  • Configure the VIP Auth Tree as shown below

[Screenshot: phase2_VIP]

 Nodes To be Configured:
    * VIP Display Creds
    * VIP OTPAuth Creds
    * VIP Authenticate Push Credentials
    * VIP Push Auth User
    * VIP Set Configuration
  • Now access the site protected by OpenAM

[Screenshot: login]

VIP SDK Flow

  • Configure Vip-Sdk-Registeration Tree as shown below:
 Nodes To be Configured:
    * VIP Set Configuration : Need to mention all the VIP Service URLs

[Screenshot: phase2_registeration]

  • Configure Vip-Sdk-VerifyOTP Tree as shown below:
 Nodes To be Configured:
    * VIP Set Configuration : Need to mention all the VIP Service URLs

[Screenshot: phase2_authentication]

  • Configure VIP_DR Tree as shown below:
 Nodes To be Configured:
    * VIP Set Configuration : Need to mention all the VIP Service URLs
    * VIP DR Data Eval : Choose the field from the drop-down to evaluate device hygiene.
    * Set Session Properties : Add key-value pair as key-LIMITED_ACCESS value-Rooted_Device.
    * VIP DR Data Collector Node : Path of the public certificate used to verify device hygiene.

[Screenshot: phase2_VIP_DR]

  • Configure VIP_IA Tree as shown below:
 Nodes To be Configured:
    * VIP Set Configuration : Need to mention all the VIP Service URLs
    * VIP IA Data Collector Node : Enter Script url to get auth data and select true/false to enable/disable login button respectively.
    * Set Session Properties : Add key value pair as key-LIMITED_ACCESS value-Risk_Score.

[Screenshot: phase2_1]

  • Configure VIP_DR_TXN Tree as shown below:
 Nodes To be Configured:
    * VIP Set Configuration : Need to mention all the VIP Service URLs
    * VIP DR Data Eval : Choose the field from the drop-down to evaluate device hygiene.
    * Set Session Properties : Add key-value pair as key-LIMITED_ACCESS_TXN value-Rooted_Device
    * VIP DR Data Collector Node : Path of the public certificate used to verify device hygiene

[Screenshot: phase2_VIP_DR_TXN]

  • Configure VIP_IA_TXN Tree as shown below:
 Nodes To be Configured:
    * VIP Set Configuration : Need to mention all the VIP Service URLs
    * VIP IA Data Collector Node : Enter Script url to get auth data and select true/false to enable/disable login button respectively.
    * Set Session Properties : Add key value pair as key-LIMITED_ACCESS_TXN value-Risk_Score

[Screenshot: phase2_IA_TXN]

  • Configure VIP_WITHOUT_DR Tree as shown below:
 Nodes To be Configured:
    * VIP Set Configuration : Need to mention all the VIP Service URLs
    * Set Session Properties : Add key value pair as key-LIMITED_ACCESS_TXN value-Rooted_Device

[Screenshot: phase2_VIP_WITHOUT_DR]

  • Configure VIP Transaction With DR Policy Set as shown below: [Screenshot: p_12]

  • Configure VIP Transaction With IA Policy Set as shown below: [Screenshot: p_13]

  • Configure VIP Transaction Without DR Policy Set as shown below: [Screenshot: p_14]

Project Information
Partner
ForgeRock
6.0, 6.5
2018-12-13
openam
authentication
authTreeNode
Frank.Gasparovic