Skyhigh Security

Authentication Server (Time/IP Based Session with OTP) Rule Set

The Authentication Server (Time/IP Based Session with OTP) rule set is a library rule set that enables the use of one-time passwords for authenticating users.

Library rule set - Authentication Server (Time/IP Based Session with OTP)

Criteria – Always

Cycles – Requests (and IM)

The following rule sets are nested in this rule set:

  • Check for Valid Authentication Session
  • Authentication Server

Check for Valid Authentication Session

This nested rule redirects a user's request sent from a client to the authentication server if the user has not yet been successfully authenticated on that server.

Nested library rule set - Check for Valid Authentication Session

Criteria – Authentication.IsServerRequest equals false AND

(Connection.Protocol equals "HTTP" OR

Connection.Protocol equals "SSL" OR

Connection.Protocol equals "HTTPS" OR

Connection.Protocol equals "IFP")

Cycles – Requests (and IM)

The rule set criteria specify that the rule set applies if the request currently being processed is not a request for a connection to the authentication server and the protocol used for the communication is one of the four listed.

The rule set contains the following rules:

Fix hostname

Command.Name equals "CERTVERIFY" AND SSL.Server.Certificate.CN.HasWildcards equals false –> Continue – Set URL.Host = SSL.Server.Certificate.CN

The rule uses an event to set the host name that is submitted with the URL of a request to a particular value, which is required when communication is going on under the SSL protocol. This value is the common name of the certificate that is provided in this communication.

The rule applies if the request that is processed contains the CERTVERIFY command and the common name of the server certificate contains no wildcards.

Redirect clients that do not have a valid session to the authentication server

Authentication.Authenticate<IP Authentication Server> equals false AND Command.Name does not equal "CONNECT" –> Authenticate<Default>

The rule uses the Authentication.Authenticate property to check whether the user who sends a request is successfully authenticated at the user database of the authentication server. For this purpose, the IP address of the client that the request was sent from is evaluated.

The Command.Name property is used to check whether the request is a connection request in SSL-secured communication.

If the user is not authenticated and the request is not a CONNECT request, the user is asked to submit credentials for authentication. This action is executed with the specified settings.

Revalidate session under ideal conditions

Authentication.CacheRemainingTime less than 400 AND

Connection.Protocol equals "HTTP" AND

Command.Name equals "GET"

–> Authenticate<Default>

Under particular conditions (which could be termed "ideal"), a user is asked to authenticate again after sending a request to ensure the current web session is prolonged before the time quota has elapsed completely.

This is done if communication is going on under the HTTP protocol and the request contains the GET command.

The rule is not enabled by default.

Authentication Server

This nested rule set forwards a request for web access when a user submitted a valid one-time password. A user who could not submit a valid one-time password is asked to authenticate.

Authentication is first performed using information from the user database on an authentication server. A successfully authenticated user is then informed that web access also requires a one-time password, which is sent by Web Gateway upon the user's request.

Nested library rule set - Authentication Server 

Criteria – Authentication.IsServerRequest equals true

Cycles – Requests (and IM)

The rule set criteria specify that the rule set applies when a user who sent a request must be authenticated using information from an authentication server.

The rule set contains the following rules:

Redirect if we have a valid OTP

Authentication.Authenticate<OTP> equals true –> Redirect <Redirect Back from Authentication Server>

The rule uses the Authentication.Authenticate property to check whether a user who submitted a one-time password with a request for web access could be successfully authenticated.

If this is the case, web access is allowed and the user is redirected from the authentication server to the requested web object.

Stop after providing an invalid OTP

Authentication.Failed equals true –> Block<Authorized Only>

The rule uses the Authentication.Failed property to check whether a user who submitted a one-time password with a request for web access could not be successfully authenticated.

If this is the case, the request is blocked and a message informs the user about the blocking and the block reason.

Authenticate user against user database

Authentication.Authenticate<User Database at Authentication Server> equals false –> Authenticate<Default>

The rule uses the Authentication.Authenticate property to check whether a user who sent a request and submitted an invalid one-time password could be successfully authenticated at the user database on the authentication server.

If this is not the case, the user is asked to authenticate.

Send OTP if requested

Header.Exists("Request.OTP") equals true –> Continue – Authentication.SendOTP<OTP>

If none of the preceding rules in this rule set have applied, it means that no valid one-time password was submitted by the user who sent the request for web access, but authentication at the user database on the authentication server was successful.

Then this rule is processed, which uses the Header.Exists property to check whether the request has a header providing the information that sending a one-time password is requested.

If this is the case, the rule uses an event to send a one-time password to the user.

Return authentication data to client

Header.Exists("Request.OTP") equals true –> Block<Authentication Server OTP> – Header.Block.Add("OTP Context", Authentication.OTP.Context<OTP>)

The rule uses the Header.Exists property to check whether there is a header in a request with information that sending a one-time password is requested.

If this is the case, the request is blocked and a message is sent to inform the user who sent the request that a one-time password is required for access.

An event is also triggered that adds a header with context information about the one-time password authentication process to the block message.

The first of the two event parameters specifies the header information that is added. The second parameter is a property that has information about the one-time password authentication process as its value, which is the source of the added information.

Block request and offer sending OTP

Always –> Block<Authentication Server OTP>

If none of the preceding rules in this rule set have applied, the Block action of this rule is always executed.

The action stops rule processing and the request is not forwarded.

The action settings specify that a message is sent to inform the user that a one-time password is required for web access, which can be obtained from Web Gateway.
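The following is an added example, not Skyhigh Security or Web Gateway code: a small Python simulation of the rule order described for both nested rule sets above (Check for Valid Authentication Session and Authentication Server). It is useful when reviewing the policy, because it makes visible which rule wins for a given request and which events fire before a stopping action. The Request class, the field names, the evaluate() function and the sample requests are constructed assumptions; the Web Gateway property and action names in the comments are the ones named on this page. The revalidate rule is modelled as disabled by default, as the page states.

```python
"""Simulation of the OTP authentication rule sets (added example, not product code).

Each rule set is a function that evaluates its rules top to bottom. A rule with a
stopping action (Authenticate, Redirect, Block) returns that action; a rule with the
Continue action only records its event and lets evaluation proceed.
"""
from dataclasses import dataclass, field

# Protocols accepted by the criteria of "Check for Valid Authentication Session".
SESSION_CHECK_PROTOCOLS = ("HTTP", "SSL", "HTTPS", "IFP")


@dataclass
class Request:
    """Constructed request model; each field mirrors a property named in the rule set."""
    is_server_request: bool                 # Authentication.IsServerRequest
    protocol: str = "HTTP"                  # Connection.Protocol
    command: str = "GET"                    # Command.Name
    ip_session_valid: bool = False          # Authentication.Authenticate<IP Authentication Server>
    cache_remaining: int = 10_000           # Authentication.CacheRemainingTime (assumed to be seconds)
    otp_valid: bool = False                 # Authentication.Authenticate<OTP>
    auth_failed: bool = False               # Authentication.Failed
    in_user_db: bool = False                # Authentication.Authenticate<User Database at Authentication Server>
    headers: dict = field(default_factory=dict)  # request headers, e.g. "Request.OTP"
    cert_cn: str = ""                       # SSL.Server.Certificate.CN
    cert_cn_has_wildcards: bool = False     # SSL.Server.Certificate.CN.HasWildcards
    url_host: str = ""                      # URL.Host, set by the "Fix hostname" event
    block_headers: dict = field(default_factory=dict)  # headers added to a block message


def check_for_valid_session(req, events, revalidate_enabled=False):
    """Nested rule set 'Check for Valid Authentication Session'."""
    # Rule set criteria: not a server request AND one of the four protocols.
    if req.is_server_request or req.protocol not in SESSION_CHECK_PROTOCOLS:
        return None
    # Fix hostname: Continue, so only the event runs and the next rule is evaluated.
    if req.command == "CERTVERIFY" and not req.cert_cn_has_wildcards:
        req.url_host = req.cert_cn
        events.append("Set URL.Host")
    # Redirect clients that do not have a valid session to the authentication server.
    if not req.ip_session_valid and req.command != "CONNECT":
        return "Authenticate<Default>"
    # Revalidate session under ideal conditions (disabled by default).
    if (revalidate_enabled and req.cache_remaining < 400
            and req.protocol == "HTTP" and req.command == "GET"):
        return "Authenticate<Default>"
    return None  # request falls through to the next rule set


def authentication_server(req, events):
    """Nested rule set 'Authentication Server'."""
    if not req.is_server_request:  # rule set criteria
        return None
    if req.otp_valid:  # Redirect if we have a valid OTP
        return "Redirect<Redirect Back from Authentication Server>"
    if req.auth_failed:  # Stop after providing an invalid OTP
        return "Block<Authorized Only>"
    if not req.in_user_db:  # Authenticate user against user database
        return "Authenticate<Default>"
    if "Request.OTP" in req.headers:
        # Send OTP if requested: Continue, so the event fires and evaluation proceeds.
        events.append("Authentication.SendOTP<OTP>")
        # Return authentication data to client: Block with a header added to the message.
        req.block_headers["OTP Context"] = "Authentication.OTP.Context<OTP>"
        return "Block<Authentication Server OTP>"
    # Block request and offer sending OTP: Always.
    return "Block<Authentication Server OTP>"


def evaluate(req, revalidate_enabled=False):
    """Run the library rule set (Criteria: Always) and return (action, events)."""
    events = []
    action = check_for_valid_session(req, events, revalidate_enabled)
    if action is None:
        action = authentication_server(req, events)
    return action, events


if __name__ == "__main__":
    # Constructed sample requests walking the main paths of the rule set.
    print(evaluate(Request(is_server_request=False)))                     # not authenticated
    print(evaluate(Request(is_server_request=False, command="CONNECT")))  # CONNECT is exempt
    print(evaluate(Request(is_server_request=True, otp_valid=True)))      # valid OTP
    print(evaluate(Request(is_server_request=True, in_user_db=True,
                           headers={"Request.OTP": "1"})))                # OTP requested
```

Reading the simulation alongside the page shows two points worth checking in a deployment: the CONNECT exemption means an unauthenticated tunnel request is not itself redirected (the CERTVERIFY request that follows is), and the "Send OTP if requested" rule depends on the Continue action so that the blocking rule after it can still add the OTP Context header.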
