Authorized Override with OTP Rule Set
The Authorized Override with OTP rule set is a library rule set for enabling the use of one-time passwords in authorized overriding.
|
Library rule set – Authorized Override with OTP and Pledge |
|---|
|
Criteria – SSL.ClientContext.IsApplied equals true OR Command.Name does not equal "CONNECT" |
|
Cycles – Requests (and IM) |
The rule criteria specified that the rule set applies when SSL-secured communication is configured or the request that is currently processed is not a CONNECT request, which is usually sent at the beginning of this communication.
The following rule sets are nested in this rule set:
- Verify OTP
- OTP Needed?
Verify OTP
This nested rule checks whether a user who sends a one-time password with a request for authorized overriding is successfully authenticated and performs a redirect to the requested web object if this is true.
|
Nested library rule set – Verify OTP |
|---|
|
Criteria – Quota.AuthorizedOverride.IsActivationRequest.Strict<Default> equals true |
|
Cycles – Requests (and IM) |
The rule set criteria specifies that the rule set applies when a user sends a request to override the termination of a web session due to quota expiration and to continue with the session.
The rule set contains the following rules:
Verify OTP
Authentication.Authenticate<OTP> equals false –> Block<Authorized Only>
The rule uses the Authentication.Authenticated property to check whether the user who submitted a one-time password when sending an authorized overriding request has been successfully authenticated.
If this is not the case, the request is blocked and the user is informed about the blocking and the reason for it.
The Block action is executed with the specified settings.
The session is validated. Redirect to the original page
Always –> Redirect<Default>
If authentication of a user who submitted a one-time password with a request for authorized overriding did not fail, the preceding rule in this rule set does not apply and processing continues with this rule.
The rule always allows the user to continue with the current session and performs a redirect to the requested web object.
The Redirect action is executed with the specified settings.
OTP Needed?
This nested rule set provides a one-time password for a user who sends a request for authorized overriding if the requested web object is located on a host within the corporate domain of Skyhigh Security.
|
Nested library rule set – OTP Needed? |
|---|
|
Criteria – URL.Host matches *https://www.skyhighsecurity.com/* |
|
Cycles – Requests (and IM) |
The rule set criteria specifies that the rule set applies when the host of the URL sent in a request is located within the corporate domain of Skyhigh Security.
The rule set contains the following rules:
Send OTP if requested
Header.Exists(Request.OTP) equals true –> Continue – Authentication.SendOTP<OTP>
If none of the proceeding rules in this rule set have applied when processing a request, it means no valid one-time password was submitted by the user who sent the request, but authentication at the user database of the authentication server was successful.
Then this rule is processed, it uses the Header.Exists property to check whether the request has a header provides the information that sending a one-time password is requested. If this is the case, an event is triggered that send a one-time password to the user.
Return authentication data to client
Header.Exists(Request.OTP) equals true –> Block<Authentication Server OTP> – Header.Block.Add("OTP Context", Authentication.OTP.Context<OTP>)
The uses the Header.Exists property to check whether the request has a header providing the information that sending a one-time password is requested.
If none of the proceeding rules in this rule set have applied when processing a request, it means no valid one-time password was submitted by the user who sent the request, but authentication at the user database of the authentication server was successful.
If this is the case, the request is not forwarded and an event is triggered that sets a particular property to a value that provides information about the authentication of the user.
The Block action is executed with the specified settings, which require that a message is sent to inform the user about the reason of the blocking.
The information that the event provides is specified by the OTP.Context event parameter. The property that has its value set to this information is specified in a second parameter.
Block request and offer sending OTP
Always –> Block<Authentication Server OTP>
If none of the preceding rules in this rule set have applied when processing a request, the action of this rule is always executed.
It stops rule processing and the request is not forwarded. The action settings specify that a message is sent to inform the user that a one-time password can be obtained from Web Gateway.