RBA Data Plug-ins
Risk-based authentication (RBA) is one of the main principles used in DirX Access and is described in detail in the section Risk-based Authentication. RBA conditions are one of its main components and come in two main types: regular or environmental conditions, and conditions coming from user context. RBA data plug-ins handle user-context-aware conditions.
User-context-aware conditions draw on various data about users’ behavior and properties, which can be collected and processed to claim their identities. We call this data “RBA data”. DirX Access has built-in functions to work with the following user-related characteristics: access time, browser, geolocation and IP addresses.
You may want to supply additional data to DirX Access and then base an authentication evaluation on that data. To accomplish this task, you can configure your own RBA data plug-in.
About the RBA Data Callout Handler
User-context-aware RBA conditions cannot collect user-specific data by themselves. To handle this task, DirX Access employs RBA data collectors. Each type of collector is designed to collect one specific type of data which is then internally evaluated according to that type. For details about the evaluation of RBA data collectors, see the section Risk-based Authentication. The important point to notice here is that the RBA data handler is evaluated with the String Evaluator and that this process can be changed by implementing an additional risk condition plug-in that covers the evaluation process.
Developing an RBA Data Callout Handler
This section describes the tasks necessary for developing a custom RBA data callout handler.
Externalizing RBA Data from the DirX Access Server
The DirX Access Server allows externalizing RBA data through a plug-in interface.
This method requires creating an RBA data callout handler that implements the RbaDataCallout interface (net.atos.dirx.access.authn.api.callout.RbaDataCallout).
The implementing class must be contained within an exported package of an OSGi bundle.
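The following pre-deployment check is an added example, not DirX Access code: it confirms that the class name you intend to enter in the callout handler configuration exists in the bundle and that its package appears in the bundle's Export-Package header. The class and package names (com.example.rba.DeviceScoreCallout) are hypothetical, and the check assumes the classes sit at the bundle root (the default Bundle-ClassPath).

```python
import io
import re
import zipfile

# Lookahead that is true only when the separator is outside double quotes.
OUTSIDE_QUOTES = r'(?=(?:[^"]*"[^"]*")*[^"]*$)'

def read_main_headers(manifest_text):
    """Parse a JAR manifest's main section, joining continuation lines."""
    headers, last = {}, None
    for line in manifest_text.splitlines():
        if not line:                       # blank line ends the main section
            break
        if line.startswith(" ") and last:  # continuation of the previous header
            headers[last] += line[1:]
        elif ":" in line:
            last, value = line.split(":", 1)
            headers[last] = value.strip()
    return headers

def exported_packages(header):
    """Return the package names listed in an Export-Package header value."""
    packages = set()
    for clause in re.split("," + OUTSIDE_QUOTES, header):
        for part in re.split(";" + OUTSIDE_QUOTES, clause):
            if part.strip() and "=" not in part:  # skip attr=value, directive:=value
                packages.add(part.strip())
    return packages

def check_callout_bundle(jar_bytes, class_name):
    """Return a list of problems; an empty list means both checks passed."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
        if "META-INF/MANIFEST.MF" not in names:
            return ["bundle has no META-INF/MANIFEST.MF"]
        headers = read_main_headers(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
    problems, package = [], class_name.rpartition(".")[0]
    if class_name.replace(".", "/") + ".class" not in names:
        problems.append(f"class {class_name} not found in bundle")
    if package not in exported_packages(headers.get("Export-Package", "")):
        problems.append(f"package {package} is not in Export-Package")
    return problems

def build_sample_jar(export_header):
    """Constructed sample: an in-memory bundle holding one empty class file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n" + export_header + "\r\n")
        jar.writestr("com/example/rba/DeviceScoreCallout.class", b"")
    return buf.getvalue()
```

For a real bundle, pass the file's bytes and the fully-qualified class name to `check_callout_bundle`.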
Employing an RBA Data Callout Handler
The steps needed to employ the custom callout handler are outlined in the section Employing External Plug-in Modules.
Using an RBA Data Callout Handler
This section describes the tasks that need to be performed to use an RBA data callout handler. Before starting to configure the DirX Access Server, make sure to run through all the steps in the section Employing External Plug-in Modules.
Prerequisites
To successfully employ the custom RBA data callout handler, the OSGi bundle exporting the package containing the callout implementation must be installed on the DirX Access Server. To accomplish this task, make sure you have performed all of the steps described in the section Employing External Plug-in Modules.
Configuring the Custom RBA Data Handler at the DirX Access Server
To configure the custom RBA data callout handler at the DirX Access Server:
- In DirX Access Manager, go to Configuration | Extension modules.
- Create the callout handler <CalloutIdentifier>:
  - Go to Callout handlers and click the “add” icon to create a new callout handler.
  - Identifier: <CalloutIdentifier>.
  - Description: arbitrary.
  - Type: select RbaDataEvents.
  - Class name: enter the fully-qualified Java class name of the callout implementation.
  - Click Save.
- In DirX Access Manager, go to Subjects | Internal representation | Persistent data | RBA data collector:
  - Select an RBA data collector to which the custom handler should be assigned. It must be of type “RBA data callout”. If there is no such condition, create one according to the steps described in the section “RBA Data Collectors” of Administrative Tasks.
  - In the RBA data callout section in the Callout handler identifier drop-down box, select the desired <CalloutIdentifier>.
  - “Regular expression pattern” and “Regular expression groups” can also be specified. These parameters work as post-processors of the data supplied by your custom callout handler. For more information on their operation, see the section “RBA Data Collectors” of Administrative Tasks.
  - Click Save.