AdaptiveRisk as a web service


Joe Fletcher-2

Hi,

Is it possible to use the OpenAM adaptive risk features (specifically HOTP) as a web service independently of everything else?

I have a problem to solve which I’d like to handle with OpenAM if possible. The scenario is thus. We have an application acquired from a recent buyout to integrate into our estate. The application is hosted by an external vendor. In its previous incarnation authentication was provided by the external vendor but there was a callback to a web service OTP system hosted by the original owner. They had some kind of hook into their in-house systems that did device registration/MFA etc although this played no part in authentication. The process was that login was done by the application at the external vendor then a payload (essentially the device footprint) was collected and sent back to the in-house MFA system. This MFA system kept a history of device accesses and if it recorded a new device it triggered a risk-based validation process. All this was done independently of the application provider who currently offer no integrated MFA of their own.

I’m wondering if I can use OpenAM to replace that corporate MFA system. If not we’re probably going to have to write or buy our own equivalent.

We almost certainly won’t be able to put any kind of policy agent onto the external vendor’s systems. Is there an endpoint exposed that could be called in a similar way to what the application used to do?

Regards

Joe

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: AdaptiveRisk as a web service

Warren Strange

Hi Joe

It sounds like something that OpenIG could assist with in conjunction with OpenAM - since IG can do arbitrary transformations on HTTP traffic. 

The HOTP module is quite different than adaptive. The adaptive module needs to be in the login flow so it can gather browser stats, IP etc.

The HOTP module can be invoked via REST - so that is an option. If you don't want OpenAM to create a session (i.e. you just want to use its HOTP machinery) then you can use the "no session" attribute on the REST call.



 





--

Warren
M:    403-471-7829 
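
The flow discussed in this thread, as an added example that is not part of the original posts and is not OpenAM code: a service keeps a per-user device history, challenges a footprint it has not seen, and verifies an RFC 4226 HOTP code without creating any session. The `StepUpService` class, its method names and the footprint string are hypothetical; the secret is the RFC 4226 test value.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class StepUpService:
    """Hypothetical stand-in for the in-house MFA service from the thread."""

    def __init__(self, window: int = 3):
        self.window = window      # look-ahead for counter drift
        self.users = {}           # user -> {"secret", "counter", "devices"}

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0, "devices": set()}

    def assess(self, user: str, footprint: str) -> str:
        """Known device passes; a new one must complete an OTP challenge."""
        fp = hashlib.sha256(footprint.encode()).hexdigest()
        return "allow" if fp in self.users[user]["devices"] else "challenge"

    def verify(self, user: str, footprint: str, otp: str) -> bool:
        """Check the OTP; on success advance the counter and record the device."""
        rec = self.users[user]
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["secret"], c), otp):
                rec["counter"] = c + 1           # a used code cannot be replayed
                rec["devices"].add(hashlib.sha256(footprint.encode()).hexdigest())
                return True
        return False

# Constructed sample data: RFC 4226 test secret and a made-up device footprint.
SECRET = b"12345678901234567890"
FOOTPRINT = "Mozilla/5.0|1920x1080|Europe/London"

def demo() -> list:
    svc = StepUpService()
    svc.enroll("joe", SECRET)
    first = svc.assess("joe", FOOTPRINT)                  # new device
    ok = svc.verify("joe", FOOTPRINT, hotp(SECRET, 0))
    replay = svc.verify("joe", FOOTPRINT, hotp(SECRET, 0))
    second = svc.assess("joe", FOOTPRINT)                 # now in history
    return [first, ok, replay, second]
```

A deployed verifier would also throttle failed attempts per user, which RFC 4226 recommends and this sketch leaves out.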


Re: AdaptiveRisk as a web service

Bernhard Thalmayr
In reply to this post by Joe Fletcher-2
Hi Warren, I wonder if you could just call OpenAM REST-based auth service with a chain configured with the required auth-modules.

Potentially I did not fully understand the requirement.

-Bernhard

On 08/06/16 at 18:39, Joe Fletcher wrote:

> Hi,
>
>  
>
> Is it possible to use the OpenAM adaptive risk features (specifically
> HOTP) as a web service independently of everything else?
>
>  
>
> I have a problem to solve which I’d like to handle with OpenAM if
> possible. The scenario is thus. We have an application acquired from a
> recent buyout to integrate into our estate. The application is hosted by
> an external vendor. In its previous incarnation authentication was
> provided by the external vendor but there was a callback to a web
> service OTP system hosted by the original owner. They had some kind of
> hook into their in-house systems that did device registration/MFA etc
> although this played no part in authentication. The process was that
> login was done by the application at the external vendor then a payload
> (essentially the device footprint) was collected and sent back to the
> in-house MFA system. This MFA system kept a history of device accesses
> and if it recorded a new device it triggered a risk-based validation
> process. All this was done independently of the application provider who
> currently  offer no integrated MFA of their own.
>
>  
>
> I’m wondering if I can use OpenAM to replace that corporate MFA system.
> If not we’re probably going to have to write or buy  our own equivalent.
>
>  
>
> We almost certainly won’t be able to put any kind of policy agent onto
> the external vendor’s systems. Is there an endpoint exposed that could
> be called in a similar way to what the application used to do?
>
>  
>
> Regards
>
>  
>
> Joe
>
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr
