49.5 Defining Security Handler Plug-ins

A Security Handler Plug-in enhances security by consulting additional logic for trust and risk analysis.

Such additional logic may deny access based on certain risky operations. Mobile authentication invokes the Security Handler Plug-in during sensitive security operations; for example, during virtually all token acquisition operations including client application registration.

Note:

Security Plug-in usage is optional. If used, it should only be applied to mobile-related Service Domains and their authentication services and client applications.

Mobile and Social includes the following pre-configured Security Handler Plug-ins.

  • OAAMSecurityHandlerPlugin enables sophisticated device and client application registration logic as well as the advanced risk and fraud analysis logic found in OAAM.

  • Default offers very limited risk analysis logic.

The following topics include information about defining Security Handler Plug-ins:

49.5.1 Creating a Security Handler Plug-in

You can create a security handler plug-in from the Mobile and Social Services configuration page.

To create:

  1. Access the Mobile and Social Services configuration page.
  2. Click Create in the Security Handler Plug-ins section.

    The Security Handler Plug-in Configuration page displays.

  3. Enter values for the Security Handler Plug-in general properties.

    Table 49-14 Security Handler Plug-in General Properties

    Name                    Notes
    Name                    Type a unique name for this Security Handler Plug-in.
    Description             (Optional) Type a short description that will help you or another
                            Administrator identify this plug-in in the future.
    Security Handler Class  Choose the Java class that defines the Security Handler Plug-in that you
                            want to use. This release of Mobile and Social supports two Security
                            Handler Plug-ins, the DefaultSecurityHandlerPlugin and the
                            OAAMSecurityHandlerPlugin.

  4. Enter name-value pairs for the Security Handler Plug-in Attributes.
  5. Click Create to create the Security Handler Plug-in configuration object.

49.5.2 Editing or Deleting a Security Handler Plug-in

You can edit or delete a Security Handler Plug-in.

Select the definition in the panel and click Edit or Delete on the panel's tool bar.

49.5.3 Device Fingerprinting and Device Profile Attributes

When a mobile application is started, Mobile Client SDK logic in the application attempts to detect a number of Device Profile attributes. A particular combination of Device Profile attribute values is treated as a device fingerprint.

Some Device Profile attributes are general attributes that cannot uniquely identify a device, such as OS Type, OS Version, language locale setting, network setting, and geographic location. Some attributes are hardware identifiers that can uniquely identify a device. An example of a hardware identifier is a MAC Address on a mobile device. The mobile OS type and version will dictate the kinds of Device Profile attributes that can be detected.

When a mobile application requests a token through the Mobile Client SDK, the SDK sends the Device Profile attributes as part of the HTTP request. This set of Device Profile attributes enhances security by creating an audit trail that assists in identifying devices.

When the OAAM Security Plug-in is used, a particular combination of Device Profile attribute values is treated as a device fingerprint, known as the Digital Finger Print in the OAAM Administration Console. Each fingerprint is assigned a unique fingerprint number. Each OAAM session is associated with a fingerprint, which makes it possible to log (and audit) the devices that perform authentication and token acquisition.
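As an added illustration of the mechanism described in this section (not Oracle's implementation; the attribute names, the hashing step and the sample profiles are assumptions), the following Python sketch canonicalizes a Device Profile attribute combination into a fingerprint, assigns each new combination a sequential fingerprint number, associates sessions with it for auditing, and shows two practical caveats: general attributes alone collapse different devices onto one fingerprint, and a fingerprint built from mutable attributes changes when, for example, the OS version changes.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Attribute names are assumptions; the page lists categories, not keys.
GENERAL_ATTRS = ("os_type", "os_version", "locale", "network", "geo")  # shared by many devices
HARDWARE_ATTRS = ("mac_address",)                                       # can identify one device

def fingerprint_digest(profile: dict) -> str:
    """Canonicalize the detected attribute combination and hash it; only known
    keys count and values are normalized, so key order or letter case in the
    HTTP request cannot manufacture a 'new' device."""
    known = {k: str(profile[k]).strip().lower()
             for k in GENERAL_ATTRS + HARDWARE_ATTRS if profile.get(k)}
    canonical = json.dumps(known, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def uniquely_identifying(profile: dict) -> bool:
    """True only if at least one hardware identifier was detected."""
    return any(profile.get(k) for k in HARDWARE_ATTRS)

@dataclass
class FingerprintRegistry:
    numbers: dict = field(default_factory=dict)   # digest -> fingerprint number
    sessions: list = field(default_factory=list)  # (session id, operation, number)

    def record(self, session_id: str, operation: str, profile: dict) -> int:
        """Number a new combination and associate this session with it."""
        number = self.numbers.setdefault(fingerprint_digest(profile), len(self.numbers) + 1)
        self.sessions.append((session_id, operation, number))
        return number

    def devices_for(self, operation: str) -> set:
        """Audit view: fingerprint numbers seen performing an operation."""
        return {n for _, op, n in self.sessions if op == operation}

# Constructed sample profiles, not real devices.
PHONE_A = {"os_type": "iOS", "os_version": "7.1", "locale": "en_US",
           "network": "wifi", "geo": "US-CA", "mac_address": "02:00:00:AA:BB:01"}
PHONE_B = {**PHONE_A, "mac_address": "02:00:00:aa:bb:02"}  # same general attrs, other hardware id
PHONE_A_UPDATED = {**PHONE_A, "os_version": "7.2"}         # same hardware after an OS update

def demo():
    reg = FingerprintRegistry()
    a = reg.record("sess-1", "token_acquisition", PHONE_A)
    b = reg.record("sess-2", "token_acquisition", PHONE_B)
    a2 = reg.record("sess-3", "client_registration", PHONE_A_UPDATED)
    return reg, a, b, a2
```

The third session gets a new fingerprint number even though it is the same hardware, so an auditor correlating devices across an OS update needs the hardware identifier, not the fingerprint number alone.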