A Security Handler Plug-in enhances security by consulting additional logic for trust and risk analysis.
Such additional logic may deny access based on certain risky operations. Mobile authentication invokes the Security Handler Plug-in during sensitive security operations; for example, during virtually all token acquisition operations including client application registration.
Security Handler Plug-in usage is optional. If used, it should be applied only to mobile-related Service Domains and their authentication services and client applications.
Mobile and Social includes the following pre-configured Security Handler Plug-ins.
OAAMSecurityHandlerPlugin enables sophisticated device and client application registration logic as well as the advanced risk and fraud analysis logic found in OAAM.
Default offers very limited risk analysis logic.
The following topics include information about defining Security Handler Plug-ins:
You can create a security handler plug-in from the Mobile and Social Services configuration page.
The Security Handler Plug-in Configuration page displays.
Table 49-14 Security Handler Plug-in General Properties

Name: Type a unique name for this Authorization Service Profile.
Description: (Optional) Type a short description that will help you or another Administrator identify this service in the future.
Security Handler Class: Choose the Java class that defines the Security Handler Plug-in that you want to use. This release of Mobile and Social supports two Security Handler Plug-ins, the DefaultSecurityHandlerPlugin and the OAAMSecurityHandlerPlugin.
See Setting Up OTP E-Mail Integration for descriptions of the
DefaultSecurityHandlerPlugin has a single attribute setting, allowJailBrokenDevices. This specifies if jail-broken client devices should be allowed or denied access to protected resources. Set the attribute's value to false to deny access (default setting) or set it to true to allow access. The OAAMSecurityHandlerPlugin does not need to be configured for jailbreak enforcement.
You can edit or delete a Security Handler Plug-in.
Select the definition in the panel and click Edit or Delete on the panel's tool bar.
When a mobile application is started, Mobile Client SDK logic in the application will attempt to detect a number of Device Profile attributes. A particular combination of Device Profile attribute values is treated as a device fingerprint.
Some Device Profile attributes are general attributes that cannot uniquely identify a device, such as OS Type, OS Version, language locale setting, network setting, and geographic location. Some attributes are hardware identifiers that can uniquely identify a device. An example of a hardware identifier is a MAC Address on a mobile device. The mobile OS type and version will dictate the kinds of Device Profile attributes that can be detected.
When a mobile application requests a token through the Mobile Client SDK, the SDK logic will send the Device Profile attributes as a part of an HTTP request. This set of Device Profile attributes enhances security by creating an audit trail for devices that assists device identification.
When the OAAM Security Handler Plug-in is used, a particular combination of Device Profile attribute values is treated as a device fingerprint, known as the Digital Finger Print in the OAAM Administration Console. Each fingerprint is assigned a unique fingerprint number. Each OAAM session is associated with a fingerprint, and the fingerprint makes it possible to log (and audit) the devices that are performing authentication and token acquisition.
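The two behaviours described above, the deny-by-default handling of allowJailBrokenDevices and the derivation of a numbered device fingerprint from the Device Profile attributes carried in a token request, as an added Python illustration. This is constructed code, not Oracle's Security Handler Plug-in interface; the attribute names (osType, macAddress, isJailBroken and so on), the JSON request body layout and the SHA-256 fingerprint construction are assumptions.

```python
import hashlib
import json

# Constructed illustration of the plug-in logic; not Oracle's API.
# allowJailBrokenDevices defaults to false, so jail-broken devices are denied.
DEFAULT_CONFIG = {"allowJailBrokenDevices": False}

# Device Profile attributes the fingerprint is computed over (assumed names).
# General attributes alone cannot identify a device; a hardware identifier
# such as the MAC address can.
FINGERPRINT_ATTRS = ("osType", "osVersion", "locale", "macAddress")


class SecurityHandler:
    def __init__(self, config=None):
        self.config = {**DEFAULT_CONFIG, **(config or {})}
        self.fingerprints = {}  # fingerprint digest -> fingerprint number
        self.audit_log = []     # one record per sensitive operation

    def fingerprint(self, profile):
        """Map a combination of Device Profile attribute values to a number."""
        subset = {k: profile.get(k) for k in FINGERPRINT_ATTRS}
        canonical = json.dumps(subset, sort_keys=True).encode()
        digest = hashlib.sha256(canonical).hexdigest()
        if digest not in self.fingerprints:
            self.fingerprints[digest] = len(self.fingerprints) + 1
        return self.fingerprints[digest]

    def evaluate(self, operation, profile):
        """Return (allowed, fingerprint_number) and record an audit entry."""
        fp = self.fingerprint(profile)
        jailbroken = bool(profile.get("isJailBroken", False))
        allowed = (not jailbroken) or self.config["allowJailBrokenDevices"]
        self.audit_log.append({"operation": operation, "fingerprint": fp,
                               "jailbroken": jailbroken, "allowed": allowed})
        return allowed, fp


def handle_request(handler, operation, body):
    """Extract the Device Profile from a (constructed) HTTP request body."""
    profile = json.loads(body).get("deviceProfile", {})
    return handler.evaluate(operation, profile)


if __name__ == "__main__":
    handler = SecurityHandler()
    body = json.dumps({"deviceProfile": {"osType": "iOS", "osVersion": "7.1",
                      "locale": "en_US", "macAddress": "02:00:00:00:00:01",
                      "isJailBroken": True}})
    print(handle_request(handler, "acquireToken", body), handler.audit_log[-1])
```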