Configuring a Geo-Velocity Based Use Case in Oracle Adaptive Risk Management

Introduction

This tutorial shows you how to configure a geo-velocity based use case in Oracle Adaptive Risk Management (OARM).

The Geo-velocity rule allows you to authenticate a user based on the distance and the time gap between the user's current location and the location of their last login. You can use this information as a criterion for granting access to the protected resource.

Geo-velocity is usually expressed as a maximum speed in miles per hour. The threshold states how fast a user would have to travel from one location to the other for both sign-ins to be genuine within the given time window; a login that implies a higher speed is treated as suspicious.

A prerequisite for implementing the geo-velocity use case is to have geo-location data. The geo-location feature allows you to identify the physical location of the user. This is usually determined from the IP address of the device the user is logging in from. This data is then used to calculate the distance between two consecutive login attempts.

This tutorial considers a scenario where the Administrator uses the Challenge based on Device Maximum Velocity out-of-the-box rule to detect such type of fraudulent user activity, trigger an alert, and challenge the user from successfully signing in. This is accomplished in conjunction with the geo-location data. The Administrator can monitor alerts, actions, rules, and other user-related information through the User Session dashboard.

Objectives

In this tutorial you will perform the following tasks:

  1. Configure geo-velocity using the Challenge based on Device Maximum Velocity out-of-the-box rule.
  2. Enable X-Forwarded-For header support.
  3. Test the Device Maximum Velocity rule.
  4. Monitor the user session.
  5. Validate the working of Device Maximum Velocity rule.

Prerequisites

Before starting this tutorial you must follow:

Configure a Geo-Velocity Use Case in OARM

  1. Log in to the OARM Administration console. You are redirected to the OAM login page because the console is protected by OAM OAuth. Specify your credentials and log in.

  2. Click the Application Navigation hamburger menu on top-left and click Adaptive Risk Management. The User Activity dashboard appears.

  3. From the User Authentication tile, click the Rules link. The User Activity rules display page appears.

  4. In the search pane, enter text to filter the rules available out-of-the-box, for instance, velocity. The Challenge based on Device Maximum Velocity rule, which you configure for this use case, appears.

  5. Click the Edit icon against the Challenge based on Device Maximum Velocity rule.

    Note: The Challenge based on Device Maximum Velocity out-of-the-box rule has an associated condition that evaluates the maximum velocity of the device in the specified time.

  6. Verify that the Select Action and the Select Alert lists are pre-populated with Challenge and Device Maximum Velocity options respectively.

    Note: You can configure action and alert as per your requirement.

  7. Verify that the Last login within (Seconds) and Miles per Hour fields are pre-populated with 72000 and 600 respectively.

    Note: You can configure the preceding fields as per your requirement.

  8. Add the IP addresses that you want the Device Maximum Velocity rule to ignore. For the convenience of the Administrator, an Ignore IP Group is provided out-of-the-box.

    Note: This parameter allows you to specify a list of IPs to ignore. If the IP of the user is in that list, then this condition always evaluates to false. For instance, if an employee who works on a Finance application switches frequently between VPN connections, you would want to add that VPN IP address to the Ignore IP Group. If the IP of the user is not in that list, or if the list is null or empty, then the condition calculates the velocity of the user or device since the last login and evaluates to true if that velocity exceeds the configured value.

  9. Under Ignore IP Group, with Ignore IP Group option selected in the list, click the Edit Ignore IP Group link to add the IP addresses to ignore for this rule.

  10. Click Save and Proceed. The Edit Ignore IP Group page appears.

  11. Perform the following steps to configure the list of IP addresses that you want the rule to ignore:

    a. Click Add IPs.
    b. In the Value field, enter the IP address. For demonstration consider the IP address, 192.0.2.254.
    c. Click Add. The following figure displays the IP address added to the Ignore IP Group.
    d. Repeat steps 11a to 11c to add the list of IP addresses to ignore in the group.

  12. Click Save to save the group. You are redirected to the Edit rule page.

  13. Click Save to save the rule. You are redirected to the User Activity rules page.

Now, when this rule is executed during the authentication flow, the condition associated with the Device Maximum Velocity out-of-the-box rule is evaluated. If the condition evaluates to True, the rule is triggered and the user is presented with a challenge based on the factors configured.
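The condition described above, reduced to code as an added example (this is not OARM's implementation, whose internals are not shown in the tutorial): the great-circle distance between the two login locations is divided by the time gap, the Ignore IP Group is consulted first, and the rule fires only when the implied speed exceeds the Miles per Hour threshold. The semantics of Last login within (Seconds) are assumed here to mean "only evaluate when the previous login happened inside this window". The coordinates for Tamil Nadu (Chennai) and Tokyo, the timestamps, and the IP addresses other than 192.0.2.254 are constructed sample data.

```python
import math
from ipaddress import ip_address, ip_network

EARTH_RADIUS_MILES = 3958.8  # mean Earth radius, used by the haversine formula


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two (latitude, longitude) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    d_phi = math.radians(lat2 - lat1)
    d_lambda = math.radians(lon2 - lon1)
    a = math.sin(d_phi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def in_ignore_group(ip, ignore_group):
    """True when ip matches any address or CIDR entry of the Ignore IP Group."""
    addr = ip_address(ip)
    return any(addr in ip_network(entry, strict=False) for entry in ignore_group)


def device_max_velocity_exceeded(current, previous, *, last_login_within_seconds=72000,
                                 max_mph=600, ignore_group=()):
    """Evaluate the Device Maximum Velocity condition.

    current/previous are dicts with keys ip, lat, lon and time (Unix seconds).
    Returns (triggered, implied_mph). Defaults are the tutorial's 72000 s / 600 mph.
    """
    # Ignore IP Group wins: a listed IP never triggers the condition.
    if in_ignore_group(current["ip"], ignore_group):
        return False, 0.0
    gap = current["time"] - previous["time"]
    # ASSUMPTION: only a previous login inside the window is compared against.
    if gap <= 0 or gap > last_login_within_seconds:
        return False, 0.0
    miles = haversine_miles(previous["lat"], previous["lon"], current["lat"], current["lon"])
    mph = miles / (gap / 3600.0)
    return mph > max_mph, mph


def rule_outcome(triggered):
    """Map the condition result to the action/alert the tutorial configures."""
    if triggered:
        return {"action": "Challenge", "alert": "Device Maximum Velocity"}
    return {"action": None, "alert": None}


# Constructed sample logins: user2 from Tamil Nadu, then from Tokyo two hours later.
SAMPLE_PREVIOUS = {"ip": "203.0.113.10", "lat": 13.0827, "lon": 80.2707, "time": 1_700_000_000}
SAMPLE_CURRENT = {"ip": "198.51.100.20", "lat": 35.6762, "lon": 139.6503, "time": 1_700_000_000 + 7200}


if __name__ == "__main__":
    triggered, mph = device_max_velocity_exceeded(SAMPLE_CURRENT, SAMPLE_PREVIOUS)
    print(f"implied speed {mph:.0f} mph, triggered={triggered}, outcome={rule_outcome(triggered)}")
```

Running the module shows an implied speed of roughly 2,000 mph for the Tamil Nadu to Tokyo pair, well above the 600 mph threshold, so the rule returns the Challenge action and the Device Maximum Velocity alert. Stretching the same two logins to the full 72000-second window brings the speed down to about 200 mph and the rule stays silent, which is why the two parameters have to be tuned together.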

Enable X-Forwarded-For Header Support

The X-Forwarded-For header is a de facto standard header used to identify the original client IP address when a client connects to a web server through an HTTP proxy or load balancer.

In this section you will validate if the X-Forwarded-For header support is enabled.

  1. Make a GET request using the following URL:

    Get:
    https://129.153.185.7/policy/config/property/v1?propertyName=vcrypt.tracker.ip.detectProxiedIP
    
  2. In the response, confirm that "value": "true" appears.

    [
       {
         "name": "vcrypt.tracker.ip.detectProxiedIP",
         "value": "true"
       }
    ]
    
  3. If the response is not true, then make a PUT request using the following URL to enable X-Forwarded-For header support.

    Put:
    https://129.153.185.7/policy/config/property/v1?propertyName=vcrypt.tracker.ip.detectProxiedIP
    
  4. In the response, confirm that "value": "true" appears.

    [
       {
         "name": "vcrypt.tracker.ip.detectProxiedIP",
         "value": "true"
       }
    ]
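The GET-check-then-PUT procedure above, as an added example that is not part of the tutorial or of any Oracle client library: it builds the property endpoint URL from the tutorial, parses the array-of-name/value response, and issues the PUT only when the property is not already "true". The JSON shape of the PUT body is an assumption mirrored from the GET response (confirm it against the OARM REST documentation), authentication headers are deployment-specific and passed in by the caller, and `FakeTransport` is a constructed stand-in that lets the flow run offline.

```python
import json
import ssl
import urllib.parse
import urllib.request

PROPERTY_NAME = "vcrypt.tracker.ip.detectProxiedIP"


def property_url(base_url, property_name=PROPERTY_NAME):
    """Build the OARM property endpoint URL used in the tutorial."""
    query = urllib.parse.urlencode({"propertyName": property_name})
    return f"{base_url.rstrip('/')}/policy/config/property/v1?{query}"


def property_value(response_body, property_name=PROPERTY_NAME):
    """Return the string value of property_name from a response body, or None if absent."""
    for entry in json.loads(response_body):
        if entry.get("name") == property_name:
            return entry.get("value")
    return None


def proxied_ip_detection_enabled(response_body):
    """True only when the property is present and its value is the string "true"."""
    return str(property_value(response_body)).lower() == "true"


def urllib_transport(method, url, body=None, headers=None):
    """Real HTTPS transport. Certificate verification stays on (default context)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
        return resp.read().decode()


class FakeTransport:
    """Constructed offline stand-in that remembers the property value like a server would."""

    def __init__(self, value):
        self.value = value
        self.calls = []

    def __call__(self, method, url, body=None, headers=None):
        self.calls.append(method)
        if method == "PUT":
            self.value = json.loads(body)[0]["value"]
        return json.dumps([{"name": PROPERTY_NAME, "value": self.value}])


def ensure_proxied_ip_detection(base_url, transport=urllib_transport, headers=None):
    """GET the property; if it is not "true", PUT it to "true" and check the PUT response.

    Returns (already_enabled, enabled_after).
    """
    url = property_url(base_url)
    if proxied_ip_detection_enabled(transport("GET", url, headers=headers)):
        return True, True
    # ASSUMPTION: the PUT body mirrors the GET response shape.
    body = json.dumps([{"name": PROPERTY_NAME, "value": "true"}])
    put_headers = {**(headers or {}), "Content-Type": "application/json"}
    after = proxied_ip_detection_enabled(transport("PUT", url, body=body, headers=put_headers))
    return False, after


if __name__ == "__main__":
    # Offline demonstration; swap FakeTransport for urllib_transport against a real console.
    fake = FakeTransport("false")
    print(ensure_proxied_ip_detection("https://oarm.example.com", transport=fake), fake.calls)
```

Two points worth keeping in mind when enabling this property: the tutorial's example URL addresses the console by a bare IP address, so a real run needs a hostname that matches the server certificate rather than a disabled verification check; and X-Forwarded-For is only as trustworthy as the proxy that sets it, so the load balancer in front of OARM should overwrite the header rather than pass through whatever the client supplied, otherwise the geo-location feeding the velocity rule can be steered by the requester.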
    

Test the Device Maximum Velocity Rule

In this section you access the protected application, log in to OARM and test how the Device Maximum Velocity rule works.

  1. Launch a browser and access the protected application, for instance http://oam.example.com:7777/mybank. As this application is protected you should be redirected to the OAM login page. Log in as the new user user2/<password>. This user logs in from Tamil Nadu, India.

    Description of the illustration oamlogin.PNG

  2. If the authentication is successful you should be redirected to the protected application page, for instance /mybank.

    Description of the illustration mybank.PNG

Monitor the User Session

  1. Launch a new browser.

  2. Log in to the OARM Administration console. You are redirected to the OAM login page because the console is protected by OAM OAuth. Specify your credentials and log in.

  3. Click the Application Navigation hamburger menu on top-left, and click Monitor User Sessions. The User Sessions dashboard appears.

  4. Click the Include Successful Sessions toggle button to display the list of successful logins. You will notice that the user2 login is successful.

    Description of the illustration usersession.PNG

  5. Click the link under Session ID for this user, for instance 50018. The User Sessions - 50018 page appears.

  6. On the Location Information pane, view the IP address, Country, and State information for the user.

    Description of the illustration sessiondetail.PNG

Validate the Working of Device Maximum Velocity Rule

In this section, you will validate that the Device Maximum Velocity rule is working accurately. To do so, log in to the same banking application with the same user and device, but from a different IP address.

  1. Launch a browser and access the protected application, for instance http://oam.example.com:7777/mybank. Log in as the same user user2/<password> but from a different IP address. In this example, the IP address being used is of Tokyo (Japan).

  2. If the login is successful you will be redirected to the OAA endpoint, for example https://oaa.example.com/oaa/authnui. Internally, OAA passes this request to OARM, which triggers the Device Maximum Velocity rule. Because the rule's action is set to Challenge, the challenge page is presented to the user.

    Description of the illustration challengechoice.PNG

  3. You will be redirected to the Email page where you are asked to enter the OTP sent to the registered email address. In the Enter OTP field, enter the one-time passcode that was emailed to the user's email address and click Verify.

    Description of the illustration emailotp.PNG

  4. If the authentication is successful you should be redirected to the protected application page, for instance /mybank.

    Description of the illustration mybank.PNG

  5. Open a new browser tab and log in to the OARM Administration console. Specify your credentials and log in.

  6. Click the Application Navigation hamburger menu on top-left, and click Monitor User Sessions. The User Sessions dashboard appears.

  7. Click the Include Successful Sessions toggle button to display the list of successful logins. You will notice the user2 login details from the same device, but from a different IP address.

    Description of the illustration usersession2.PNG

  8. Click the link under Session ID for this user, for instance 50019. The User Sessions - 50019 page appears.

  9. On the User Authentication pane, click Alerts to view the message that the alert sent to the Administrator. It shows that the user who logged in from Japan was presented with a challenge and that an alert was raised for the Administrator.

    Description of the illustration usersession2detail.PNG

Feedback

To provide feedback on this tutorial, please contact idm_user_assistance_ww_grp@oracle.com

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.