How policies are used in the Identity Platform

Policies in the SecureAuth® Identity Platform allow you to define rules to authenticate and block your users to certain resources. A policy is a collection of authentication rules to assert a user identity in the login workflow:

  1. User login attempt to access a resource.

  2. Identity Platform connects to the data store.

  3. Authentication policy to block or allow user.

  4. User identity is asserted into a resource.

The Identity Platform comes with a default policy that you can modify, but not delete. You can create more than one policy with different rules for your resources. When you first create a new custom policy, it brings over the rules from the default policy.

As an example, you might create a policy to block users from a certain country, but only allow employees who work in that country. Then, you define the login workflow and multi-factor methods (MFA) user identities can use to authenticate, like FIDO2 security keys or SMS text. Finally, you attach resources like Salesforce, to that policy.

The following is an overview of each tab you configure in a policy:

Authentication Rules tab

Adaptive rules to specify how to handle user login attempts to access a resource.

Identity Platform honors the rules from top to bottom, and you can drag and drop rules to organize them. You can also add conditions within a rule. For example:

  • Rule 1: Block users located in China, but allow employees in that location who are members of the china_employees group.

    This uses the rule=Country with a condition=Group.

  • Rule 2: Skip MFA if the user has not moved faster than 575 mph.

    Let's say a user logs in from Los Angeles, California (point A) at 11:15 a.m. and then from New York, New York (point B) at 11:45 a.m. on the same day. Something might be off; the adaptive engine can determine whether it is possible for the user to get from point A to point B at the time of login.

    This uses the rule=Geo-Velocity.

  • Else Rule: The last catch-all rule. This rule cannot be deleted. You can set it to Prompt for MFA, Skip MFA, or Run Device/Browser recognition.

policy_overview_001.png

To learn more about each rule type, see Adaptive authentication rules settings in a policy.

Multi-Factor Methods tab

Choose the login experience for end user logins. For example, you can choose a Passwordless login with a FIDO2 security key. Or choose login with a Username & Password and MFA method.

Then, select the types of MFA users can choose to authenticate into resources attached to this policy. If you don't see an MFA method enabled on this tab, go to the Multi-Factor Methods on the left side of this page to enable it.

For example, you have MFA global settings enabled for a FIDO2 security key and a timed passcode from an authentication app. But for this policy, you don't want to allow users to authenticate using an email login confirmation link; you can clear that check box.

policy_overview_002.png

To learn more about types of login workflows and choice of MFA methods, see Define login experience and MFA settings in a policy.

Resources tab

Select or add resources to which this policy applies.

For example, resources might be Office 365 and Salesforce. When you attach resources to a policy, it determines the login experience and authentication to assert users into access Office 365 and Salesforce.

policy_overview_003.png

To learn more about adding and managing resources, see Resource settings in a policy.