Policies in the SecureAuth® Identity Platform let you define the rules that govern how users authenticate to certain applications and when they are blocked. A policy is a collection of rules and acts as the middle piece in how user identity is asserted in the Identity Platform:
- Identity Platform connects to the data store.
- Users are subjected to an authentication policy.
- User identity is asserted into an application.
The Identity Platform comes with a default policy that can be modified, but it cannot be deleted. You can also create multiple custom policies with different rules for your applications. When a new custom policy is created, the rules from the default policy are applied.
Multi-factor methods are defined globally in the Identity Platform, but you can limit which multi-factor authentication methods are available in a given policy. For example, your organization might want to use the SMS text authentication method for one group of applications while making sure that users can only use an email link for another set of applications.
In a policy, you configure the rules on the tabs described below. Note that which policy rules are displayed depends on the package level licensed by your organization.
- Authentication Rules
Rules that specify how user login attempts to access an application are handled by the Adaptive Engine.
For example, if a user logged in from Los Angeles, California (point A) at 11:15 a.m. and then from New York, New York (point B) at 11:45 a.m. on the same day, something might be off. The Adaptive Engine can determine whether it is logistically possible for the user to get from point A to point B in the time between the two logins. The rule option (Skip or Prompt) determines whether the user must use multi-factor authentication to verify their identity or is allowed access to the application.
- Blocking Rules
Rules that block users from accessing any applications.
For example, if your organization does not allow users from a certain country to log in to your system, you can set up a blocking rule to prevent that access.
- Multi-Factor Methods
Limit the multi-factor authentication (MFA) methods users can choose when authenticating under this policy. When you create a new policy, the global settings for Multi-Factor Methods (from the left side of the main page under AUTHENTICATION) are applied in this tab. You can then restrict which of those MFA methods apply to this policy.
For example, your organization has the global settings enabled for a one-time passcode from an authentication app and for an email login confirmation link. If, for this policy, you don't want users to be able to use the email login confirmation link, you can clear that check box.
Pertains to the list of resources added by means of the Application Manager. Choose the resources to which this policy applies. By default, all resources belong to the default policy unless they are assigned to a custom policy.
For example, the resources might be Office 365 and Salesforce logins; the authentication rules, blocking rules, and multi-factor methods defined in the policy are then applied when authenticating user logins to those resources.
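To make the policy model concrete (blocking rules evaluated first, then an Adaptive Engine style impossible-travel check with its Skip/Prompt option, then the MFA methods left enabled for the policy), here is an added illustrative example written for this page; it is not SecureAuth code and does not reflect the Identity Platform's internal API. The 900 km/h travel-speed bound, the coordinates and the "XX" country code are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_TRAVEL_KMH = 900.0  # assumed upper bound for plausible travel speed

@dataclass
class Login:
    country: str
    lat: float
    lon: float
    at: datetime

@dataclass
class Policy:
    blocked_countries: set = field(default_factory=set)
    impossible_travel: str = "Prompt"  # rule option: "Skip" or "Prompt"
    # methods enabled for this policy (a subset of the global settings)
    allowed_mfa: set = field(default_factory=lambda: {"otp_app", "email_link"})

def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def evaluate(policy: Policy, previous, current: Login):
    """Blocking rules first, then authentication rules, then allowed MFA methods."""
    if current.country in policy.blocked_countries:
        return ("block", None)
    if previous is not None:
        hours = max((current.at - previous.at).total_seconds() / 3600, 0.0)
        if distance_km(previous, current) / MAX_TRAVEL_KMH > hours:
            # travel between the two points is not feasible in the elapsed time
            if policy.impossible_travel == "Prompt":
                return ("mfa", sorted(policy.allowed_mfa))
    return ("allow", None)

# Constructed sample: the page's Los Angeles -> New York logins 30 minutes apart
LA = Login("US", 34.05, -118.24, datetime(2024, 1, 1, 11, 15))
NYC = Login("US", 40.71, -74.01, datetime(2024, 1, 1, 11, 45))

def demo():
    return {
        "default": evaluate(Policy(), LA, NYC),
        "no_email_link": evaluate(Policy(allowed_mfa={"otp_app"}), LA, NYC),
        "skip": evaluate(Policy(impossible_travel="Skip"), LA, NYC),
        "blocked": evaluate(Policy(blocked_countries={"XX"}), LA,
                            Login("XX", 40.71, -74.01, NYC.at)),
    }
```

Running `demo()` shows the same pair of logins prompting for MFA under the default policy, prompting with only the authentication app once the email link is cleared, and passing straight through when the rule option is Skip.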