Risk-Based Authentication Data Flow
The following figure shows a web-based application before it is configured for risk-based authentication (RBA). In this example, the network resource is protected by an SSL-VPN, and the SSL-VPN is configured to validate user logon credentials using an LDAP directory.
Data flow occurs in the following sequence:
1. The user browses to the SSL-VPN logon page over an HTTPS connection.
2. The user provides a user name and password.
3. The SSL-VPN validates the user’s identity using an LDAP directory, the identity source, over an LDAPS connection.
4. The SSL-VPN grants the user access to the protected resource.
When RBA is enabled, the logon page for the web-based application redirects the user to the AM logon page. The user enters logon credentials, and AM validates the user’s credentials using an LDAP directory as an identity source.
You can deploy RBA so that the workflow is transparent to the user. The redirect is immediate. Also, you can customize the AM logon page.
The following figure shows RBA integrated with the SSL-VPN.
Data flow occurs in the following sequence:
1. The user browses to the SSL-VPN logon page over an HTTPS connection.
2. The SSL-VPN redirects the user’s browser to an AM logon page.
3. The user provides a user name and password.
4. AM validates the user’s identity using an LDAP directory, the identity source, over an LDAPS connection.
   Also, AM assesses the assurance level (the confidence level that determines when the user is challenged for identity confirmation) of the authentication attempt. One of the following occurs:
   - If the assurance level meets the level that is required by the RBA policy, the workflow continues at step 5.
   - If the assurance level does not meet the level that is required by the RBA policy, the user is prompted to confirm his or her identity. One of the following happens:
     - If the user provides identity confirmation, the workflow continues at step 5.
     - If the user does not provide identity confirmation, AM returns a message to the user’s browser that access is denied, and the workflow ends.
5. AM redirects the user’s browser to the SSL-VPN with an authentication artifact to confirm that the user’s credentials are valid.
6. The SSL-VPN validates the authentication artifact over the RSA SecurID protocol, which is the native authentication protocol for AM.
7. The SSL-VPN grants the user access to the protected resource.
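The decision branches in steps 4 through 7 can be traced with a small model. This is an added example, not RSA code: the class and function names, the LOW/MEDIUM/HIGH level names, the sample directory entry, and the single-use handling of the artifact are all assumptions, the assessed assurance level is passed in as an input, and a direct method call stands in for the RSA SecurID protocol exchange in step 6.

```python
import hmac
import secrets

# Constructed sample data: the directory entry and the numeric ordering of
# levels are assumptions of this model, not values from the product.
DIRECTORY = {"alice": "correct horse"}  # stands in for the LDAP identity source
LEVELS = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

class AuthManager:
    """Hypothetical stand-in for AM (steps 3 to 5, and its side of step 6)."""
    def __init__(self, required_level):
        self.required = LEVELS[required_level]  # level required by the RBA policy
        self._artifacts = {}                    # issued artifact -> user name

    def logon(self, user, password, assessed_level, confirm_identity=None):
        # Step 4: validate the credentials against the identity source.
        stored = DIRECTORY.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return "denied", None
        # Step 4, continued: below the required level, the user must confirm
        # identity; without confirmation the workflow ends with a denial.
        if LEVELS[assessed_level] < self.required:
            if confirm_identity is None or not confirm_identity():
                return "denied", None
        # Step 5: issue the artifact carried by the browser redirect.
        artifact = secrets.token_urlsafe(32)
        self._artifacts[artifact] = user
        return "redirect", artifact

    def validate_artifact(self, artifact):
        # Single use (pop) is an assumption of this model.
        return self._artifacts.pop(artifact, None)

class SslVpn:
    """Hypothetical stand-in for the SSL-VPN (steps 6 and 7)."""
    def __init__(self, am):
        self.am = am

    def complete_logon(self, artifact):
        # Step 6: ask AM about the artifact rather than trusting the browser.
        user = self.am.validate_artifact(artifact)
        # Step 7: grant access only when AM recognises the artifact.
        return f"access granted: {user}" if user else "access denied"

def run_flow(vpn, user, password, assessed_level, confirm_identity=None):
    """Drive steps 3 to 7 for one logon attempt and return the outcome."""
    status, artifact = vpn.am.logon(user, password, assessed_level, confirm_identity)
    return vpn.complete_logon(artifact) if status == "redirect" else "access denied"
```

Because the artifact passes through the user’s browser, the model has the SSL-VPN check it with AM before granting access, so a made-up or already-used value is refused.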