- Created by Phillip Hanegan on Aug 24, 2022
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
Version 1 Next »
EmpowerID adaptive authentication allows organizations to execute rules during initial login or single sign-on into a service provider to determine if additional steps must be taken before users can login. Examples include rules to check whether specific attributes are missing or whether users need to go through a workflow process to gain additional level of assurance points before gaining access. While EmpowerID provides several of these out of the box, you can develop your own custom rules and workflows in Workflow Studio.
Create adaptive authentication rules
In Workflow Studio, right-click on the desired folder for the rule and select New Adaptive Authentication > Adaptive Auth Rules from the context menu.
Workflow Studio creates the rule and opens the stub in the C# Editor.In the Code Tree to the right of the C# Editor, right-click on the main node and select Add New Adaptive Auth Rule.
Enter an appropriate name for the rule and click OK.
Workflow Studio stubs out the Adaptive Auth Rule with the prerequisite namespaces, attribute decorations and classes and opens it in the C# Editor.
Locate the
//TODO
line of code in the Editor and write the logic for the rule there. You can uncomment the code underneathTODO
and replace the values for the output parameters with the appropriate values. Parameters include the following:InvokeWorkflow – Boolean that specifies whether to run the Adaptive Authentication workflow.
WorkflowName – String that specifies the name of the Adaptive Authentication workflow to run.
WorkflowParameters – Dictionary<string, object> – Provides additional context information that can be passed to the workflow as parameters.
The below code fragment provides an example of an Adaptive Authentication Rule that could be used to run a specific workflow when a person missing the specified attribute information logs in or attempts to access a protected application.
//TODO: Implementation goes here var outputModel = new DOC_ProfileAdaptiveAuthRuleOutputModel() { Result = false }; var personID = context.TargetPersonID.HasValue ? context.TargetPersonID.Value : default(int); var person = Person.GetCachedByPersonID(personID); if (string.IsNullOrWhiteSpace(person.Email) || string.IsNullOrWhiteSpace(person.BusinessPhone) || string.IsNullOrWhiteSpace(person.StreetAddress)) { outputModel.InvokeWorkflow = true; outputModel.workflowname = "DOC_ProfileAdaptiveAuthRuleWF"; outputModel.workflowparameters = new Dictionary<string, object> { {"TargetPerson", person} }; } return outputModel;
After adding your code, click the Save button above the C# Editor and save the Adaptive Auth Rule in your working directory.
Close the Adaptive Auth Rule and then locate it in your Workspace tree.
Double-click the rule to open it in Visual Studio.
Review the rule and when ready build the solution.
If prompted, enter your credentials to authenticate to EmpowerID.
Building the solution in Visual Studio, publishes the rule in EmpowerID. If successful, you should see something similar to the below output message:
Now that you have created the Adaptive Authentication Rule, the next step is to create the workflow that runs when the logic for the rule is initiated via a Password Manager Policy or application with the rule.
Create the Adaptive Auth Workflow
In Workflow Studio, right-click on the desired folder for the workflow and select New Adaptive Authentication > Adaptive Auth Workflow from the context menu.
This opens the workflow in the Workflow Designer.
Please note the
DoWork()
andSetActivityParameters()
activities. These activities are where you add can additional logic used by the workflow, if needed. Additionally, you place any additional activities. Business Rules, etc., needed by the workflow between theDoWork()
and theSetActivityParameters()
activities.Save the workflow, naming it appropriately.
If your workflow needs any additional properties, add them in the Properties tab.
If your workflow needs additional activities, such as forms, Business Rules or operation activities, add them to the workflow as indicated above, connecting them within the workflow to ensure the logic flows from activity to activity appropriately.
Double-click the DoWork activity to open the code editor for it.
Add any needed code to the activity.
Add any logic to any other activities or Business Rules used as needed.
When ready, click the Compile and Publish button at the top of the Workflow Designer and follow the wizard to publish the workflow in your environment.
At this point, the workflow is simply published to your local file system. In order to make it available to users in the EmpowerID Web application, you need to run the PublishWorkflowStudioItem workflow in the Web application.
Log in to the EmpowerID web application as a user with the appropriate access to run the PublishWorkflowStudioItem workflow.
On the navbar, expand Object Administration > Workflows and click the Publish Workflow Studio Item action link.
Click Choose File, navigate to the _PublishedItems folder, and select the .pub file for the workflow.
Click Submit.
After the workflow has been deployed, click Publish Workflow Studio Item again and follow the same process, this time deploying the rule created earlier.
Now that the Adaptive Auth Rule and workflow have been developed, published and deployed, the next step is to create the Adaptive Auth Rule in the EmpowerID Web app.
Create the Adaptive Auth Rule in EmpowerID
Log in to EmpowerID as an administrator and navigate to Apps and Authentication > SSO Connections > Adaptive Authentication Rules.
Click the Add New button.
This opens the Add Rule panel.
Field
Description
Rule
Select EmpowerID Progressive Profiling Rules
Rule Name
Name of the rule created in Workflow Studio.
Name of the Rule Method
Name of the rule created in Workflow Studio.
Friendly Name of the Rule
Name of the rule that appears to users in the Web interfaces
Fill in the fields in the Add Rule panel and then click Save.
Now that the rule has been added to EmpowerID, administrators can apply the rule to Password Manager policies and managed applications. Please see Assign Adaptive Authentication Rules to Password Manager Policies and Assign Adaptive Authentication Rule to Applications in the Admin Guide.
IN THIS ARTICLE
- No labels