ForgeRock with F5 Distributed Cloud (XC) Account Protection and Authentication Intelligence
Introduction
Can you think of a person you know who has experienced fraud? Surveys suggest that 1 in 3 global consumers have experienced fraud in the past 3 months. For businesses that means higher churn, revenue loss and potential fines. F5 recognizes the impact on consumers and businesses when fraud occurs. As such, F5 XC's Account Protection and Authentication Intelligence services are now available with ForgeRock empowering ForgeRock customers to slash fraud and abuse, increase top-line revenue and remove log-in friction from legitimate users.
Who is ForgeRock?
ForgeRock is a global leader in identity, orchestration and access decisioning. Specifically, ForgeRock Identity Platform is AI-powered consisting of identity management, access management, identity governance and universal directory with dynamic lifecycle orchestration able to send rich signals amongst the digital enterprise. They offer cloud and hybrid environments reaching more than 1,300 customers around the world.
Let's get started by walking through how we can enable account protection and authentication intelligence with the ForgeRock plugin!
Deployment Steps
Prerequisites
ForgeRock
- Tomcat 9
- Java 8 or above
- Forgerock Open AM (7.1.2)
F5 provided
- API Hostname
- Frontend/Backend JS path
- Customer ID (can be customized by customer)
- Cookie name (can be customized by customer)
- Decryption Key for Cookie
Step 1: Create the F5 .jar file
The first step will be to visit the ForgeRock backstage and type in "F5". Next choose, "F5 Auth Tree Nodes" which will land at this page.
Figure 1: F5 Auth Tree Node backstage landing page
Following the steps above will create the specific F5 XC nodes which are required for building the tree.
Step 2: Building the tree
Once logged into ForgeRock, click on Top Level Realm > Authentication Trees > Create Tree > Name the tree > Create.
From here we begin to build the tree with the nodes we created from the .jar file as well as some of the existing ForgeRock built-in nodes.
Figure 2: Creation of new tree
The most important node is the "F5 XC FR Configuration" node which houses the service specific information as well as the defined attributes for Account Protection and Authentication Intelligence.
Figure 3: F5 XC FR Configuration node
Please note that Authentication Intelligence endpoint configurations are the same as Account Protection endpoint configurations.
The completed tree will look like this
Figure 4: Completed Authentication tree
This integration is based upon encrypted cookies which are used to send the fraud recommendations from F5 XC. The cookie is collected from the website by the "F5 XC Analyze" node and then is decrypted by the "F5 XC Account Protection" node. For the protected endpoints, the "FR" value is read and then an action is then taken based upon the customers configurations as defined in the "F5 XC FR Configuration" node.
For Authentication Intelligence, if enabled, a legitimate user's session is extended beyond the default timeout. The ForgeRock plug-in will use an encrypted persistent cookie which is saved in the client's browser and maintains the user session details and remains even when the user closes the browser.
Step 3: Validating the AP configurations
In this example, to demonstrate the power of Account Protection, let's say a merchant is protecting his "Shop" endpoint. A user visits the website and makes more than 2 orders and then visits the protected "Shop" endpoint. Based upon the collected telemetry the recommendation comes back as fraud. The previously defined action in the ForgeRock tree is to redirect the user.
Figure 5: User triggering redirection action
Next we can see the webpage begins to take the action of redirect as per the pre-configured action based upon the fraud recommendation.
Figure 6: Endpoint beginning the redirection
And then the actual website used for redirection.
Figure 7: Successful redirection of the user
Step 4: Validating the AI configurations
Starting off in the ForgeRock Access Manager, we see the flag for JS injection is ON, the default session is set for 2 minutes, Authentication Intelligence is Enabled, and the action for the "https://apgis.fun:8443/index1" endpoint is extend.
Figure 8: Configuration of Authentication Intelligence within ForgeRock Access Manager
After the "e1" user logs into the endpoint, despite it having an action of extend, the recommendation for that user is ineligible as seen below. This means that the user is ineligible for a session extension, so the session will be the default of 2 minutes.
Figure 9: Ineligible user for session extension
After two minutes and a refresh of the page, user "e1" has been logged out.
Figure 10: Completed action to log out user after 2 minutes
Now let's say that the recommendation comes back as eligible for a session extension of 7 days.
Figure 11: User eligible for 7 day session extension
This can be verified under the Identities menu in the ForgeRock Access Manager.
Figure 12: Access was extended to 7 days
Please note that "dc" value in the content of the cookie is being shown in plain text for illustrative purposes, in a production environment, the "dc" value is stored inside encrypted content.
The availability of F5 XC Account Protection and Authentication Intelligence on ForgeRock's Identity Platform creates the perfect synergy to help further protect users from fraud and risk as well as reducing log-in friction. It's a win-win!
Additional Resources
Enabling F5 Distributed Cloud Fraud and Risk Services with ForgeRock Connector Video: HERE
Enabling F5 Distributed Cloud Fraud and Risk Solutions with ForgeRock Connector DevCentral article: HERE
ForgeRock Marketplace Backstage: HERE
F5 Download Integration: HERE