OAAM policy risk evaluation in OAM policies
Demo Video: https://youtu.be/NOAW2JE0km8
Steps:
Login to OAAM Admin Console
Search for DAP token version property and change to v2.1
Update OAAM TAP Token version from v2.0 to v2.1 in oam-config.xml file.
Note: Since I have integrated OAM + OAAM already I changed OAM DAP token version in oam-config.xml file from "v2.0" to "v2.1". Else you can provide version v2.1 directly while executing ThirdParty TAP registration command(while OAM + OAAM integration)
Create a group for to hold all the restricted IP Addresses as shown in the screen shot below.
Add IP Address to the group
Create new OAAM Policy as post authentication
Create rule and condition to determine if user login in from restricted IP Address or not.
Select IP Address Group created initially from the drop down
Click on Results Tab and enter score as "1"
Click on "Group Linking" and select "All Users"
Login to OAM Admin Console and click on "Application Domain".
Select the "ohs_webgate". This is the OHS webgate I have already created and used OAAM TAP Authentication Schema to protect resource.
Click on "Authentication Policies"
Click on "Protected Resource Policy"
Click on "Responses"
Add response as shown in the screen shot below.
This "session_risk_level" is the session attribute that passes as part of DAP token from OAAM to OAM after policy evaluation created in the above steps.
Click on "Authorization Policies"
Click on "Protected Resource Policy"
Click on "Conditions"
Click on "+" sign
Enter the condition details as shown in the screen shot below.
Add Condition Details as shown in the screen shot below.
This is the "session_risk_level" session attribute returned from OAAM and the attribute value that gets "1"
Click on "Rules" tab and add new rule in the "Deny Rule" list and click "Apply".
Now test the protected application from two different machines!!!
-- Siva Pokuri.
