Legal Notice
Copyright 2014 - 2016 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to
provide attribution to the third party (Third Party Programs). Some of the Third Party Programs
are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under those
open source or free software licenses. Please see the Third Party Legal Notice Appendix to
this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com
Contents
Chapter 1 Overview ..... 4
Chapter 2 Integration ..... 7
Requirements ..... 7
Integrating VIP Intelligent Authentication ..... 8
Configuring VIP Intelligent Authentication in VIP Manager ..... 9
Configuring Remembered Devices in VIP Manager ..... 11
Configuring VIP IA and Remembered Devices with VIP Enterprise Gateway ..... 12
Integrating the VIP Integration Code for JavaScript ..... 13
Appendix A Troubleshooting ..... 15
Chapter 1
Overview
This chapter includes the following topics:
End-user behavior
Device risk
About Measuring VIP IA Risk
The more inconsistencies that are identified against an end user's established
sign-in behavior, the higher the risk of the user's sign-in. For each end-user sign-in
event, VIP IA determines a corresponding risk score that is used to assess the
security risk of the sign-in.
If a VIP IA risk score exceeds the threshold value that is configured within VIP
Manager, the sign-in event is considered potentially suspicious, or risky.
Any risky sign-in requires additional authentication from the user to confirm their
identity for a successful sign-in. VIP IA prompts users to provide a unique VIP
Security Code as an out-of-band (OOB) method for additional authentication. Your
users obtain this security code by selecting one of the following retrieval options:
Voice call
About VIP Remembered Devices
Similar to VIP IA, VIP Remembered Devices provide security for your end users
with little disruption of the user experience. If you are interested in layering VIP IA
with VIP Remembered Device authentication, you must follow a specific procedure.
See Configuring Remembered Devices in VIP Manager on page 11.
Chapter 2
Integration
This chapter includes the following topics:
Requirements
Requirements
You must meet the following requirements to integrate VIP IA with your web pages:
Access to VIP Manager to enable and configure the VIP IA policy. If you also
integrate a VIP Remembered Device, you need to enable the Remembered
Device policy.
The following operating systems and browsers are supported for VIP IA (without
VIP Remembered Devices):
Chrome 13 or higher
Integration
Integrating VIP Intelligent Authentication
Safari 5 or higher
Mobile:
Android 2.3 and 3.0 for Samsung mobile devices and tablets
If you want to combine VIP Remembered Device authentication with VIP IA, use
the following supported operating systems and browsers:
Chrome 13 or higher
Safari 5 or higher
You can set VIP IA to send security codes to users in an out-of-band (OOB)
channel if IA considers the users' sign-in events risky. Enable out-of-band
authentication by configuring the Self Service Portal IDP.
See Configuring VIP IA and Remembered Devices with VIP Enterprise
Gateway on page 12.
Figure 2-1 describes the process for integrating your web application with VIP IA
and provides an overview of the VIP IA integration flow.
Figure 2-1 VIP IA integration flow
IA threshold
IA policy settings
IA risk score
Optionally, specify additional countries with increased risk, from where any
user sign-in attempt can increase the user's IA risk score.
Optionally, specify IP addresses from where you need to always block (fail)
or always accept (succeed) user sign-in attempts.
Up to 100 entries can be uploaded from a single file (one IP address or one
IP address range counts as one entry). Each IP address in the file must be in
dotted-decimal format, the two ends of an IP address range must be separated
by a hyphen, and all entries must be comma-separated.
For example:
10.146.2.40,172.31.255.255,192.168.0.1-192.168.0.100
Click Save.
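As an added example, not Symantec's code and not the VIP Manager implementation, the following JavaScript parses an IP list in the file format described above, enforces the 100-entry limit, and then applies the always-block and always-accept lists together with the IA threshold to a single sign-in event. The policy object, the event fields (ip, riskScore), the decision strings, the "expired at exactly the threshold is not risky" reading of "exceeds", and the block-list-before-accept-list precedence are assumptions made for illustration; this guide does not state VIP Manager's own evaluation order.

```javascript
// Added example, not Symantec's code: parse a VIP Manager-style IP list file
// and apply block/accept lists plus the IA threshold to one sign-in event.
// Policy/event field names, decision strings and list precedence are assumptions.

const MAX_ENTRIES = 100; // documented limit per uploaded file

// Convert a dotted-decimal IPv4 address to an unsigned 32-bit integer.
// Rejects anything that is not exactly four octets in the range 0..255.
function ipv4ToInt(text) {
  const parts = text.trim().split(".");
  if (parts.length !== 4) {
    throw new Error(`not a dotted-decimal IPv4 address: "${text}"`);
  }
  return parts.reduce((acc, octet) => {
    if (!/^\d{1,3}$/.test(octet) || Number(octet) > 255) {
      throw new Error(`bad octet "${octet}" in "${text}"`);
    }
    return acc * 256 + Number(octet);
  }, 0);
}

// Parse the comma-separated file content into {low, high, text} ranges.
// A single address becomes a one-element range; "a-b" must have a <= b.
function parseIpList(fileText) {
  const entries = fileText.split(",").map((e) => e.trim()).filter((e) => e !== "");
  if (entries.length > MAX_ENTRIES) {
    throw new Error(`${entries.length} entries exceeds the limit of ${MAX_ENTRIES}`);
  }
  return entries.map((entry) => {
    const ends = entry.split("-");
    if (ends.length > 2) throw new Error(`malformed range "${entry}"`);
    const low = ipv4ToInt(ends[0]);
    const high = ends.length === 2 ? ipv4ToInt(ends[1]) : low;
    if (low > high) throw new Error(`range "${entry}" starts above its end`);
    return { low, high, text: entry };
  });
}

// True when the address falls inside any parsed entry (range ends inclusive).
function ipInList(ip, ranges) {
  const n = ipv4ToInt(ip);
  return ranges.some((r) => n >= r.low && n <= r.high);
}

// Decide one sign-in. Block and accept lists override the score entirely;
// otherwise a risk score above the threshold triggers the VIP Security Code
// step-up. Checking the block list first is an assumption of this example.
function evaluateSignIn(event, policy) {
  if (ipInList(event.ip, policy.blockList)) return "FAIL";
  if (ipInList(event.ip, policy.acceptList)) return "SUCCEED";
  if (event.riskScore > policy.threshold) return "REQUIRE_SECURITY_CODE";
  return "SUCCEED";
}

// Constructed sample policy: the accept list is the guide's own example entry.
const samplePolicy = {
  threshold: 70,
  blockList: parseIpList("203.0.113.0-203.0.113.255"),
  acceptList: parseIpList("10.146.2.40,172.31.255.255,192.168.0.1-192.168.0.100"),
};

// Constructed sample sign-in events.
const sampleEvents = [
  { user: "alice", ip: "192.168.0.50", riskScore: 95 }, // accept list wins
  { user: "bob", ip: "203.0.113.7", riskScore: 5 },     // block list wins
  { user: "carol", ip: "198.51.100.9", riskScore: 80 }, // above threshold
  { user: "dave", ip: "198.51.100.9", riskScore: 70 },  // equal to threshold: not "exceeds"
];

for (const ev of sampleEvents) {
  console.log(`${ev.user} from ${ev.ip} (score ${ev.riskScore}): ${evaluateSignIn(ev, samplePolicy)}`);
}
```

The parser rejects malformed octets, reversed ranges and over-long files up front, so a bad upload fails before any entry is applied to live sign-ins; the accept-list case shows why "always accept" entries deserve the same review as the block list, since they bypass the risk score entirely.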
If you plan to combine VIP Remembered Device authentication with VIP IA,
you must configure the Remembered Device policy.
See Configuring Remembered Devices in VIP Manager on page 11.
If you plan to integrate VIP IA with an externally-accessible web application,
use VIP integration code for JavaScript.
See Integrating the VIP Integration Code for JavaScript on page 13.
In the Remembered Devices policy section, enable the type of credentials that
your organization supports: Device Fingerprint, Trusted Device, or both.
Set the maximum number of days before the device fingerprint expires.
Enter from 1 day to 730 days. The device fingerprint expires after this
time period, even if the user has successfully authenticated before the
authentication expiration threshold.
Set the number of days before the device fingerprint expires if users do
not use their device to successfully authenticate themselves. Enter from
1 day to 365 days.
A successful authentication resets only this inactivity counter. Device
fingerprints always expire after the number of days configured in the
Expire after field, regardless of how recently the user authenticated.
Enter the maximum number of devices that each user can register as
Remembered Devices. You can enter from 1 to 20.
Select how devices are deleted if a user attempts to register more than the
maximum allowed number of Remembered Devices:
Click Save.
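To make the two expiry timers and the device limit concrete, here is an added JavaScript example; it is not Symantec's code and does not reflect how VIP Manager stores fingerprints internally. The policy field names (expireAfterDays, inactivityDays, maxDevices), the fingerprint record shape, the choice that a fingerprint is expired once a full N days have elapsed, and counting only unexpired fingerprints toward the maximum are all assumptions made for illustration.

```javascript
// Added example, not Symantec's code: model the Remembered Device policy
// limits and the two fingerprint expiry timers. Field names, the
// ">= N days means expired" boundary and the live-device count are assumptions.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Enforce the ranges the VIP Manager fields accept (1-730, 1-365, 1-20).
function validateRememberedDevicePolicy(policy) {
  const check = (value, lo, hi, name) => {
    if (!Number.isInteger(value) || value < lo || value > hi) {
      throw new Error(`${name} must be an integer from ${lo} to ${hi}, got ${value}`);
    }
  };
  check(policy.expireAfterDays, 1, 730, "expireAfterDays");
  check(policy.inactivityDays, 1, 365, "inactivityDays");
  check(policy.maxDevices, 1, 20, "maxDevices");
  return policy;
}

function daysBetween(earlierMs, laterMs) {
  return (laterMs - earlierMs) / MS_PER_DAY;
}

// Status of one fingerprint: the absolute timer runs from registration and
// cannot be extended; the inactivity timer runs from the last successful
// authentication. Both must be within their windows for the device to count.
function fingerprintStatus(fp, policy, nowMs) {
  if (daysBetween(fp.registeredAtMs, nowMs) >= policy.expireAfterDays) {
    return { valid: false, reason: "absolute expiry" };
  }
  if (daysBetween(fp.lastAuthAtMs, nowMs) >= policy.inactivityDays) {
    return { valid: false, reason: "inactivity expiry" };
  }
  return { valid: true, reason: "within both windows" };
}

// A successful authentication resets only the inactivity counter.
function recordSuccessfulAuth(fp, nowMs) {
  return { ...fp, lastAuthAtMs: nowMs };
}

// Registration of one more device is allowed while the user has fewer live
// fingerprints than maxDevices (expired ones no longer count).
function canRegisterAnother(fingerprints, policy, nowMs) {
  const live = fingerprints.filter((fp) => fingerprintStatus(fp, policy, nowMs).valid).length;
  return live < policy.maxDevices;
}

// Constructed sample data: a short policy so the timeline is easy to follow.
const rdPolicy = validateRememberedDevicePolicy({ expireAfterDays: 30, inactivityDays: 10, maxDevices: 2 });
const T0 = Date.UTC(2016, 0, 1);
const dayOffset = (n) => T0 + n * MS_PER_DAY;
const laptop = { id: "laptop", registeredAtMs: dayOffset(0), lastAuthAtMs: dayOffset(0) };

// Walk a timeline for one fingerprint and print what happens at each step.
const timeline = [
  ["day 5, no auth since registration", fingerprintStatus(laptop, rdPolicy, dayOffset(5))],
  ["day 12, still no auth", fingerprintStatus(laptop, rdPolicy, dayOffset(12))],
  ["day 12 after auth on day 9", fingerprintStatus(recordSuccessfulAuth(laptop, dayOffset(9)), rdPolicy, dayOffset(12))],
  ["day 30 after auth on day 29", fingerprintStatus(recordSuccessfulAuth(laptop, dayOffset(29)), rdPolicy, dayOffset(30))],
];
for (const [label, status] of timeline) {
  console.log(`${label}: ${status.valid ? "valid" : "expired"} (${status.reason})`);
}
```

The last timeline step is the case the guide calls out: an authentication on day 29 does not save a fingerprint whose absolute expiry is 30 days, which is what keeps a stolen or forgotten device from staying trusted indefinitely.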
Note: If you want to provide VIP Remembered Devices for users without VIP IA,
see the VIP Remembered Device Integration Guide.
Make sure that users outside the enterprise have access to the Self Service
Portal IDP by making the Self Service Portal IDP URL public or by configuring
a reverse proxy.
Symantec recommends that you also use the Configuration Console to configure
LDAP synchronization of your organization's user store to ensure that the user
information is current and valid.
Be sure that your Validation server is configured in User Name + LDAP Password
+ Security Code mode or User Name + Security Code mode.
See VIP Enterprise Gateway Installation and Configuration Guide for details about
VIP Self Service Portal settings in the VIP Enterprise Gateway Configuration
Console.
Integrating the VIP Integration Code for JavaScript
Select the link for Get VIP Integration Code for VPN.
Enter the URL for out-of-band authentication options. The URL must start
with https if you use the secure protocol for VPN.
For users within the enterprise, the URL for the Self Service Portal IDP
should be similar to
https://<Your_Self_Service_Portal_IDP_URL>/vipssp/login
For users outside the enterprise, the URL for the Self Service Portal
IDP proxy should be similar to
https://<Your_Self_Service_Portal_IDP_Proxy_URL>/dmzssp/DmzListener
If you use a third-party reverse proxy in the DMZ, map the Self Service
Portal IDP URL (https://<Your_SSP_IDP_URL>/vipssp/login) to your
proxy URL and use the reverse proxy URL on this page.
If not already done, you must also configure the VIP Self Service Portal
IDP or VIP Self Service Portal IDP Proxy in VIP Enterprise Gateway.
See Configuring VIP IA and Remembered Devices with VIP Enterprise
Gateway on page 12.
Copy the VIP integration code that you generated in the VIP Manager.
Paste the code between the <head> and </head> tags of your sign-in page.
Your sign-in page is now ready for VIP IA or VIP IA/Remembered Device
layered authentication.
If your application requires additional code modification for the sign-in page, you
need to download your application's integration guide from VIP Manager for details.
Appendix A
Troubleshooting
This appendix includes the following topics:
Troubleshooting
After Selecting the Submit Button
Table A-2 Troubleshooting after selecting the Submit button

Issue: The Confirm Your Identity window may appear repeatedly even after you
select the Remember Me option.
Resolution: Make sure that the browser is not set to clear cache automatically.

Issue: You cannot view the Confirm Your Identity window.

Issue: You cannot view the Don't have a security code? link in the Confirm Your
Identity window.
Resolution: Make sure that the user has a valid email address and that the
Self Service Portal IDP proxy service runs.

Issue: When you attempt to generate a security code, the following message may
appear in the console log:
"Unable to generate security code." <failure_reason>
Resolution: <failure_reason> states the reason why the request to generate a
security code has failed.

Issue: If an exception occurs when you attempt to generate a security code,
look for this line in the console log:
ERROR: Unable to generate security code.
Resolution: Although it is unlikely, this error may occur when you attempt to
generate a security code.

Issue: If other generic errors appear, look for this line in the console log:
ERROR: Unable to submit the request.