SecZetta Risk-Based AuthN

Integrating SecZetta and Auth0 enables real-time risk-based access policy to be utilized when non-employee users attempt to log in to a protected resource.

Auth0 can apply SecZetta user risk score(s) to an authentication decision to determine the appropriate level of authentication needed. This allows for context-based access decisions to extend to all non-employees.

Integrating SecZetta and Auth0 provides real-time risk-based access policy to be leveraged when non-employee users attempt to log in to a protected resource. Auth0 can apply SecZetta risk score(s) to an authentication decision to determine the level of authentication needed. This allows for context-based access decisions to extend to all non-employees. ​

Prerequisites

1. An Auth0 account and tenant. Sign up for free here.
2. An active SecZetta account and tenant where you have administrative privileges. To set up a new SecZetta account, please reach out to SecZetta Support.
3. Auth0 MFA should be configured in the case where a login risk score is above an allowable level.

Setup in SecZetta

​ To configure the integration with SecZetta, the only thing required is an understanding of how users map to SecZetta profiles. SecZetta stores user data as 'profiles' and in order to look up a users risk score, the Auth0 Action needs to be able to pull the profile information for the user logging in. This is done typically by using the username field and mapping that to an attribute in SecZetta ​

Using Advanced Search API

​ The Advanced Search API is what will be used to pull the profile data based on the user logging in. You can find detailed information on this api here. This integration uses the following request body to find the user profile. ​ There are a few variables in that body that are required (see below for configuration details)

1. profileTypeId - this is the id of the profile type
2. attributeId - this is the id of the attribute that will be used to look the user up (i.e. email)
3. uid - the value of this attribute (i.e. john.doe@company.com)

{
    advanced_search: {
        label: "All Contractors",
        condition_rules_attributes: [
          {
              "type": "ProfileTypeRule",
              "comparison_operator": "==",
              "value": profileTypeId
          },
          {
              "type": "ProfileAttributeRule",
              "condition_object_id": attributeId,
              "object_type": "NeAttribute",
              "comparison_operator": "==",
              "value": uid
          }
        ]
    }
}

Get Risk Score

Once you get the profile from the API above we need to execute one more API to grab the overall risk score for that profile.

Request URL:

https://<your-seczetta-tenant>.com/api/risk_scores?object_id=${objectId}

Example Response:

{
  "risk_scores": [
    {
      "id": "14118693-983e-462f-a330-f3b34d29f281",
      "uid": "036e7e2a3d0c41938609cdc6029d5b11",
      "object_id": "633b5e71-090c-4a47-a1a3-d0b8338df872",
      "object_type": "Profile",
      "overall_score": 3.5,
      "overall_risk_level_id": "29fc4382-2c60-4c6d-891b-15102cdc9e01",
      "impact_score": 7.0,
      "impact_risk_level_id": "29fc4382-2c60-4c6d-891b-15102cdc9e01",
      "probability_score": 0.0,
      "probability_risk_level_id": "c1f10e76-44c0-4bda-b344-8ae2a256d6c4"
    }
  ]
}

Notice in the response that the risk score still comes back as an array of 1.

Add the Auth0 Action

1. Select Add Integration (at the top of this page).
2. Read the necessary access requirements and click Continue.
3. Configure the integration using the following fields:

• API Key: API Token from your SecZetta tenant
• Base URL: URL for your SecZetta tenant
• Attribute ID the id of the SecZetta attribute you are searching on (i.e personal_email, user_name, etc.)
• Profile Type ID: the id of the profile type this user's profile in SecZetta
• Allowable Risk: Set to a risk score integer value above which MFA is required
• Maximum Allowed Risk: Set to a maximum risk score integer value above which login fails.
• Authenticate on error?: Choose whether or not the Action continues to authenticate on error, by default this is No
• Token Claim Namespace: The attribute name on the access token where the users risk score will be stored. Defaults to https://seczetta.com/risk.

Please note, Maximum Allowed Risk should be greater than Allowable Risk. A good starting point is to use 5 for allowable risk and 7.5 for maximum risk

Attribute ID and Profile Type ID will be in the UUID v4 format. (i.e. 7cffa07d-ad6d-4398-ba07-b3d1e5f9ee9f)

1. Click Create to add the integration to your Library.
2. Click the Add to flow link on the pop-up that appears.
3. Drag the Action into the desired location in the flow.
4. Click Apply Changes.

Please note: Once the Action is added to the Post Login flow, all logins for your tenant will be processed by this Action. Please make sure all components have been configured correctly and verified on a test tenant before activating the integration in production.

Results

This Action (when configured properly) will run right before Authentication time. The Action itself controls the authentication flow and will require MFA or deny access completely if the risk score is too high.

If a user's risk score is too high, an error will occur with the following message:

A 8.25 Risk score is too high. Maximum acceptable risk is 7.5

This message can be adjusted in the Action itself.

Troubleshooting

For any issues regarding this integration please access the SecZetta support team via your portal located here.