Geolocation

The Geolocation feature enables adaptive authentication using geographical data provided by the Geolocation component. Using this data, measures can be taken when a user is potentially logging in from a country they have never logged in from before, from a different country than at their last login, from a forbidden country, or after an impossible journey between two sequential login events. Geographical data can also be used to determine which authentication methods should be available to the user.

Geolocation Database File

To provide geographical data, a locally maintained IP geolocation database is needed. This database is a separate file that exists in the filesystem of each Curity Identity Server run-time node. The admin should copy the file to the $IDSVR_HOME/etc folder of each node, and the database file should be named geolocation.mmdb. Copying the file to the filesystem is required for the Geolocation feature to function as expected. Lack of this database file will result in errors if any geolocation feature is used. New versions of the database file are provided on a regular (weekly) basis, and the file should be updated on each of the running nodes.

To obtain the database file, go to the Downloads area of the Curity Developer Portal as shown in Fig. 138:

[Fig. 138: image of the Downloads area of the Curity Developer Portal]

There, for any particular release greater than or equal to 5.1.0, you can find the geolocation database as an additional file at the bottom of the page. This is depicted in Fig. 139:

[Fig. 139: image of the geolocation database listed as an additional file at the bottom of a release page]

Note

If you do not have a license to use the geo-location database, the Download button will be disabled. In such a case, a license can be obtained by contacting sales.

Because this database changes every week, it is important to set up automated downloads of the database file to each run-time node. This can be done using the API. The API call needed is shown on the Info page and under the downward chevron of the Download button. This API is protected with an API access token. To obtain one that lasts for a prolonged period of time, go to your profile in the top right corner of the portal. There, you can issue a token that will last for one year. Use it when authenticating to the release API to download the geolocation database in an automated fashion.

Warning

Whenever the geo-location database is updated, those changes must be deployed within a month.
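One way to monitor and apply the weekly update on a run-time node, shown as an added example that is not Curity's own tooling. The function names are hypothetical, "within a month" is read as 30 days, and the file's modification time is assumed to mark when the node last received a fresh download; fetching the file from the release API is left to the call shown in the portal.

```python
import os
import shutil
import tempfile
import time

DB_NAME = "geolocation.mmdb"   # file name the page requires
WEEK = 7 * 24 * 3600           # page: a new database is published weekly
MONTH = 30 * 24 * 3600         # assumption: "within a month" read as 30 days


def db_path(idsvr_home):
    return os.path.join(idsvr_home, "etc", DB_NAME)


def db_status(idsvr_home, now=None):
    """Classify one node's database as missing, expired, update-due or ok."""
    path = db_path(idsvr_home)
    if not os.path.isfile(path) or os.path.getsize(path) == 0:
        return "missing"       # an empty file is as unusable as no file
    # Assumption: mtime marks when this node last received a fresh download.
    age = (time.time() if now is None else now) - os.path.getmtime(path)
    if age > MONTH:
        return "expired"
    return "update-due" if age > WEEK else "ok"


def install_db(downloaded, idsvr_home):
    """Swap in a downloaded database atomically; reject an empty download."""
    if os.path.getsize(downloaded) == 0:
        raise ValueError("empty download; keeping the current database")
    target = db_path(idsvr_home)
    # Stage in the same directory so os.replace() is an atomic rename.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target), prefix=".geo-")
    os.close(fd)
    try:
        shutil.copyfile(downloaded, tmp)
        os.chmod(tmp, 0o644)   # assumption: the server account needs read access
        os.replace(tmp, target)
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)     # only reached when the copy or rename failed
    return target


if __name__ == "__main__":
    status = db_status(os.environ.get("IDSVR_HOME", "."))
    print(status)
    raise SystemExit(0 if status == "ok" else 1)
```

Run from a scheduler on each node, the non-zero exit code for anything other than "ok" gives monitoring a signal before a missing or outdated file affects logins.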

Geolocation Actions

As with the rest of the authentication actions, Geolocation actions provide a set of tools for orchestrating what happens after authentication but before the session is committed. For that purpose, each action provides different geographical data, enabling the admin to configure an authentication action tailored to each use case's needs.

Geolocation Allow or Deny Country Action

The Allow or Deny Action can be used to allow or deny authentication based on the country of origin of a request. For more information refer to Geolocation Allow or Deny Action.

Geolocation Changed Country Action

The Geolocation Changed Country Action can be used to enforce additional measures when the user attempts to log in from a different country than the one they logged in from last time. For more information refer to Geolocation Changed Country Action.

Geolocation Impossible Journey Action

The Geolocation Impossible Journey Action can be used to enforce additional measures when the user attempts to log in from a location that they could not possibly have travelled to since their last login. For more information refer to Geolocation Impossible Journey Action.

Geolocation New Country Action

The Geolocation New Country Action can be used to enforce additional measures when the user attempts to log in from a location that they have never logged in from before. For more information refer to Geolocation New Country Action.

Geolocation Authenticator Filter

The Geolocation Authenticator Filter can be configured to allow or deny specific countries to use a configurable list of authenticators. For more information refer to Geolocation Authenticator Filter.

Geolocation Authenticator Settings

These settings allow or deny an authenticator to be used, depending on the location of the request. For more information refer to Geolocation authenticator settings.

For more information about geolocation, refer to the resources section of the Curity Web site and view this video.