TimH.25571 (Customer) asked a question.
How can I get any of the behavior detection rules to work when authentication for a web application is handled by a trusted, back-end application using SSWS and an API Token?
I'm using the following method from the Okta authn sdk:
authenticationClient.authenticate(authRequest, requestContext, handler);
I've tried setting a custom deviceToken in the authenticationRequest's context object (Map<String,Object>), setting the "X-Forwarded-For" and "X-Device-Fingerprint" headers on requestContext, and many variations on both.
My Okta event logs show two IPChains and show the following in the DebugData:
DebugData
- Behaviors {New Geo-Location=UNKNOWN, New Device=BAD_REQUEST, New IP=UNKNOWN, New State=UNKNOWN, New Country=UNKNOWN, Velocity=UNKNOWN, New City=UNKNOWN}
- RequestId XukRYGsM1AvqKsfPa7T4LQAABMU
- RequestUri /api/v1/authn
- Risk {reasons=Anomalous Location, Anomalous Device, level=HIGH}
- ThreatSuspected false
- Url /api/v1/authn?

Hello,
Firstly, regarding the BAD_REQUEST error: not enough information from the sign-in attempt to detect behavior. For example, if the cookies and device fingerprint are missing, Okta treats it as a BAD_REQUEST, which results in the policy rule matching – if MFA is configured for the rule, Okta prompts for MFA.
Secondly, for "Unknown": not enough history to detect behavior. UNKNOWN results in the policy rule matching – if MFA is configured for the rule, Okta prompts for MFA.
Since this is a custom setup, I would recommend opening a case with Okta support to have an engineer dig further into this and leverage all of the available resources if the need should arise.
Thank you.
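
An added example, not part of the original thread and not Okta's code: a Python parser for the DebugData `Behaviors` and `Risk` strings shown in the question, which groups behaviors by the two results the answer explains. The function names are hypothetical, and the sample strings are copied from the question.

```python
import re

# Constructed sample: Behaviors and Risk values copied from the question's DebugData.
SAMPLE_BEHAVIORS = (
    "{New Geo-Location=UNKNOWN, New Device=BAD_REQUEST, New IP=UNKNOWN, "
    "New State=UNKNOWN, New Country=UNKNOWN, Velocity=UNKNOWN, New City=UNKNOWN}"
)
SAMPLE_RISK = "{reasons=Anomalous Location, Anomalous Device, level=HIGH}"

# Meanings as given in the answer above; both results make the policy rule match.
EXPLANATION = {
    "BAD_REQUEST": "not enough information in the sign-in attempt",
    "UNKNOWN": "not enough history to detect behavior",
}

# A new pair starts at ", <key>=" where the key contains no comma or '='.
# This keeps "Anomalous Location, Anomalous Device" together as one value.
_PAIR_BOUNDARY = re.compile(r",\s*(?=[^,=]+=)")


def parse_debug_map(text):
    """Parse '{k=v, k=v}' where a value may itself contain ', '."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a {key=value, ...} string")
    body = body[1:-1].strip()
    result = {}
    if not body:
        return result
    for pair in _PAIR_BOUNDARY.split(body):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed pair: {pair!r}")
        result[key.strip()] = value.strip()
    return result


def triage_behaviors(text):
    """Group behavior names by result; any other result counts as 'evaluated'."""
    report = {"BAD_REQUEST": [], "UNKNOWN": [], "evaluated": []}
    for name, outcome in parse_debug_map(text).items():
        report[outcome if outcome in EXPLANATION else "evaluated"].append(name)
    return report


if __name__ == "__main__":
    for outcome, names in triage_behaviors(SAMPLE_BEHAVIORS).items():
        print(f"{outcome}: {names} {EXPLANATION.get(outcome, '')}")
    print(parse_debug_map(SAMPLE_RISK))
```

Run over the question's log entry, this shows New Device as the only behavior lacking request information, while the other six lack history.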