
Symantec VIP

Intelligent Authentication (IA)


Enterprise Integration Guide

Legal Notice
Copyright 2014 - 2016 Symantec Corporation. All rights reserved.
Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to
provide attribution to the third party (Third Party Programs). Some of the Third Party Programs
are available under open source or free software licenses. The License Agreement
accompanying the Software does not alter any rights or obligations you may have under those
open source or free software licenses. Please see the Third Party Legal Notice Appendix to
this Documentation or TPIP ReadMe File accompanying this Symantec product for more
information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying,
distribution, and decompilation/reverse engineering. No part of this document may be
reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED
WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR
NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH
DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL
NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION
WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE
INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE
WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software
as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in
Commercial Computer Software or Commercial Computer Software Documentation", as
applicable, and any successor regulations. Any use, modification, reproduction release,
performance, display or disclosure of the Licensed Software and Documentation by the U.S.
Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
350 Ellis Street
Mountain View, CA 94043
http://www.symantec.com

Contents

Chapter 1   Overview ... 4
            About VIP Intelligent Authentication ... 4
            About Measuring VIP IA Risk ... 5
            About VIP Remembered Devices ... 6

Chapter 2   Integration ... 7
            Requirements ... 7
            Integrating VIP Intelligent Authentication ... 8
            Configuring VIP Intelligent Authentication in VIP Manager ... 9
            Configuring Remembered Devices in VIP Manager ... 11
            Configuring VIP IA and Remembered Devices with VIP Enterprise Gateway ... 12
            Integrating the VIP Integration Code for JavaScript ... 13

Appendix A  Troubleshooting ... 15
            After Loading the Sign-in Page ... 15
            After Selecting the Submit Button ... 15

Chapter 1

Overview
This chapter includes the following topics:

About VIP Intelligent Authentication

About Measuring VIP IA Risk

About VIP Remembered Devices

About VIP Intelligent Authentication

VIP Intelligent Authentication (IA) helps prevent malicious account sign-in from untrusted sources. VIP IA is an alternative or addition to traditional hardware and mobile credentials, and it provides layered security for your end users with minimal disruption of the user experience.

The VIP IA security layer uses risk-based authentication: for each sign-in it analyzes various profile elements together with the usual user name and password. VIP IA assesses the legitimacy of sign-in events by considering:

End-user behavior

Browser and device attributes

Device reputation and network intelligence

Device risk

This documentation helps enterprise web developers and IT professionals implement VIP IA in their web applications, enabling secure sign-in for the users in their organization.

The VIP Intelligent Authentication policy must be configured in VIP Manager before you can use VIP IA security for your end users.


About Measuring VIP IA Risk


VIP IA measures the risk of each sign-in event with the IA engine components, which determine a specific risk level. In particular, the VIP IA rules engine produces a risk score that helps determine:

Whether the sign-in event is valid

Whether the sign-in attempt comes from a legitimate end user

The score is calculated to identify aberrations or irregularities in the end user's browser, device, or behavior compared with that user's normal sign-ins. Some of the tracking elements that contribute to the risk score are:

Real-time sign-in events (physical or geographic location): Does the end user attempt to sign in from two distant locations within a questionable time frame? For example, are sign-in attempts made from San Francisco and Beijing by the same user within an hour?

IP address (physical or geographic location): Does the end user attempt to sign in from a distant country or location that is inconsistent with the user's usual physical location?

OS or browser attributes (derived from the HTTP request): Does the end user switch to an operating system or browser version that is inconsistent with the pattern already established in the user's profile?

Device ID "fingerprint" (attributes of the end user's device): Is the physical device different from the device consistently used in the user's behavioral pattern?

The more inconsistencies that are identified against an end user's established sign-in behavior, the higher the risk of the sign-in. For each end-user sign-in event, VIP IA determines a corresponding risk score that is used to assess the security risk of the sign-in.

If a VIP IA risk score exceeds the threshold value configured in VIP Manager, the sign-in event is considered potentially suspicious, or risky. Any risky sign-in requires additional authentication from the user to confirm their identity before the sign-in succeeds. VIP IA prompts the user for a VIP Security Code delivered over an out-of-band (OOB) channel. Users obtain this security code by selecting one of the following retrieval options:

Email

SMS text message

Voice call


About VIP Remembered Devices


VIP Remembered Devices use device identification to determine whether a user is attempting to authenticate from an unregistered device or from a device with inconsistent characteristics. Remembered Devices complement VIP IA by providing a concrete device ID for assessing the risk of sign-in events. By combining a Remembered Device with VIP IA, you can offer a comprehensive mode of authentication for your users.

Trusted Device provides strong authentication by using a certificate to identify a particular user's device during normal sign-in. End users can select Trusted Device in the VIP Self Service Portal. Trusted Device is a plug-in that installs a security certificate to register the laptop or PC. The certificate binds the user's device to a unique ID, and that unique ID becomes a credential assigned to the device and associated with that user.

Device Fingerprint is a JavaScript-based method of collecting and assessing detailed information about a user's device. Device Fingerprint evaluates attributes such as the operating system, screen size and resolution, browser, language, and time zone of a specific device.

Like VIP IA, VIP Remembered Devices provide security for your end users with little disruption of the user experience. If you want to layer VIP IA with VIP Remembered Device authentication, you must follow a specific procedure. See Configuring Remembered Devices in VIP Manager on page 11.

Chapter 2

Integration
This chapter includes the following topics:

Requirements

Integrating VIP Intelligent Authentication

Integrating the VIP Integration Code for JavaScript

Requirements
You must meet the following requirements to integrate VIP IA with your web pages:

Access to VIP Manager to enable and configure the VIP IA policy. If you also integrate a VIP Remembered Device, you need to enable the Remembered Device policy as well.

Access to the Configuration Console in VIP Enterprise Gateway to configure the Self Service Portal IDP. Because VIP Enterprise Gateway is typically installed in the enterprise data center, you may need to configure a reverse proxy or the Self Service Portal IDP Proxy in the DMZ so that end users outside the enterprise can reach the Self Service Portal IDP.

The VIP integration code uses jQuery version 1.6.2. If your sign-in page loads its own copy of jQuery, note that whichever copy loads last replaces the global $ and jQuery bindings unless jQuery.noConflict() is used to keep the two copies separate.

The following operating systems and browsers are supported for VIP IA (without VIP Remembered Devices):

Microsoft Windows XP, Windows Vista, Windows 7, and Windows 8: Internet Explorer 7 or higher, Firefox 3.6 or higher, Chrome 13 or higher

Mac OS 10.5.8 or higher: Safari 5 or higher

Mobile: Android 2.3 and 3.0 on Samsung mobile devices and tablets; iOS on iPhone 4 and iPad 2

If you combine VIP Remembered Device authentication with VIP IA, use the following supported operating systems and browsers:

Microsoft Windows XP, Windows Vista, Windows 7, and Windows 8: Internet Explorer 7 or higher, Firefox 3.6 or higher, Chrome 13 or higher

Mac OS 10.5.8 or higher: Safari 5 or higher

Integrating VIP Intelligent Authentication


The following steps summarize the process to integrate your web application with VIP Intelligent Authentication.

1. Configure the VIP IA policy within VIP Manager. See Configuring VIP Intelligent Authentication in VIP Manager on page 9.

   If you want to combine VIP Remembered Device authentication with VIP IA, you must also configure the Remembered Device policy. See Configuring Remembered Devices in VIP Manager on page 11.

2. Configure the Self Service Portal IDP to enable out-of-band (OOB) authentication. When VIP IA considers a sign-in event risky, it sends the user a security code through an OOB channel. See Configuring VIP IA and Remembered Devices with VIP Enterprise Gateway on page 12.

3. Update your web page(s) to include the VIP integration JavaScript. See Integrating the VIP Integration Code for JavaScript on page 13.

Figure 2-1 describes the process for integrating your web application with VIP IA and provides an overview of the VIP IA integration flow.

Figure 2-1  VIP Intelligent Authentication Integration Sequence (the figure itself is not reproduced in this text)

Configuring VIP Intelligent Authentication in VIP Manager


As the first step of VIP Intelligent Authentication integration, you must enable and configure the VIP IA policy in VIP Manager.

To configure VIP Intelligent Authentication in VIP Manager for the first time:

1. Sign in to your account in VIP Manager.

2. Select Policies in the navigation bar at the top of the page.

3. Select the VIP Intelligent Authentication tab.

4. Select the Edit link.

5. Enable VIP IA, and then configure the IA policy:

   Select a sign-in threshold appropriate for your users, based on how often you are willing for IA to require additional authentication. By default the threshold is set between Moderate and Strict, which is the setting that Symantec recommends.

   The stricter the threshold, the more sign-in events VIP IA considers suspicious. If the IA risk level for an authentication attempt is higher than the threshold, IA considers the attempt risky and recommends additional authentication before the user is granted access.

   Determine whether security codes should always be required for authentication from unrecognized devices. This option is checked by default and uses Device Fingerprint (configured in the VIP Account policy) to evaluate device attributes during sign-in. While it is enabled, a user signing in from an unrecognized device must always answer a security-code challenge, regardless of the current IA threshold or the risk score for that sign-in.

   If this option is disabled, whether a user is challenged depends only on the IA threshold, the IA policy settings, and the IA risk score; an unrecognized device by itself does not trigger a challenge. Disabling it also makes the IAAuthData parameter optional for the applicable IA APIs. See the VIP User Services Developer's Guide for details about IAAuthData.

   Optionally, specify additional high-risk countries. Any sign-in attempt from one of these countries increases the user's IA risk score.

   Optionally, specify IP addresses from which user sign-in attempts must always be blocked (fail) or always accepted (succeed). Up to 100 entries can be uploaded from a single file; one IP address or one IP address range counts as one entry. Write each IP address in dotted-decimal format, separate the two ends of a range with a hyphen, and separate entries with commas. For example:

   10.146.2.40,172.31.255.255,192.168.0.1-192.168.0.100

6. Click Save.

If you plan to combine VIP Remembered Device authentication with VIP IA, you must also configure the Remembered Device policy. See Configuring Remembered Devices in VIP Manager on page 11.

If you plan to integrate VIP IA with an externally accessible web application, use the VIP integration code for JavaScript. See Integrating the VIP Integration Code for JavaScript on page 13.
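The IP list format above is easy to get wrong in a way that only shows up when the upload is rejected. The following is an added example, not part of the Symantec guide or product: a small Node.js script that validates a list in the documented format (comma-separated entries, dotted-decimal IPv4 addresses, hyphen-separated ranges, at most 100 entries) and shows how the always-block and always-accept lists would be consulted for a given client address. The function names, the rule that an explicit block takes precedence over an explicit accept, and the 'evaluate' fallthrough to the risk engine are this example's assumptions; the guide does not state how VIP orders the two lists.

```javascript
// Added example, not Symantec code: validate a VIP Manager IP list in the
// documented upload format (comma-separated entries, dotted-decimal IPv4
// addresses, hyphen-separated ranges, at most 100 entries) and evaluate a
// client address against the always-block and always-accept lists. The
// precedence of block over accept and the 'evaluate' fallthrough to the
// risk engine are this example's assumptions, not documented VIP behaviour.

const MAX_ENTRIES = 100;

// Convert "a.b.c.d" to an integer in 0..4294967295. Strict dotted decimal only:
// no CIDR suffix, no empty octets, no hex or octal notation.
function ipv4ToInt(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text.trim());
  if (!m) throw new Error(`not a dotted-decimal IPv4 address: "${text}"`);
  let value = 0;
  for (let i = 1; i <= 4; i++) {
    const octet = Number(m[i]);
    if (octet > 255) throw new Error(`octet out of range in "${text}"`);
    value = value * 256 + octet; // arithmetic, not bit ops, so values >= 2^31 stay positive
  }
  return value;
}

// Parse the upload file contents into {entry, lo, hi} ranges (lo === hi for a
// single address). Rejects more than 100 entries, malformed ranges and ranges
// whose end precedes their start.
function parseIpList(fileText) {
  const entries = fileText.split(',').map((e) => e.trim()).filter((e) => e.length > 0);
  if (entries.length > MAX_ENTRIES) {
    throw new Error(`too many entries: ${entries.length} > ${MAX_ENTRIES}`);
  }
  return entries.map((entry) => {
    const parts = entry.split('-');
    if (parts.length > 2) throw new Error(`malformed range: "${entry}"`);
    const lo = ipv4ToInt(parts[0]);
    const hi = parts.length === 2 ? ipv4ToInt(parts[1]) : lo;
    if (hi < lo) throw new Error(`range end precedes start: "${entry}"`);
    return { entry, lo, hi };
  });
}

function ipInList(ip, ranges) {
  const n = ipv4ToInt(ip);
  return ranges.some((r) => n >= r.lo && n <= r.hi);
}

// Decision for one client address: 'fail' (always block), 'succeed' (always
// accept) or 'evaluate' (leave it to the risk engine). Assumption: an explicit
// block wins if an address is somehow on both lists.
function ipListDecision(ip, blockRanges, acceptRanges) {
  if (ipInList(ip, blockRanges)) return 'fail';
  if (ipInList(ip, acceptRanges)) return 'succeed';
  return 'evaluate';
}

// Constructed sample lists: the accept list is the guide's own example line;
// the block list uses a documentation-reserved range (RFC 5737).
const ACCEPT_LIST = parseIpList('10.146.2.40,172.31.255.255,192.168.0.1-192.168.0.100');
const BLOCK_LIST = parseIpList('198.51.100.0-198.51.100.255');

for (const ip of ['192.168.0.50', '192.168.0.101', '10.146.2.40', '198.51.100.7']) {
  console.log(ip, '->', ipListDecision(ip, BLOCK_LIST, ACCEPT_LIST));
}
```

Run the script with node before uploading a list; a thrown error names the offending entry. Note that the parser deliberately refuses CIDR notation and reversed ranges rather than silently normalizing them, because an "always accept" entry that is wider than intended is a bypass of the risk engine.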

Configuring Remembered Devices in VIP Manager


If you want to combine VIP Remembered Device authentication with VIP IA, you must enable VIP Remembered Devices within the applicable policy in VIP Manager.

To configure Remembered Devices in VIP Manager:

1. Sign in to your account in VIP Manager.

2. Select Policies in the navigation bar at the top of the page.

3. In the Account tab, select the Edit link.

4. In the Remembered Devices policy section, enable the type of credentials that your organization supports: Device Fingerprint, Trusted Device, or both.

5. Configure your policy settings:

   If you enable Device Fingerprint, also set the following:

   Set the maximum number of days before the device fingerprint expires, from 1 to 730. The fingerprint expires when this period ends even if the user has authenticated successfully in the meantime.

   Set the number of days after which the device fingerprint expires if the user has not used the device to authenticate successfully, from 1 to 365. A successful authentication restarts only this inactivity count; the fingerprint still expires after the number of days configured in the Expire after field.

   If you enable Trusted Device, also select whether to automatically upgrade Trusted Devices to the latest version. If you enable Auto-upgrade Trusted Device, users on supported platforms automatically receive the latest version of Trusted Device.

6. Enter the maximum number of devices that each user can register as Remembered Devices, from 1 to 20.

7. Select how devices are deleted if a user attempts to register more than the maximum allowed number of Remembered Devices:

   Select Auto to delete the least recently used Remembered Device automatically when the user registers another device. Users and administrators can still delete Remembered Devices manually at any time.

   Select Admin Only to require an administrator to delete a Remembered Device. The user cannot delete any Remembered Device without administrator intervention.

8. Click Save.

Note: If you want to provide VIP Remembered Devices for users without VIP IA, see the VIP Remembered Device Integration Guide.
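The IA threshold and the unrecognized-device option (see Configuring VIP Intelligent Authentication in VIP Manager) interact with the Device Fingerprint expiry and device-limit settings above at every sign-in. The following added example, which is not Symantec code and does not reproduce the VIP risk engine, models those policy settings in Node.js so that you can reason about which combinations produce a security-code challenge. The numeric 0..100 score scale, the class and function names, and the day-based expiry arithmetic are this example's assumptions; the risk score is simply an input, and Trusted Device certificates are not modelled.

```javascript
// Added example, not Symantec code: a model of the VIP Manager policy settings
// described in this guide, used to reason about when a sign-in is challenged.
// The risk score is produced by Symantec's engine and is only an input here;
// the 0..100 scale, the names below and the day arithmetic are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;

// Remembered Devices policy (Account tab): Device Fingerprint expiry plus the
// per-user device limit with Auto (least recently used) or Admin Only deletion.
class RememberedDevicePolicy {
  constructor({ expireAfterDays, inactiveAfterDays, maxDevices, deletion }) {
    if (!(expireAfterDays >= 1 && expireAfterDays <= 730)) throw new RangeError('Expire after: 1..730 days');
    if (!(inactiveAfterDays >= 1 && inactiveAfterDays <= 365)) throw new RangeError('inactivity expiry: 1..365 days');
    if (!(maxDevices >= 1 && maxDevices <= 20)) throw new RangeError('maximum devices: 1..20');
    if (deletion !== 'auto' && deletion !== 'adminOnly') throw new RangeError("deletion: 'auto' | 'adminOnly'");
    Object.assign(this, { expireAfterDays, inactiveAfterDays, maxDevices, deletion });
  }

  // A fingerprint is recognized only while BOTH clocks are within limits: the
  // absolute clock since registration (never reset by a sign-in) and the
  // inactivity clock since the last successful authentication.
  isFingerprintValid(device, now) {
    const ageDays = (now - device.registeredAt) / DAY_MS;
    const idleDays = (now - device.lastAuthAt) / DAY_MS;
    return ageDays <= this.expireAfterDays && idleDays <= this.inactiveAfterDays;
  }

  // Register a device for one user. With Auto deletion the least recently used
  // device is dropped once the limit is reached; with Admin Only the request
  // is refused until an administrator frees a slot.
  register(devices, newDevice) {
    if (devices.length < this.maxDevices) return [...devices, newDevice];
    if (this.deletion === 'adminOnly') {
      throw new Error('device limit reached; an administrator must delete a Remembered Device');
    }
    const lru = devices.reduce((a, b) => (a.lastAuthAt <= b.lastAuthAt ? a : b));
    return [...devices.filter((d) => d !== lru), newDevice];
  }
}

// VIP IA policy: a score above the threshold is "risky" and triggers the
// out-of-band security-code challenge. Because the comparison is
// score > threshold, a stricter setting is a LOWER number in this model. When
// "always require security codes from unrecognized devices" is on, an
// unrecognized device is challenged before the score is even consulted.
function iaDecision({ riskScore, threshold, alwaysChallengeUnrecognized, deviceRecognized }) {
  if (alwaysChallengeUnrecognized && !deviceRecognized) {
    return { challenge: true, reason: 'unrecognized device' };
  }
  if (riskScore > threshold) {
    return { challenge: true, reason: 'risk score above threshold' };
  }
  return { challenge: false, reason: 'score within threshold' };
}

// Constructed scenario: two-device limit with Auto deletion, 365-day absolute
// expiry, 90-day inactivity expiry, threshold 60.
function demo() {
  const policy = new RememberedDevicePolicy({
    expireAfterDays: 365, inactiveAfterDays: 90, maxDevices: 2, deletion: 'auto',
  });
  const now = Date.UTC(2016, 0, 1);
  const laptop = { id: 'laptop', registeredAt: now - 30 * DAY_MS, lastAuthAt: now - 1 * DAY_MS };
  const stale = { id: 'old-pc', registeredAt: now - 200 * DAY_MS, lastAuthAt: now - 120 * DAY_MS };
  const tablet = { id: 'tablet', registeredAt: now, lastAuthAt: now };

  let devices = policy.register([], laptop);
  devices = policy.register(devices, stale);
  devices = policy.register(devices, tablet); // limit hit: old-pc is the LRU and is evicted

  const ia = { threshold: 60, alwaysChallengeUnrecognized: true };
  return {
    remaining: devices.map((d) => d.id),                       // ['laptop', 'tablet']
    staleValid: policy.isFingerprintValid(stale, now),         // false: idle 120 d > 90 d
    laptopLowRisk: iaDecision({ ...ia, riskScore: 20,
      deviceRecognized: policy.isFingerprintValid(laptop, now) }).challenge, // false
    laptopHighRisk: iaDecision({ ...ia, riskScore: 75, deviceRecognized: true }).challenge, // true
    unknownLowRisk: iaDecision({ ...ia, riskScore: 20, deviceRecognized: false }).challenge, // true
    unknownLowRiskOptionOff: iaDecision({ ...ia, alwaysChallengeUnrecognized: false,
      riskScore: 20, deviceRecognized: false }).challenge,    // false
  };
}

console.log(demo());
```

The last two results are the ones worth checking against your own policy: with the unrecognized-device option on, a low-risk sign-in from a device whose fingerprint has lapsed is still challenged, and with it off the same sign-in passes on score alone. Leaving the option off therefore shifts the whole burden of catching new devices onto the threshold.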

Configuring VIP IA and Remembered Devices with VIP Enterprise Gateway
The VIP Enterprise Gateway acts as a bridge between the cloud-based VIP Service
and your application. For both VIP IA integration and Remembered Device
integration, use the VIP Enterprise Gateway Configuration Console to configure
the VIP Self Service Portal IDP. The Self Service Portal IDP facilitates the
out-of-band security codes that are delivered to your users if VIP IA considers their
sign-in events risky.
Consider the following when configuring these components:

Make sure that users outside the enterprise have access to the Self Service
Portal IDP by making the Self Service Portal IDP URL public or by configuring
a reverse proxy.

Symantec recommends that you also use the Configuration Console to configure
LDAP synchronization of your organization's user store to ensure that the user
information is current and valid.

Be sure that your Validation server is configured in User Name + LDAP Password
+ Security Code mode or User Name + Security Code mode.

See VIP Enterprise Gateway Installation and Configuration Guide for details about
VIP Self Service Portal settings in the VIP Enterprise Gateway Configuration
Console.


Integrating the VIP Integration Code for JavaScript


You can use JavaScript to integrate VIP IA with your externally accessible web applications.

To configure VIP integration code for JavaScript:

1. Sign in to your account in VIP Manager.

2. Select Policies in the navigation bar at the top of the page.

3. In the Account tab, select the Edit link.

4. Under VIP Integration Code for JavaScript, enter the externally accessible domain name(s) of the web applications that you plan to use with VIP IA. This step is optional for IA alone, but required if you configure Remembered Device authentication with VIP IA. For example, if your sign-in page URL is https://vpn.example.com, enter example.com.

5. Select the link for Get VIP Integration Code for VPN.

6. Select a method to generate the code.

   Note: The Simplified method assumes that your Validation server is configured in User Name + LDAP Password + Security Code authentication mode.

7. Enter the URL for the out-of-band authentication options. The URL must start with https when your VPN uses the secure protocol, as in the examples below.

   For users within the enterprise, the URL for the Self Service Portal IDP should be similar to
   https://<Your_Self_Service_Portal_IDP_URL>/vipssp/login

   For users outside the enterprise, the URL for the Self Service Portal IDP proxy should be similar to
   https://<Your_Self_Service_Portal_IDP_Proxy_URL>/dmzssp/DmzListener

   If you use a third-party reverse proxy in the DMZ, map the Self Service Portal IDP URL (https://<Your_SSP_IDP_URL>/vipssp/login) to your proxy URL and enter the reverse proxy URL on this page.

   If not already done, you must also configure the VIP Self Service Portal IDP or VIP Self Service Portal IDP Proxy in VIP Enterprise Gateway. See Configuring VIP IA and Remembered Devices with VIP Enterprise Gateway on page 12.

8. If you selected the Manual method, choose your preferred authentication mode, and then enter the required field and form names exactly as they appear in your sign-in page HTML.

   Example for User Name field name:
   <input type="text" value="" name="Signin.username"/>

   Example for Password field name:
   <input type="password" value="" name="Signin.password"/>

   Example for Form name:
   <form name="SigninForm" action="signin.action" method="post">

9. Click Generate VIP Integration Code.

10. Copy the VIP integration code that you generated in VIP Manager.

11. Enable the JavaScript console in your browser so that you can see any errors the integration code reports.

12. Paste the code between the <head> and </head> tags of your sign-in page.

Your sign-in page is now ready for VIP IA or VIP IA/Remembered Device layered authentication.

If your application requires additional code modification for the sign-in page, download your application's integration guide from VIP Manager for details.
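With the Manual method, the names you enter must match the sign-in page exactly; a mismatch produces the "Unable to successfully integrate VIP code" error described in Appendix A. The following added example (not part of the guide or of the generated VIP integration code) is a Node.js pre-flight check that scans the sign-in page HTML for the configured form and field names before you paste in the integration code. The regex-based scan is a simplification that does not handle HTML comments or markup generated by script; checkVipFormNames and the sample page are constructed for this example.

```javascript
// Added example, not Symantec code: a pre-flight check for the Manual method.
// The form name and field names entered in VIP Manager must match the sign-in
// page exactly, so scan the page HTML for them before pasting in the
// generated integration code. The regex scan is a simplification (no handling
// of HTML comments or script-generated markup); checkVipFormNames and the
// sample page below are constructed for this example.

// Read one attribute from a single tag string; returns null when absent.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = re.exec(tag);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

// Collect every <form> with its method and the name/type of each <input>.
function collectForms(html) {
  const forms = [];
  const formRe = /<form\b[^>]*>([\s\S]*?)<\/form>/gi;
  let fm;
  while ((fm = formRe.exec(html)) !== null) {
    const openTag = fm[0].slice(0, fm[0].indexOf('>') + 1);
    const inputs = [];
    const inputRe = /<input\b[^>]*>/gi;
    let im;
    while ((im = inputRe.exec(fm[1])) !== null) {
      inputs.push({
        name: attr(im[0], 'name'),
        type: (attr(im[0], 'type') || 'text').toLowerCase(),
      });
    }
    forms.push({
      name: attr(openTag, 'name'),
      method: (attr(openTag, 'method') || 'get').toLowerCase(),
      inputs,
    });
  }
  return forms;
}

// config: { formName, usernameField, passwordField, securityCodeField? } as
// entered on the VIP Integration Code for JavaScript page. Returns a list of
// problems; an empty list means the names line up with the page.
function checkVipFormNames(html, config) {
  const problems = [];
  const form = collectForms(html).find((f) => f.name === config.formName);
  if (!form) {
    problems.push(`no <form name="${config.formName}"> found on the page`);
    return problems;
  }
  const byName = new Map(form.inputs.map((i) => [i.name, i]));
  if (!byName.has(config.usernameField)) {
    problems.push(`user name field "${config.usernameField}" is not in the form`);
  }
  const pass = byName.get(config.passwordField);
  if (!pass) {
    problems.push(`password field "${config.passwordField}" is not in the form`);
  } else if (pass.type !== 'password') {
    problems.push(`"${config.passwordField}" has type=${pass.type}; expected type=password`);
  }
  if (config.securityCodeField && !byName.has(config.securityCodeField)) {
    problems.push(`security code field "${config.securityCodeField}" is not in the form`);
  }
  if (form.method !== 'post') {
    problems.push(`form method is ${form.method}; credentials should be sent with POST`);
  }
  return problems;
}

// Constructed sample sign-in page built from the guide's own example tags.
const SAMPLE_SIGNIN_PAGE = `
<html><head><title>Sign in</title></head><body>
<form name="SigninForm" action="signin.action" method="post">
  <input type="text" value="" name="Signin.username"/>
  <input type="password" value="" name="Signin.password"/>
  <input type="submit" value="Sign in"/>
</form></body></html>`;

// What was typed into VIP Manager for the Manual method.
const VIP_MANAGER_ENTRIES = {
  formName: 'SigninForm',
  usernameField: 'Signin.username',
  passwordField: 'Signin.password',
};

console.log(checkVipFormNames(SAMPLE_SIGNIN_PAGE, VIP_MANAGER_ENTRIES)); // []
```

Feed the script the HTML the browser actually receives (saved from the browser, not the server-side template), because the integration code locates the form in the rendered page. The POST check is an extra that the guide does not require; a GET form would put the password into the URL and server logs.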

Appendix A

Troubleshooting
This appendix includes the following topics:

After Loading the Sign-in Page

After Selecting the Submit Button

After Loading the Sign-in Page


Table A-1 lists the error message that may appear after you load the sign-in page.

Table A-1    Error Message After Loading the Sign-In Page

Issue: The following error message appears after an unsuccessful integration of the VIP code:

    Unable to successfully integrate VIP code. If the issue continues, refer to the VIP documentation as noted on the VIP Integration Code for JavaScript page.

Resolution: This error can occur because one or more of the entries you made in the required fields during code generation (for example the user name field, password field, security code field, or form name) cannot be found on the page. Make sure that every required field was entered with the exact name that appears in your HTML, and check the page for JavaScript errors and inadvertent typos. If you selected the Simplified method, try the Manual method instead.

After Selecting the Submit Button


Table A-2 lists the error messages that may appear after the selection of the Submit
button.

Table A-2    Error Message After Selection of Submit Button

Issue: You cannot view the Confirm Your Identity window.
Resolution: Make sure that:
    the JavaScript does not contain any syntax errors
    the VIP User Services URL is accessible from the client computer
    the domain of your server (or its IP address) has been added in VIP Manager

Issue: The Confirm Your Identity window appears repeatedly even after you select the Remember Me option.
Resolution: Make sure that the browser is not set to clear its cache automatically.

Issue: You cannot view the Don't have a security code? link in the Confirm Your Identity window.
Resolution: Make sure that:
    the user has a valid email address
    the Self Service Portal IDP proxy service is running
    the Self Service Portal can be accessed from the client computer

Issue: You cannot view the Remember Me check box in the Confirm Your Identity window.
Resolution: Make sure that:
    the user exists in the User Store
    the Trusted Device option is disabled in the policy for your VIP Manager account

Issue: When you attempt to generate a security code, the following message appears in the console log:
    "Unable to generate security code." <failure_reason>
Resolution: <failure_reason> states why the request to generate a security code failed.

Issue: An exception occurs when you attempt to generate a security code. Look for this line in the console log:
    ERROR: Unable to generate security code.
Resolution: Although it is unlikely, this error can occur when you attempt to generate a security code.

Issue: Other generic errors appear. Look for this line in the console log:
    ERROR: Unable to submit the request.
Resolution: Any exception that occurs before the generation of a security code can cause this error.

Issue: You cannot sign in after including the VIP integration code.
Resolution: Verify that your sign-in page is well-formed HTML and that you placed the VIP integration code within the proper tags.

Issue: Your attempt to sign in to the VIP Self Service Portal is aborted.
Resolution: Open a new tab or browser and manually enter the IDP URL. If the IDP uses a self-signed certificate, the browser will not trust it; use a certificate issued by a trusted public CA instead.

