Beta: Adapt-Affirm Integration in CC
Please note, this integration is in a beta phase. Please provide any feedback or enhancement requests to your HYPR Account Manager and these will be worked into our next release.
HYPR Affirm calls for this feature can be found in the HYPR Affirm API in the HYPR Passwordless API.
See also the HYPR Adapt policy evaluation call, which is used to determine if HYPR Affirm comes into play.
If an Adapt policy finds that a user has exited the bounds set for an event, Affirm will be triggered, thereby forcing the user to re-verify their identity. This is enforced in Keycloak.
Configuring HYPR to use Adapt and Affirm together is accomplished in the following steps:
-
Configure the HYPR Affirm verification flow to be used.
-
Complete the following fields in Okta for affected users:
- Mobile phone
- Street address
- City
- State
- Zip code
- Manager
- ManagerId
-
Modify the Adapt policy to be used, and add any additional checks as desired. The Adapt policy must be written with the following additions specifically for triggering the Affirm authenticator:
verificationFlowId = 382382635631346432allowedAuthenticators = authenticators {
not allowed # This ensures the rule only applies if condition is true
authenticators := ["AFFIRM"]
}Here is a sample policy write-up:
package authz
import future.keywords.if
import future.keywords.in
default allowed := false
verificationFlowId = 382382635631346432
result = {"verificationFlowId" : verificationFlowId}
currentSystemTime := time.now_ns() / 1000000
# Rule to get the last KC auth event based on eventTimeInUTC
latestAffirmEvent = last_event {
# Filter events
affirmEvents := {event |
event := input.events[_]
filterSuccessfulAffirmEvents(event)
}
# Extract event times and sort them
event_times := [event.eventTimeInUTC | event := affirmEvents[_]]
sorted_times := sort(event_times)
# Get the last time
last_time := sorted_times[count(sorted_times) - 1]
# Find the event that matches the last time
event := affirmEvents[_]
event.eventTimeInUTC == last_time
# Return the event
last_event := event
}
# Get latest Affirm event - make sure attestationResult is successful - check within hardcoded 20 minute time window
latestAffirmEventIsSuccessful if {
latestSignal := latestAffirmEvent
#latestSignal.additionalDetails.affirmInformation.attestationResult == "SUCCESS"
checkAgainstTimeWindow(latestSignal.eventTimeInUTC)
}
# *** Using current system time and event time we check against configured blocked user time window to determine if event should be considered
checkAgainstTimeWindow(eventTime) if {
timeDifferenceMillis = currentSystemTime-(to_number(eventTime))
timeDifferenceMillis < 3 * 1000 * 60
}
# *** events to search for
filterSuccessfulAffirmEvents(event) if {
event.isSuccessful == true
event.eventName == "KEYCLOAK_USER_EVENT"
event.eventTags == "AUTHENTICATION"
}
allowed if {
latestAffirmEventIsSuccessful
}
# ***
allowedAuthenticators = authenticators {
not allowed # *** This ensures the rule only applies if condition is true
authenticators := ["AFFIRM"]
}
allowedAuthenticators = authenticators {
allowed # *** This ensures the rule only applies if condition is false
authenticators := ["PUSH"]
}
message = "Forcing KC flow, could not find Affirm success event in last 3 minutes" if {
not allowed
}
message = "Successful KC flow event found, skipping Affirm requirement" if {
allowed
} -
Contact HYPR Support to turn on the Adapt-Affirm integration feature.
-
Create a new API Access (Bearer) Token in the affected RP application(s) to connect the HYPR API.