OpenAM support for user geo location and user device identity


This topic has 3 replies, 2 voices, and was last updated 5 years, 2 months ago by Andy Cory.

  • Author
  • #17654

    Hi all,

    We need to understand more on the below points out of box support from the openam, if not whats the best way to achieve the same.
    * If user change the Geo location, user need to get a second factor authentication, preferred email confirmation
    * If user change the device for logon, user need to get a second factor authentication, preferred email.


     Andy Cory

    Please check the documentation for the Adaptive Risk Authentication Module here (assuming OpenAM 13.5).

    The Adaptive Risk Authentication Module can also be configured to check whether the client IP address location matches a country specified in the configured Valid Country Codes list. Note that the geolocation database isn’t shipped with OpenAM, but is available here. More accurate paid-for databases are available.

    The Adaptive Risk Authentication Module can also be configured to check for a device cookie to fulfil your second requirements.

    In both cases, the Adaptive Risk Authentication Module should be configured in a chain of modules, and will pass processing to the next module in the chain if it determines a second factor is required. The next module can be an HOTP module to send a one time password to the user’s configured email address.

    If the device cookie check in the Adaptive Risk Authentication Module doesn’t meet your needs (if your client devices cannot handle a cookie, for example), then the Device ID modules may provide an answer – see the documentation here.



    Thanks Andy,

    Can you please explore more on using the device cookie? Virtual machines (citrix) also expected on our environment. kindly help us with the high level logic.

     Andy Cory

    The device cookie functionality of the adaptive risk module checks for a specific cookie in the request, and checks that the value, which is a hashed device identifier, matches the device making the request. The ‘device’ could be anything capable of using cookies; let’s make an assumption it’s a browser. A browser in a Citrix VM should behave in the same way as a browser running on a physical machine, so this check should work fine. The question is, how does the cookie get sent to the browser in the first place? One of the setting in the device cookie functionality is ‘Save Device Registration on Successful Login’, which sets the cookie in the response to a successful login. If the same browser were to attempt a login in future, the cookie would be presented to the adaptive risk module.

    It’s possible to end up with a situation where the user needs the cookie in order to authenticate successfully, but doesn’t get the cookie until a successful authentication… so it’s worth making sure your authentication strategy allows an authentication to succeed by other methods than just the device cookie. Using the absence of the cookie to prompt a one time password is a classic pattern.

    If you do go down this route, note that in order to have the cookie saved in the response following a successful authentication it’s necessary to save the data as part of post authentication processing by adding org.forgerock.openam.authentication.modules.adaptive.Adaptive to the list of post authentication plugins.


Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?