Functional overview

Context-based access includes an external authorization service (EAS), runtime authorization service, and attribute collection service.

The following diagram illustrates the architecture of context-based access. The diagram also shows how the various components plug into WebSEAL. WebSEAL is a component available in the following IBM products:
  • IBM Web Gateway Appliance
  • IBM® Security Verify Access
  • Tivoli Verify Access for e-business
Figure 1. Context-based access architecture
Context-based access runtime services
Context-based access provides the following runtime services:
Authorization service
The context-based access authorization service is a component of the runtime environment. The runtime authorization service stores the policy, calculates the risk score, and makes the access decision. The authorization service exposes an XACML over SOAP web service that third-party enforcement points can call to get authorization decisions.
Attribute collection service
The attribute collection service is a Representational State Transfer (REST) service that collects web browser and location attributes from the user. The attribute collection service is a push service. You can configure the context-based access runtime service to use the collected attributes as the policy attributes for calculating risk. You can also use the Java™ ADK to plug in your custom implementation for a pull service that retrieves attributes from the user.
Risk-scoring engine
The risk-scoring engine calculates the risk or confidence level. It provides a single integer that represents the risk score for the current transaction in the form of a percentage. The risk score is calculated based on the weights that are assigned to one or more of the following policy attributes that are part of the active risk profile:
  • Device identification or fingerprint, such as details of hardware, IP address, location information, IP address reputation, operating system, web browser type, web browser version, web browser plug-ins, and screen resolution.
  • Behavioral patterns, such as frequency of login, time of access, frequency of access, and type of transactions.
  • Custom attributes that you can configure and manage through a pluggable interface. The context-based access authorization service is extensible and can also include external sources for attributes.
The risk engine returns the final risk score as a policy attribute, which is the basis of the final authorization decision.
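A simplified worked illustration, added here and not part of the IBM documentation, of the weighted scheme described above: each fingerprint attribute in an assumed risk profile carries a weight, the score is the weighted share of attributes that differ from the registered device (rounded to an integer percentage), and thresholds map it to permit, step-up or deny. The attribute names, weights, thresholds and the mismatch formula are assumptions for illustration, not IBM's documented algorithm.

```python
from typing import Mapping, Optional

# Assumed risk profile: policy attribute -> weight. Values are illustrative,
# not IBM defaults. Weights here sum to 100 but need not.
RISK_PROFILE = {
    "ip_address": 30,
    "os": 15,
    "browser_type": 15,
    "browser_version": 10,
    "browser_plugins": 15,
    "screen_resolution": 15,
}

# Constructed sample fingerprints (registered device vs. the current request).
REGISTERED_DEVICE = {
    "ip_address": "203.0.113.10", "os": "Windows 10", "browser_type": "Firefox",
    "browser_version": "118", "browser_plugins": "pdf,webgl", "screen_resolution": "1920x1080",
}
CURRENT_REQUEST = dict(REGISTERED_DEVICE, ip_address="198.51.100.7", browser_version="119")


def risk_score(profile: Mapping[str, int], registered: Mapping[str, str],
               current: Mapping[str, Optional[str]]) -> int:
    """Integer percentage of total weight carried by attributes that mismatch.

    An attribute absent from the current request is treated as a mismatch,
    so a client that withholds fingerprint data cannot lower its score.
    """
    total = sum(profile.values())
    if total <= 0:
        return 0
    mismatched = sum(weight for attr, weight in profile.items()
                     if current.get(attr) is None or current.get(attr) != registered.get(attr))
    return round(100 * mismatched / total)


def decide(score: int, step_up_at: int = 30, deny_at: int = 70) -> str:
    """Map a risk score to the enforcement action (thresholds are assumed)."""
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step-up"
    return "permit"


if __name__ == "__main__":
    s = risk_score(RISK_PROFILE, REGISTERED_DEVICE, CURRENT_REQUEST)
    print(f"risk score {s}% -> {decide(s)}")  # new IP and browser version: 40% -> step-up
```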
Policy enforcement point (PEP)
WebSEAL is the policy enforcement point for context-based access. Context-based access integrates with the existing WebSEAL authentication mechanisms, such as cross domain authentication service (CDAS) and external authentication interface (EAI).
External authorization service
The runtime security services EAS plug-in for WebSEAL enforces the policy decision. The EAS takes the request data and sends an authorization decision request to the context-based access authorization service. The authorization service maps the authorization decision response to the appropriate WebSEAL action, such as permit, deny, or step-up authentication. You can manage the EAS with entries in the webseald.conf file with the WebSEAL stanza syntax. The isamcfg tool automates the configuration of the EAS for the predefined scenarios provided with the product.
Policy information points (PIPs)
Policy information points are components of the context-based access authorization service. They provide all the policy attributes that are not provided in the initial access request. The risk score and attributes that are pushed to the attribute collection service are provided to the authorization service through PIPs.
Context-based access includes ready-to-use PIP implementations that provide the policy attributes that are required. You can also provide custom policy attributes to the authorization service through a custom PIP.
Policy decision point (PDP)
The runtime authorization service is the policy decision point for context-based access. This service is configured to use the PEP context-based access plug-in. The authorization decision is based on an authorization policy that uses policy attributes and PIPs that are specific to context-based access. The PIPs provide information, such as risk score, user location, and device type.
Policy administration point (PAP)
The IBM Security Verify Access appliance is the policy administration point for context-based access. Context-based access provides an administrative console for configuring and managing the policies, risk profiles, attributes, and weights, which are required for calculating risk.