
External question sets and authentication plugins

Bravura Security Fabric can use external programs to retrieve security question data, and to validate answers in order to authenticate Bravura Security Fabric users. This allows you to integrate Bravura Security Fabric with human resources databases or with external authentication systems, such as token or smart card systems.

The following sections show you how to:

  • Write plugin programs for external security questions and authentication

  • Enable plugins for external question sets

  • Enable plugins for external authentication

  • Configure the shipped odbcqa (ODBC) and resextqa (SHA1 hashing) plugins

  • Configure a security question response validation plugin

See also

Alternatively, you can configure a custom authentication chain, using the Connector package agent module (agent.pss) with a suitable connector to perform a user verify or challenge-response operation. See Use case: Adding RSA Authentication method to Bravura Security Fabric.

Writing plugin programs for external security questions and authentication

Authentication plugins allow Bravura Security Fabric to interface with an external authentication system. Each plugin corresponds to a question set configured in the Bravura Security Fabric system.

An authentication plugin is a PSLang script or console executable that reads its input from, and writes its output as, plain text in KVGroup format. For more information about PSLang see the PSLang Manual (pslang.pdf).

CGI programs execute the authentication plugin to perform one of four tasks. Which tasks a plugin may be asked to perform depends on how the corresponding question set is configured, but each time the plugin runs it is asked to perform exactly one operation. A plugin should fail closed on an action it does not recognize rather than report success.

Bravura Security Fabric can issue the following requests to the authentication plugin:

  • Request questions

    Bravura Security Fabric receives questions from the authentication plugin, and displays the questions to the user.

  • Request questions and answers

    Bravura Security Fabric reads the questions and answers from the authentication plugin and internally validates the responses from the user.

    The External program provides answers along with questions option must be enabled for the question set.

  • Validate answers

    The authentication plugin reads the responses provided by the user, and tells Bravura Security Fabric whether or not the answers are valid.

    The External program provides answers along with questions option must be disabled for the question set.

  • Update questions and answers

    When users update existing questions and add new ones, their changes are forwarded to the external system.

    The Users allowed to edit questions/answers option must be enabled for the question set.

This section details input / output requirements for authentication plugins when:

  • Requesting questions

  • Requesting questions and answers

  • Validating answers

  • Editing questions and answers

Requesting questions

When the input information from Bravura Security Fabric includes a task action of "questions", the authentication plugin should write a list of questions back to the CGI program.

Input

"action" "questions" = {
       "state" = "0"
       "userid" = "USER"
     }

The "state" can be any integer.

Output

"action" "questions" = {
       "returnval" = "RETURNVAL"
       "qid" "QID1" = {
         "question" = "QUESTION1"
         "answer" = "ANSWER1"
       }
       "qid" "QID2" = {
         "question" = "QUESTION2"
         "answer" = "ANSWER2"
       }
       ...
     }

Both "question" and "answer" are optional, depending on how the question set is configured:

  • If the External program provides answers along with questions box is not checked in the question set configuration page, any "answer" values the plugin returns are ignored by Bravura Security Fabric.

  • For external pre-defined question sets, the "qid" values are expected to be the same as in the qdef table, where the question text is already defined, so "question" may be omitted.

Requesting questions and answers

If the External program provides answers along with questions box is checked in the question set configuration page, then the authentication plugin must supply answers as well as questions. The input / output will be the same as in the above example, but the "answer" value is required.

Validating answers

When the input includes a task action of "validate", the authentication plugin should accept a list of answers in the same form as above. The authentication plugin receives an answer for every question that it supplied.

Input

"action" "validate" = {
       "state" = "STATE"
       "qid" "QID1" = {
         "answer" = "ANSWER1"
       }
       "qid" "QID2" = {
         "answer" = "ANSWER2"
       }
       ...
     }

Output

"action" "validate" = {
       "returnval" = "RETURNVAL"
       // the following are optional
       "errmsg" = "ERRMSG"
       "state" = "STATE"
       "qid" "QID1" = {
         "answer" = "ANSWER1"
       }
       "qid" "QID2" = {
         "answer" = "ANSWER2"
       }
       ...
     }

Once the authentication plugin receives all of the answers, it should check the answers for correctness. A "returnval" value of 0 means the answers are valid; any other "returnval" value means they are not. The "errmsg" tag can be used to indicate the error for a failed operation. Treat the set of answers as a single credential: evaluate every answer before returning a result, and keep "errmsg" generic rather than identifying which answer was wrong, so that a caller cannot confirm answers one at a time.

Editing questions and answers

When input includes a task action of "edit", the authentication plugin should accept both questions and answers.

Input

"action" "edit" = {
      "qid" "QID1" = {
        "question" = "QUESTION1"
        "answer" = "ANSWER1"
      }
      "qid" "QID2" = {
        "question" = "QUESTION2"
        "answer" = "ANSWER2"
      }
      ...
    }

If both the question and the answer are blank, the security question pair was removed. The questions are not provided for pre-defined question sets.

Output

"action" "edit" = {
       "returnval" = "RETURNVAL"
     }

A "returnval" value of 0 means the update was successful.
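The request and reply shapes above, as an added example that is not part of this page or of Bravura Security Fabric: a minimal console plugin in Python that reads one KVGroup request from standard input, dispatches on the "questions", "validate" and "edit" actions, and writes the reply KVGroup to standard output. The KVGroup reader and writer, the in-memory answer store, the "<userid>:<n>" qid convention and the salted SHA-256 storage of answers are all assumptions made for this example (the validate and edit inputs on this page carry no userid, so the example routes them by the qid it minted); a real plugin would replace the store with calls to the HR database or authentication system.

```python
import hashlib, hmac, os, re, sys, unicodedata

# KVGroup tokens as they appear in the samples on this page (assumed grammar):
# quoted strings, '=', '{', '}', whitespace and '//' comments.
_TOKEN = re.compile(r'\s+|//[^\n]*|"((?:[^"\\]|\\.)*)"|([={}])')

class KVGroup:
    """One '"name" "label" = { ... }' block: ordered leaves plus nested groups."""
    def __init__(self, name, label=""):
        self.name, self.label, self.values, self.groups = name, label, {}, []

    def to_text(self, depth=0):
        pad = "  " * depth
        esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
        out = [f'{pad}"{esc(self.name)}" "{esc(self.label)}" = {{']
        out += [f'{pad}  "{esc(k)}" = "{esc(v)}"' for k, v in self.values.items()]
        out += [g.to_text(depth + 1) for g in self.groups]
        return "\n".join(out + [pad + "}"])

def _tokens(text):
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m: raise ValueError(f"malformed KVGroup at offset {pos}")
        pos = m.end()
        if m.group(1) is not None:
            yield ("str", re.sub(r"\\(.)", r"\1", m.group(1)))   # unescape \" and \\
        elif m.group(2):
            yield (m.group(2), None)

def parse(text):
    toks = list(_tokens(text))
    try:
        group, end = _parse_group(toks, 0)
    except IndexError:
        raise ValueError("truncated KVGroup input") from None
    if end != len(toks):
        raise ValueError("trailing data after the top-level group")
    return group

def _parse_group(toks, i):
    if [t[0] for t in toks[i:i + 4]] != ["str", "str", "=", "{"]:
        raise ValueError('expected "name" "label" = {')
    group, i = KVGroup(toks[i][1], toks[i + 1][1]), i + 4
    while toks[i][0] != "}":
        if toks[i + 1][0] == "=":                           # leaf: "key" = "value"
            if toks[i][0] != "str" or toks[i + 2][0] != "str": raise ValueError("malformed leaf")
            group.values[toks[i][1]] = toks[i + 2][1]
            i += 3
        else:                                                # nested "key" "label" = { ... }
            child, i = _parse_group(toks, i)
            group.groups.append(child)
    return group, i + 1

def _digest(salt, answer):
    folded = " ".join(unicodedata.normalize("NFKC", answer).casefold().split())
    return hashlib.sha256(salt + folded.encode()).hexdigest()

def _record(userid, question, answer):
    salt = os.urandom(16)                                   # per-record salt (assumption)
    return (userid, question, salt, _digest(salt, answer))

# Constructed in-memory store standing in for the external system. Assumed for this example
# only: qids are globally unique "<userid>:<n>", so validate/edit can be routed by qid alone.
STORE = {"USER:1": _record("USER", "Name of your first school?", "Park Hill"),
         "USER:2": _record("USER", "City where you were born?", "Leeds")}

def handle(request):
    reply = KVGroup("action", request.label)
    reply.values["returnval"] = "0"
    if request.label == "questions":
        for qid, (owner, question, _, _) in STORE.items():
            if owner == request.values.get("userid"):
                reply.groups.append(KVGroup("qid", qid)); reply.groups[-1].values["question"] = question
        if not reply.groups:
            reply.values.update(returnval="1", errmsg="no questions enrolled")
    elif request.label == "validate":
        # Check every answer without short-circuiting, in constant time: neither timing nor errmsg says which failed.
        ok = bool(request.groups)
        for q in request.groups:
            owner, _, salt, digest = STORE.get(q.label, (None, "", b"", ""))
            match = hmac.compare_digest(digest, _digest(salt, q.values.get("answer", "")))
            ok = match and owner is not None and ok
        if not ok:
            reply.values.update(returnval="1", errmsg="one or more answers are incorrect")
    elif request.label == "edit":
        for q in request.groups:
            question, answer = q.values.get("question", ""), q.values.get("answer", "")
            if not question and not answer:
                STORE.pop(q.label, None)                      # blank pair: question removed
            else:                                             # keep old text if only the answer changed
                old = STORE.get(q.label)
                STORE[q.label] = _record(q.label.split(":", 1)[0], question or (old[1] if old else ""), answer)
    else:
        reply.values.update(returnval="2", errmsg=f"unsupported action {request.label!r}")  # fail closed
    return reply

if __name__ == "__main__":                                    # console plugin: request on stdin, reply on stdout
    sys.stdout.write(handle(parse(sys.stdin.read())).to_text() + "\n")
```

Run it with a request on standard input, for example `printf '"action" "questions" = { "state" = "0" "userid" = "USER" }' | python3 plugin.py`. The validate branch checks every supplied answer before it returns, rejects any qid it did not hand out, and reports a single generic "errmsg", so a caller cannot confirm answers one at a time; an unknown action yields a non-zero "returnval" rather than silently passing.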

Enabling plugins for external question sets

To configure a plugin to look up and store security question data on an external source, but validate the responses in Bravura Security Fabric :

  1. Write a custom plugin, or a configuration script for a plugin shipped with Bravura Security Fabric. There are two shipped plugins:

    • odbcqa.exe looks up and stores security question information on an ODBC DSN connection.

    • resextqa.exe manages security questions using SHA1 hashing and stores security question information internally.

  2. Ensure the program is located in the plugin directory on the Bravura Security Fabric server.

    If the program requires a script or configuration file, ensure that the file is also located in this directory.

  3. Add an external question set .

  4. Enable the authentication method:

    • Using the Manage the system > Modules > Front-end (PSF) menu:

      • Set PSF EXT to Security questions or User selectable.

      • Ensure that PSFEXT VALUES includes response.pss.

      Or

    • By adding a security question authentication module to an authentication chain .

      This method provides more flexible configuration options.

Enabling plugins for external authentication

To enable a plugin to look up and store security question data, and validate responses on an external program:

  1. Write a custom plugin .

  2. Ensure the program is located in the plugin directory on the Bravura Security Fabric server.

    If the program requires a script or configuration file, ensure that the file is also located in this directory.

  3. If required, add an external question set.

    This is optional if the external program can validate responses. You can add an external question set if you want users to define questions or answers to complete their profile.

  4. Enable the authentication method:

    • Using the Manage the system > Modules > Front-end (PSF) menu:

      • Set PSF EXT to Security questions or User selectable.

        You must select User selectable if you did not add a question set.

      • Add the plugin or script name to PSFEXT VALUES.

      Or

    • By adding an external authentication module to an authentication chain .

      This method provides more flexible configuration options.

ODBC (odbcqa)

The odbcqa external security questions plugin program retrieves question and answer information over an ODBC connection to a database such as Oracle or Microsoft SQL Server.

To use this program:

  1. Configure an ODBC connection DSN.

  2. Configure the database server (SQL or Oracle).

  3. Edit the odbcqa.psl file to suit your environment.

  4. Add a NULL target system.

  5. Optionally, add an external question set, and set the External program to odbcqa.

  6. Enable odbcqa as an authentication method.

These steps are detailed below.

To configure an ODBC connection DSN:

  1. Open ODBC Data Source Administrator.

    • From a 32-bit Windows server, go to Start > Administrative Tools > Data Sources (ODBC).

    • From a 64-bit Windows server, open the administrator whose bitness matches the plugin executable: %windir%\System32\odbcad32.exe is the 64-bit ODBC Data Source Administrator and %windir%\SysWOW64\odbcad32.exe is the 32-bit one. A System DSN created in one is not visible to programs of the other bitness, so a 32-bit odbcqa.exe will not find a DSN that was created in the 64-bit administrator.

  2. Select the System DSN tab.

  3. Click Add to add a new DSN.

  4. Select one of the listed data sources (SQL Server Native Client, or Oracle client).

If you selected SQL Server Native Client:

  1. Provide the Name of the data source, for example EXTQA_DSN, select the server to connect to from the drop-down list, then click Next.

  2. Select With SQL Server authentication using a login ID and password entered by the user. Provide a valid login for the SQL Server you are connecting to, and click Next.

  3. Click Next to use the default database.

  4. Click Next to use the default language.

  5. Click Finish to finish adding the data source.

  6. Click Test Data Source to check that the login is valid on the database server, then click OK to quit the program.

If you selected Oracle Client:

  1. Provide a Data Source Name (any name), a Description (any string), a valid TNS Service Name, and a valid User ID on the database server.

  2. Click Test Connection to check that the connection to the server with the provided credentials succeeds.

  3. Click OK to finish adding the data source.

To configure the database server (SQL or Oracle):

  1. Create two new tables on the server with the following table names and fields:

     Table name          Fields
     allowedquestions    question
     userqa              profileguid/profilename, question, answer

    • allowedquestions stores all questions that are available for users to authenticate with.

    • userqa stores the questions and answers for individual users, keyed by profileguid or profilename. Which of the two columns you add to userqa depends on which script you copied over (see below).

  2. Insert the questions into the allowedquestions table.

Configure the odbcqa plugin using a file called odbcqa.psl. Copy the odbcqa_guid.psl file or odbcqa_name.psl file from the samples\ directory to the \<instance>\script\ directory, rename it to odbcqa.psl, and edit it to suit your environment.

  • odbcqa_guid.psl uses profileguid to identify user. Profileguid never changes once it is assigned to a user.

  • odbcqa_name.psl uses profilename to identify the user. Profilename is more user-friendly but it does not stay constant; you will have to manually change the entries for any user whose profilename changes.

The file is written using the PSLang language. For more information, see the PSLang Manual ( pslang.pdf ) .

The following functions must be included in the script:

  • getQuestions: retrieve questions from the database server.

  • getQuestionsAndAnswers: retrieve questions and answers from the database server.

  • targetid: return the target system ID for the ODBC database.

  • validateAnswer: validate that the user's answer matches the answer stored in the database.
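As an added illustration of what those four functions do, written in Python over an in-memory SQLite database rather than in PSLang (this is not the shipped odbcqa.psl and not any code from the product): the allowedquestions/userqa schema from the steps above, the seed rows, and the normalization rules are constructed for the example, and SQLite stands in for the ODBC DSN so that it runs offline. It also shows the pattern to avoid when the profile name, which is user-influenced data in the odbcqa_name.psl variant, is built into SQL text instead of being bound as a parameter.

```python
import hashlib
import hmac
import sqlite3
import unicodedata

# Schema from the page: allowedquestions(question) and userqa(profileguid, question, answer).
# An in-memory SQLite database stands in for the ODBC DSN; odbcqa_name.psl would key
# userqa by profilename instead of profileguid.
SCHEMA = """
CREATE TABLE allowedquestions (question TEXT PRIMARY KEY);
CREATE TABLE userqa (
    profileguid TEXT NOT NULL,
    question    TEXT NOT NULL,
    answer      TEXT NOT NULL,
    PRIMARY KEY (profileguid, question)
);
"""

def targetid():
    """The target system ID the script reports; EXTQATARGET is the page's default."""
    return "EXTQATARGET"

def open_store(allowed, userqa_rows):
    """Create both tables and load constructed seed rows (example data only)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO allowedquestions VALUES (?)", [(q,) for q in allowed])
    db.executemany("INSERT INTO userqa VALUES (?, ?, ?)", userqa_rows)
    return db

def get_questions(db, profileguid):
    """getQuestions: offer only the user's questions that are still in allowedquestions,
    so a question retired by the administrator stops being used for authentication."""
    rows = db.execute(
        "SELECT u.question FROM userqa AS u"
        " JOIN allowedquestions AS a ON a.question = u.question"
        " WHERE u.profileguid = ? ORDER BY u.question", (profileguid,))
    return [row[0] for row in rows]

def get_questions_and_answers(db, profileguid):
    """getQuestionsAndAnswers: for question sets where Bravura Security Fabric
    validates the responses itself."""
    rows = db.execute("SELECT question, answer FROM userqa WHERE profileguid = ?", (profileguid,))
    return dict(rows)

def _fingerprint(text):
    """Fixed-length digest of the case/whitespace-normalized text (constructed rule)."""
    folded = " ".join(unicodedata.normalize("NFKC", text).casefold().split())
    return hashlib.sha256(folded.encode()).digest()

def validate_answer(db, profileguid, question, answer):
    """validateAnswer: compare fixed-length digests in constant time so neither the
    answer length nor the position of a mismatch leaks through timing."""
    row = db.execute("SELECT answer FROM userqa WHERE profileguid = ? AND question = ?",
                     (profileguid, question)).fetchone()
    expected = _fingerprint(row[0] if row else "")
    return hmac.compare_digest(expected, _fingerprint(answer)) and row is not None

def get_questions_unsafe(db, profilename):
    """The pattern to avoid: building the profile name into the SQL text. With the
    odbcqa_name.psl variant this value is user-influenced, and "' OR '1'='1" lists every
    user's questions. Shown only as the contrast to the bound parameters above."""
    return [row[0] for row in db.execute(
        f"SELECT question FROM userqa WHERE profileguid = '{profilename}'")]

if __name__ == "__main__":
    db = open_store(["First school?", "Birth city?"],
                    [("guid-1", "First school?", "Park Hill"), ("guid-1", "Birth city?", "Leeds"),
                     ("guid-1", "Retired question?", "x"), ("guid-2", "First school?", "St Mary")])
    print(targetid(), get_questions(db, "guid-1"), validate_answer(db, "guid-1", "Birth city?", " LEEDS "))
```

The schema on this page stores the answer as an ordinary column, so whether answers are hashed before they are inserted is up to your script; in either case the database account bound to the target system should have no more than SELECT on allowedquestions and the row-level operations the script performs on userqa, and every query should use bound parameters as above.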

Add a target system with the following configuration:

  • Target type: NULL target system

  • Target ID: EXTQATARGET by default, as defined in the odbcqa.psl file

  • Address: the same name as the system DSN, for example EXTQA_DSN

  • List accounts: unselected (disabled)

  • Credentials: the database login ID and password used when creating the system DSN. Use a dedicated database account that has only the privileges the script needs on the allowedquestions and userqa tables, since these are the credentials the plugin runs with.

The rest of the settings can be left as default.

Add an external question set with the following configuration:

  1. Click Manage the system > Policies > Question sets .

  2. Click External questions.

  3. If Bravura Security Fabric displays a list of existing question sets, click Add new… at the bottom of the list.

  4. Set appropriate options for the new question set.

    • External program: odbcqa.exe.

    • External program provides answers along with questions: deselected.

    • Ask user to answer questions from this set: selected.

  5. Click Add.

  6. Click Add new at the bottom of the page

  7. Add questions to the external question set.

Enable the authentication method:

  • By adding a security question authentication module to an authentication chain.

    This method provides more flexible configuration options.

    Or,

  • By configuring the default authentication menu (Manage the system > Modules> Front-end (PSF) ):

    • Set PSF EXT to Security questions or User selectable.

    • Ensure that PSFEXT VALUES includes response.pss.

SHA1 hashing (resextqa)

resextqa is a shipped plugin program that manages the security questions and answers of external question sets, storing the answers as SHA1 hashes. Security question answers are short and guessable, so a SHA1 hash of one can be brute-forced quickly if the stored hashes are exposed; restrict access to the plugin directory and to the data the plugin writes as you would to a password store.

To use this program, add an external question set and set the External program to resextqa.exe:

  1. Click Manage the system > Policies > Question sets .

  2. Click External questions (this includes external pre-defined sets).

  3. If Bravura Security Fabric displays a list of existing question sets, click Add new… at the bottom of the list.

  4. Set appropriate options for the new question set.

    • External program: resextqa.exe.

    • External program provides answers along with questions: deselected.

    • Ask user to answer questions from this set: selected.

  5. Click Add.

  6. Click Add new at the bottom of the page

  7. Add questions to the external question set.

Security question response validation

The security question response plugin provides additional validation logic of pre-defined and user-defined questions and answers. The plugin is executed when users are updating their security question profile.

To configure this type of plugin:

  1. Click Manage the system > Policies > Question sets .

  2. Select or add a pre-defined or user-defined question set.

  3. Set Plugin for validating answers to the name of your plugin.

  4. Click Update.

No shipped plugin is provided for this plugin point.

Requirements

See Writing plugins for general requirements.

Input

The input KVGroup to the plugin is in the format:

"qarule" "" = {
   "qsid" = "<questionsetid>"
   "sessionid" = "<sessionid>"
   "<questionid_assigned_by_instance>" "" = {
     "answer" = "<answer_to_test>"
     "question" = "<human-readable question>"
   }
 }

Where <questionsetid> is the question set ID, <answer_to_test> is the answer provided by the user, and <human-readable question> is the question being answered.

Output

The output KVGroup for a successful validation is of the format:

"" "" = {
       "returnval" = "0"
}
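An added example of the validation logic such a plugin might apply, written in Python; it is not a shipped plugin and is not code from the product. The rules (a minimum length, no placeholders or bare numbers and dates, the answer must not be contained in its own question, answers must differ across questions) and the exit codes are constructed for this example. It takes the already-decoded question/answer pairs from the "qarule" input and produces the output KVGroup shown above; reading the KVGroup input is the same plain-text parsing every plugin on this page needs and is left out here.

```python
import re
import sys
import unicodedata

# Constructed policy for this example (not the product's own rules).
MIN_LEN = 4
PLACEHOLDERS = {"none", "n/a", "na", "password", "unknown", "secret", "123456", "qwerty"}

def _normalize(text):
    """Unicode-, case- and whitespace-insensitive form used for every rule."""
    return " ".join(unicodedata.normalize("NFKC", text).casefold().split())

def check_answers(pairs):
    """pairs: {questionid: (question, answer)} as decoded from the "qarule" input.
    Returns (returnval, reason); "0" accepts the profile, anything else rejects it."""
    if not pairs:
        return "5", "no question/answer pairs supplied"
    seen = {}
    for qid, (question, answer) in pairs.items():
        a, q = _normalize(answer), _normalize(question)
        if len(a) < MIN_LEN:
            return "1", f"answer to {qid} is shorter than {MIN_LEN} characters"
        if a in PLACEHOLDERS or re.fullmatch(r"[\d\s./-]+", a):
            return "2", f"answer to {qid} is a placeholder or a bare number/date"
        if q and a in q:
            return "3", f"answer to {qid} is contained in its own question"
        if a in seen:
            return "4", f"answer to {qid} duplicates the answer to {seen[a]}"
        seen[a] = qid
    return "0", ""

def to_kvgroup(returnval):
    """The output shape the page gives: "" "" = { "returnval" = "..." }."""
    return '"" "" = {\n  "returnval" = "%s"\n}' % returnval

if __name__ == "__main__":
    # Constructed sample standing in for the decoded "qarule" input.
    sample = {"q1": ("City where you were born?", "Leeds"),
              "q2": ("Name of your first school?", "Park Hill")}
    rv, reason = check_answers(sample)
    if reason:
        sys.stderr.write(reason + "\n")       # reason goes to the log, not to the user
    sys.stdout.write(to_kvgroup(rv) + "\n")
```

The rejection reason is written to standard error for the administrator's log while the KVGroup reply carries only "returnval", matching the output shape documented for this plugin point; a non-zero value rejects the profile update.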