Create authentication rules

This topic describes how to create authentication rules to apply adaptive multi-factor authentication (MFA).

Authentication rules define the conditions in which an authentication profile is applied. Authentication profiles are where you select the authentication mechanisms. For example, you can create a rule that requires users to provide a password and text message confirmation code if they are outside of your corporate IP range. To configure this, you need to create a rule and associate it with an authentication profile.

If you do not define any authentication rules, then a default rule and profile are used. This default rule uses the Identity Cookie is not present condition and the Default New Device Login Profile. This profile uses Password for the first challenge and Mobile Authenticator, Text message (SMS) confirmation code, Email confirmation code, or OATH OTP Client for the second challenge, with a 12-hour pass-through duration. The following image shows the default authentication rule.

To define an authentication rule

The following procedure describes how to create an authentication rule to apply adaptive MFA, using Identity Administration as an example. The concept of creating authentication rules is the same whether you want to apply adaptive MFA to Identity Administration, an endpoint, a sensitive application, or another resource. Available filters differ depending on the resource.

  1. Go to Core Services > Policies and select the policy you want to edit or click Add Policy Set to create a new one.

  2. Go to Authentication Policies, then expand the policy settings for the resource you want to define an authentication rule for.

    Available resources for authentication rules

    | Resource | Description |
    |---|---|
    | Identity Administration | Define authentication rules for access to the User Portal. |
    | CyberArk Identity Admin Portal | Define authentication rules for access to the Identity Administration portal. |
    | Endpoint Authentication | Define authentication rules for access to macOS or Windows devices. |

  3. Select Yes in the Enable authentication policy controls drop-down menu.

  4. (Optional) Click Add Rule to specify conditional access.

    The Authentication Rule window appears.

  5. Click Add Filter on the Authentication Rule window.

  6. Define the filters and conditions using the drop-down menus.

    The table below describes where each filter is applicable for creating MFA rules.

    Authentication rule filters

    | Filter | Identity Administration portal/User Portal | Application | Endpoint | RADIUS |
    |---|---|---|---|---|
    | IP Address | Y | Y | Y | Y |
    | Identity Cookie | Y | Y | NA | NA |
    | Day of Week | Y | Y | Y | Y |
    | Date | Y | Y | Y | Y |
    | Date Range | Y | Y | Y | Y |
    | Time Range | Y | Y | Y | Y |
    | Device OS | Y | Y | Y | NA |
    | Network Level Authentication | NA | NA | Y | NA |
    | Browser | Y | Y | NA | NA |
    | Role | NA | Y | NA | NA |
    | Country | Y | Y | NA | NA |
    | Risk Level | Y | Y | Y | NA |
    | Managed Device | NA | Y | NA | NA |
    | Certificate Authentication | Y | Y | NA | NA |

    The table below describes each filter and the conditions available for it.

    Authentication rule filter options

    IP Address

    The computer’s IP address when the user logs in. You can create rules based on:

    • Whether the IP address is inside or outside the corporate network.

      Use either the inside secure zones or outside secure zones condition. Secure zones are defined in Settings > Network > Secure Zones.

    • Whether the IP address is inside a subset of your corporate network.

      Use the inside secure zone... condition. If you select this condition, you also need to indicate the specific secure zone (IP range configured in the IP table in Settings > Network > Secure Zones).

    To configure the IP address condition, you first need to configure the IP address range in Settings > Network > Secure Zones. See Define Secure Zones. The specified authentication profile is then applied to users whose IP address matches the specified IP address value, or falls within the specified IP address range.

    Also see Disable Secure Zones to exempt certain IP addresses or ranges from policy rules.

    Conditions available:
    • inside secure zones
    • outside secure zones
    • inside secure zone...

    Identity Cookie

    The cookie that is embedded in the current browser by Identity Administration after the user has successfully logged in.

    Conditions available:
    • Is present
    • Is not present

    Day of Week

    Specific days of the week (Sunday through Saturday). You can select one or more, based on User Local Time or UTC.

    Conditions available: Checkboxes for each day of the week and radio buttons to select either User Local Time or UTC

    Date

    A date before or after which the user logs in that triggers the specified authentication requirement, based on either User Local Time or UTC.

    Conditions available:
    • Less than <selected date>
    • Greater than <selected date>

    User Local Time or UTC

    Date Range

    A specific date range, based on either User Local Time or UTC.

    Conditions available: Date pickers and radio buttons for User Local Time or UTC

    Time Range

    A time range in hh:mm (24-hour clock), based on User Local Time or UTC.

    Select an Authentication Profile for the time range defined; users who sign in during that time range are subject to the selected authentication profile. You can also choose to not allow sign-in during a specified time range.

    Example

    If the Time Range in the Authentication Rule is from 18:00 to 09:00 and the Authentication Profile selected is Not Allowed, impacted users can't sign in during this time. A message is displayed saying that the user does not have the required attributes to sign in.

    Authentication filters for RADIUS connections only use UTC.

    Conditions available: Strings representing time ranges in the format hh:mm, with radio buttons for User Local Time or UTC

    Device OS

    The operating system of the device a user is logging in from.

    Conditions available:
    • equal to
    • not equal to

    Network Level Authentication

    This filter applies authentication profiles based on whether an RDP client has completed Network Level Authentication (NLA).

    Conditions available:
    • is done
    • is not done

    Browser

    The browser used to open the Identity Administration portal.

    Conditions available:
    • equal to
    • not equal to

    Role

    Identity Administration roles that a user belongs to. If a user belongs to multiple roles, the authentication rule that comes first (highest priority on top) is honored.

    If a role is renamed after an authentication rule using Role as a filter has been created, the authentication rule is automatically updated with the new role name. If a role is deleted, the portion of any authentication rule that uses that role as a filter is also deleted.

    This filter is only applicable to managing web application access.

    Contact support if Role does not display in your menu. This filter requires tenant configuration.

    Conditions available:
    • equal to
    • not equal to

    Country

    The country based on the IP address of the user's computer.

    Conditions available:
    • equal to
    • not equal to

    Risk Level

    This filter applies an authentication profile based on the risk level of the user logging on to the User Portal. For example, a user attempting to log in to Identity Administration from an unfamiliar location is prompted to enter a password and text message (SMS) confirmation code because the external firewall condition correlates with a medium risk level. This Risk Level filter requires additional licenses. The supported risk levels are:

    • Non Detected: No unexpected activities are detected.

    • Low: Some aspects of the requested identity activity are unexpected. A remediation action or a simple warning notification can be raised, depending on the policy setup.

    • Medium: Many aspects of the requested identity activity are unexpected. A remediation action or a simple warning notification can be raised, depending on the policy setup.

    • High: Strong indicators that the requested identity activity is an anomaly and the user's identity has been compromised. An immediate remediation action, such as MFA, should be enforced.

    • Undetermined: Not enough user behavior activity (frequency of system use by the user and length of time the user has been in the system) has been collected.

    This feature requires Identity Security Intelligence. See Configure CyberArk Identity Security Intelligence Settings for more information.

    The following video illustrates how to create an authentication rule based on risk level.

    Conditions available:
    • equal to
    • not equal to

    Managed Device

    A device is considered managed in the following circumstances:

    • It is enrolled in Identity Administration for device management.

      A device that is enrolled for only single sign-on or endpoint authentication is not considered a managed device. For more information about the difference, see Mobile Device Management or single sign-on only.

    • It is enrolled in a supported Unified Endpoint Manager (UEM).

    • It is compliant with policies defined by a UEM. Compliance means that the device is enrolled in a UEM and conforms to the compliance rules defined by that third party.

      For more information, see Configure access based on a third-party UEM trust.

    This filter is only for step-up authentication for app launches.

    Conditions available:
    • enrolled to
    • not enrolled to
    • compliant with
    • not compliant with

    Certificate Authentication

    Whether the user presents a digital certificate issued by your organization’s trusted certificate authority. You can upload a certificate using the Identity Administration portal > Settings > Authentication > Certificate Authorities. Users can also individually use CyberArk as their trusted certificate authority and automatically install the digital certificate by enrolling their devices.

    For example, if you configure an authentication rule to use the Certificate Authentication condition, then Identity Administration checks for a digital certificate issued by a trusted certificate authority and enforces the specified authentication profile before allowing access to this application.

    Certificate-based authentication on mobile devices is only supported through the web browser. It is not supported for apps launched from the CyberArk Identity mobile app.

    CyberArk support must enable the Certificate Authentication filter for your company.

    Conditions available:
    • is used
    • is not used

  7. Click the Add button associated with the filter and condition.

  8. Select the profile that you want applied if all filters/conditions are met in the Authentication Profile drop-down menu, then click OK.

    The authentication profile is where you define the authentication mechanisms. If you have not created the necessary authentication profile, select Add New Profile. See Create authentication profiles.

  9. (Optional) In the Default Profile (used if no conditions matched) drop-down menu, you can select a default profile to be applied if a user does not match any of the configured conditions.

    If you have no authentication rules configured and you select Not Allowed in the Default Profile drop-down menu, users will not be able to log in to the service.

  10. (Optional) If you have more than one authentication rule, you can drag and drop the rules to a new position in the list to control the order they are applied.

  11. Click Save.

If you have more than one authentication rule, you can prioritize them by dragging them. The rule on top has the highest priority.
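To make the evaluation model behind the procedure above concrete, here is an added Python illustration written for this page; it is not CyberArk's implementation. It models what the steps describe: rules are evaluated top to bottom, a rule applies only when all of its filters match, the first matching rule's profile is used, the Default Profile is used when nothing matches, and a Time Range such as 18:00 to 09:00 wraps past midnight and can be paired with the Not Allowed profile. The filter and condition names follow the page; the secure-zone ranges, the rule names, the profile names other than Not Allowed and Default New Device Login Profile, and the data structures are assumptions.

```python
# Added illustration (not CyberArk's code): a minimal model of how an ordered
# list of authentication rules selects an authentication profile for a login.
# Filter/condition names follow the page; the sample secure-zone ranges, rule
# names, most profile names and the data structures are assumptions.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Secure zones as configured under Settings > Network > Secure Zones
# (constructed sample ranges taken from documentation address space).
SECURE_ZONES = {
    "HQ": [ip_network("203.0.113.0/24")],
    "Branch": [ip_network("198.51.100.0/25")],
}
NOT_ALLOWED = "Not Allowed"  # the profile that blocks sign-in outright


@dataclass(frozen=True)
class LoginContext:
    """What the policy engine knows about one login attempt."""
    ip: str
    identity_cookie: bool       # set by a previous successful login in this browser
    login_time: datetime        # in the time basis the rule uses (User Local Time or UTC)
    roles: frozenset = frozenset()


def _in_zones(ip, zones):
    addr = ip_address(ip)
    return any(addr in net for net in zones)


# Each filter factory returns a predicate over a LoginContext.
def inside_secure_zones():
    every = [net for nets in SECURE_ZONES.values() for net in nets]
    return lambda ctx: _in_zones(ctx.ip, every)

def outside_secure_zones():
    inside = inside_secure_zones()
    return lambda ctx: not inside(ctx)

def inside_secure_zone(name):
    return lambda ctx: _in_zones(ctx.ip, SECURE_ZONES[name])

def identity_cookie(present):
    return lambda ctx: ctx.identity_cookie == present

def time_range(start, end):
    """hh:mm range; a start later than the end (18:00 to 09:00) wraps past midnight."""
    s, e = time.fromisoformat(start), time.fromisoformat(end)
    def pred(ctx):
        t = ctx.login_time.time()
        return s <= t < e if s <= e else (t >= s or t < e)
    return pred

def role(name, equal=True):
    return lambda ctx: (name in ctx.roles) == equal


@dataclass(frozen=True)
class Rule:
    name: str
    filters: tuple    # every filter must match for the rule to apply
    profile: str      # authentication profile applied when it does


def select_profile(rules, default_profile, ctx):
    """Walk the rules from the top (highest priority); the first rule whose
    filters all match wins. If none matches, the Default Profile is used."""
    for rule in rules:
        if all(f(ctx) for f in rule.filters):
            return rule.name, rule.profile
    return None, default_profile


# Constructed sample rule set, in priority order (top = highest priority).
RULES = (
    Rule("Contractors out of hours", (time_range("18:00", "09:00"), role("Contractors")), NOT_ALLOWED),
    Rule("Admins always step up", (role("System Administrator"),), "Admin Strong MFA"),
    Rule("Known device on the corporate network", (inside_secure_zones(), identity_cookie(True)), "Password Only"),
    Rule("Off the corporate network", (outside_secure_zones(),), "Password + SMS"),
)
DEFAULT_PROFILE = "Default New Device Login Profile"

# Constructed sample login attempts.
SAMPLE_LOGINS = {
    "contractor, 20:00, off-net":    LoginContext("192.0.2.10", False, datetime(2024, 5, 6, 20, 0), frozenset({"Contractors"})),
    "contractor, 18:00, off-net":    LoginContext("192.0.2.10", False, datetime(2024, 5, 6, 18, 0), frozenset({"Contractors"})),
    "contractor, 09:00, off-net":    LoginContext("192.0.2.10", False, datetime(2024, 5, 6, 9, 0), frozenset({"Contractors"})),
    "admin, 20:00, off-net":         LoginContext("192.0.2.10", False, datetime(2024, 5, 6, 20, 0), frozenset({"System Administrator"})),
    "contractor, 10:00, HQ, cookie": LoginContext("203.0.113.5", True, datetime(2024, 5, 6, 10, 0), frozenset({"Contractors"})),
    "new device on-net, no role":    LoginContext("198.51.100.7", False, datetime(2024, 5, 6, 10, 0)),
}

if __name__ == "__main__":
    for label, ctx in SAMPLE_LOGINS.items():
        print(f"{label:32} -> {select_profile(RULES, DEFAULT_PROFILE, ctx)}")
```

Running the script prints the rule and profile chosen for each constructed login. Two details worth noticing: a contractor signing in at exactly 09:00 falls outside the 18:00 to 09:00 window and reaches the off-network rule instead of Not Allowed, and if the off-network rule were dragged above the administrator rule, an administrator signing in from outside the secure zones would receive the weaker Password + SMS profile, which is why the ordering in step 10 matters.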