Client fingerprinting-based lockout

Airlock Gateway can be configured to terminate a session because of a high client fingerprinting (CFP) score. In this case, Airlock IAM is informed about the termination as part of the Gateway logout propagation. IAM can be configured to permanently lock a user account if the CFP score is higher than a configured threshold value.

This way, not only is the current Airlock Gateway session terminated, but the user account is also locked against further login attempts.

The account can only be unlocked by an administrator (or the help desk), not via the Unlock self-service.

Procedure-related prerequisites

  • Client fingerprinting must be enabled in the Airlock Gateway Security Gate Expert Settings.
  • Logout propagation must be configured in Airlock Gateway.

Client fingerprinting actions settings in the Expert Settings

The following excerpt shows a part of the Airlock Gateway default threshold settings in the CLIENT FINGERPRINTING ACTIONS section of the Expert Settings:

...

ClientFingerprinting.Action.3.Name                        "Protect"
ClientFingerprinting.Action.Protect.Threshold.Log         "50"
ClientFingerprinting.Action.Protect.Threshold.Notify      "200"
ClientFingerprinting.Action.Protect.Threshold.Block       "300"
ClientFingerprinting.Action.Protect.Threshold.Terminate   "300"
ClientFingerprinting.Action.Protect.Scope                 "session"
ClientFingerprinting.Action.Protect.Block.RedirectUrl     "/error_path/403.html"

For the configuration in Airlock IAM, a threshold that fits the Expert Settings must be chosen, e.g. a value between 200 (session notification) and 300 (session termination and blocking).

Lockout threshold configuration in Airlock IAM

  1. In the Config Editor, go to:
    Loginapp >> Authentication Flows >> section Advanced Settings
  2. In property Client Fingerprinting Lockout Threshold, set a value according to the threshold settings of the Expert Settings, e.g. 250.
  3. If the client fingerprinting score reported by Airlock Gateway is greater than or equal to the threshold, the user account is locked in Airlock IAM.
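A worked example, added here and not part of the Airlock product or its documentation: it parses the Threshold.* keys of an Expert Settings excerpt like the one above, sanity-checks an IAM lockout threshold against the Gateway's Notify and Terminate values, and applies the lock rule (score greater than or equal to the threshold) to constructed logout-propagation events. The event structure is an assumption; the real propagation payload format is not shown on this page.

```python
import re

# Constructed excerpt using the same keys as the Gateway Expert Settings above.
EXPERT_SETTINGS = '''
ClientFingerprinting.Action.3.Name                        "Protect"
ClientFingerprinting.Action.Protect.Threshold.Log         "50"
ClientFingerprinting.Action.Protect.Threshold.Notify      "200"
ClientFingerprinting.Action.Protect.Threshold.Block       "300"
ClientFingerprinting.Action.Protect.Threshold.Terminate   "300"
ClientFingerprinting.Action.Protect.Scope                 "session"
'''

# One key, whitespace, one double-quoted value per line.
KEY_RE = re.compile(r'^(\S+)\s+"([^"]*)"\s*$')


def parse_thresholds(text, action="Protect"):
    """Return the numeric Threshold.* values of one CFP action as a dict."""
    prefix = f"ClientFingerprinting.Action.{action}.Threshold."
    thresholds = {}
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m and m.group(1).startswith(prefix):
            thresholds[m.group(1)[len(prefix):]] = int(m.group(2))
    return thresholds


def check_lockout_threshold(iam_threshold, thresholds):
    """Flag IAM values outside the Notify..Terminate range of the Gateway action."""
    notify, terminate = thresholds["Notify"], thresholds["Terminate"]
    if iam_threshold > terminate:
        return "above Terminate: a session terminated at exactly the Terminate score will not lock the account"
    if iam_threshold < notify:
        return "below Notify: accounts lock before the Gateway's notify action fires"
    return "ok"


def should_lock(cfp_score, iam_threshold):
    """Lockout rule from the procedure: a reported score >= threshold locks the account."""
    return cfp_score >= iam_threshold


# Constructed logout-propagation events (hypothetical shape: user name plus reported CFP score).
LOGOUT_EVENTS = [
    {"user": "alice", "cfp_score": 120},
    {"user": "bob", "cfp_score": 250},
    {"user": "carol", "cfp_score": 310},
]


def process_logout_events(events, iam_threshold):
    """Apply the rule to each event and return the sorted names of accounts to lock."""
    return sorted({e["user"] for e in events if should_lock(e["cfp_score"], iam_threshold)})
```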