Configure Check Before Authorization Profiles

A Check Before profile defines a set of criteria that must be met for an authentication request to be successful.

ActivID AS checks these criteria after the logon and password are submitted, but before it validates the user’s identity. The system uses Check Before criteria as additional requirements for approving an authentication. For example, if only users connecting with PPP should be allowed access, you can configure ActivID AS to check the connection method and deny access when the user’s connection is not PPP, even if the user provides the correct password.

Check Before attribute/value pairs can be sent with the authentication request, and are verified before the credential-based authentication is performed.

For example, Check Before can be used to check a user’s AccountID, IP Address, or Client information:

  • Username = johndoe
  • Password = xxxxxxx
  • AccountID = 12345678

Here, AccountID is a user attribute, not a credential. Enforcing this value ensures that the user is authenticating with the correct Password AND AccountID.

Note:
  • If you select a Check Before criterion, your Service Provider is expected to send the attributes to check. Access can be denied only if the values sent are not the ones expected by ActivID AS. If the Service Provider sends no values, ActivID AS will authenticate the user.

  • For Push-based RADIUS authentication, Check Before profiles are not supported (that is, Check Before attributes will not be applied).
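
The evaluation rules in the note above, modelled as an added example (not ActivID AS code). The function names, the request layout, the Service Provider names and the `Framed-Protocol` attribute are assumptions made for illustration, and the model assumes that each expected attribute absent from a request is skipped in the same way as a request that sends no values at all.

```python
from collections import Counter

def check_before(profile, request_attrs, push_radius=False):
    """Model one Check Before evaluation (hypothetical helper, not a product API).

    Returns (proceed, mismatched, unenforced). 'proceed' means the request
    moves on to credential validation, not that authentication succeeded.
    """
    if push_radius:
        # Push-based RADIUS: Check Before attributes are not applied at all.
        return True, [], sorted(profile)
    mismatched = sorted(
        name for name, expected in profile.items()
        if name in request_attrs and request_attrs[name] != expected
    )
    # Expected attributes the Service Provider never sent. They cannot cause
    # a denial, so they are reported for review instead of being ignored.
    unenforced = sorted(name for name in profile if name not in request_attrs)
    return not mismatched, mismatched, unenforced

def audit(profile, requests):
    """Count, per Service Provider, requests where a check went unenforced."""
    gaps = Counter()
    for req in requests:
        _, _, unenforced = check_before(
            profile, req["attrs"], req.get("push", False))
        if unenforced:
            gaps[req["sp"]] += 1
    return dict(gaps)

# Constructed sample data: profile values and Service Provider names are made up.
PROFILE = {"AccountID": "12345678", "Framed-Protocol": "PPP"}
REQUESTS = [
    {"sp": "vpn-gw", "attrs": {"AccountID": "12345678", "Framed-Protocol": "PPP"}},
    {"sp": "vpn-gw", "attrs": {"AccountID": "12345678", "Framed-Protocol": "SLIP"}},
    {"sp": "legacy-portal", "attrs": {}},
    {"sp": "mobile-push", "attrs": {"AccountID": "00000000"}, "push": True},
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["sp"], check_before(PROFILE, req["attrs"], req.get("push", False)))
    print("Service Providers with unenforced checks:", audit(PROFILE, REQUESTS))
```

Running the audit over real request logs shows which Service Providers rely on a Check Before profile without ever sending the attributes it compares.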

Create a Check Before Profile

  1. Log on to the ActivID Management Console as an ActivID Administrator.

  2. Select the Configuration tab and, under Policies, select Authorization.
  3. Select Check Before.

  4. Click Add.

  5. Modify the Code, if necessary.

  6. Enter a Name for the profile.

     The name should be descriptive of the type of functionality for which the profile will be used.

  7. From the Dictionary drop-down list, select the dictionary that contains the attributes you want to use in the authorization profile and click Next.

If required, proceed with the channel configuration.

Add/Delete an Attribute for a Check Before Profile

  1. Log on to the ActivID Management Console as an ActivID Administrator.

  2. Select the Configuration tab and, under Policies, select Authorization.
  3. Select Check Before.

  4. Select the Check Before profile you want to edit.
    • To add an attribute, click Add, follow the steps above and then click Save.
    • To delete an attribute, select the check box of the Dictionary Attribute and then click Delete.

      Click Yes to confirm.

Copy a Check Before Profile

  1. Log on to the ActivID Management Console as an ActivID Administrator.

  2. Select the Configuration tab and, under Policies, select Authorization.
  3. Select Check Before.

  4. Select the check box of the Check Before profile that you want to copy and click Copy.

  5. Edit the settings of the profile.

Delete a Check Before Profile

  1. Log on to the ActivID Management Console as an ActivID Administrator.

  2. Select the Configuration tab and, under Policies, select Authorization.
  3. Select Check Before.

  4. Select the check box of the Check Before profile that you want to delete and click Delete.

  5. When prompted, select Yes to delete.