Added article: Use Akamai Supplemental Signals in Actions

Author: Kevin Strong-Holte

main/docs/secure/attack-protection/use-akamai-supplemental-signals-actions.mdx

@@ -0,0 +1,199 @@
+---
+'og:description': Learn how to use Akamai supplemental signals in Auth0 Actions.
+'og:image': https://cdn2.auth0.com/docs/1.14553.0/img/share-image.png
+'og:title': Use Akamai Supplemental Signals in Actions
+'og:url': https://auth0.com/docs/
+permalink: use-akamai-supplemental-signals-actions
+title: Use Akamai Supplemental Signals in Actions
+'twitter:description': Learn how to use Akamai supplemental signals in Auth0 Actions.
+'twitter:title': Use Akamai Supplemental Signals in Actions
+---
+<Warning>
+**Auth0 Supplemental Signals is currently in Early Access.**
+
+By using this feature, you agree to the applicable Free Trial terms in Okta’s [Master Subscription Agreement](https://www.okta.com/legal). To learn more about Auth0 product release stages, read [Product Release Stages](/docs/troubleshoot/product-lifecycle/product-release-stages).
+</Warning>
+<Info>
+**Before you start**
+
+To use Akamai supplemental signals in Actions, you must:
+- [Configure Akamai as a reverse proxy](/docs/customize/custom-domains/self-managed-certificates)
+- [Configure Akamai to Send Supplemental Signals](./configure-akamai-supplemental-signals)
+</Info>
+
+If you have configured Akamai as a reverse proxy and set it up to send supplemental signals to Auth0, you can use the data provided in those signals in [Auth0 Actions](/docs/customize/actions).
+
+## Supported supplemental signals by Action trigger
+| Trigger | Supplemental signal objects | Event object |
+| --- | --- | --- |
+| Login | <ul><li><code>akamaiBot</code></li><li><code>akamaiUserRisk</code></li></ul> | <a href="/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-event-object"><code>authentication.riskAssessment.supplemental.akamai</code></a> |
+| Pre-User Registration | None | N/A |
+| Post-User Registration| None | N/A |
+| Send Phone Message | None | N/A |
+| Post-Challenge | None | N/A |
+| Post-Change Password | None | N/A |
+| Credentials Exchange | None | N/A |
+
+## Supplemental signal object schemas
+The `akamaiBot` and `akamaiUserRisk` objects contain multiple properties you can use to customize your authentication flow.
+
+<ResponseField name="akamaiBot" type="object">
+<Expandable>
+<ResponseField name="action" type="string">
+The action of the Akamai bot manager results.
+
+Example: `Monitor`
+</ResponseField>
+<ResponseField name="botCategory" type="string[]">
+The bot cateogry of the Akamai bot manager results.
+
+Example: `["Web Search Engine Bots"]`
+</ResponseField>
+<ResponseField name="botScore" type="number">
+The bot score of the Akamai bot manager results.
+
+Example: `90`
+</ResponseField>
+<ResponseField name="botScoreResponseSegment" type="string">
+The bot score response segment of the Akamai bot manager results.
+
+Example: `aggressive`
+</ResponseField>
+<ResponseField name="botnetId" type="string">
+The botnet ID of the Akamai bot manager results.
+
+Example: `googlebot`
+</ResponseField>
+<ResponseField name="type" type="string">
+The type of the Akamai bot manager results.
+
+Example: `Akamai-Categorized Bot`
+</ResponseField>
+</Expandable>
+</ResponseField>
+
+<ResponseField name="akamaiUserRisk" type="object">
+<Expandable>
+<ResponseField name="action" type="string">
+The action of the Akamai user risk assessment.
+
+Example: `monitor`
+</ResponseField>
+<ResponseField name="allow" type="number">
+The allowed status of the Akamai user risk assessment.
+
+Example: `0`
+</ResponseField>
+<ResponseField name="emailDomain" type="string">
+The email domain of the user.
+
+Example: `example.com`
+</ResponseField>
+<ResponseField name="general" type="object">
+The general risk of the Akamai user risk assessment.
+
+Example: `{ aci: “0”, db: “Chrome 85”, di: “0fc91b5ec42f5a471c16a85e3e388ca57697c1a9”, do: “Mac OX X 10” }`
+</ResponseField>
+<ResponseField name="ouid" type="string">
+The OUID of the user.
+
+Example: `m534264`
+</ResponseField>
+<ResponseField name="requestid" type="string">
+The request ID of the user.
+
+Example: `19e22e`
+</ResponseField>
+<ResponseField name="risk" type="object">
+The risk of the Akamai user risk assessment.
+
+Example: `{ ugp: “ie/M”, unp: “432/H” }`
+</ResponseField>
+<ResponseField name="score" type="number">
+The score of the Akamai user risk assessment.
+
+Example: `0`
+</ResponseField>
+<ResponseField name="status" type="number">
+The status of the Akamai user risk assessment.
+
+Example: `4`
+</ResponseField>
+<ResponseField name="trust" type="object">
+The trust of the Akamai user risk assessment.
+
+Example: `{ udbp: "Chrome85", udfp: "25ba44ec3b391ba4ce5fbbd2979635e254775werwe", udop: "Mac OS X 10", ugp: "FR", unp: "12322", utp: "weekday_3" }`
+</ResponseField>
+<ResponseField name="username" type="string">
+The username of the user.
+
+Example: `[email protected]`
+</ResponseField>
+<ResponseField name="uuid" type="string">
+The UUID of the Akamai user risk assessment.
+
+Example: `86b37525-8047-4a3c-8d7a-23e99666da05`
+</ResponseField>
+</Expandable>
+</ResponseField>
+
+## Use cases
+<AccordionGroup>
+<Accordion title="Revoke a session based on Akamai Account Protector results">
+Here’s an example of how you could revoke a session based on the `akamaiUserRisk.score` property:
+```javascript
+exports.onExecutePostLogin = async (event, api) => {
+  const userRiskHeader = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiUserRisk;
+  if (userRiskHeader?.score && userRiskHeader?.score >= 90) {
+        console.log('User is deemed high risk.');
+        //This will revoke session cookies to deny login.
+        api.session.revoke('Session revoked, User risk score is greater than 90.');
+    }
+};
+
+```
+
+Please note the use of the `api.session.revoke` method (compared to the `api.access.deny` method). Using the `revoke` method ensures that if the user refreshes the application, the Akamai supplemental signals are sent with the authentication request and the post-login Action flow is triggered.
+</Accordion>
+<Accordion title="Prompt multi-factor authentication (MFA) based on Akamai Bot Manager results">
+Here’s an example of how you could enforce MFA based on the `akamaiBot.score` property. 
+
+#### Enforce MFA
+This Action performs two tasks:
+1. **Update [app metadata](/docs/manage-users/user-accounts/metadata/metadata-fields-data)**: If the score property exceeds a specified value, record that MFA is required for the session.
+2. **Require MFA**: If the score property exceeds a specified value or if there is a record in the app metadata indicating MFA is required for the session, enforce MFA.
+```javascript
+exports.onExecutePostLogin = async (event, api) => {
+  const userRiskHeader = event.authentication?.riskAssessment?.supplemental?.akamai?.akamaiUserRisk;
+
+  if (userRiskHeader?.score && userRiskHeader?.score >= 90) {
+    console.log(`Setting app metadata for session id: ${event.session?.id}`);
+    api.user.setAppMetadata(`mfa_required_${event.session?.id}`, true);
+  }
+
+  if (userRiskHeader?.score && userRiskHeader?.score >= 90 ||
+      event.user.app_metadata[`mfa_required_${event.session?.id}`]) {
+        console.log(`Requiring MFA FOR Session id: ${event.session?.id}`);
+        api.multifactor.enable('any', {allowRememberBrowser: false});
+  }
+};
+
+```
+
+#### Clean up app metadata
+This Action removes session-specific MFA information from app metadata after the user completes MFA successfully.
+
+```javascript
+exports.onExecutePostLogin = async (event, api) => {
+  const mfaMethod = event.authentication?.methods.find((method) => {
+    return method.name === 'mfa';
+  });
+
+  if (mfaMethod) {
+    console.log(`Removing MFA requirement for session id: ${event.session?.id}`);
+    api.user.setAppMetadata(`mfa_required_${event.session?.id}`, undefined);
+  }
+};
+```
+</Accordion>
+</AccordionGroup>