Merge pull request #5980 from ZiyamSanthosh/sift-connector-docs-3

Add Sift v2 documentation and preserve v1 documentation

Author: ZiyamSanthosh

en/identity-server/next/docs/assets/img/connectors/sift/sift-configs.png

@@ -2,4 +2,4 @@
 template: templates/connector.html
 ---
 
-{% include "../../../../../includes/connectors/sift/overview.md" %}
+{% include "../../../../../includes/connectors/sift-v2/overview.md" %}

en/identity-server/next/docs/connectors/sift/overview.md

@@ -2,4 +2,4 @@
 template: templates/connector.html
 ---
 
-{% include "../../../../../includes/connectors/sift/reference.md" %}
+{% include "../../../../../includes/connectors/sift-v2/reference.md" %}

en/identity-server/next/docs/connectors/sift/reference.md

@@ -2,4 +2,4 @@
 template: templates/connector.html
 ---
 
-{% include "../../../../../includes/connectors/sift/set-up.md" %}
+{% include "../../../../../includes/connectors/sift-v2/set-up.md" %}

en/identity-server/next/docs/connectors/sift/set-up.md

@@ -2,4 +2,4 @@
 template: templates/connector.html
 ---
 
-{% include "../../../../../includes/connectors/sift/usage.md" %}
+{% include "../../../../../includes/connectors/sift-v2/usage.md" %}

en/identity-server/next/docs/connectors/sift/usage.md

@@ -0,0 +1,50 @@
+# Sift
+
+[Sift](https://sift.com/){:target="_blank"} helps businesses prevent fraud, abuse, and account takeovers by analyzing user behavior and contextual data in real time. By combining signals like device fingerprinting, IP reputation, and behavioral patterns, Sift creates a dynamic risk score that helps businesses make smarter decisions and reduce false positives.
+
+You can integrate {{product_name}} with Sift to assess the risk level of login attempts. During authentication, {{product_name}} sends relevant contextual data to Sift. Sift then evaluates the request and returns either a risk score or a decision ID. Based on this response, you can decide to:
+
+- Allow the login.
+- Deny the login.
+- Trigger additional verification (e.g., MFA).
+
+The following sections describe two common use cases for integrating {{product_name}} with Sift.
+
+## Decide based on risk score
+
+Based on the login context data sent to Sift, it calculates a risk score, where a higher score indicates a higher likelihood of fraud.
+
+You can configure {{product_name}} to deny or step up authentication when the risk score of a login request exceeds a defined threshold.
+
+![Sift use case 1]({{base_path}}/assets/img/connectors/sift/sift-use-case-1.png){: width="600px"}
+
+How it works,
+
+- When a user attempts to log in, {{product_name}} sends the relevant contextual data such as IP address, device details, geolocation, to Sift.
+
+- Sift analyzes these attributes along with its own data and calculates a risk score.
+
+- Sift returns this value to {{product_name}}.
+
+- Based on the configured threshold, {{product_name}} executes a predefined action:
+  - Allow login if the score is within acceptable limits.
+  - Deny login or enforce additional MFA if the score exceeds the threshold.
+
+## Decide based on decision ID
+
+You can use [Sift workflows](https://developers.sift.com/tutorials/workflows){: target="_blank"} to define decisions based on risk factors including the risk score.
+
+Based on the login context data sent to Sift, it returns a decision ID instead of the raw risk score. This decision ID corresponds to a predefined action in the Sift console, such as `allow`, `deny`, or `challenge`.
+
+By using decision IDs, organizations can offload complex risk logic to Sift, keeping {{product_name}} policies cleaner and more maintainable. This approach also allows real-time policy adjustments in the Sift console without redeploying configurations in {{product_name}}.
+
+![Sift use case 2]({{base_path}}/assets/img/connectors/sift/sift-use-case-2.png){: width="600px"}
+
+How it works,
+
+- When a user attempts to log in, {{product_name}} sends the relevant contextual data such as IP address, device details, geolocation, to Sift.
+- Sift analyzes these attributes along with its own data and returns a decision ID to {{product_name}}.
+- Based on the decision ID received, {{product_name}} executes the corresponding action:
+  - Allow login if the decision is `allow`.
+  - Deny login if the decision is `deny`.
+  - Enforce additional MFA if the decision is `challenge`.

en/includes/connectors/sift-v2/overview.md

@@ -0,0 +1,92 @@
+# Reference: Sift functions and parameters
+
+This reference describes the functions and parameters you can use in [conditional authentication]({{base_path}}/guides/authentication/conditional-auth/) scripts to interact with Sift.
+
+!!! note
+    - To use these functions, you must first [set up Sift]({{base_path}}/guides/connectors/sift/set-up/) in {{product_name}}.
+    - You can find example scripts in the [how to use Sift]({{base_path}}/guides/connectors/sift/how-to-use/) guide.
+
+## `getSiftRiskScoreForLogin()`
+
+This function,
+
+- returns a value between 0 and 1. Higher the score, greater the risk.
+- returns –1 if an error occurs due to an invalid API key, network issue or a Sift server issue.
+- takes the following arguments.
+  - `AuthenticationContext` - Current authentication [context]({{base_path}}/references/conditional-auth/api-reference/#context).
+  - `LoginStatus` - Status of login; *LOGIN_SUCCESS* for a success status, *LOGIN_FAILED* for a failed status.
+  - `AdditionalParameters` - Any extra parameters you want to send to Sift as explained in [additional parameters](#additional-parameters).
+
+## `getSiftWorkflowDecision()`
+
+This function,
+
+- returns the Sift decision ID for a login event. This ID uniquely identifies the decision made during the Sift workflow for that event. Learn more about [Sift workflows](https://developers.sift.com/tutorials/workflows){: target="_blank"}.
+- returns null if an error occurs due to an invalid API key, network issue or a Sift server issue.
+- takes the following arguments.
+  - `AuthenticationContext` - Current authentication [context]({{base_path}}/references/conditional-auth/api-reference/#context).
+  - `LoginStatus` - Status of login; *LOGIN_SUCCESS* for a success status, *LOGIN_FAILED* for a failed status.
+  - `AdditionalParameters` - Any extra parameters you want to send to Sift as explained in [additional parameters](#additional-parameters).
+
+## `publishLoginEventToSift()`
+
+This function,
+
+- publishes the status of the current login event to Sift, indicating whether it succeeded or failed.
+- takes the following arguments.
+  - `AuthenticationContext` - Current authentication [context]({{base_path}}/references/conditional-auth/api-reference/#context).
+  - `LoginStatus` - Status of login; *LOGIN_SUCCESS* for a success status, *LOGIN_FAILED* for a failed status.
+  - `AdditionalParameters` - Any extra parameters you want to send to Sift as explained in [additional parameters](#additional-parameters).
+
+## Additional parameters
+
+You can configure the following options when creating a conditional authentication script using Sift-related functions.
+
+### Customize the data sent to Sift
+
+To assess risk of a login event, {{product_name}} sends the following data to Sift:
+
+- user ID (mandatory)
+- session ID
+- IP address
+- user agent
+
+You can override the default values that {{product_name}} sends by passing these as additional parameters in the functions. You can also exclude any optional parameter from being sent, by setting the value to an empty string as shown below.
+
+```javascript
+var additionalParams = {
+    "$ip": "",
+    "$user_agent": "",
+    "$session_id": ""
+}
+```
+
+!!! important
+    The `$user_id` field sent to Sift is **not** the user's actual UUID. By default, it contains a hashed value of the username. To reliably identify users in Sift, use the `user_uuid` field, which is published separately in the event payload and contains the actual user UUID.
+
+### User data published to Sift
+
+The following user attributes may be included in the event payload depending on your [fraud detection configuration]({{base_path}}/connectors/sift/set-up/#step-3-configure-fraud-detection-settings).
+
+#### User information
+
+| Field | Description |
+|---|---|
+| **Email** | The user's registered email address. |
+| **Mobile** | The user's mobile phone number. Published only if in E.164 format. |
+| **Name** | The user's full name. If unavailable, the first or last name is used instead. |
+
+#### User browser and device metadata
+
+| Field | Description |
+|---|---|
+| **IP Address** | The user's IP address at the time of the event. |
+| **User Agent** | The browser or device user agent string associated with the user's session. |
+
+### Enable logging
+
+You can enable logging by sending `"loggingEnabled": true` as an additional parameter in the functions.
+
+- If sent with `getSiftRiskScoreForLogin()`, it logs the payload sent to Sift and the risk score that Sift returns.
+- If sent with `getSiftWorkflowDecision()`, it logs the payload sent to Sift and the decision ID returned by Sift.
+- If sent with `publishLoginEventToSift()`, it logs the payload sent to Sift.

en/includes/connectors/sift-v2/reference.md

@@ -0,0 +1,56 @@
+# Set up
+
+The following guide explains how you can install and set up Sift in {{product_name}}.
+
+## Prerequisites
+
+You need to have a Sift account. If you don't have an account, create one by visiting the [Sift website](https://sift.com/).
+
+## Step 1: Install the Sift connector
+
+Follow the steps below to install Sift in {{product_name}}.
+
+1. Download the following artifacts from the {{product_name}} [connector store](https://store.wso2.com/connector/identity-fraud-detection-sift){: target="_blank"}.
+    - `org.wso2.carbon.identity.fraud.detection.sift-<version>.jar` - The Sift connector jar file.
+    - `sift-java-<version>.jar` - The Sift Java SDK jar file.
+2. Copy the `org.wso2.carbon.identity.fraud.detection.sift-<version>.jar` file to the `<IS_HOME>/repository/components/dropins` directory.
+3. Copy the `sift-java-<version>.jar` file to the `<IS_HOME>/repository/components/lib` directory.
+4. Restart {{product_name}}.
+
+## Step 2: Add the API key
+
+To work with Sift, you need to register your Sift API key in {{product_name}}. To do so,
+
+1. On the {{product_name}} Console, go to **Login & Registration**.
+2. Click **Sift Configuratioin** and enter the API key.
+    ![Configuring Sift in WSO2 Console]({{base_path}}/assets/img/connectors/sift/sift-configs.png)
+3. Click **Update** to save the changes.
+
+## Step 3: Configure fraud detection settings
+
+After adding the API key, you can further configure how {{product_name}} interacts with Sift.
+
+### Information to include in the event payload
+
+- Enable **Include user profile information in the event payload** to include the user's `email`, `mobile`, and `name` in events sent to Sift.
+- Enable **Include user device metadata in the event payload** to include the user's `IP address` and `User Agent` in events sent to Sift.
+
+### Events to publish
+
+You can select which user events are published to Sift for fraud analysis:
+
+| Event | Description |
+|---|---|
+| **Registrations** | Publishes user registration events. |
+| **Credential Updates** | Publishes user credential update events. |
+| **User Profile Updates** | Publishes user profile update events. |
+| **Logins** | Publishes user login events. |
+| **Logouts** | Publishes user logout events. |
+| **User Verifications** | Publishes notification-based user verification events. |
+
+!!! note
+    User self-registration and password reset related Sift events are only published when using the legacy self-registration and password recovery flows.
+
+### Diagnostic logging
+
+Enable **Log event payloads locally** to log the event payloads sent to Sift as diagnostic logs in {{product_name}}. This is useful for troubleshooting your Sift integration.

en/includes/connectors/sift-v2/set-up.md

@@ -0,0 +1,142 @@
+# Usage
+
+Administrators can use the risk score or decision ID returned by Sift to decide whether to allow, deny, or step up authentication for a login attempt.
+
+{{product_name}} supports two mechanisms for Sift fraud detection:
+
+- **Event Publishing** — Passively publishes user events such as registrations, logins, logouts, credential updates, profile updates, and user verifications to Sift. Once configured, events are published automatically with no additional steps required. This is useful for events outside the login flow that conditional authentication cannot cover.
+- **Conditional Authentication** — Actively queries Sift during login and makes real-time authentication decisions based on the risk score or decision ID returned by Sift.
+
+This guide gives examples of how to use the Sift functions in [conditional authentication]({{base_path}}/guides/authentication/conditional-auth/) scripts to customize the login flow based on risk.
+
+## Prerequisites
+
+- If you haven't already, [register your application]({{base_path}}/guides/applications/#register-an-application) in {{product_name}}.
+
+- [Set up conditional authentication]({{base_path}}/guides/authentication/conditional-auth/configure-conditional-auth/) for your application.
+
+!!! note
+
+    Learn more about all the elements you can use to create conditional authentication scripts in its [API reference]({{base_path}}/references/conditional-auth/api-reference/).
+
+## Risk score-based scenario
+
+In this example scenario, imagine you want to fulfill the following requirements:
+
+- if the user's risk score exceeds 0.7, fail the login attempt.
+
+- if the risk score falls between 0.5 and 0.7, prompt for an extra login step.
+
+- if authentication fails, publish a login fail event to Sift.
+
+- Enable {{product_name}} to send the user ID, session ID, IP address to Sift for risk evaluation, but prevent sending the user agent information to Sift.
+
+You can implement this using the [getSiftRiskScoreForLogin()]({{base_path}}/connectors/sift/reference/#getsiftriskscoreforlogin) function in a conditional authentication script as shown below.
+
+```javascript
+var additionalParams = {
+    "loggingEnabled": true, // enable logging for debugging
+    "$user_agent": "" // prevent sending user agent info to Sift
+}
+var errorPage = '';
+var suspiciousLoginError = {
+    'status': 'Login Restricted',
+    'statusMsg': 'You login attempt was identified as suspicious.'
+};
+
+var onLoginRequest = function (context) {
+    executeStep(1, {
+        onSuccess: function (context) {
+            var riskScore = getSiftRiskScoreForLogin(context, "LOGIN_SUCCESS", additionalParams);
+            if (riskScore == -1) {
+                Log.info("Error occured while obtaining Sift score.");
+            }
+            if (riskScore > 0.7) {
+                sendError(errorPage, suspiciousLoginError);
+            } else if (riskScore > 0.5) {
+                executeStep(2);
+            }
+        },
+        onFail: function (context) {
+            publishLoginEventToSift(context, 'LOGIN_FAILED', additionalParams);
+        }
+    });
+};
+```
+
+How it works:
+
+- When a user attempts to log in, the script executes step 1 (e.g., username/password authentication).
+
+- If step 1 is successful, it calls the `getSiftRiskScoreForLogin()` function, passing the current authentication context, login status, and additional parameters. This function sends the relevant contextual data to Sift and retrieves the risk score.
+
+- Based on the returned risk score:
+
+  - If the score is greater than 0.7, it sends an error response, effectively blocking the login attempt.
+
+  - If the score is between 0.5 and 0.7, it executes step 2 (e.g., an additional authentication step like OTP).
+
+- If step 1 fails, it calls the `publishLoginEventToSift()` function to notify Sift of the failed login attempt, which can help improve future risk assessments.
+
+- Additional parameters enable logging and prevent {{product_name}} from sending the user agent information to Sift.
+
+## Decision ID-based scenario
+
+In this example scenario, imagine you want to fulfill the following requirements:
+
+- if the decision ID is `session_looks_bad_account_takeover`, fail the login attempt.
+
+- if the decision ID is `mfa_account_takeover`, prompt for an extra login step.
+
+- if the login fails, publish a login fail event to Sift.
+
+- Enable {{product_name}} to send the user ID, session ID, IP address to Sift for risk evaluation, but prevent sending the user agent information to Sift.
+
+You can implement this using the [getSiftWorkflowDecision()]({{base_path}}/connectors/sift/reference/#getsiftworkflowdecision) function in a conditional authentication script as shown below.
+
+```javascript
+var additionalParams = {
+    "loggingEnabled": true, // enable logging for debugging
+    "$user_agent": "", // prevent sending user agent info to Sift
+}
+var errorPage = '';
+var suspiciousLoginError = {
+    'status': 'Login Restricted',
+    'statusMsg': 'You login attempt was identified as suspicious.'
+};
+
+var onLoginRequest = function (context) {
+    executeStep(1, {
+        onSuccess: function (context) {
+            var workflowDecision = getSiftWorkflowDecision(context, "LOGIN_SUCCESS", additionalParams);
+            if (workflowDecision == null) {
+                Log.info("Error occured while obtaining Sift score.");
+            }
+            if (workflowDecision == "session_looks_bad_account_takeover") {
+                sendError(errorPage, suspiciousLoginError);
+            } else if (workflowDecision == "mfa_account_takeover") {
+                executeStep(2);
+            }
+        },
+        onFail: function (context) {
+            publishLoginEventToSift(context, 'LOGIN_FAILED', additionalParams);
+        }
+    });
+};
+```
+
+How it works:
+
+- When a user attempts to log in, the script executes step 1 (e.g., username/password authentication).
+
+- If step 1 is successful, it calls the `getSiftWorkflowDecision()` function, passing the current authentication context, login status, and additional parameters. This function sends the relevant contextual data to Sift and retrieves the decision ID.
+
+- Based on the returned decision ID:
+
+  - If the decision ID is `session_looks_bad_account_takeover`, it sends an error response, effectively blocking the login attempt.
+
+  - If the decision ID is `mfa_account_takeover`, it executes step 2 (e.g., an additional authentication step like OTP).
+
+- If step 1 fails, it calls the `publishLoginEventToSift()` function to notify Sift of the failed login attempt, which can help improve future risk assessments.
+
+- Additional parameters enable logging and prevent {{product_name}} from sending the user agent information to Sift.