Adding risk level results to your authentication policy
By modifying your PingFederate authentication policy to include the Result from PingOne Risk, you can dynamically change authentication requirements based on security risk level.
Before you begin
The steps in this topic assume that an HTML Form Adapter exists for login purposes. Learn more about creating an HTML Form Adapter for login in Configuring an HTML Form Adapter instance.
About this task
These steps are designed to help you add to an existing authentication policy. Learn more about configuring authentication policies in PingFederate authentication API in the PingFederate documentation.
For new deployments, you should allow for a training period. To do this, configure your policy to pass traffic through the PingOne Risk IdP Adapter and continue regardless of the result it returns. When you are ready to end the training period, adjust your authentication policy as described here.
When the authentication flow finishes, PingFederate informs PingOne Risk whether the user ultimately succeeded or failed. This is an important consideration when designing your authentication flow. For example, a user receives a Result of |
Steps
1. In the PingFederate administrative console, go to the Policies tab.
   Choose from:
   - For PingFederate 10.1 or later: go to Authentication > Policies > Policies.
   - For PingFederate 10.0 or earlier: go to Identity Provider > Authentication Policies > Policies.
2. Select the IdP Authentication Policies checkbox.
3. Open an existing authentication policy, or click Add Policy.
   Learn more in Defining authentication policies in the PingFederate documentation.
4. In the Policy area, in the Select list, select a PingOne Risk IdP Adapter instance.
5. Map the user ID into the PingOne Risk IdP Adapter instance.
   a. Under the PingOne Risk IdP Adapter instance, click Options.
   b. In the Options dialog, in the Source list, select a previous authentication source that collects the user ID.
   c. In the Attribute list, select the user ID. Click Done.
6. Define policy paths based on risk results.
   a. Under the PingOne Risk IdP Adapter instance, click Rules.
   b. In the Rules dialog, in the Attribute Name list, select riskLevel or riskValue.
   c. In the Condition list, select equal to.
   d. In the Value field, if you selected riskLevel, enter LOW, MEDIUM, or HIGH. If you selected riskValue, enter one of the risk values that you configured in PingOne.
   e. In the Result field, enter a name.
      This appears as a new policy path that branches from the authentication source.
   f. Optional: To add more policy paths, click Add and repeat steps 6b-6e.
   g. Optional: Clear the Default to success check box.
      Leave it selected only if a risk result that matches none of your rules should fall through to the success path.
   h. Click Done.
7. Complete the authentication policy:
   a. Configure each of the policy paths.
   b. Optional: To allow users to continue to sign on by satisfying stricter authentication requirements when PingOne Risk is unreachable or returns an error, do one of the following:
      - In your PingOne Risk IdP Adapter instance, set the Failure mode as shown in PingOne Risk IdP adapter settings reference.
      - In your authentication policy, set the Fail outcome of the PingOne Risk IdP Adapter instance to point to a second authentication factor, as shown in the following image.
   c. Click Done.
8. In the Policies window, click Save.
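The following is an added illustration of how the policy paths configured in steps 6 and 7 branch on a risk result; it is not PingFederate or PingOne code. The evaluation order (rules checked in order with an "equal to" condition, the Default to success fallback, the adapter's Fail outcome, and a training mode that ignores the result), the path names "Low risk", "Medium risk", "High risk" and "Step up", and the modelling of Failure mode as "treat an unreachable service as an empty result" are all assumptions made for the example; consult the adapter settings reference for the actual Failure mode behavior.

```python
"""Model of a PingFederate authentication policy branching on a PingOne
Risk result.  Added example only: not PingFederate or PingOne code.  The
rule semantics, path names and Failure mode handling are assumptions
drawn from the console steps in this topic."""
from dataclasses import dataclass
from typing import Optional

SUCCESS = "Success"   # the policy's default success path
FAIL = "Fail"         # the adapter's Fail outcome


@dataclass(frozen=True)
class Rule:
    attribute: str   # "riskLevel" or "riskValue" (step 6b)
    value: str       # LOW / MEDIUM / HIGH, or a riskValue configured in PingOne (step 6d)
    result: str      # name of the policy path this rule branches to (step 6e)


@dataclass
class RiskPolicy:
    rules: list
    default_to_success: bool = True    # the "Default to success" check box (step 6g)
    training_mode: bool = False        # training period: pass through, ignore the result
    continue_on_failure: bool = False  # assumed Failure mode "continue" (step 7b)

    def select_path(self, risk_result: Optional[dict]) -> str:
        """Return the policy path taken for one risk evaluation.

        risk_result is the attribute set the adapter returns, for example
        {"riskLevel": "HIGH"}; None models PingOne Risk being unreachable
        or returning an error."""
        if self.training_mode:
            # Training period: every user continues regardless of the result.
            return SUCCESS
        if risk_result is None:
            if not self.continue_on_failure:
                # Fail outcome; step 7b suggests pointing it at a second factor.
                return FAIL
            # Assumption: Failure mode "continue" behaves like an empty result,
            # so no rule matches and Default to success decides.
            risk_result = {}
        for rule in self.rules:           # rules are checked in order
            if risk_result.get(rule.attribute) == rule.value:
                return rule.result
        return SUCCESS if self.default_to_success else FAIL


def level_policy(default_to_success: bool = False) -> RiskPolicy:
    """One rule per riskLevel, as steps 6b-6f describe (path names assumed)."""
    return RiskPolicy(
        rules=[
            Rule("riskLevel", "LOW", "Low risk"),
            Rule("riskLevel", "MEDIUM", "Medium risk"),
            Rule("riskLevel", "HIGH", "High risk"),
        ],
        default_to_success=default_to_success,
    )


if __name__ == "__main__":
    enforced = level_policy()
    # Constructed sample results, including an unexpected level and an outage.
    for result in ({"riskLevel": "LOW"}, {"riskLevel": "HIGH"},
                   {"riskLevel": "UNKNOWN"}, None):
        print(result, "->", enforced.select_path(result))
```

The unexpected-level and outage cases are the ones worth checking in your own policy: with Default to success cleared, anything your rules do not name ends at the Fail outcome, so that outcome needs a path of its own (step 7b) or users are locked out when the risk service is unavailable.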