Connectors

PingOne Protect Connector

This connector lets you use PingOne Protect in a PingOne DaVinci flow to improve the user experience, reduce fatigue, lower the probability of unintentional push approvals, and issue challenges or deny access in high-risk situations.

PingOne Protect is a cloud-based service that applies machine learning and configurable, intelligent security policies to analyze user identity and detect potential threats. PingOne Protect combines multiple risk factors to calculate an overall risk score.

When you add a PingOne Protect connector in a flow, you can define different paths based on the recommended action (when available), the risk level, or the risk score calculated by PingOne Protect in a risk evaluation. For example:

  • Skip the MFA challenge for low risk.

  • Use a specific authentication method if user behavior data suggests medium or high risk.

  • Block access completely for high risk, such as when the recommended action is bot mitigation or if impossible user travel is detected.

Learn more in the PingOne Protect documentation.

Setup

Resources

Learn more in the following documentation:

Requirements

To use the connector, you’ll need:

  • A PingOne Protect license

  • A PingOne environment with PingOne Protect added. Learn more in Adding an environment.

  • A worker application configured in your PingOne environment. Learn more in Adding an application.

  • A PingOne Protect risk policy. You can use the default risk policy or create a custom risk policy. Learn more in Risk policies.

Setting up the connector

  1. Follow the instructions in Getting started with PingOne Protect.

  2. In DaVinci, add a PingOne Protect connector.

Connector configuration

Environment ID

The Environment ID from the Environment Properties page of the relevant environment in PingOne.

Client ID

The Client ID of the worker application you created in PingOne.

Client Secret

The Client Secret from the Configuration tab of your PingOne worker application.

Using the connector in a flow

Use the PingOne Protect connector to add risk evaluations to different types of flows, such as sign-on with MFA or passwordless sign-on. You can use the PingOne Protect connector in template flows available in the Integration Directory, such as:

Learn more about risk evaluations and how the response result affects the user flow in Reviewing risk evaluations.

The PingOne Protect connector provides these capabilities:

  • Create Risk Evaluation: Add in the flow where you want to base the next action on the risk score or level calculated. For example, show an MFA prompt for medium or high risk but automatically grant access for low risk.

  • Update Risk Evaluation: Add in the flow after authentication has been completed. This capability represents the system’s ability to learn over time to improve results and is essential for risk evaluation precision.

The following diagram shows an example user transaction flow with the two different PingOne Protect connector capabilities:

A diagram of an example DaVinci flow with the Create Risk Evaluation and Update Risk Evaluation connectors.

Create Risk Evaluation

Evaluate risk for a specific transaction based on predictors, such user location anomaly, IP reputation, and bot detection. Learn more in Predictors.

Steps

  1. In your flow, add a PingOne Protect connector and select the Create Risk Evaluation capability.

  2. On the General tab, enter the following information:

    • User Name

    • User ID

    • IP

    • Risk Policy ID (optional): If you’ve created custom risk policies beyond the default risk policy, you can enter the ID of the risk policy you want to use in the flow.

      You can find the ID for a risk policy on the Risk Policies page in your environment in PingOne. If you don’t provide a risk policy ID, the connector uses the default risk policy.

    • Custom Attributes (optional): If you’re using a policy that includes one or more custom predictors that require external data, use the Custom Attributes field to enter the names of the custom attributes and their values.

      For example:

      {"managedDevice" : isManaged, "transactionValue" : transactionValueVar}

      The attribute names must match the attribute names you used in the custom predictors that you created and included in the risk policy. Learn more in Adding custom predictors and Using third-party risk scores with PingOne Protect.

      A screen capture of the Custom Attributes field in the Protect connector.

  3. Click Apply.

  4. To improve risk analysis, include the data for additional risk-related variables provided by the Signals (Protect) SDK.

    Risk evaluation can be performed without the Signals (Protect) SDK payload if there’s no way to provide the payload. However, some predictors require the SDK payload and won’t return a risk level if the payload is missing. Learn more in Predictors.

    You can manually deploy the Signals (Protect) SDK when integrating using the DaVinci APIs. For mobile applications or integrating your webpage with DaVinci using APIs instead of redirecting, you’ll:

    • Deploy the Signals (Protect) SDK.

    • Send the SDK payload and the rest of the required data, such as username, user ID, IP address, and any custom attributes to DaVinci using the API.

    • Include a variable in your flow that represents the data obtained.

    To manually deploy the SDK:

    1. Follow the PingOne Protect Native SDKs documentation to implement the SDK in your mobile app or webpage.

    2. Set global variables using the SDK to pass risk-related information from the SDK and map the information into the risk evaluation in DaVinci.

    3. In DaVinci, click the applicable PingOne Protect connector with the Create Risk Evaluation capability in your flow to open its settings.

      1. On the Device Configurations tab, for Risk input from device, enter the name of the variable that represents the data obtained from the SDK in your manual implementation.

      2. In the User Agent field, enter the user agent string for the browser, if available.

        User Agent is included in the SDK payload by default.

      3. To improve risk analysis, use the Cookie field to provide the value of a persistent cookie, if available.

      4. If you want to maintain your own device IDs, you can assign external device IDs that are not managed by the SDK, such as device serial number or mobile application installation ID. External IDs can be sent to DaVinci using the API.

        For example, in a workforce user flow, you can use the Google Chrome Device Trust connector to map the user device serial number when using the Chrome browser.

      5. To pass the risk information from the SDK to DaVinci, map the global variables that you set with the SDK into DaVinci:

        1. On the Log Fields Mapping tab, click + Field.

        2. Select and enter the global variables you set with the SDK.

Update Risk Evaluation

Update an existing risk evaluation to include the flow completion status for the risk evaluation. Updating the completion status allows PingOne Protect to refine and improve the accuracy of future risk evaluations. Always include a PingOne Protect connector with the Update Risk Evaluation capability in your flows to allow PingOne Protect to learn over time. The Update Risk Evaluation event includes one of the following flow completion statuses for the risk evaluation:

  • SUCCESS when the user was granted access or passed the MFA challenge

    Only events with completionStatus=SUCCESS allow the predictors to learn.

  • FAILED when the user was denied access or failed the MFA challenge

    If a user is unable to successfully complete an event, such as if their authentication failed, the risk evaluation for the event is updated as completionStatus=FAILED.

If completionStatus isn’t updated, the status remains completionStatus=IN_PROGRESS, and the predictor can’t learn from the event and stays in training mode.

Steps

  1. Add a PingOne Protect connector with the Update Risk Evaluation capability in your flow at the end of each possible path.

  2. Update the risk evaluation completion status for SUCCESS and FAILED events.

    Learn more in Updating completion status for risk evaluations.

Capabilities

Create Risk Evaluation

Evaluate risk for a specific transaction. Risk results are based on predictors like user behavior anomalies, IP reputation analysis, Geo velocity and other risk models.

Show details
User ID textField required

The ID of the user whose risk is being evaluated.

User Name textField

The username of the user whose risk is being evaluated.

User Type dropDown

Indicates whether the user exists in the PingOne directory or in an external directory.

  • EXTERNAL (Default)

  • PING_ONE

User Groups textField

User groups names.

Password textField

The password entered by the user.

Password Hash Algorithm dropDown

Password hashing method.

  • SHA_256 (Default)

  • SHA_384

IP textField

The IP address of the user who initiated the flow.

Application ID textField

The ID for the application or resource the user wants to access.

Application Name textField

The name of the application or resource the user wants to access.

Flow Type textField

The type of flow in which risk is evaluated.

Default: AUTHENTICATION

Flow Subtype textField

The subtype of the flow.

Session ID textField

The unique session ID associated with the event.

Risk input from device textField
User Agent textField

The user agent of the browser/device that triggered the flow.

Cookie textField

The cookie of the browser/device that triggered the flow.

External ID textField

A unique device identifier generated and managed independently of the Signals SDK (SKrisk).

Risk Policy ID textField

The risk policy set used during risk evaluation.

Custom Attributes textField

Your Custom Atributes defined at Ping.

Update Risk Evaluation

Update an existing risk evaluation to refine future results.

Show details
Risk Evaluation ID textField

ID of the Risk Evaluation

Risk Evaluation status textField

status of the Risk Evaluation

Troubleshooting

To start troubleshooting issues with the PingOne Protect connector, try the following:

  • Test your implementation. Learn more in the PingOne Protect Integration Testing knowledgebase article.

  • For each connector in the flow, make sure you provided all required inputs.

  • For mobile applications, if you’re using the skrisk component to include the data provided by the Signals (Protect) SDK, make sure that you followed the steps in the PingOne Protect Native SDKs documentation.

  • To use the DaVinci Analytics feature to see where the flow stopped, open your flow and click Analytics in the lower-left corner of the flow editor. Learn more in Debugging and analytics.

  • Open your flow, click the More Options (⋮) icon, and click the Show Node ID toggle. This makes it easier to identify the source of inputs and outputs.