PingOne

Adding risk level results to your authentication policy

By modifying your PingFederate authentication policy to include the risk evaluation ("LOW", "MEDIUM", and "HIGH") from PingOne Protect, you can dynamically change authentication requirements based on security risk level.

About this task

These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see PingFederate authentication API in the PingFederate documentation.

For new deployments, you should allow for a training period. To do this, configure your policy to pass traffic through the PingOne Protect IdP Adapter and continue regardless of the risk evaluation result. When you are ready to end the training period, adjust your authentication policy as described here.

When the authentication flow finishes, PingFederate informs PingOne Protect whether the user ultimately succeeded or failed. This is an important consideration when designing your authentication flow.

For example, a user receives a risk evaluation of HIGH, but ultimately completes the PingFederate authentication policy successfully. Based on that success, PingOne Protect now considers the user authentic and lowers the risk evaluation to MEDIUM or LOW on the next attempt.

Steps

  1. In the PingFederate administrative console, go to the Policies tab.

    Choose from:

    • For PingFederate 10.1 or later: go to Authentication → Policies → Policies.

    • For PingFederate 10.0 or earlier: go to Identity Provider → Authentication Policies → Policies.

  2. Select the IdP Authentication Policies check box.

  3. Open an existing authentication policy, or click Add Policy.

    See Defining authentication policies in the PingFederate documentation.

  4. In the Policy area, in the Select list, select a PingOne Protect IdP Adapter instance.

    A screen capture of adding the PingOne Risk IdP Adapter to the authentication policy
  5. Map the user ID into the PingOne Protect IdP Adapter instance.

    A screen capture showing passing the user ID from the first-factor authentication adapter to the PingOne Risk IdP Adapter
    1. Under the PingOne Protect IdP Adapter instance, click Options.

    2. In the Options dialog, in the Source list, select a previous authentication source that collects the user ID.

    3. In the Attribute list, select the user ID. Click Done.

  6. Define policy paths based on risk results.

    A screen capture showing branching the authentication policy based on risk results
    1. Under the PingOne Protect IdP Adapter instance, click Rules.

    2. In the Rules dialog, from the Attribute Name list, select riskLevel or riskValue.

    3. In the Condition list, select equal to.

    4. In the Value field, if you selected riskLevel, enter LOW, MEDIUM, or HIGH.

      If you selected riskValue, enter one of the risk values that you configured in PingOne.

    5. In the Result field, enter a name.

      This appears as a new policy path that branches from the authentication source.

    6. Optional: To add more policy paths, click Add and repeat steps 6b-6e.

    7. Optional: Clear the Default to success check box.

    8. Click Done.

  7. Complete the authentication policy:

    1. Configure each of the policy paths.

    2. Optional: To allow users continue to sign on by satisfying stricter authentication requirements when PingOne Protect is unreachable or returns an error, do one of the following.

      Choose from:

      • In your PingOne Protect IdP Adapter instance, set the Failure mode as shown in IdP Adapter settings reference.

      • In your authentication policy, set the Fail outcome of the PingOne Protect IdP Adapter instance to point to a second authentication factor, as shown in the example below.

    Screen capture of the complete authentication policy
  8. Click Done.

  9. In the Policies window, click Save.