ThreatMetrix Integration Kit

Adding review statuses to your authentication policy

By modifying your PingFederate authentication policy to include the review status from ThreatMetrix, you can dynamically change authentication requirements based on security risk level.

About this task

These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see Authentication API in the PingFederate documentation.

ThreatMetrix automatically tunes its rules and policies based on user behavior. To accommodate an initial training period, we recommend that you allow all transactions to succeed for a period of time, regardless of review status.

Steps

  1. In the PingFederate administrative console, go to the Policies tab.

    • For PingFederate 10.1 or later: go to Authentication → Policies → Policies.

    • For PingFederate 10.0 or earlier: go to Identity Provider → Authentication Policies → Policies.

  2. Select the IdP Authentication Policies check box.

  3. Open an existing authentication policy, or click Add Policy.

    For help, see Defining authentication policies in the PingFederate documentation.

  4. In the Policy area, select your ThreatMetrix IdP Adapter instance.

  5. Map the user ID into the ThreatMetrix IdP Adapter instance:

    A screenshot that shows the Incoming User ID dialog with the user identifier selected
    1. Under the ThreatMetrix IdP Adapter instance, click Options.

    2. On the Options dialog, from the Source list, select a previous authentication source that collects the user ID.

    3. From the Attribute list, select the user ID.

    4. Click Done. For PingFederate 10.2 and later, select the User ID Authenticated check box.

  6. Define policy paths based on the information provided by ThreatMetrix:

    1. Under the ThreatMetrix IdP Adapter instance, click Rules.

    2. On the Rules dialog, from the Attribute Name list, select reviewStatus.

    3. From the Condition list, do one of the following:

      • For reviewStatus, select equal to.

      • For reasonCode, select multi-value contains.

    4. In the Value field, do one of the following:

      • For reviewStatus, enter "pass", "review", "challenge", or "reject".

      • For reasonCode, enter a ThreatMetrix reason code.

        Reason codes reflect the policy or policies that ThreatMetrix used to determine the review status. In the ThreatMetrix admin console, set meaningful names for your policies and enter the names here.

    5. In the Result field, enter a name.

      This appears as a new policy path that branches from the ThreatMetrix IdP Adapter.

    6. If you want to add more authentication paths, click Add and repeat substeps 2-5.

    7. Optional: Clear the Default to success check box.

    8. Click Done.

  7. Configure each of the authentication paths.

    If ThreatMetrix is unreachable or returns an error, the Failure mode setting described in Configuring an adapter instance assigns a default review status. As a result, the Fail outcome of the ThreatMetrix IdP Adapter instance is not used.

    The complete authentication policy
  8. Click Done. In the Policies window, click Save.
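
The branching configured in step 6 can be modeled as below. This is an added example, not PingFederate or ThreatMetrix code; the path names (`Block`, `Step-up MFA`, `Allow`), the reason code `Example_Stolen_Device_Policy`, first-match rule ordering, and the `Success`/`Fail` fallback names are assumptions made for illustration.

```python
# Added illustration: models the Rules dialog logic; not PingFederate code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    attribute: str  # "reviewStatus" or "reasonCode"
    condition: str  # "equal to" or "multi-value contains"
    value: str
    result: str     # policy path name typed into the Result field


def matches(rule, attrs):
    actual = attrs.get(rule.attribute)
    if actual is None:
        return False
    if rule.condition == "equal to":
        return actual == rule.value
    if rule.condition == "multi-value contains":
        values = actual if isinstance(actual, (list, tuple, set)) else [actual]
        return rule.value in values
    raise ValueError(f"unsupported condition: {rule.condition}")


def select_path(rules, attrs, default_to_success=True):
    # Assumption: rules are checked top to bottom and the first match wins.
    for rule in rules:
        if matches(rule, attrs):
            return rule.result
    # No rule matched: the Default to success check box decides the outcome.
    return "Success" if default_to_success else "Fail"


# Constructed rule set; path names and the reason code are hypothetical.
RULES = [
    Rule("reasonCode", "multi-value contains", "Example_Stolen_Device_Policy", "Block"),
    Rule("reviewStatus", "equal to", "reject", "Block"),
    Rule("reviewStatus", "equal to", "challenge", "Step-up MFA"),
    Rule("reviewStatus", "equal to", "review", "Step-up MFA"),
    Rule("reviewStatus", "equal to", "pass", "Allow"),
]

if __name__ == "__main__":
    # Constructed adapter outputs, including a status that no rule covers.
    for attrs in ({"reviewStatus": "pass", "reasonCode": []},
                  {"reviewStatus": "unexpected", "reasonCode": []}):
        print(attrs, "->", select_path(RULES, attrs, default_to_success=False))
```

In this model, clearing Default to success sends a review status that no rule covers to the fail outcome instead of letting it succeed.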