PingAccess

Risk policy field descriptions

The following table describes the fields available for managing risk policies on the Risk Policies tab in the PingAccess administrative console.

Field Required Description

Name

Yes

A unique name for the risk policy.

PingOne Connection

Yes

The PingOne connection you created in steps 2a-2c of Adding a PingOne connection.

PingOne Risk Policy ID

No

The ID of the PingOne risk policy you want to use to perform risk evaluation.

A null value tells PingOne Protect to use a default policy.

You can only configure a PingOne risk policy in PingOne Protect.

PingAccess doesn’t currently support device profiling, so New Device and other device-related PingOne predictor types shouldn’t be included in a PingOne risk policy that you intend to use with PingAccess. Some of these device-related predictor types are included in the default PingOne risk policy. Make sure to remove the following predictor types from your configuration or adjust the weights or scores associated with them:

  • Anonymous network detection

  • Geovelocity anomaly

  • IP reputation

  • IP velocity

  • New device

  • User location anomaly

For more information, see Risk policies in the PingOne Cloud Platform documentation.

Risk Check Interval (MS)

No

How often PingAccess requests an evaluation from PingOne Protect for the same end-user.

This field accepts values from zero to a full day. The default value is 20000 ms (20 seconds).

To have PingOne Protect perform an evaluation on every request that an end-user makes, you can set this value to 0. However, evaluating every request could slow down your environment’s performance.

User ID Attribute

Yes

Tells PingOne Protect what kind of user attribute to define as an end-user’s user ID.

High Risk Policy Evaluator

Yes

A policy that tells PingAccess what action to take if the returned risk score from an end-user’s request is HIGH.

In the High Risk Policy Evaluator list, select one of the following options:

Allow

The default value. Permits the end-user’s request.

Authentication Challenge Policy

Directs the user to reauthenticate. If you select this option, you must select an Authentication Challenge Policy to use. Adjusting the Authentication Validity Period (M) is optional.

Deny

Rejects the end-user’s request. If you select this option, you must select a Rejection Handler to use.

Rule

PingAccess evaluates a rule you specify to determine how to proceed. If you select this option, you must select a specific web Rule to use.

API policy is currently incompatible with this type of policy evaluator. For more information on web policy and API policy, see Applying rules to applications and resources. The following PingAccess rule types are API-specific, and thus currently unusable on a protected web application:

Rule Set

PingAccess evaluates a rule set you specify to determine how to proceed. If you select this option, you must select a Rule Set to use.

Medium Risk Policy Evaluator

Yes

A policy that tells PingAccess what action to take if the returned risk score from an end-user’s request is MEDIUM.

In the Medium Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry.

Low Risk Policy Evaluator

Yes

A policy that tells PingAccess what action to take if the returned risk score from an end-user’s request is LOW.

In the Low Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry.

Failed Risk Policy Evaluator

Yes

A policy that tells PingAccess what action to take if the returned risk score is an invalid value or if the risk evaluation service is unavailable.

In the Failed Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry.
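
An added example, not part of the PingAccess documentation or product: a Python check that reviews a risk policy against the constraints described in the table above, including the companion setting each evaluator option requires. The dictionary keys and the sample policy are hypothetical and constructed for illustration; they are not the PingAccess Admin API schema.

```python
# Added example: key names are hypothetical, not the PingAccess Admin API schema.
DAY_MS = 24 * 60 * 60 * 1000  # "a full day" in milliseconds
REQUIRED = ("name", "pingone_connection", "user_id_attribute")
# Evaluator option -> companion setting the page says must also be selected.
COMPANION = {
    "Allow": None,
    "Authentication Challenge Policy": "authentication_challenge_policy",
    "Deny": "rejection_handler",
    "Rule": "rule",
    "Rule Set": "rule_set",
}

def review_risk_policy(policy):
    """Return findings for one risk policy given as a plain dict."""
    findings = [f"{f}: required field is empty" for f in REQUIRED if not policy.get(f)]
    if policy.get("pingone_risk_policy_id") is None:
        findings.append("pingone_risk_policy_id: null, PingOne Protect default "
                        "policy applies; check its device-related predictors")
    interval = policy.get("risk_check_interval_ms", 20000)  # documented default
    if not 0 <= interval <= DAY_MS:
        findings.append("risk_check_interval_ms: outside zero to a full day")
    elif interval == 0:
        findings.append("risk_check_interval_ms: 0 evaluates every request")
    for level in ("high", "medium", "low", "failed"):
        evaluator = policy.get(f"{level}_evaluator") or {}
        action = evaluator.get("action")
        if action not in COMPANION:
            findings.append(f"{level}_evaluator: missing or unknown option")
            continue
        needs = COMPANION[action]
        if needs and not evaluator.get(needs):
            findings.append(f"{level}_evaluator: {action} requires {needs}")
        if action == "Allow" and level in ("high", "failed"):
            findings.append(f"{level}_evaluator: Allow permits the request")
    return findings

# Constructed sample policy, for illustration only.
SAMPLE = {
    "name": "web-risk", "pingone_connection": "p1-conn",
    "user_id_attribute": "sub", "pingone_risk_policy_id": None,
    "risk_check_interval_ms": 20000,
    "high_evaluator": {"action": "Deny"},
    "medium_evaluator": {"action": "Authentication Challenge Policy",
                         "authentication_challenge_policy": "mfa"},
    "low_evaluator": {"action": "Allow"},
    "failed_evaluator": {"action": "Allow"},
}

if __name__ == "__main__":
    print("\n".join(review_risk_policy(SAMPLE)))
```

For the sample, the check reports the null policy ID, the Deny evaluator with no Rejection Handler, and the Failed evaluator left at Allow.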