Risk policy field descriptions
The following table describes the fields available for managing risk policies on the Risk Policies tab in PingAccess.
Field | Required | Description
---|---|---
Name | Yes | A unique name for the risk policy.
PingOne Connection | Yes | The PingOne connection that you created in steps 2a-2c of Adding a PingOne connection.
PingOne Risk Policy ID | No | The ID of the PingOne risk policy that you want to use to perform risk evaluation. A null value tells PingOne Protect to use a default policy.
Risk Check Interval (MS) | No | The rate at which PingAccess requests an evaluation from PingOne Protect for the same end user. This field accepts values from zero to a full day. The default value is 20000 ms (20 seconds).
User ID Attribute | Yes | Tells PingOne Protect what kind of user attribute to define as an end user’s user ID.
High Risk Policy Evaluator | Yes | A policy that tells PingAccess what action to take if the returned risk score from an end user’s request is In the High Risk Policy Evaluator list, select one of the following options:
Medium Risk Policy Evaluator | Yes | A policy that tells PingAccess what action to take if the returned risk score from an end user’s request is In the Medium Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry.
Low Risk Policy Evaluator | Yes | A policy that tells PingAccess what action to take if the returned risk score from an end user’s request is In the Low Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry.
Failed Risk Policy Evaluator | Yes | A policy that tells PingAccess what action to take if the returned risk score is an invalid value or if the risk evaluation service is unavailable. In the Failed Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry.
Device Profiling Method | Yes | Specify if and how you want to collect an end user’s device profile. The default value is In the Device Profiling Method list, select one of the following options:
Device Profile Interval (S) | No | Define, in seconds, how frequently PingAccess should interrupt end-user requests to gather device profile data when the Device Profiling Method is set to Captured by PingAccess. This parameter accepts an integer value between 1 and 86400 seconds. The default value is
Device Profile Timeout (MS) | No | Define, in milliseconds, how long the device profiling collection script will attempt to collect an end user’s device profile when the Device Profiling Method is set to Captured by PingAccess. If this timeout is exceeded, the script can’t send device profile cookies to PingAccess, so PingAccess will follow the Invalid Profile Risk Policy. The default value is
Device Profile Cookie Prefix | No | Define the cookie prefix that’s used to send device profile data to PingAccess. The cookie prefix must be a valid token as described by RFC 6265. The default value is
Send Device Profile | No | Select this check box if you want PingAccess to include device profile cookies in requests made to the protected application. This check box is cleared by default.
Invalid Profile Risk Policy | Yes | A policy that tells PingAccess what action to take in response to an end user’s request if the device profile information sent to PingAccess is invalid. For example, device profile information could be invalid because it’s missing or because it isn’t being collected as expected. In the Invalid Profile Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry.
IP Change Enforcement | Yes | Specify the enforcement strategy that you want to use when PingAccess detects an IP address change from the end user. The default value is In the IP Change Enforcement list, select one of the following options:

Advanced Settings
To configure advanced settings on a risk policy, expand the Show Advanced Settings section at the bottom of the Risk Policy page. These settings are optional.
- Device Profile Page

  Specify the HTML template that PingAccess should render if the Device Profiling Method is set to Captured by PingAccess.

  If you leave this field blank, PingAccess populates it with the PA_HOME/conf/template/system/pingone.protect.template.html default HTML template file after you save the risk policy.

  This default template contains the code that PingAccess uses to collect device profile data. Making changes to this template might interfere with PingAccess’s ability to collect device profile data. You can make style changes to this template, but you should avoid making functional changes to it.

- Max Expected Device Profile Cookies

  You must set the Device Profiling Method to Captured by PingAccess to use this configuration option.

  Define the number of device profile cookies that PingAccess attempts to reset when it displays the Device Profile Page. The default value is 5. You must specify a value between 1 and 64.

  If PingAccess has seen the user before, it checks the user session data to determine the last set of device profile cookies it was sent and resets those cookies when it displays the device profile page. Max Expected Device Profile Cookies is only used when PingAccess is unable to determine the last set of device profile cookies that it was sent from the user.

  If you use the default Device Profile Cookie Prefix, p1_device_prof, then PingAccess resets the cookies for p1_device_prof0, p1_device_prof1, p1_device_prof2, p1_device_prof3, and p1_device_prof4 so that the device profile page can edit them with the correct data.
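
The following pre-flight check is an added example, not code from PingAccess or Ping Identity. It validates a planned cookie prefix against the RFC 6265 token rule, checks the numeric limits stated on this page, and lists the cookie names that Max Expected Device Profile Cookies would cause to be reset. The function and parameter names are hypothetical, and the sample values are constructed.

```python
import re

# RFC 6265 cookie names are "tokens": US-ASCII with no controls or separators.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
DAY_MS = 24 * 60 * 60 * 1000  # "a full day" expressed in milliseconds


def is_cookie_token(value):
    """True if value can be used as (the start of) a cookie name."""
    return bool(_TOKEN.fullmatch(value))


def expected_cookie_names(prefix, max_expected=5):
    """Names PingAccess resets when it has no earlier cookie set for the user."""
    return [f"{prefix}{i}" for i in range(max_expected)]


def check_risk_policy(prefix, risk_check_interval_ms=20000,
                      device_profile_interval_s=None, max_expected=5):
    """Return a list of problems; empty means the values fit the documented limits."""
    problems = []
    if not is_cookie_token(prefix):
        problems.append("Device Profile Cookie Prefix is not an RFC 6265 token")
    if not 0 <= risk_check_interval_ms <= DAY_MS:
        problems.append("Risk Check Interval (MS) must be between 0 and one day")
    if device_profile_interval_s is not None and not 1 <= device_profile_interval_s <= 86400:
        problems.append("Device Profile Interval (S) must be between 1 and 86400")
    if not 1 <= max_expected <= 64:
        problems.append("Max Expected Device Profile Cookies must be between 1 and 64")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the documented defaults, then a bad set.
    print(check_risk_policy("p1_device_prof"))
    print(expected_cookie_names("p1_device_prof"))
    print(check_risk_policy("device prof;", DAY_MS + 1, 0, 65))
```

A prefix containing a space, semicolon, equals sign or other separator fails the token check, because the resulting cookie names could not be sent as valid cookies.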