PingAccess

Creating iovation Device Risk authorization rules

Create a rule to share device information with iovation Device Risk and allow or deny access based on the response.

About this task

When this rule runs, the iovation response is stored in the com.pingidentity.pa.iovation.kit:policy.decision.outcome property. Possible values are allow, deny, and review.

This property can be used by Groovy rules or custom plugins.

Steps

  1. In the PingAccess admin console, click Access, then go to Rules > Rules.

  2. Click Add Rule.

  3. In the Name field, enter a unique name for the rule.

    The name can be up to 64 characters long and can include special characters and spaces.

  4. In the Type list, select Iovation Device Risk authorization.

  5. In the iovation Service list, select a third-party service to use for outbound fraud checks to iovation.

  6. In the Blackbox Cookie Name Prefix field, enter the prefix of the cookies containing the iovation blackbox captured previously by the iovation Device Risk Device Profiling rule.

    The default value is iovation_bb.

  7. In the Subscriber ID field, enter the subscriber ID that iovation gave you.

  8. In the Subscriber Account field, enter the subscriber account name that iovation gave you.

  9. In the Subscriber Passcode field, enter the passcode that authorizes your ID and account with iovation.

  10. In the iovation Integration Point field, enter the integration point associated with the rule set you want to use.

  11. (Optional) In the Account Code Attribute field, enter the name of an attribute containing a unique identifier for each end user to send to iovation as the account code.

  12. (Optional) In the Transaction Insight Parameter Mappings section, configure one or more mappings from identity attributes in PingAccess to iovation Transaction Insight Parameters.

    The attributes are provided to iovation in the specified parameters.

    1. In the Attribute Name field, enter the attribute to use as a source.

    2. In the Transaction Insight Parameter field, enter the iovation Transaction Insight Parameter to use for the specified attribute.

    3. (Optional) Click Add Row to add one or more additional mappings.

  13. If additional options need to be configured, click Show Advanced.

    Advanced Settings
    Advanced Option Description

    Fraud Check Frequency (ms)

    The number of milliseconds between iovation fraud checks.

    The default value is 20000.

    iovation Fraud Check API Endpoint

    The application programming interface (API) endpoint where iovation fraud check requests are directed.

    If not specified, a value of /fraud/v1/subs/subscriberId/checks is used, where subscriberId is the value in the Subscriber ID field.

    iovation Failure Mode

    Specifies whether PingAccess should allow or deny access if the communication with iovation isn’t completed successfully.

    The default value is Deny.

    Invalid Blackbox Failure Mode

    Specifies whether PingAccess should allow or deny access if the blackbox device profile isn’t in a usable state. This situation can occur when the blackbox hasn’t already been collected from a previous exchange processed by this rule or when the collected blackbox has reached the end of its lifetime.

    The default value is Deny, which denies access. A value of Continue performs a risk assessment with no blackbox profile, while a value of Allow allows access.

    iovation Protocol Error Handling

    This section specifies the error parameters to use on a failure if there’s a failure to communicate with iovation for the fraud check API request.

    To configure the iovation Protocol Error Handling section:

    1. In the Error Response Code field, enter the HTTP response code for the error response.

    2. (Optional) In the Error Response Template File field, you can enter the name of a custom error page template if you don’t want to use the default error page.

      Templates are stored in the <PA_HOME>/conf/template/ directory.

    3. In the Error Response Content Type field, specify the content type of the custom error response template file if you configured a value in the previous field.

    Review Fallback Type

    Specifies whether PingAccess should allow or deny access if iovation returns a review result from the risk assessment.

    The default value is Deny.

    Review Deny Handling

    This section specifies the error parameters to use on a failure if the Review Fallback Type is set to Deny.

    To configure the Review Deny Handling section:

    1. In the Error Response Code field, enter the HTTP response code for the error response.

    2. (Optional) In the Error Response Template File field, you can enter the name of a custom error page template if you don’t want to use the default error page.

      Templates are stored in the <PA_HOME>/conf/template/ directory.

    3. In the Error Response Content Type field, specify the content type of the custom error response template file if you configured a value in the previous field.

    Deny Handling

    This section specifies the error parameters to use on a failure if either:

    • iovation returns a Deny (D) result

    • The blackbox isn’t set and the Invalid Blackbox Failure Mode is set to Deny.

    To configure the Deny Handling section:

    1. In the Error Response Code field, enter the HTTP response code for the error response.

    2. (Optional) In the Error Response Template File field, you can enter the name of a custom error page template if you don’t want to use the default error page.

      Templates are stored in the <PA_HOME>/conf/template/ directory.

    3. In the Error Response Content Type field, specify the content type of the custom error response template file if you configured a value in the previous field.

  14. Click Save.