PingGateway 2024.11

PingOneProtectThreatLevelRoutingHandler

Uses a PingOneProtectEvaluationContext representing a risk evaluation to route the inbound request according to the risk level.

You use a PingOneProtectEvaluationFilter to make a risk assessment request to PingOne Protect. The filter records the evaluation in a PingOneProtectEvaluationContext object. The PingOneProtectThreatLevelRoutingHandler acts on the risk level set in the context.

After completing additional actions to verify the identity of a user following a risk evaluation, record the outcome using a PingOneProtectFeedbackSuccessFilter or a PingOneProtectFeedbackFailureFilter.

For complex scenarios where you don’t want to base the decision on the risk level, you can use a DispatchHandler instead.

Usage

{
  "name": string,
  "type": "PingOneProtectThreatLevelRoutingHandler",
    "config": {
      "levels": {
        "low": Handler reference,
        "medium": Handler reference,
        "high": Handler reference
      }
  }
}

Configuration

"levels": array of objects, required

Object mapping a risk level to a handler.

"low": Handler reference, required

The handler responsible for low-risk requests.

"medium": Handler reference, required

The handler responsible for medium-risk requests.

"high": Handler reference, required

The handler responsible for high-risk requests.

Example

Threat-level routing handler

The following example sends low-risk requests straight through, medium-risk requests to a handler for additional authentication, for example, and high-risk requests to a handler that denies access and takes additional action:

{
    "name": "PingOneProtectThreatLevelRoutingHandler-1",
    "type": "PingOneProtectThreatLevelRoutingHandler",
    "config": {
        "levels": {
            "low": "passthroughHandler",
            "medium": "mediumRiskHandler",
            "high": "highRiskHandler"
        }
    }
}

Alternative with dispatch handler

This example uses a DispatchHandler to route requests based on the risk evaluation score rather than the levels:

{
  "name": "scoreBasedRoutingHandler",
  "type": "DispatchHandler",
  "config": {
    "bindings": [
      {
        "condition": "${contexts.pingOneProtect.score <= 30}",
        "handler": "passthroughHandler"
      },
      {
        "condition": "${contexts.pingOneProtect.score > 30 && contexts.pingOneProtect.score <= 70}",
        "handler": "mediumRiskHandler"
      },
      {
        "condition": "${contexts.pingOneProtect.score > 70}",
        "handler": "highRiskHandler"
      }
    ]
  }
}

The conditions depend on the PingOne Protect risk evaluation response API and the PingOneProtectEvaluationContext.

More information

org.forgerock.openig.ping.protect.PingOneProtectThreatLevelRoutingHandler