Create risk policies defining how PingAccess should respond to PingOne Protect's risk evaluations.
Currently, you can only create risk policies for the risk evaluation service provided by PingOne Protect. For a more detailed explanation of this integration, see PingOne Protect integration.
A risk policy tells PingAccess what action to take in response to the risk evaluations it receives from PingOne Protect. Apply a risk policy to a specific web application or resource to set up continuous authorization on your web applications with PingOne Protect.
To create or manage risk policies through the PingAccess administrative console, see:
Adding a risk policy
Before you begin, make sure that:
- You have set up a PingOne connection in PingAccess.
- You have your PingOne credential easily accessible to copy and paste.
For more information, see Adding a PingOne connection.
To add a risk policy:
After you've created a PingAccess risk policy, you can assign it to a specific application or resource. For more information, see Application field descriptions or Adding application resources.
Editing a risk policy
Deleting a risk policy
- Go to .
- Click the Expand icon to view more details about the risk policy that you want to delete.
- Click the Delete icon.
- Click Delete.
Risk policy field descriptions
The following table describes the fields available for managing risk policies on the Risk Policies tab in PingAccess.
Field | Required | Description |
---|---|---|
Name | Yes | A unique name for the risk policy. |
PingOne Connection | Yes | The PingOne connection that you created in steps 2a-2c of Adding a PingOne connection. |
PingOne Risk Policy ID | No | The ID of the PingOne risk policy that you want to use to perform risk evaluation. A null value tells PingOne Protect to use a default policy. Note: You can only configure a PingOne risk policy in PingOne Protect. If you haven't enabled device profiling in a PingAccess risk policy configuration, you shouldn't include New Device or other device-related PingOne predictor types in the associated PingOne risk policy. Some of these device-related predictor types are included in the default PingOne risk policy. If you haven't enabled device profiling, make sure to remove the following predictor types from your configuration or adjust the weights or scores associated with them: For more information, see Risk policies in the PingOne documentation. |
Risk Check Interval (MS) | No | The rate at which PingAccess requests a new evaluation from PingOne Protect for the same end user. This field accepts values from zero to a full day. The default value is 20000 ms (20 seconds). Tip: To have PingOne Protect perform an evaluation on every request that an end user makes, set this value to 0. However, evaluating every request can slow down your environment's performance. |
User ID Attribute | Yes | Tells PingOne Protect which user attribute to use as an end user's user ID. |
High Risk Policy Evaluator | Yes | A policy that tells PingAccess what action to take if the risk score returned for an end user's request is HIGH. In the High Risk Policy Evaluator list, select one of the following options: Allow |
Medium Risk Policy Evaluator | Yes | A policy that tells PingAccess what action to take if the risk score returned for an end user's request is MEDIUM. In the Medium Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry. |
Low Risk Policy Evaluator | Yes | A policy that tells PingAccess what action to take if the risk score returned for an end user's request is LOW. In the Low Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry. |
Failed Risk Policy Evaluator | Yes | A policy that tells PingAccess what action to take if the returned risk score is an invalid value or if the risk evaluation service is unavailable. In the Failed Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry. |
Device Profiling Method | Yes | Specify if and how you want to collect an end user's device profile. The default value is Note: Device profiling helps PingOne Protect detect bot-like behavior and trigger step-up authentication in PingAccess. Important: Device profile collection adds the device profile to the user's browser as cookies, which are sent to PingAccess during subsequent requests. These cookies are usually 8192 bytes in size. Before enabling device profiling, you should increase the In the Device Profiling Method list, select one of the following options: OFF |
Device Profile Interval (S) Note: This field is only available if you set Captured by PingAccess as the Device Profiling Method. | No | Define, in seconds, how frequently PingAccess should interrupt end-user requests to gather device profile data when the Device Profiling Method is set to Captured by PingAccess. This parameter accepts an integer value between 1 and 86400 seconds. The default value is 300 seconds. |
Device Profile Timeout (MS) Note: This field is only available if you set Captured by PingAccess as the Device Profiling Method. | No | Define, in milliseconds, how long the device profiling collection script will attempt to collect an end user's device profile when the Device Profiling Method is set to Captured by PingAccess. If this timeout is exceeded, the script can't send device profile cookies to PingAccess, so PingAccess follows the Invalid Profile Risk Policy. The default value is 5000 ms (5 seconds). A minimum value of 1000 ms (1 second) is required. |
Device Profile Cookie Prefix Note: This field is only available if you set Captured by PingAccess or Captured by Frontend Application as the Device Profiling Method. | No | Define the cookie prefix that's used to send device profile data to PingAccess. The cookie prefix must be a valid token as described by RFC 6265. The default value is Note: PingAccess expects sequential cookies using this cookie prefix and an index to provide the device profile data. For example, if you have three device profile cookies, you should order them in the following sequence: PingAccess concatenates these cookies and sends them to PingOne Protect when performing a risk evaluation for a user request. |
Send Device Profile Note: This check box is only available if you set Captured by PingAccess or Captured by Frontend Application as the Device Profiling Method. | No | Select this check box if you want PingAccess to include device profile cookies in requests made to the protected application. This check box is cleared by default. Note: Device profile cookies can be large and can sometimes make requests incompatible with backend servers. |
Invalid Profile Risk Policy | Yes | A policy that tells PingAccess what action to take in response to an end user's request if the device profile information sent to PingAccess is invalid. For example, device profile information could be invalid because it's missing or because it isn't being collected as expected. In the Invalid Profile Risk Policy Evaluator list, select one of the five options described in the High Risk Policy Evaluator table entry. |
IP Change Enforcement | Yes | Specify the enforcement strategy that you want to use when PingAccess detects an IP address change from the end user. The default value is In the IP Change Enforcement list, select one of the following options: NONE |
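The cookie prefix validation, sequential device profile cookie reassembly, and evaluator selection described in the table above, as an added Python example that is not part of PingAccess or the Ping documentation. It assumes the cookie indices start at 0, that an invalid or missing profile is checked before the returned risk level, and uses a constructed Cookie header; the function names are hypothetical.

```python
import re
from typing import Dict, Optional

# RFC 6265 cookie names are RFC 2616 tokens: US-ASCII with no CTLs or separators.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_cookie_prefix(prefix: str) -> bool:
    """True if the prefix is a valid RFC 6265 token (hypothetical helper)."""
    return bool(_TOKEN_RE.match(prefix))


def reassemble_device_profile(cookie_header: str, prefix: str) -> Optional[str]:
    """Concatenate cookies named <prefix><index> in index order.

    Returns None for the 'invalid profile' case: no such cookies, or a gap in
    the index sequence. Assumption: indices start at 0 and are contiguous.
    """
    if not is_valid_cookie_prefix(prefix):
        raise ValueError("cookie prefix is not an RFC 6265 token")
    parts: Dict[int, str] = {}
    for pair in cookie_header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if not sep or not name.startswith(prefix):
            continue
        suffix = name[len(prefix):]
        if suffix.isdigit():  # only <prefix><integer> cookies are profile parts
            parts[int(suffix)] = value
    if not parts:
        return None
    expected = list(range(len(parts)))
    if sorted(parts) != expected:
        return None  # missing index: PingAccess would treat the profile as invalid
    return "".join(parts[i] for i in expected)


def choose_evaluator(risk_level: Optional[str], profile: Optional[str],
                     profiling_enabled: bool) -> str:
    """Name the policy evaluator that applies to a request (modeling assumption)."""
    if profiling_enabled and profile is None:
        return "Invalid Profile Risk Policy"
    if risk_level not in ("HIGH", "MEDIUM", "LOW"):
        return "Failed Risk Policy Evaluator"  # invalid score or service unavailable
    return f"{risk_level.title()} Risk Policy Evaluator"


# Constructed sample: an unrelated session cookie mixed with three profile cookies
SAMPLE_COOKIES = "session=abc; pp_1=BBBB; pp_0=AAAA; other=x; pp_2=CCCC"
```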