Configure PingOne Protect risk evaluations in web applications protected by PingAccess and set PingAccess's response to the different levels of risk scores that might be returned.
PingOne Protect monitors end user requests and generates a risk score of low, medium, or high, based on the user's activity and device context.
You can create risk policies through the PingAccess
administrative console or administrative
For example, if the determined risk score is
you might direct the user to complete step-up authentication with additional
The following topics demonstrate how to integrate PingOne Protect evaluations within PingAccess and create PingAccess risk policies to leverage different responses to end user requests based on their determined risk score:
- To configure a connection between PingOne Protect and PingAccess, see Adding a PingOne connection.
- To configure a risk policy, see Adding a risk policy.
- To assign a risk policy to a specific application or application resource, see Application field descriptions and Adding application resources.
PingAccess evaluates the risk policies assigned to each application and resource before processing application and resource-specific rules and rule sets.
- If you enabled device profiling in your risk policy configuration, either PingAccess collects the user's device profile or the front end application collects the user's device profile and submits it to PingAccess.
- PingAccess collects user data, such as user ID and user-agent IP address, then sends a risk evaluation request to PingOne Protect each time the <riskCheckInterval> that you specified in the risk policy passes.
- After PingOne Protect returns an evaluation,
PingAccess follows the response
specified in the risk policy for the determined risk score or for a failed
evaluation if PingAccess is unable to
gather the expected risk response from PingOne Protect.
For example, if the returned risk score is HIGH and the risk policy specifies that an authentication challenge policy (ACP) should be issued to an end user with a high-risk score, then PingAccess returns the authentication challenge defined by the ACP to the end user for reauthentication.
If the risk policy specifies that PingAccess should follow a specific rule or rule set, then it uses that rule or rule set to determine whether the end user should be allowed access.
- If the end user meets the constraints set by the risk policy, PingAccess moves on to the next stage of request
processing, reviewing the normal policies attached to the application or
If a request is denied, PingAccess uses the rejection handler set within the risk policy or follows the rejection response specified in the rules or rule sets attached to the application or resource. The former case is applicable if the risk policy was set to deny an end user's request. Otherwise, the rejection response specified in the normal policy takes precedence.
- After PingAccess has completed request processing, it sends PingOne Protect feedback on whether an end user's request was allowed or denied.