By modifying your PingFederate authentication policy to include the risk evaluation ("LOW", "MEDIUM", and "HIGH") from PingOne Protect, you can dynamically change authentication requirements based on security risk level.
These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see Authentication API in the PingFederate documentation.
For new deployments, you should allow for a training period. To do this, configure your policy to pass traffic through the PingOne Protect IdP Adapter and continue regardless of the risk evaluation result. When you are ready to end the training period, adjust your authentication policy as described here.
When the authentication flow finishes, PingFederate informs PingOne Protect whether the user ultimately succeeded or failed. This is an important consideration when designing your authentication flow.
For example, a user receives a risk evaluation of HIGH, but ultimately completes the PingFederate authentication policy successfully. Based on that success, PingOne Protect now considers the user authentic and lowers the risk evaluation to MEDIUM or LOW on the next attempt.
In the PingFederate administrative console, go to the
- For PingFederate 10.1 or later: go to .
- For PingFederate 10.0 or earlier: go to .
- Select the IdP Authentication Policies check box.
Open an existing authentication policy, or click Add
See Defining authentication policies in the PingFederate documentation.
In the Policy area, in the Select
list, select a PingOne Protect IdP Adapter instance.
Map the user ID into the PingOne Protect IdP Adapter instance.
- Under the PingOne Protect IdP Adapter instance, click Options.
- In the Options dialog, in the Source list, select a previous authentication source that collects the user ID.
- In the Attribute list, select the user ID. Click Done.
Define policy paths based on risk results.
- Under the PingOne Protect IdP Adapter instance, click Rules.
- In the Rules dialog, from the Attribute Name list, select riskLevel or riskValue.
- In the Condition list, select equal to.
In the Value field, if you selected
riskLevel, enter LOW,
MEDIUM, or HIGH.
If you selected riskValue, enter one of the risk values that you configured in PingOne.
In the Result field, enter a name.
This appears as a new policy path that branches from the authentication source.
- Optional: To add more policy paths, click Add and repeat steps 6b-6e.
- Optional: Clear the Default to success check box.
- Click Done.
Complete the authentication policy:
- Configure each of the policy paths.
To allow users continue to sign on by satisfying stricter
authentication requirements when PingOne Protect is
unreachable or returns an error, do one of the following.
- In your PingOne Protect IdP Adapter instance, set the Failure mode as shown in IdP Adapter settings reference.
- In your authentication policy, set the Fail outcome of the PingOne Protect IdP Adapter instance to point to a second authentication factor, as shown in the example below.
- Click Done.
- In the Policies window, click Save.