By modifying your PingFederate authentication policy to include the risk evaluation from PingOne Risk, you can dynamically change authentication requirements based on security risk level.
The steps in this topic assume that an HTML Form Adapter exists for login purposes. For more information on creating an HTML Form Adapter for login, see Configuring an HTML Form Adapter instance.
These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see Authentication API in the PingFederate documentation.
When the authentication flow finishes, PingFederate informs PingOne Risk whether the user ultimately succeeded or failed. This is an important consideration when designing your authentication flow.
For example, a user receives a risk evaluation of HIGH, but ultimately completes the PingFederate authentication policy successfully. Based on that success, PingOne Risk now considers the user authenticated and lowers the risk evaluation to LOW on the next attempt.
- On the PingFederate administrative console, go to .
- Select the IdP Authentication Policies check box.
- Open an existing authentication policy, or click Add Policy. See Defining authentication policies in the PingFederate documentation.
In the Policy area, from the Select list, select a PingOne Risk IdP Adapter instance.
Map the user ID into the PingOne Risk IdP Adapter instance.
- Under the PingOne Risk IdP Adapter instance, click Options.
- On the Options dialog, from the Source list, select a previous authentication source that collects the user ID.
- From the Attribute list, select the user ID. Click Done.
Define policy paths based on risk results.
- Under the PingOne Risk IdP Adapter instance, click Rules.
- On the Rules dialog, from the Attribute Name list, select riskLevel or riskValue.
- From the Condition list, select equal to.
- In the Value field, if you selected riskLevel, enter LOW, MEDIUM, or HIGH. If you selected riskValue, enter one of the risk values that you configured in PingOne.
- In the Result field, enter a name. This appears as a new policy path that branches from the authentication source.
- If you want to add more policy paths, click Add and repeat steps b-e.
- Optional: Clear the Default to success check box.
- Click Done.
Complete the authentication policy.
- Configure each of the policy paths.
Allow users to continue to sign on by satisfying stricter authentication requirements when PingOne Risk is unreachable or returns an error. Do one of the following:
- In your PingOne Risk IdP Adapter instance, set the Failure mode as shown in PingOne Risk IdP Adapter settings reference.
- In your authentication policy, set the Fail outcome of the PingOne Risk IdP Adapter instance to point to a second authentication factor, as shown in the example below.
- Click Done.
- On the Policies window, click Save.
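The branching that these steps configure, as an added Python model of the policy logic (not PingFederate's code): rules on riskLevel or riskValue with the equal to condition, the Default to success check box, and the adapter's Fail outcome routed to a second factor when PingOne Risk is unreachable or errors. The path names, the rule order semantics and the custom riskValue CRITICAL are constructed for the example.

```python
# Added model of the PingOne Risk policy branching; not PingFederate code.
# Attribute names (riskLevel, riskValue), the "equal to" condition, Result
# names as paths, and the Fail outcome follow the steps above. The data
# shapes, first-match ordering and unmatched-result handling are assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    attribute: str  # "riskLevel" or "riskValue", as chosen in the Rules dialog
    value: str      # compared with the "equal to" condition
    result: str     # the Result name, which becomes a policy path


@dataclass
class RiskBranch:
    rules: tuple
    default_to_success: bool = True      # the "Default to success" check box
    fail_outcome: str = "second_factor"  # where the adapter's Fail outcome points

    def route(self, evaluation: Optional[dict]) -> str:
        """Pick the policy path for one PingOne Risk evaluation.

        evaluation holds the adapter attributes, e.g. {"riskLevel": "HIGH",
        "riskValue": "HIGH"}. None models PingOne Risk being unreachable or
        returning an error: the user is sent down the Fail outcome to a
        stricter factor instead of passing through unchallenged.
        """
        if evaluation is None:
            return self.fail_outcome
        for rule in self.rules:  # first matching rule wins (model assumption)
            if evaluation.get(rule.attribute) == rule.value:
                return rule.result
        # No rule matched: Default to success selects the Success path;
        # when cleared, unmatched results follow the Fail outcome (assumption).
        return "success" if self.default_to_success else self.fail_outcome


def example_policy() -> RiskBranch:
    """Constructed policy: a custom riskValue CRITICAL (configured in PingOne
    in this scenario) is denied, HIGH steps up to MFA, MEDIUM re-prompts the
    password, and LOW falls through to success."""
    return RiskBranch(rules=(
        Rule("riskValue", "CRITICAL", "deny"),
        Rule("riskLevel", "HIGH", "step_up_mfa"),
        Rule("riskLevel", "MEDIUM", "reauthenticate"),
    ))


if __name__ == "__main__":
    policy = example_policy()
    for ev in ({"riskLevel": "LOW"}, {"riskLevel": "HIGH", "riskValue": "CRITICAL"}, None):
        print(ev, "->", policy.route(ev))
```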