The steps in this topic assume that an HTML Form Adapter exists for login purposes. For more information on creating an HTML Form Adapter for login, see Configuring an HTML Form Adapter instance.

These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see Authentication API in the PingFederate documentation.

For new deployments, we recommend that you allow for a training period. To do this, configure your policy to pass traffic through the PingOne Risk IdP Adapter and continue regardless of the risk evaluation result. When you are ready to end the training period, adjust your authentication policy as described below.

When the authentication flow finishes, PingFederate informs PingOne Risk whether the user ultimately succeeded or failed. This is an important consideration when designing your authentication flow.

For example, a user receives a risk evaluation of HIGH, but ultimately completes the PingFederate authentication policy successfully. Based on that success, PingOne Risk now considers the user authenticated and lowers the risk evaluation to MEDIUM or LOW on the next attempt.

  1. On the PingFederate administrative console, go to Policies > Authentication > Policies > Policies.
  2. Select the IdP Authentication Policies check box.
  3. Open an existing authentication policy, or click Add Policy. See Defining authentication policies in the PingFederate documentation.
  4. In the Policy area, from the Select list, select a PingOne Risk IdP Adapter instance.

    Adding the PingOne Risk IdP Adapter to the authentication policy
  5. Map the user ID into the PingOne Risk IdP Adapter instance.

    Passing the user ID from the first-factor authentication adapter to the PingOne Risk IdP Adapter
    1. Under the PingOne Risk IdP Adapter instance, click Options.
    2. On the Options dialog, from the Source list, select a previous authentication source that collects the user ID.
    3. From the Attribute list, select the user ID. Click Done.
  6. Define policy paths based on risk results.

    Branching the authentication policy based on risk results
    1. Under the PingOne Risk IdP Adapter instance, click Rules.
    2. On the Rules dialog, from the Attribute Name list, select riskLevel or riskValue.
    3. From the Condition list, select equal to.
    4. In the Value field, if you selected riskLevel, enter LOW, MEDIUM, or HIGH. If you selected riskValue, enter one of the risk values that you configured in PingOne.
    5. In the Result field, enter a name. This appears as a new policy path that branches from the authentication source.
    6. If you want to add more policy paths, click Add and repeat steps b-e.
    7. Optional: Clear the Default to success check box.
    8. Click Done.
  7. Complete the authentication policy.
    1. Configure each of the policy paths.
    2. Optional: Allow users continue to sign on by satisfying stricter authentication requirements when PingOne Risk is unreachable or returns an error. Do one of the following:
      • In your PingOne Risk IdP Adapter instance, set the Failure mode as shown in PingOne Risk IdP Adapter settings reference.
      • In your authentication policy, set the Fail outcome of the PingOne Risk IdP Adapter instance to point to a second authentication factor, as shown in the example below.

    The complete authentication policy
  8. Click Done.
  9. On the Policies window, click Save.