The following figure shows how PingOne Risk is integrated into the sign-on process:

[Figure: Request and response flow. Participants: Client (Browser), PingFederate (Previous Adapter, PingOne Risk IdP Adapter), PingOne Risk (API), PingAuthorize (PDP). In the figure, device profiling by a previous adapter is simultaneous with step 1, and device profiling by this adapter occurs after step 1.]

Description

  1. A user initiates the sign-on process by requesting access to a protected resource.
  2. When device profiling is enabled, one of the following occurs (depending on the device profiling method):
    • An adapter that is earlier in the authentication flow runs a script that creates a device profile. The script passes the device profile to the PingOne Risk IdP Adapter in a series of HTTP cookies.
    • The PingOne Risk IdP Adapter creates a device profile.
  3. The PingOne Risk IdP Adapter collects transaction information, such as the user's IP address.
  4. The adapter sends the transaction information and optional device profile to PingOne Risk.
  5. PingOne Risk returns a JSON payload with the risk result and other information, such as the IP reputation, to the adapter.
  6. The PingOne Risk IdP Adapter makes the risk result and other information available in the PingFederate authentication policy.
  7. PingFederate executes the authentication policy, which branches based on the risk result provided by the adapter.
  8. PingFederate returns the resource that the user requested.
  9. The adapter notifies PingOne Risk whether authentication ultimately succeeded. This helps PingOne Risk evaluate subsequent sign-on attempts.
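
The following Python sketch is an added example, not Ping Identity code. It models steps 5 through 9: reading the risk result, branching on it, and choosing what to report back. The JSON field names, risk levels, branch actions, and status strings are assumptions made for illustration, the payloads are constructed, and sending an unusable risk result to step-up authentication instead of allowing it is a design choice of this example.

```python
import json

# Constructed sample payloads. Field names ("result", "level", "ipReputation")
# are assumptions for this illustration, not the documented PingOne Risk schema.
SAMPLE_LOW = '{"id": "eval-1", "result": {"level": "LOW"}, "ipReputation": "OK"}'
SAMPLE_HIGH = '{"id": "eval-2", "result": {"level": "HIGH"}, "ipReputation": "BAD"}'
SAMPLE_BROKEN = '{"id": "eval-3", "result": {}}'

# Policy branches (step 7): each assumed risk level maps to one next action.
BRANCHES = {"LOW": "allow", "MEDIUM": "step_up_mfa", "HIGH": "deny"}
# Taken when no usable risk result exists (timeout, bad JSON, unknown level),
# so a failed risk lookup never silently becomes "allow".
FALLBACK = "step_up_mfa"


def parse_risk_level(payload):
    """Step 5: extract the risk level, or None if the payload is unusable."""
    try:
        doc = json.loads(payload)
    except (TypeError, ValueError):
        return None
    if not isinstance(doc, dict):
        return None
    result = doc.get("result")
    level = result.get("level") if isinstance(result, dict) else None
    return level.upper() if isinstance(level, str) else None


def decide(payload):
    """Steps 6-7: expose the level to the policy and pick a branch."""
    return BRANCHES.get(parse_risk_level(payload), FALLBACK)


def completion_status(action, second_factor_ok=False):
    """Step 9: the outcome reported back once the flow ends (assumed strings)."""
    if action == "allow":
        return "SUCCESS"
    if action == "step_up_mfa" and second_factor_ok:
        return "SUCCESS"
    return "FAILED"


if __name__ == "__main__":
    for name, body in [("low", SAMPLE_LOW), ("high", SAMPLE_HIGH),
                       ("broken", SAMPLE_BROKEN), ("no response", None)]:
        action = decide(body)
        print(name, "->", action, "->", completion_status(action))
```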