Establish a connection between PingOne Authorize and PingOne Risk to use risk signals in authorization policies and provide risk evaluation feedback.
- Make sure PingOne Risk is in your PingOne environment. For more information, see Getting started with PingOne Risk.
- If you’re using an external user directory, create attributes that store values for service input settings, such as the ID and IP address of the user whose risk is being evaluated.
PingOne Risk monitors end-user requests and generates a risk score of low, medium, or high, based on user behavior and device context. Service connectors enable you to include these risk assessments in dynamic authorization policies. For example, if a risk score is medium, the authorization policy might direct the user to complete step-up authentication with additional multi-factor authentication (MFA) methods. When the risk score is high, the policy might deny access to the resource.
PingOne Risk provides the capability to evaluate risk for a transaction, and the capability to provide feedback that improves risk models. Add a separate Risk service connector in PingOne Authorize for each capability.
Configure the following Risk connector settings, then configure general settings to finish the service connection.
-
Complete Inputs to define the API call to the PingOne Risk service.
For each input, enter a constant or click
to select an attribute. Constants are strings, but you can also
enter numbers, enums, JSON objects, and attribute references. You can leave optional constants blank. If
you switch to attribute selection, you must select an attribute, even if the
input is optional.For more information about the fields passed in the service request, see Risk Evaluations.
Inputs Description User ID
ID of the user whose risk is being evaluated.
If this is a PingOne user, make sure the ID belongs to a user in the current PingOne environment.
User Type
For PingOne users, enter PING_ONE. For users in an external directory, enter EXTERNAL. These are the only valid values for this input.
IP Address
The IP address of the user whose risk is being evaluated.
Application ID
Optional: ID for the application or resource the user wants to access.
Application Name
Optional: Name of the application or resource the user wants to access.
Session ID
Optional: Unique session ID for the transaction event.
Browser Data
Optional: An object that specifies browser fingerprint attributes. You can also use FingerprintJS to retrieve browser data.
Risk Policy ID
Optional: The risk policy set used for the risk evaluation. If this is blank, the risk evaluation uses the default risk policy set for the current environment.
Completion Status
This input is for the Update Risk Evaluation capability.
Status of the risk evaluation you’re updating. Enter SUCCESS or FAILED. These are the only valid values for this input.
Risk Evaluation ID
This input is for the Update Risk Evaluation capability.
The ID of the risk evaluation you’re updating. You can generate an attribute for the ID from the service response.
Tip:Tooltips provide additional guidance for inputs. If you’re having problems with invalid requests to PingOne Risk, make sure the service inputs are correct.
The following image shows an example risk connector service.
When you save the connector service, PingOne Authorize automatically generates an attribute that resolves against the service. This attribute has the same name as the connector service. Connector attributes are listed directly under Connectors on the Attributes tab in the Trust Framework.
You can generate child attributes from this attribute to extract service response values, such as the risk level, for use in authorization policies. When you update a connector service, PingOne Authorize updates the generated connector attribute associated with the service.