Integrating PingOne Protect with user journeys

After you add PingOne Protect to your environment, integrate PingOne Protect into a user journey.

You’ll need a PingOne account with at least one environment that includes the PingOne Protect service. For more information, see Add an environment.

You can integrate your risk policy into a user journey in one of the following ways:

  • Using the integration with PingFederate
  • Building a custom flow with PingOne DaVinci
  • Using the PingOne API
  • Integrating with PingOne Advanced Identity Cloud

Regardless of the integration approach you use, the high-level steps are the same. The steps below use an authentication flow as an example for integration, but you can also use other user journeys, such as registration and authorization:

  1. Integrate into an authentication flow.

    The following diagram shows a high-level overview of PingOne Protect integrated in silent mode into an example authentication flow. In silent mode, the flow creates a risk evaluation and sends feedback for it, but the risk level does not yet change what the user sees; this lets you confirm the integration and let the models learn before risk starts affecting sign-on.

    [Diagram: PingOne Protect (formerly PingOne Risk) integrated in silent mode.]
  2. Send transaction feedback.
  3. Configure a risk policy.

    The simplest approach is to use the default risk policy. You can also edit the default risk policy.

  4. Add risk evaluation to your authentication flow.

    The following diagram shows an example of PingOne Protect integrated into an authentication flow with risk levels affecting the flow.

    [Diagram: PingOne Protect with risk evaluation affecting the authentication flow.]

Using the PingOne Protect Integration Kit with PingFederate

Before proceeding, make sure PingFederate is installed. For help installing PingFederate, see Installing PingFederate.

  1. Deploy the files for the type of integration kit you're using to your PingFederate directory:
    Note:

    The PingOne Protect Integration Kit 1.0 works with PingFederate 11.3 and later. The PingOne Risk Integration Kit will continue to support PingFederate versions 10.2 and later.

  2. To allow PingFederate to communicate with PingOne, create a connection between PingOne and PingFederate.
  3. To configure the integration kit, follow the steps in the documentation for the integration type that you selected in step 1.

Building a custom flow with PingOne DaVinci

Add PingOne DaVinci to your PingOne environment. Learn more in Adding an environment.

PingOne DaVinci is the graphical orchestration tool used to design flows, such as user registration and authentication flows. For general information on using PingOne DaVinci, see the PingOne DaVinci documentation.

You can use the PingOne Protect connector to define different paths in a user journey flow, based on the result of a risk evaluation.

For example, you can place a risk evaluation connector before a multi-factor authentication (MFA) step and then branch on the risk level it returns:

  • Skip the MFA challenge if the risk is low.
  • Require a specific authentication method if user behavior data suggests medium or high risk.
  • Block access completely in a high-risk situation, such as when the recommended action is bot mitigation.

[Screen capture: a DaVinci flow with a PingOne Protect connector, showing the user flow for different risk levels.]

For examples of using the PingOne Protect connector in different types of flows, see the following templates in the Flow Library:

  • PingOne - Sign On and Adaptive MFA
  • PingID - MFA flow + Protect
  • PingID - FIDO2 Passwordless + Protect

To use Protect connectors in a flow:

  1. After you add DaVinci to your PingOne environment, make sure every Protect connector you add to a flow is configured with the environment ID, client ID, and client secret of the PingOne environment the flow runs in.

    If you import a flow from a different PingOne environment, you must go to the settings for the Protect connector and update this information to reflect the environment where you're adding the flow.

  2. Add two different Protect connectors to your flow by following the documentation for the PingOne Protect connector:
    1. Add a Protect connector with the Create risk evaluation capability.

      The response returns a final risk evaluation result: High, Medium, or Low. Add the Protect connector with the Create Risk Evaluation capability at the point in the flow where the next action should depend on the assigned risk level, for example, show an MFA prompt for Medium or High, but grant access automatically if the risk is Low.

    2. Add risk evaluation feedback to the flow by adding a Protect connector with the Update risk evaluation capability.

      Add this step after authentication completes. It sends an update with the final state of the transaction, such as SUCCESS or FAIL. The Update risk evaluation capability is how the system learns over time: always include an update connector in your flow, because this feedback is essential for improving the accuracy of the machine learning models.

      Note:

      Flows may take users on different paths. Make sure to include a Protect connector with the Update risk evaluation capability at the end of each possible path.

If you are having issues with the PingOne Protect Connector, try the following:

  • For each connector in the flow, make sure that all of the mandatory inputs have been provided.
  • If you are using the skrisk component to include the data provided by the PingOne Signals (Protect) SDK, make sure that you have carried out all of the necessary steps.
  • Use the Analytics feature to see where the flow stopped.
  • Select the Options icon, and turn on Show Node ID. This will make it easier to identify the source of inputs and outputs.

Using the PingOne API

To integrate using the PingOne API:

  1. Create a worker application and get an access token, as described in Creating a worker application and getting an access token.
  2. Add risk evaluation to your user flow, as described in the section on risk evaluation in the API reference.

    The response returns a final risk evaluation result: High, Medium, or Low.

  3. Add risk evaluation feedback to the flow.

    This step is included after authentication has been completed, and it consists of sending an update with the final state of the transaction, such as SUCCESS or FAIL. This step is essential for improving the accuracy of the machine learning models. See PUT UPDATE Risk Evaluation in the API reference.

  4. To modify the default risk policy, see Risk policies, or to create one of your own, see the documentation for creating a risk policy set with the API.
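The API procedure above, and the same high-level steps listed at the start of this page, as one end-to-end example. This is added here for illustration and is not code from PingOne's documentation or SDKs: obtain a worker-app token with the client-credentials grant, create a risk evaluation for an authentication event, branch on the result, and send completion feedback on every path. The endpoint paths and request/response fields follow the public PingOne API as the author understands them; the environment ID, client credentials, user details, the recommendedAction value BOT_MITIGATION and the FAILED completion status are assumptions for the example, and the transport is a fake that answers with constructed responses so that the whole journey runs offline. Assumes Python 3.

```python
import base64
import json
from typing import Any, Callable, Dict, List, Optional, Tuple

# Placeholder environment ID; endpoint hosts are the public PingOne API hosts.
ENV_ID = "11111111-2222-3333-4444-555555555555"
TOKEN_URL = f"https://auth.pingone.com/{ENV_ID}/as/token"
RISK_URL = f"https://api.pingone.com/v1/environments/{ENV_ID}/riskEvaluations"

# A transport sends (method, url, headers, body) and returns the parsed JSON
# response. Inject a real HTTP client in production; the fake one below lets
# the journey run offline.
Transport = Callable[[str, str, Dict[str, str], Optional[str]], Dict[str, Any]]


def get_worker_token(transport: Transport, client_id: str, client_secret: str) -> str:
    """Step 1: client-credentials grant for the worker application (HTTP Basic auth)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return transport("POST", TOKEN_URL, headers, "grant_type=client_credentials")["access_token"]


def build_risk_event(user_id: str, username: str, ip: str, user_agent: str,
                     target_app_id: str, policy_set_id: Optional[str] = None) -> Dict[str, Any]:
    """Step 2: body for POST /riskEvaluations describing an authentication attempt."""
    body: Dict[str, Any] = {"event": {
        "targetResource": {"id": target_app_id},
        "ip": ip,
        "flow": {"type": "AUTHENTICATION"},
        "user": {"id": user_id, "name": username, "type": "EXTERNAL"},
        "browser": {"userAgent": user_agent},
        "sharingType": "PRIVATE",
    }}
    if policy_set_id:  # omit riskPolicySet to evaluate against the default risk policy
        body["riskPolicySet"] = {"id": policy_set_id}
    return body


def decide(result: Dict[str, Any]) -> str:
    """Map the evaluation result to a flow branch: ALLOW, MFA or BLOCK."""
    if str(result.get("recommendedAction", "")).upper() == "BOT_MITIGATION":
        return "BLOCK"  # assumed value; bot mitigation wins regardless of level
    level = str(result.get("level", "")).upper()
    if level == "LOW":
        return "ALLOW"
    return "MFA"  # MEDIUM, HIGH, or an unknown/missing level: fail closed


def send_feedback(transport: Transport, token: str, eval_id: str, succeeded: bool) -> Dict[str, Any]:
    """Step 3: PUT /riskEvaluations/{id}/event with the final transaction state."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status = "SUCCESS" if succeeded else "FAILED"  # FAILED is assumed for the failure value
    return transport("PUT", f"{RISK_URL}/{eval_id}/event", headers,
                     json.dumps({"completionStatus": status}))


def authenticate(transport: Transport, client_id: str, client_secret: str,
                 event: Dict[str, Any], password_ok: bool, mfa_ok: bool = True) -> Tuple[str, str]:
    """Whole journey: token -> evaluate -> branch -> feedback on every path."""
    token = get_worker_token(transport, client_id, client_secret)
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    evaluation = transport("POST", RISK_URL, headers, json.dumps(event))
    branch = decide(evaluation.get("result", {}))
    if branch == "BLOCK":
        outcome = False
    elif branch == "MFA":
        outcome = password_ok and mfa_ok
    else:
        outcome = password_ok
    send_feedback(transport, token, evaluation["id"], outcome)  # never skip this step
    return branch, ("SUCCESS" if outcome else "FAILED")


def make_fake_transport(level: str, action: str = "") -> Tuple[Transport, List[Tuple[str, str, Optional[str]]]]:
    """Offline stand-in: records every call and answers with constructed responses."""
    calls: List[Tuple[str, str, Optional[str]]] = []

    def transport(method: str, url: str, headers: Dict[str, str], body: Optional[str]) -> Dict[str, Any]:
        calls.append((method, url, body))
        if url == TOKEN_URL:
            return {"access_token": "constructed-token", "token_type": "Bearer"}
        if method == "POST" and url == RISK_URL:
            return {"id": "eval-0001", "result": {"level": level, "recommendedAction": action}}
        if method == "PUT" and url == f"{RISK_URL}/eval-0001/event":
            return {"id": "eval-0001", "completionStatus": json.loads(body or "{}")["completionStatus"]}
        raise ValueError(f"unexpected call: {method} {url}")

    return transport, calls


if __name__ == "__main__":
    event = build_risk_event("u-42", "alice", "203.0.113.7", "Mozilla/5.0", "app-1")
    for lvl, act in (("LOW", ""), ("MEDIUM", ""), ("HIGH", "BOT_MITIGATION")):
        t, calls = make_fake_transport(lvl, act)
        print(lvl, act or "-", authenticate(t, "cid", "secret", event, password_ok=True), calls[-1][0])
```

Two choices worth copying into a real integration: decide() treats an unknown or missing risk level as MEDIUM/HIGH rather than LOW, so a malformed or partial response cannot silently skip MFA, and authenticate() sends feedback from every branch, including the blocked one, which is the API equivalent of the DaVinci advice above to put an update connector at the end of each possible path.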

Integrating with PingOne Advanced Identity Cloud

Make sure you have:

  • A PingOne Advanced Identity Cloud administrator account
  • A PingOne account (see Starting a PingOne trial)
  • The client ID and client secret for a PingOne environment
  • A risk policy configured in PingOne (or use the default risk policy)
  • A worker application with the Identity Data admin role assigned in PingOne

Advanced Identity Cloud is a comprehensive identity and access management (IAM) service that lets you deploy applications anywhere: on-premises, in your own private cloud, or in your choice of public cloud. With Advanced Identity Cloud, you can manage user journeys and take advantage of the PingOne Protect threat protection features by integrating the three PingOne Protect nodes into your journey.

  1. Configure the PingOne Service in Advanced Identity Cloud.
  2. Set up your user journey in Advanced Identity Cloud with the three PingOne Protect nodes in the journey:
    1. The PingOne Protect Initialize node to initialize the PingOne Protect Web SDK on the client device.
    2. The PingOne Protect Evaluation node to calculate the risk level and other risk-related details associated with an event.
    3. The PingOne Protect Result node to update the risk evaluation configuration or modify the completion status of the resource when the risk evaluation is still in progress.
  3. Validate that the PingOne Protect Evaluation node is working by checking the PingOne Audit log for Risk Evaluation Created events.