PingOne Protect Connector
This connector lets you use PingOne Protect in a PingOne DaVinci flow to improve the user experience, reduce multi-factor authentication (MFA) fatigue, lower the probability of unintentional push approvals, and issue challenges or deny access in high-risk situations.
PingOne Protect is a cloud-based service that applies machine learning and configurable, intelligent security policies to analyze user identity and detect potential threats. PingOne Protect combines multiple risk factors to calculate an overall risk score.
When you add a PingOne Protect connector in a flow, you can define different paths based on the recommended action (when available), the risk level, or the risk score calculated by PingOne Protect in a risk evaluation. For example:
-
Skip the MFA challenge for low risk.
-
Use a specific authentication method if user behavior data suggests medium or high risk.
-
Block access completely for high risk, such as when the recommended action is bot mitigation or if impossible user travel is detected.
Learn more in the PingOne Protect documentation.
Setup
Resources
Learn more in the following documentation:
-
PingOne Protect documentation:
-
DaVinci documentation:
Requirements
To use the connector, you’ll need:
-
A PingOne Protect license
-
A PingOne environment with PingOne Protect added. Learn more in Adding an environment.
-
A worker application configured in your PingOne environment. Learn more in Adding an application.
-
A PingOne Protect risk policy. You can use the default risk policy or create a custom risk policy. Learn more in Risk policies.
Setting up the connector
-
Follow the instructions in Getting started with PingOne Protect.
-
In DaVinci, add a PingOne Protect connector.
Using the connector in a flow
Use the PingOne Protect connector to add risk evaluations to different types of flows, such as sign-on with MFA or passwordless sign-on. You can use the PingOne Protect connector in template flows available in the Integration Directory, such as:
Learn more about risk evaluations and how the response result affects the user flow in Reviewing risk evaluations.
The PingOne Protect connector provides these capabilities:
-
Create Risk Evaluation: Add in the flow where you want to base the next action on the risk score or level calculated. For example, show an MFA prompt for medium or high risk but automatically grant access for low risk.
-
Update Risk Evaluation: Add in the flow after authentication has been completed. This capability represents the system’s ability to learn over time to improve results and is essential for risk evaluation precision.
The following diagram shows an example user transaction flow with the two different PingOne Protect connector capabilities:
Create Risk Evaluation
Evaluate risk for a specific transaction based on predictors, such user location anomaly, IP reputation, and bot detection. Learn more in Predictors.
Steps
-
In your flow, add a PingOne Protect connector and select the Create Risk Evaluation capability.
-
On the General tab, enter the following information:
-
User Name
-
User ID
-
IP
-
Risk Policy ID (optional): If you’ve created custom risk policies beyond the default risk policy, you can enter the ID of the risk policy you want to use in the flow.
You can find the ID for a risk policy on the Risk Policies page in your environment in PingOne. If you don’t provide a risk policy ID, the connector uses the default risk policy.
-
Custom Attributes (optional): If you’re using a policy that includes one or more custom predictors that require external data, use the Custom Attributes field to enter the names of the custom attributes and their values.
For example:
{"managedDevice" : isManaged, "transactionValue" : transactionValueVar}The attribute names must match the attribute names you used in the custom predictors that you created and included in the risk policy. Learn more in Adding custom predictors and Using third-party risk scores with PingOne Protect.
-
-
Click Apply.
-
To improve risk analysis, include the data for additional risk-related variables provided by the Signals (Protect) SDK.
Risk evaluation can be performed without the Signals (Protect) SDK payload if there’s no way to provide the payload. However, some predictors require the SDK payload and won’t return a risk level if the payload is missing. Learn more in Predictors.
-
Manual deployment
-
skriskcomponent -
PingOne Forms connector
You can manually deploy the Signals (Protect) SDK when integrating using the DaVinci APIs. For mobile applications or integrating your webpage with DaVinci using APIs instead of redirecting, you’ll:
-
Deploy the Signals (Protect) SDK.
-
Send the SDK payload and the rest of the required data, such as username, user ID, IP address, and any custom attributes to DaVinci using the API.
-
Include a variable in your flow that represents the data obtained.
To manually deploy the SDK:
-
Follow the PingOne Protect Native SDKs documentation to implement the SDK in your mobile app or webpage.
-
Set global variables using the SDK to pass risk-related information from the SDK and map the information into the risk evaluation in DaVinci.
-
In DaVinci, click the applicable PingOne Protect connector with the Create Risk Evaluation capability in your flow to open its settings.
-
On the Device Configurations tab, for Risk input from device, enter the name of the variable that represents the data obtained from the SDK in your manual implementation.
-
In the User Agent field, enter the user agent string for the browser, if available.
User Agent is included in the SDK payload by default.
-
To improve risk analysis, use the Cookie field to provide the value of a persistent cookie, if available.
-
If you want to maintain your own device IDs, you can assign external device IDs that are not managed by the SDK, such as device serial number or mobile application installation ID. External IDs can be sent to DaVinci using the API.
For example, in a workforce user flow, you can use the Google Chrome Device Trust connector to map the user device serial number when using the Chrome browser.
-
To pass the risk information from the SDK to DaVinci, map the global variables that you set with the SDK into DaVinci:
-
On the Log Fields Mapping tab, click + Field.
-
Select and enter the global variables you set with the SDK.
-
-
You can include the
skriskcomponent in your flow to collect device and user behavioral data from user interactions with custom HTML templates in HTTP connectors, such as an HTTP sign-on or password reset flow. Learn more aboutskriskin SK-Components.With this approach, the information from the Signals Web SDK is obtained automatically. However, for the Signals Mobile SDK, you must implement the steps in the SDK documentation manually.
The
skriskcomponent must be added to the following:-
The first HTTP connector with a Custom HTML Template in your flow that requires user interaction.
-
Any subsequent HTTP connectors with a Custom HTML Template in the flow, including subflows called by a parent flow.
For example, you can create a subflow that performs the risk evaluation within a parent flow. In this case, add the
skriskcomponent to relevant HTTP connectors in the parent flow that call this subflow.You can find subflow templates in the Integration Directory, such as Login with Self-Service Journey, PingOne Sign On and Password Reset, and User Registration Journey. Learn more in Using DaVinci flow templates.
Adding the
skriskcomponent to multiple connectors in a flow allows the SDK to collect additional data throughout the flow and improves bot detection.-
Add an HTTP connector with the Custom HTML Template capability to your flow.
-
On the General tab, in the HTML Template field, click {}, click SK-Component, and then select skrisk in the list.
The skrisk component should always be at the beginning of the HTML template. Make sure that all HTML tags you add appear below the skrisk component in the HTML Template field.
-
Double-click the skrisk component that you added to open its properties.
-
Enter the Environment ID for your PingOne environment.
-
The Collect behavior data setting collects device and user behavioral data. By default, Collect behavioral data is set to
True.Set Collect behavior data to
Falseif this connector doesn’t require interaction from the user. -
(Optional) Change the default Risk Property Name as needed.
-
If you want the device data in the SDK payload to be provided as a signed JSON Web Token (JWT), set Enable Universal Device Identification to
True. -
Click Save.
-
On the General tab of the HTTP connector, scroll down to the Output Fields List and add a field to represent the output provided by the
skriskcomponent.-
For Property Name, enter the same name that you used for Risk Property Name. In the PingOne Protect connector, you’ll select this property name as one of the inputs.
-
Add a Display Name.
-
Click Apply.
-
-
Click the PingOne Protect connector with the Create Risk Evaluation capability in your flow.
-
On the Device Configurations tab, configure Risk input from device as follows:
-
Click {}.
-
Click to enable the Show all nodes toggle.
-
Select the HTTP connector in the list.
-
Under output, select the name that you provided previously for the output of the
skriskcomponent.In the following image, <output> represents the output from step 9.
-
You can enable device profiling to collect device information and user data from user interactions with PingOne Forms connectors in your flow. Learn more in Forms.
Enable device profiling in any user-facing forms as follows:
-
The first PingOne Forms connector in your flow
-
Any subsequent PingOne Forms connectors in the flow, including any in a subflow or parent flow
To enable device profiling in a PingOne Forms connector:
-
Add a PingOne Forms connector to your flow.
-
On the General tab, click the Enable Device Profiling toggle to enable the SDK to collect device information from user interactions with the form.
-
(Optional) Click the Include Behavioral Data toggle to identify non-human activity through behavioral data collection.
To enable Include Behavioral Data, you must first turn on Enable Device Profiling.
-
If you want the device data in the SDK payload to be provided as a signed JWT, set Enable Universal Device Identification to
True. -
Click Apply.
-
Update Risk Evaluation
Update an existing risk evaluation to include the flow completion status for the risk evaluation. Updating the completion status allows PingOne Protect to refine and improve the accuracy of future risk evaluations. Always include a PingOne Protect connector with the Update Risk Evaluation capability in your flows to allow PingOne Protect to learn over time. The Update Risk Evaluation event includes one of the following flow completion statuses for the risk evaluation:
-
SUCCESSwhen the user was granted access or passed the MFA challengeOnly events with
completionStatus=SUCCESSallow the predictors to learn. -
FAILEDwhen the user was denied access or failed the MFA challengeIf a user is unable to successfully complete an event, such as if their authentication failed, the risk evaluation for the event is updated as
completionStatus=FAILED.
|
If |
Steps
-
Add a PingOne Protect connector with the Update Risk Evaluation capability in your flow at the end of each possible path.
-
Update the risk evaluation completion status for
SUCCESSandFAILEDevents.Learn more in Updating completion status for risk evaluations.
Capabilities
Create Risk Evaluation
Evaluate risk for a specific transaction. Risk results are based on predictors like user behavior anomalies, IP reputation analysis, Geo velocity and other risk models.
Show details
- Properties
- User ID
textField -
The ID of the user whose risk is being evaluated.
- User Name
textField -
The username of the user whose risk is being evaluated.
- User Type
dropDown -
Indicates whether the user exists in the PingOne directory or in an external directory.
-
EXTERNAL (Default)
-
PING_ONE
-
- Password
textField -
The password entered by the user.
- Password Hash Algorithm
dropDown -
Password hashing method.
-
SHA_256 (Default)
-
SHA_384
-
- IP
textField -
The IP address of the user who initiated the flow.
- Application ID
textField -
The ID for the application or resource the user wants to access.
- Application Name
textField -
The name of the application or resource the user wants to access.
- Flow Type
textField -
The type of flow in which risk is evaluated.
Default:
AUTHENTICATION
- Flow Subtype
textField -
The subtype of the flow.
- Session ID
textField -
The unique session ID associated with the event.
- Risk input from device
textField - User Agent
textField -
The user agent of the browser/device that triggered the flow.
- Cookie
textField -
The cookie of the browser/device that triggered the flow.
- External ID
textField -
A unique device identifier generated and managed independently of the Signals SDK (SKrisk).
- Risk Policy ID
textField -
The risk policy set used during risk evaluation.
- Custom Attributes
textField -
Your Custom Atributes defined at Ping.
- Input Schema
- default
object - clientId
stringrequiredminLength: 0maxLength: 100 -
Client ID
- clientSecret
stringrequiredminLength: 0maxLength: 100 -
Client Secret
- envId
stringrequired - userId
stringminLength: 0maxLength: 100 -
User ID
- userName
stringminLength: 0maxLength: 100 -
User Name
- userType
stringminLength: 0maxLength: 100 -
User Type
- password
string -
Password
- passwordAlgorithm
string -
Password Hash Algorithm
- ipAddress
stringminLength: 0maxLength: 100 -
IP Address
- completionStatus
stringminLength: 0maxLength: 50 -
Completion Status
- targetResourceId
stringminLength: 0maxLength: 100 -
Target Resource ID
- targetResourceName
stringminLength: 0maxLength: 100 -
Target Resource Name
- flowType
stringminLength: 0maxLength: 50 -
Flow Type
- subtype
stringminLength: 0maxLength: 50 -
Flow Subtype
- sessionId
string - sharingType
stringminLength: 0maxLength: 100 -
Sharing Type
- userAgent
stringminLength: 0maxLength: 8190 -
User Agent
- riskPolicySetId
string - customAttributes
string - skRiskFP
string - cookie
string - externalId
string - Output Schema
- output
object - rawResponse
object - properties
object - id
string - environment
object - properties
object -
- id
string
- id
- createdAt
string - updatedAt
string - event
object - properties
object -
- completionStatus
string - targetResource
object - properties
object
- completionStatus
- id
string - name
string -
- ip
string - flow
object - properties
object
- ip
- type
string - subtype
string -
- session
object - properties
object
- session
- id
string -
- user
object - properties
object
- user
- id
string - name
string - type
string - groups
array - items
array - type
object - properties
- required
name -
- sharingType
string - browser
object - properties
object
- sharingType
- userAgent
string - cookie
string -
- origin
string - device
object - properties
object
- origin
- externalId
string - riskPolicySet
object - properties
object -
- id
string - name
string
- id
- result
object - properties
object -
- level
string - type
string - score
number - source
string - recommendedAction
string
- level
- details
object - properties
object -
- anonymousNetworkDetected
boolean - country
string - impossibleTravel
boolean - ipAddressReputation
object - properties
object
- anonymousNetworkDetected
- level
string - score
integer - type
string - domain
object - properties
object - asn
integer - sld
string - tld
string - organization
string - isp
string -
- ipRisk
object - properties
object
- ipRisk
- level
string - reason
string - type
string -
- ipVelocityByUser
object - properties
object
- ipVelocityByUser
- level
string - reason
string - type
string - threshold
object - properties
object - high
integer - medium
integer - source
string - calculatedAt
string - expiresAt
string - velocity
object - properties
object - distinctCount
integer - during
integer -
- userVelocityByIp
object - properties
object
- userVelocityByIp
- level
string - reason
string - type
string - threshold
object - properties
object - high
integer - medium
integer - source
string - calculatedAt
string - expiresAt
string - velocity
object - properties
object - distinctCount
integer - during
integer -
- estimatedSpeed
number - estimatedDistance
number - state
string - city
string - longitude
number - latitude
number - device
object - properties
object
- estimatedSpeed
- browser
object - properties
object - name
string - os
object - properties
object - name
string - id
string - externalId
string - estimatedDistance
number - lastSeen
string - externalLastSeen
string -
- previousSuccessfulTransaction
object - properties
object
- previousSuccessfulTransaction
- anonymousNetworkDetected
boolean - country
string - state
string - city
string - ip
string - timestamp
string -
- userBasedRiskBehavior
object - properties
object
- userBasedRiskBehavior
- level
string - reason
string - type
string -
- userRiskBehavior
object - properties
object
- userRiskBehavior
- level
string - reason
string - type
string -
- geoVelocity
object - properties
object
- geoVelocity
- level
string - reason
string - type
string -
- anonymousNetwork
object - properties
object
- anonymousNetwork
- level
string - reason
string - type
string -
- userLocationAnomaly
object - properties
object
- userLocationAnomaly
- level
string - reason
string - type
string - status
string -
- botDetection
object - properties
object
- botDetection
- level
string - reason
string - type
string - detected
object - properties
object - rule
object - properties
object -
- id
integer - suspiciousDevice
object - properties
object
- id
- level
string - reason
string - type
string - detected
object - properties
object - rule
object - properties
object -
- id
integer - newDevice
object - properties
object
- id
- level
string - reason
string - status
string - type
string
Update Risk Evaluation
Update an existing risk evaluation to refine future results.
Show details
- Properties
- Risk Evaluation ID
textField -
ID of the Risk Evaluation
- Risk Evaluation status
textField -
status of the Risk Evaluation
- Input Schema
- default
object - clientId
stringrequiredminLength: 0maxLength: 100 -
Client ID
- clientSecret
stringrequiredminLength: 0maxLength: 100 -
Client Secret
- envId
stringrequired - completionStatus
stringminLength: 0maxLength: 50 -
Completion Status
- riskId
stringrequiredminLength: 0maxLength: 100 -
Risk Evaluation ID
- Output Schema
- output
object - rawResponse
object - properties
object - completionStatus
string - ip
string - flow
object - properties
object -
- type
string - subtype
string
- type
- session
object - properties
object -
- id
string
- id
- user
object - properties
object -
- id
string - name
string - type
string - groups
array - items
array
- id
- type
object - properties
- required
name - sharingType
string - origin
string
Troubleshooting
To start troubleshooting issues with the PingOne Protect connector, try the following:
-
Test your implementation. Learn more in the PingOne Protect Integration Testing knowledgebase article.
-
For each connector in the flow, make sure you provided all required inputs.
-
For mobile applications, if you’re using the
skriskcomponent to include the data provided by the Signals (Protect) SDK, make sure that you followed the steps in the PingOne Protect Native SDKs documentation. -
To use the DaVinci Analytics feature to see where the flow stopped, open your flow and click Analytics in the lower-left corner of the flow editor. Learn more in Debugging and analytics.
-
Open your flow, click the More Options (⋮) icon, and click the Show Node ID toggle. This makes it easier to identify the source of inputs and outputs.