PingOne

Configuring a provider instance

The PingOne Protect provider works similarly to CAPTCHA providers and can detect bot activity before the password credential validator (PCV) is triggered.

About this task

A provider instance isn’t required, but having one is necessary for bot detection.

Steps

  1. In the PingFederate administrative console, go to System > External Systems > CAPTCHA and Risk Providers. Click Create New Instance.

  2. On the Type tab, set the basic provider instance attributes:

    1. In the Instance Name field, enter a name for the provider instance.

    2. In the Instance ID field, enter a unique identifier for the adapter instance.

    3. In the Type list, select PingOne Protect Provider. Click Next.

  3. On the Instance Configuration tab:

    1. In the PingOne Environment field, select your PingOne Connection and Environment Name.

    2. Click Show Advanced Fields.

    3. Optional: To allow the adapter to evaluate the risk rather than the provider, clear the Enable Risk Evaluation check box.

    4. In the PingOne Risk Policy section, select your risk policy from the Field Value list.

    5. For improved detection of bots and brute force attacks, enable the Password Encryption option by selecting one of the SHA-2 hash functions. When this option is enabled, part of the password is hashed and the hash, not the password, is passed to PingOne Protect.

    6. In certain situations, the response from PingOne Protect includes not just an overall risk level but also a "recommended action", for example, BOT_MITIGATION or AITM_MITIGATION. These recommended actions are passed forward, and you can configure the PingFederate policy to act on them. Enable the Follow Recommended Action option if you want the provider itself to stop the transaction whenever the response includes one of these recommended actions.

    7. The Custom Connection Pool setting controls the number of connections to PingOne Protect. The value can be between 25 and 200, but best practice is to keep the default value.

    8. Click Next.

  4. On the Summary tab, click Save.

  5. Enable the HTML Form adapter to use the provider:

    1. Go to Authentication > Integration > IdP Adapters. Select your HTML Form IdP Adapter from the list.

    2. On the IdP Adapter tab, click Show Advanced Fields.

    3. In the Risk Provider list, select your PingOne Protect provider instance.

    4. Select one or more of the following check boxes.

      Risk for authentication: Enable for the login form to prevent automated attacks.

      Risk for password change: Enable for the password change form to prevent automated attacks.

      Risk for password reset: Enable for the password reset and account unlock features to prevent automated attacks.

      Risk for username recovery: Enable for the username recovery features to prevent automated attacks.

  6. Optional: Set the device profile settings for the PingOne Protect adapter:

    1. Go to Authentication > Integration > IdP Adapters.

    2. Select your PingOne Protect IdP adapter from the list.

    3. On the IdP Adapter tab, click Show Advanced Fields.

    4. Optional: Enable Include Device Dynamic Profile.

    When enabled, the adapter will load the device profiling page if it hasn’t already received the device profile payload from the provider.
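The following is an added example, not code from PingFederate or the PingOne Protect integration kit. It shows the decision that the Follow Recommended Action setting (step 3.6) makes: when the option is on and the provider's response carries BOT_MITIGATION or AITM_MITIGATION, the transaction is stopped; otherwise the risk level and any recommendation are passed forward for the PingFederate policy to act on. The response objects, the field names riskLevel and recommendedActions, and the function decide are constructed for this illustration and do not reflect the real PingOne Protect API shape.

```javascript
// Recommended actions named in the configuration steps that the provider
// can act on by itself when Follow Recommended Action is enabled.
const STOP_ACTIONS = new Set(['BOT_MITIGATION', 'AITM_MITIGATION']);

// Decide what happens to a login transaction given a risk evaluation result.
// `settings.followRecommendedAction` mirrors the console check box.
// `result` is a constructed object: { riskLevel, recommendedActions? }.
// Returns { outcome: 'STOP' | 'CONTINUE', ... } so the caller can log it.
function decide(result, settings) {
  const actions = Array.isArray(result.recommendedActions) ? result.recommendedActions : [];
  // Normalise casing and separators so 'aitm mitigation' still matches.
  const flagged = actions
    .map(a => String(a).trim().toUpperCase().replace(/\s+/g, '_'))
    .filter(a => STOP_ACTIONS.has(a));

  if (settings.followRecommendedAction && flagged.length > 0) {
    return { outcome: 'STOP', reason: `recommended action ${flagged[0]}` };
  }
  // Option off, or no stop-worthy recommendation: pass everything forward so
  // the authentication policy can still branch on riskLevel / actions.
  return { outcome: 'CONTINUE', riskLevel: result.riskLevel || 'UNKNOWN', recommendedActions: flagged };
}

// Constructed sample responses (not captured from a real environment).
const SAMPLES = [
  { riskLevel: 'HIGH', recommendedActions: ['BOT_MITIGATION'] },      // automated client
  { riskLevel: 'HIGH', recommendedActions: ['aitm mitigation'] },     // odd casing/spacing
  { riskLevel: 'MEDIUM', recommendedActions: [] },                    // risk level only
  { riskLevel: 'LOW' },                                               // no actions field at all
];

// Run every sample under a given setting and return the list of outcomes.
function runSamples(followRecommendedAction) {
  return SAMPLES.map(r => decide(r, { followRecommendedAction }).outcome);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('option on :', runSamples(true).join(', '));
  console.log('option off:', runSamples(false).join(', '));
}
```

With the option on, only the two samples that carry a stop-worthy recommendation are stopped; a HIGH risk level without a recommendation is still passed forward, which is why the PingFederate policy should also branch on the risk level rather than relying on this setting alone.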

Direct changes to JavaScript files

In addition to the configuration in the PingFederate administrative console, you must make the following change directly to the relevant JavaScript file if you want the device data in the SDK payload to be provided as a signed JWT.

  • Open the file <installation directory>\server\default\conf\template\assets\scripts\captcha\signals.js.

  • Add this line: universalDeviceIdentification: true

The option of using a signed JWT was introduced in version 1.0.4 of the integration kit.