Creating a risk policy with an MFA-only license (limited access)
This feature is available as part of a limited access release to PingID administrators who created a new PingOne environment with PingID enabled, or migrated their PingID account to PingOne. To enroll in the limited access release, contact your Ping Identity representative.
Creating a workforce risk policy for user authentication has several prerequisites. This section walks you through the prerequisites and then through the steps to create the policy.
Before you begin
Before you start, create all the applications, groups, MFA policies, and predictors that you want to reference in your risk policy. If you skip this step, they won't be available for you to select when configuring your risk policies.
Create applications and user groups
- Create any groups to which you want to apply the risk policy. Learn more in Groups.
- Create any applications to which you want to apply the risk policy. Learn more in Applications and Including external groups in an application.
- If you are using PingFederate as your identity provider (IdP), make sure you connect any OIDC applications to your PingFederate instance. Learn more in Editing an application - OIDC.
Create one or more MFA policies
Create one or more MFA policies that cover the use cases to which you might want to apply a risk policy.
Example scenarios:
- Use cases for different departments in your organization, such as Finance, HR, and IT.
- High, medium, and low risk use cases. Create a different MFA policy with different allowed methods for each risk level.
- Different MFA methods, such as an MFA policy for FIDO authentication or an MFA policy for less secure MFA methods, such as SMS or voice.
Learn more in Configuring an MFA policy for strong authentication.
Create relevant predictors
Create and configure any predictors that you might want to use in your risk policy. You can find a list of predictors that are supported with an MFA-only license in Risk policies for MFA-only licenses (limited access).
Within a risk policy, you can only reference predictors that already exist in the predictor list.
You can create composite predictors to cover more complex scenarios and to recreate legacy PingID policy rules.
Learn more about using predictors to recreate legacy PingID policy rules in PingOne in Using predictors to recreate legacy PingID policy rules (limited access).
Examples of useful composite predictors you might want to create include:
Create a risk policy with an MFA-only license
Create a risk policy and add the relevant predictors to the mitigations list.
- In the PingOne admin portal, go to Threat Protection > Risk Policies, and click the + icon.
- Enter a unique name for the risk policy.
- Select the user groups and applications to which you want the policy to apply.
- In the Mitigations section, for each predictor that you want to add, click +Add and select and configure the predictor rules:
  - Use the Operator, Level, and Returned Action fields to define the action you want, based on the risk level returned by the predictor.
  - If you select MFA as the Returned Action, configure the following fields:
    - Authentication: Select the MFA policy to apply during an authentication flow.
    - Registration: Select the MFA policy to apply during a registration flow.
- Drag and drop the rules to arrange them in the order you want them to be considered. PingOne evaluates the mitigation rules one at a time, in the order they're listed, so the order determines which rule takes precedence.
- Click Apply.
  PingOne evaluates risk policies in the order in which they appear in the Risk Policies list.
- (Optional) To change the order in which this policy is evaluated, in the Risk Policies list, click Reorder, drag the policy to the desired position, and then click Save.
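The procedure above depends on two orderings: the order of mitigation rules inside a policy, and the order of policies in the Risk Policies list. The following Python model is an added illustration of why that order matters; it is not PingOne code and it makes assumptions the page does not state: that the first rule whose condition matches supplies the Returned Action, that ALLOW is the outcome when no rule matches, that the first policy in list order whose groups and applications cover the user applies, and that the operator names (equals, at_least, at_most), action names (ALLOW, MFA, BLOCK), and all predictor, group, application and MFA policy names are stand-ins invented for the example.

```python
# Added illustration of ordered rule and policy evaluation; not PingOne code.
# Assumptions (none stated on the page): first matching rule decides, ALLOW
# when nothing matches, first in-scope policy in list order applies, and the
# operator/action/predictor/policy names below are made up for the example.
from dataclasses import dataclass
import operator
from typing import Callable, Optional

LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Stand-ins for the Operator field (assumed names, not the UI's).
OPERATORS: dict[str, Callable[[int, int], bool]] = {
    "equals": operator.eq,
    "at_least": operator.ge,
    "at_most": operator.le,
}


@dataclass(frozen=True)
class Rule:
    predictor: str                          # name of an existing predictor
    op: str                                 # key into OPERATORS
    level: str                              # LOW / MEDIUM / HIGH
    action: str                             # ALLOW / MFA / BLOCK (assumed set)
    auth_mfa_policy: Optional[str] = None   # Authentication field (MFA only)
    reg_mfa_policy: Optional[str] = None    # Registration field (MFA only)

    def matches(self, levels: dict) -> bool:
        observed = levels.get(self.predictor)
        if observed is None:                # predictor not evaluated: cannot fire
            return False
        return OPERATORS[self.op](LEVELS[observed], LEVELS[self.level])


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset
    applications: frozenset
    rules: tuple


def evaluate_rules(rules, levels, flow="authentication"):
    """Walk the mitigation list in order; the first matching rule decides."""
    for rule in rules:
        if not rule.matches(levels):
            continue
        if rule.action == "MFA":
            policy = rule.auth_mfa_policy if flow == "authentication" else rule.reg_mfa_policy
            return ("MFA", policy)
        return (rule.action, None)
    return ("ALLOW", None)                  # assumed default when no rule matches


def select_policy(policies, user_groups, application):
    """First policy in Risk Policies order whose scope covers user and app."""
    for policy in policies:
        if user_groups & policy.groups and application in policy.applications:
            return policy
    return None


def decide(policies, user_groups, application, levels, flow="authentication"):
    policy = select_policy(policies, user_groups, application)
    if policy is None:
        return (None, ("ALLOW", None))
    return (policy.name, evaluate_rules(policy.rules, levels, flow))


# Constructed sample data: a broad MFA rule and a strict block rule on the
# same (made-up) composite predictor, placed in both possible orders.
MFA_AT_MEDIUM = Rule("Finance composite", "at_least", "MEDIUM", "MFA",
                     auth_mfa_policy="Finance FIDO only",
                     reg_mfa_policy="Finance registration")
BLOCK_AT_HIGH = Rule("Finance composite", "equals", "HIGH", "BLOCK")

FINANCE_STRICT = Policy("Finance", frozenset({"Finance"}), frozenset({"ERP"}),
                        (BLOCK_AT_HIGH, MFA_AT_MEDIUM))
FINANCE_LOOSE = Policy("Finance", frozenset({"Finance"}), frozenset({"ERP"}),
                       (MFA_AT_MEDIUM, BLOCK_AT_HIGH))
ALL_STAFF = Policy("All staff", frozenset({"Finance", "HR", "IT"}),
                   frozenset({"ERP", "HR portal"}),
                   (Rule("Finance composite", "at_least", "HIGH", "MFA",
                         auth_mfa_policy="SMS or voice"),))

HIGH_RISK = {"Finance composite": "HIGH"}   # constructed predictor result


if __name__ == "__main__":
    # Rule order: BLOCK is reached only when it is listed before the MFA rule.
    print(evaluate_rules(FINANCE_STRICT.rules, HIGH_RISK))   # ('BLOCK', None)
    print(evaluate_rules(FINANCE_LOOSE.rules, HIGH_RISK))    # ('MFA', 'Finance FIDO only')
    # Policy order: an all-staff policy listed first shadows the Finance one.
    print(decide([ALL_STAFF, FINANCE_STRICT], {"Finance"}, "ERP", HIGH_RISK))
    print(decide([FINANCE_STRICT, ALL_STAFF], {"Finance"}, "ERP", HIGH_RISK))
```

The two failure modes to check for after you click Apply are visible in the sample: a broad "at least MEDIUM, require MFA" rule listed above a "HIGH, block" rule means the block is never reached, and a wide-scope policy listed above a department-specific one means the department policy (and its stronger MFA policy) is never selected. Use the drag-and-drop ordering and the Reorder control to put the stricter rule and the narrower policy first.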