PingOne

Using predictors to recreate legacy PingID policy rules (limited access)

This feature is available as part of a limited access release to PingID administrators who created a new PingOne environment with PingID enabled, or migrated their PingID account to PingOne.

To enroll in the limited access release, contact your Ping Identity representative.

This section is a guide for the admin who has migrated a PingID account from the legacy PingID admin portal to PingOne and wants to know how to create configurations similar to legacy PingID policies in PingOne.

Configure device management and PingID mobile app-related settings in the PingID mobile application located on the Applications tab. Learn more in (Workforce Only) Configuring the PingID mobile application settings.

The following table details common policy-related configurations in the legacy PingID admin portal and how to configure equivalent configurations in PingOne:

| Legacy PingID policy field or rule | Where is it in PingOne? |
| --- | --- |
| Allowed Methods | In the MFA policy, define the MFA methods you want to allow. Some authentication methods require additional configurations. Learn more in Setting up an environment for strong authentication (MFA). |
| Accessing From Company Network Rule | The location-based part of this rule isn’t available in PingOne. You can create a composite predictor that specifies a range of allowed IP addresses. |
| Accessing From Countries | Create a composite predictor that specifies the countries that you want to allow or disallow. For an example, see Allowed or disallowed countries predictor. |
| Authenticating From a New Device | Create a New Device predictor. Learn more in Configuring predictors. |
| Recent Authentication From Office | The location-based part of this rule is not available in PingOne, and is deprecated in the legacy PingID admin portal. You can create a Recent authentication from company network predictor to recreate some of this functionality. Learn more in Recent authentication from company network predictor. |
| Recent Authentication | Configure remembered devices and enable the 'Remember me' feature in the MFA policy. Learn more in Configuring an MFA policy for strong authentication, and Remembered Devices in the PingOne API documentation. |
| Mobile OS Version | This option is only available in PingOne for registration flows. Define a list of allowed or disallowed Mobile OS versions for mobile app pairing as part of the PingID mobile application configurations. |
| Geovelocity Anomaly | Configure a Geovelocity Anomaly Predictor and add it to a risk policy. |
| Limit Push Notifications | Configure a push notification limit in the MFA policy. |

Creating useful predictors to recreate legacy PingID rules

Use a composite predictor to recreate legacy PingID rules, such as the following examples:

Allowed or disallowed countries predictor

This section explains how to configure a composite predictor that recommends the appropriate authentication action for a user, based on the country where their device is located.

  1. Configure a composite predictor in which you specify the allowed countries that would return a low risk score:

    1. In the PingOne admin console, go to Threat Protection > Predictors.

    2. Click the + icon, and in the Predictor list, select Composite.

    3. In the Display Name field, enter a name for the predictor.

      The display name is used in the Threat Protection Dashboard and policy configuration.

    4. In the Compact Name field, enter a short name. This name is returned in the API response.

      You can’t change the compact name after it’s been saved.

    5. Configure the following criteria for the composite predictor:

      • Predictor condition: All.

      • In the list, select Country.

      • Select the Is In operator.

      • In the Country list, select one or more countries.

      • For Risk Level Equals, select Low.

      • (Optional) To configure the risk level result to assign if the defined conditions are not met, for Else Return, select Medium or High.

  2. Create a risk policy and add the Allowed Countries composite predictor to the Mitigations list:

    1. Go to Threat Protection > Risk Policies, and click the + icon.

    2. Enter a unique name for the risk policy.

    3. Select the user groups and applications to which you want the policy to apply.

    4. In the Mitigations section, click + Add and select the Allowed Countries composite predictor that you created in the previous steps.

    5. Use the Operator, Level, and Returned Action fields to define the action you want, based on the risk level returned by the rule.

      1. If you select MFA as the Returned Action, define the following:

        • Authentication: Select the MFA policy you want to apply in an authentication flow.

        • Registration: Select the MFA policy you want to apply in a registration flow.

      2. Click Apply.

To create a similar predictor, specifying the countries you want to disallow, repeat the steps above, specifying the Not In operator instead of the Is In operator.

Recent authentication from company network predictor

This section describes how to create a composite predictor to bypass PingID authentication if the last successful authentication request occurred within a specific IP range in the company network and within a given time period, such as within the last 30 minutes.

Steps

  1. Before you configure the predictor, in the relevant MFA policy, under Remember Me Configurations, select Web Sessions, and then enter a duration.

    1. Create one or more remembered devices. Learn more in Remembered Devices.

  2. Configure a composite predictor in which you specify the allowed IP range that would return a low risk score:

    1. In the PingOne admin console, go to Threat Protection > Predictors.

    2. Click the + icon, and in the Predictor list, select Composite.

    3. In the Display Name field, enter a name for the predictor.

      The display name is used in the Threat Protection Dashboard and policy configuration.

    4. In the Compact Name field, enter a short name. This name is returned in the API response.

      You can’t change the compact name after it’s been saved.

    5. Configure the following criteria for the composite predictor:

      • Predictor condition: All.

      • In the list, select IP.

      • Select the Is In operator.

      • Enter an IP range in the format x.x.x.x/xx (for example, 1.1.1.1/24).

      • For Risk Level Equals, select Low.

      • (Optional) To configure the risk level result to assign if the defined conditions are not met, for Else Return, select Medium or High.

  3. Create a risk policy and add the Recent authentication from company network predictor to the Mitigations list:

    1. Go to Threat Protection > Risk Policies, and click the + icon.

    2. Enter a unique name for the risk policy.

    3. Select the user groups and applications to which you want the policy to apply.

    4. In the Mitigations section, click + Add and select the Recent Authentication from the office rule that you created in the previous steps.

    5. Use the Operator, Level, and Returned Action fields to define the action you want, based on the risk level returned by the rule.

      1. If you select MFA as the Returned Action, define the following:

        • Authentication: Select the MFA policy you want to apply in an authentication flow.

        • Registration: Select the MFA policy you want to apply in a registration flow.

        Make sure to select an MFA policy that is configured to support remembered devices.
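
The two composite predictors above, modelled locally as an added example (not PingOne code and not its API): it pre-checks an x.x.x.x/xx entry before you type it into the IP condition, then evaluates the All / Is In / Not In / Else Return logic against sample events. The action labels BYPASS and MFA, the 65,536-address threshold, and the sample IP addresses and countries are assumptions constructed for illustration.

```python
import ipaddress

# Local model of the composite predictors configured above. Not PingOne code
# or its API; function names, action labels and sample values are constructed.

def check_range(cidr, max_addresses=65536):
    """Pre-flight an 'x.x.x.x/xx' entry; max_addresses is an arbitrary example limit."""
    net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits, e.g. 1.1.1.1/24
    notes = []
    if str(net) != cidr:
        notes.append(f"host bits set; range actually covered is {net}")
    if net.num_addresses > max_addresses:
        notes.append(f"covers {net.num_addresses} addresses; broad for an MFA bypass")
    return net, notes

def country_is_in(countries, negate=False):
    """Country 'Is In' condition; negate=True models the 'Not In' operator."""
    listed = {c.upper() for c in countries}
    return lambda event: (event["country"].upper() in listed) != negate

def ip_is_in(cidrs):
    """IP 'Is In' condition over one or more CIDR ranges."""
    nets = [check_range(c)[0] for c in cidrs]
    return lambda event: any(ipaddress.ip_address(event["ip"]) in n for n in nets)

def composite(conditions, level="LOW", else_return="MEDIUM"):
    """Predictor condition 'All': every condition must hold to return `level`."""
    return lambda event: level if all(c(event) for c in conditions) else else_return

def risk_policy(predictor, actions):
    """Map the returned risk level to an action (the Returned Action field)."""
    return lambda event: actions[predictor(event)]

# Constructed sample configuration; 203.0.113.0/24 is a documentation prefix.
office = composite([ip_is_in(["203.0.113.0/24"])], else_return="HIGH")
allowed_countries = composite([country_is_in(["US", "CA"])])
policy = risk_policy(office, {"LOW": "BYPASS", "MEDIUM": "MFA", "HIGH": "MFA"})

if __name__ == "__main__":
    for ev in ({"ip": "203.0.113.40", "country": "US"},
               {"ip": "198.51.100.7", "country": "FR"}):
        print(ev, office(ev), allowed_countries(ev), policy(ev))
    print(check_range("1.1.1.1/24"))  # the format example from the steps above
    print(check_range("10.0.0.0/8"))
```

Because a Low result from the IP predictor is what lets a request skip PingID authentication, the range check is worth running on every entry before it goes into the console.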