PingOne Advanced Identity Cloud (AIC), formerly known as ForgeRock Identity Cloud, can be integrated with PingOne Protect (P1P) to evaluate the risk associated with a transaction.
AIC has three nodes related to P1P:
- PingOne Protect Evaluation node: It “contacts PingOne to calculate the risk level and other risk-related details associated with an event. Depending on how you configure your risk policies in PingOne, the response could return a risk score, a risk level such as high, medium, or low, and recommended actions to take, such as mitigation against bots.”
- PingOne Protect Initialization node: It “instructs the SDK to initialize the embedded PingOne Protect SDK on the client device using the configuration provided by the node properties.”
- PingOne Protect Result node: It “updates the risk evaluation configuration, or modifies the completion status of the resource while the risk evaluation is still in progress.”
Follow the steps below to integrate AIC with P1P:
1. Configure a PingOne OIDC application to connect to ID Cloud:
Use the Applications page in the PingOne admin console to add an application that connects to Identity Cloud. This is done in the PingOne tenant, not in PingOne Advanced Identity Cloud (formerly known as ForgeRock Identity Cloud).
- Go to Applications > Applications.
- Click +.
- Create an application profile with these parameters:
- Application name: Identity Cloud Federation
- Description (optional): Enables Identity Cloud federation with PingOne.
- Select OIDC Web App as the Application Type.
- Click Save.
- After the application profile is created, go to the Configuration tab and click the pencil icon to edit the application:
- In the PKCE Enforcement drop-down, select S256_REQUIRED.
- In the Token Endpoint Authentication Method drop-down, select Client Secret Basic.
- Select Require Pushed Authorization Request.
- Enter the Redirect URIs of your Identity Cloud AM instance, e.g. https://openam-example.forgeblocks.com/am
- Click Save, and then select Enable.
2. Create a PingOne worker application:
A worker application is a software application used to access the PingOne Admin API. The worker application uses the client credentials grant type to authorize and obtain an access token for the API.
- On the PingOne Admin console, click Applications > Applications.
- On the Add Application page, enter the following:
- Application Name
- Description
- Application Type. Select Worker.
- Click Save.
3. Grant an Identity Data Admin role
At this stage, the worker application requires the Identity Data Admin role.
- On the PingOne Applications page, click your worker application.
- Check that the Identity Data Admin role is assigned to the worker application; if it is not, grant it from the application's Roles tab.
4. Create an ESV in P1AIC to hold the Client Secret
You will need the Client ID and Client Secret from the PingOne Worker application that you created in PingOne.
The PingOne Worker Service also requires an OAuth2 Provider service in the P1AIC realm, which is enabled by default.
Follow the steps in this section of the documentation:
- Log in to your Identity Cloud admin UI, and go to Tenant Settings > Global Settings > Environment Secrets & Variables.
- Click the Secrets tab.
- Click + Add Secret.
- In the Add a Secret modal window, enter the following information:
- Name: ping-protect-client-secret
- Description: Enter a description
- Value: Enter the Client Secret value you obtained when you created the worker application in PingOne
- Click Save to create the secret.
- Click View Update, check the details of the new secret, and then click Apply Update.
- Click Apply Now in the final confirmation screen and wait until P1AIC has propagated the new secret and its value to all servers.
5. Configure a PingOne Worker Service in Identity Cloud:
- Log in to your Identity Cloud admin UI, and go to Native Consoles > Access Management.
- In the Realm Overview page, click Service Management.
- Click + Add a Service.
- Select Ping One Worker Service from the Choose a service type menu, and click Create.
- Go to the Secondary Configuration tab, click + Add a Secondary Configuration, and configure these parameters:
- Name: PingOne Worker Service
- Client ID: The PingOne worker application client ID you created in step 2
- Client Secret Label Identifier: An identifier of your choice. It can only contain a-z, A-Z, 0-9 and a period (.). It cannot start or end with the period. The secret label uses the template am.services.pingone.worker.identifier.clientsecret, where identifier is the Client Secret Label Identifier value
- Environment ID: The ID of the PingOne environment in which you created the worker application in step 2.
- Click Create.
On the Workers Configuration page, make sure the PingOne API server URL and PingOne Authorization Server URL are correct for your region.
For more information: Configure the PingOne worker server
6. Map the Secrets in P1AIC
- In the Identity Cloud admin UI, click Native Consoles > Access Management.
- In the AM admin UI (native console), go to Secret Stores.
- Click the ESV secret store, then click Mappings.
- Click + Add Mapping.
- In Secret Label, select the label generated from the Client Secret Label Identifier you entered previously. For example, am.services.pingone.worker.workerAppClientSecret.clientsecret
- In Aliases, enter the name of the ESV secret you created earlier, including the esv- prefix, and then click Add. For example, esv-ping-protect-client-secret
- Click Create
For more information: Map the Client Secret Label Identifier to a secret
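The secret plumbing in steps 2 to 6 is easy to get subtly wrong (a mistyped client secret only shows up later as an Evaluation node error, and an ESV is not live until the restart has been applied). The script below is an added example, not code from the original page or from Ping, that does the same work from the command line: it first proves the worker credentials with a client_credentials grant against the PingOne token endpoint, then writes the secret through the Identity Cloud ESV REST API (`PUT /environment/secrets/{id}` followed by `POST /environment/startup?_action=restart`), and finally prints the secret label and ESV alias pair you map in step 6. It assumes an AIC bearer token with the `fr:idc:esv:*` scope is already available in `AIC_TOKEN` (obtaining it is not covered on this page), that the hostnames, environment variables and the ESV id character rule used here are placeholders and assumptions, and that the PingOne regional hosts match the worker application's environment.

```python
"""Added example: script steps 2-6 of the AIC / PingOne Protect procedure.

Assumptions (not from the original page): AIC_TOKEN holds an access token with
the fr:idc:esv:* scope; P1_* and AIC_FQDN are placeholders; ESV ids are taken
to be 'esv-' plus lowercase letters, digits and hyphens.
"""
import base64
import json
import os
import re
import urllib.request

# PingOne regional authorization servers; pick the worker app's region.
PINGONE_AUTH_HOSTS = {
    "na": "auth.pingone.com",
    "eu": "auth.pingone.eu",
    "ca": "auth.pingone.ca",
    "ap": "auth.pingone.asia",
}

# Assumption: ESV ids are 'esv-' followed by lowercase letters, digits, hyphens.
ESV_ID_RE = re.compile(r"^esv-[a-z0-9][a-z0-9-]*$")
# Client Secret Label Identifier rule from step 5: a-z, A-Z, 0-9 and '.',
# and it must not start or end with a period.
LABEL_ID_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.]*[A-Za-z0-9])?$")


def esv_secret_id(name: str) -> str:
    """Return the full ESV id, adding the esv- prefix the admin UI adds for you."""
    secret_id = name if name.startswith("esv-") else f"esv-{name}"
    if not ESV_ID_RE.match(secret_id):
        raise ValueError(f"invalid ESV id: {secret_id!r}")
    return secret_id


def secret_label(identifier: str) -> str:
    """Secret label AM derives from the Client Secret Label Identifier (step 5)."""
    if not LABEL_ID_RE.match(identifier):
        raise ValueError(f"invalid Client Secret Label Identifier: {identifier!r}")
    return f"am.services.pingone.worker.{identifier}.clientsecret"


def pingone_token_request(region: str, env_id: str, client_id: str, client_secret: str):
    """Build the client_credentials request the worker app uses (client_secret_basic)."""
    url = f"https://{PINGONE_AUTH_HOSTS[region]}/{env_id}/as/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, b"grant_type=client_credentials"


def esv_put_request(tenant_fqdn: str, secret_id: str, value: str, description: str):
    """Build the ESV API call that creates or updates a generic secret (step 4)."""
    url = f"https://{tenant_fqdn}/environment/secrets/{secret_id}"
    body = {
        "description": description,
        "encoding": "generic",
        "useInPlaceholders": True,
        "valueBase64": base64.b64encode(value.encode()).decode(),
    }
    return url, body


def esv_restart_url(tenant_fqdn: str) -> str:
    """An ESV only takes effect after the restart behind 'Apply Update' (step 4)."""
    return f"https://{tenant_fqdn}/environment/startup?_action=restart"


def http_json(url, method="GET", headers=None, data=None):
    """Send the request; a 401/403 raises HTTPError, which is the check we want."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")


if __name__ == "__main__":
    env = os.environ
    region, env_id = env["P1_REGION"], env["P1_ENV_ID"]
    client_id, client_secret = env["P1_CLIENT_ID"], env["P1_CLIENT_SECRET"]
    tenant, aic_token = env["AIC_FQDN"], env["AIC_TOKEN"]

    # 1. Fail early if the worker credentials are wrong (steps 2-3).
    url, headers, data = pingone_token_request(region, env_id, client_id, client_secret)
    http_json(url, "POST", headers, data)

    # 2. Store the secret as an ESV and make it live (step 4).
    secret_id = esv_secret_id("ping-protect-client-secret")
    url, body = esv_put_request(tenant, secret_id, client_secret, "PingOne worker client secret")
    auth = {"Authorization": f"Bearer {aic_token}", "Content-Type": "application/json"}
    http_json(url, "PUT", auth, json.dumps(body).encode())
    http_json(esv_restart_url(tenant), "POST", auth)

    # 3. This is the label/alias pair to enter under Secret Stores > ESV > Mappings (step 6).
    print("secret label:", secret_label("workerAppClientSecret"), "-> alias:", secret_id)
```

Run it with the five environment variables set; if the first call fails with 401 the worker client ID or secret is wrong and nothing is written to the tenant, which is cheaper to discover here than as an Error outcome on the Evaluation node.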
7. Setup the journey
- Log in to AIC as an administrator.
- In the Identity Cloud admin UI, click Journeys. All existing Identity Cloud journeys display.
- Click + New Journey.
- Configure the following options for the new journey:
- Name: PingOne Protect
- Identity Object: Alpha Realm — Users
- Description: A login journey for the PingOne Protect integration.
- Override theme: Do not enable
- Default journey for end users: Do not enable
- Tags: P1P
- Click Save. The journey editor displays. To save your progress, periodically click Save in the top right of the journey editor. Failure to do this results in losing your work if the page reloads or if you lose your network connection.
- Next, implement the following basic authentication journey in Identity Cloud:
- In the journey editor, open the Risk category of the node palette.
- Drag the following nodes onto the journey canvas:
- PingOne Protect Initialize node, to initialize the PingOne Protect Web SDK on the client device.
- PingOne Protect Evaluation node, to calculate the risk level and other risk-related details associated with an event. Depending on how you configure your risk policies in PingOne, the returned response could be a risk score, a risk level, such as high, medium, or low, and recommended actions, such as bot mitigation.
- Two PingOne Protect Result nodes, to update the risk evaluation configuration or modify the completion status of the resource when the risk evaluation is still in progress.
- A Page node containing the Platform Username and Platform Password nodes, and a Data Store Decision node, to collect and verify the credentials before the risk evaluation.
- Click PingOne Protect Initialize, and enter the following:
- Name: PingOne Protect Initialize
- PingOne Worker Service ID: Select your PingOne Worker service created on step 5.
- Enable SDK Logs: Click to output messages to the developer console. Default is not enabled.
- Collect Behavioral Data: Click to enable behavioral data collection. Default is not enabled.
- Click PingOne Protect Evaluation, and enter the following:
- Name: PingOne Protect Evaluation
- PingOne Worker Service ID: Select your PingOne Worker service created on step 5.
- Flow Type: AUTHENTICATION
- Device Sharing Type: SHARED
- User Type: EXTERNAL
- Score Threshold: 300
- Node State Attribute for User ID: username
- Click the first PingOne Protect Result node, and enter the following:
- Name: PingOne Protect Result (Success)
- Completion Status: Select SUCCESS
- Click the other PingOne Protect Result node, and enter the following:
- Name: PingOne Protect Result (Failure)
- Completion Status: Select FAILED
- Connect the nodes:
- Connect the start (person) icon to the PingOne Protect Initialize node.
- Connect the Next output of the PingOne Protect Initialize node to the Page node containing the Platform Username and Platform Password nodes.
- Connect the Error output of the PingOne Protect Initialize node to the Failure node (red X circle).
- Connect the output of the Page node to the Data Store Decision node.
- Connect the True output of the Data Store Decision node to the PingOne Protect Evaluation node.
- Connect the False output of the Data Store Decision node to the Failure node (red X circle).
- Connect the High output of the PingOne Protect Evaluation node to the High Risk Handler node. In my lab I just added a message node as a placeholder here. In the real world you would want to add an inner tree to handle MFA or something similar.
- Connect the handler node to the PingOne Protect Result (Failure) node.
- Do the same for the Medium and Low outputs: connect them to their respective handlers, and then connect those handlers to the PingOne Protect Result (Success) node.
- Connect the Exceed Score Threshold, Failure and Error outputs of the PingOne Protect Evaluation node to the PingOne Protect Result (Failure) node.
- Connect the output of the PingOne Protect Result (Success) node to the Success node (green checkmark circle).
- Connect the output of the PingOne Protect Result (Failure) node to the Failure node (red X circle).
- Click Save.